LECTURE

INCIDENT HANDLING AND

RECRESPONSE
BY

Audrey Asante
Dept. of Of
Dpt. Computer Science
Management and Engineering
Studies

Contact Information: aasante@umat.edu.gh

UNIVERSITY OF MINES AND

TECHNOLOGY

Course Code: CY277

RISK MANAGEMENT
 OVERVIEW OF RISK MANAGEMENT

• One part of information security is risk management,

which is the process of identifying and controlling the
risks to an organization’s information assets.
• Risk management is the process of discovering and
assessing the risks to an organization’s operations and
determining how those risks can be controlled or
mitigated.
• This process involves discovering and understanding
answers to some key questions with regard to the risk
associated with an organization’s information assets:
– Where and what is the risk (risk identification)?
– How severe is the current level of risk (risk analysis)?
– Is the current level of risk acceptable (risk evaluation)?
– What do I need to do to bring the risk to an acceptable
level (risk treatment)?
Components of risk management and their relationships
to one another
 Risk Management and the RM Framework

• Risk management involves two key areas: the RM framework

and the RM process.
• The RM framework is the overall structure of the strategic
planning and design for the entirety of the organization’s RM
efforts.
• The RM process is the implementation of risk management, as
specified in the framework.
• The RM framework (planning) guides the RM process (doing),
which conducts the processes of risk assessment and risk
treatment.
• Risk Assessment: An approach to combining risk identification,
risk analysis, and risk evaluation into a single strategy.
• Risk Treatment: The selection of a strategy to address residual
risk in an effort to bring it into alignment with the organization’s
risk appetite.
 Risk Management and the RM Framework

• The RM framework also assesses the RM process,

which in turn assesses risk in the organization’s
information assets.
• The RM framework and the RM process are
continuous improvement activities. That means they
are ongoing, repetitive, and designed to
continually assess current performance in order to
improve future RM results.
• The RM framework repeatedly assesses and
improves not only how the RM process is evaluating
and reacting to risk, it also continuously assesses
and improves how well the planning and review
activities are being performed—the framework
itself.
 Risk Management and the RM Framework

• The RM framework consists of five key stages:

• 1. Executive governance and support
• 2. Framework design
• 3. Framework implementation
• 4. Framework monitoring and review
• 5. Continuous improvement
 The RM Process

• The process includes the following tasks:

• Establishing the context, which includes
understanding both the organization’s internal and
external operating environments and other factors
that could impact the RM process.
• Identifying risk, which includes:
– Creating an inventory of information assets
– Classifying and organizing those assets meaningfully
– Assigning a value to each information asset
– Identifying threats to the cataloged assets
– Pinpointing vulnerable assets by tying specific threats
to specific assets
 The RM Process

• Analyzing risk, which includes:

– Determining the likelihood that vulnerable systems will be attacked by
specific threats
– Assessing the relative risk facing the organization’s information assets,
so that risk management and control activities can focus on assets
that require the most urgent and immediate attention
– Calculating the risks to which assets are exposed in their current
setting
– Looking in a general way at controls that might come into play for
identified vulnerabilities and ways to control the risks that the assets
face
– Documenting and reporting the findings of risk identification and
assessment
• Evaluating the risk to the organization’s key assets and comparing
identified uncontrolled risks against its risk appetite:
– Identifying individual risk tolerances for each information asset
– Combining or synthesizing these individual risk tolerances into a
coherent risk appetite statement
 The RM Process

• Treating the unacceptable risk:

– Determining which treatment/control strategy is best
considering the value of the information asset and
which control options are cost effective
– Acquiring or installing the appropriate controls
– Overseeing processes to ensure that the controls
remain effective
• Summarizing the findings, which involves stating the
conclusions of the identification, analysis, and
evaluation stages of risk assessment in preparation
for moving into the stage of controlling risk by
exploring methods to further mitigate risk where
applicable or desired
 RM Process Preparation—Establishing the Context

• NIST’s Special Publication 800-30, Rev. 1, “Guide for

Conducting Risk Assessments,” recommends
preparing for the risk process by performing the
following tasks:
– Identify the purpose of the assessment;
– Identify the scope of the assessment;
– Identify the assumptions and constraints associated
with the assessment;
– Identify the sources of information to be used as
inputs to the assessment; and
– Identify the risk model and analytic approaches (i.e.,
assessment and analysis approaches) to be
employed during the assessment.
 Risk Assessment: Risk Identification

• Risk identification begins with the process of self-

examination.
• As Sun Tzu stated, the organization must know itself
in order to understand the risk to its information
assets and where that risk resides.
• At this stage, managers must (1) identify the
organization’s information assets, (2) classify them,
(3) categorize them into useful groups, and (4)
prioritize them by overall importance.
• This can be a daunting task, but it must be done to
identify weaknesses and the threats they present.
 Categorization of Information Assets

• The people asset can be divided into internal personnel

(employees) and external personnel (nonemployees).
Insiders can be further divided into employees who hold
trusted roles and therefore have correspondingly greater
authority and accountability, and regular staff members
who do not have any special privileges. Outsiders consist
of other users who have access to the organization’s
information assets; some outsiders are trusted and some
are untrusted.
• Procedures can be information assets because they are
used to create value for the organization. They can be
divided into (1) IT and business standard procedures and
(2) IT and business-sensitive procedures. Sensitive
procedures have the potential to enable an attack or to
otherwise introduce risk to the organization.
 Categorization of Information Assets

• The data asset includes information in all states:

transmission, processing, and storage. This is an
expanded use of the term “data,” which is usually
associated with data sets and databases, as well as the
full range of information used by modern organizations.
• Software can be divided into applications, operating
systems, utilities, and security components. Software that
provides security controls may fall into the operating
systems or applications category but is differentiated by
the fact that it is part of the InfoSec control environment
and must therefore be protected more thoroughly than
other systems components.
 Categorization of Information Assets

• Hardware can be divided into (1) the usual systems devices

and their peripherals and (2) the devices that are part of
InfoSec control systems. The latter must be protected more
thoroughly than the former. •
• Networking components can include networking devices
(such as firewalls, routers, and switches) and the systems
software within them, which is often the focal point of attacks,
with successful attacks continuing against systems connected
to the networks. Of course, most of today’s computer systems
include networking elements. You will have to determine
whether a device is primarily a computer or primarily a
networking device. A server computer that is used exclusively
as a proxy server or bastion host may be classified as a
networking component, while an identical server configured
as a database server may be classified as hardware. For this
reason, networking devices should be considered separately
rather than combined with general hardware and software
components.
 Categorization of Information Assets

• In some corporate models, this list may be simplified

into three groups: People, Processes, and
Technology.
• Regardless of which model is used in the
development of risk assessment methods, an
organization should ensure that all of its information
resources are properly identified, assessed, and
managed for risk.
Organizational Assets Used in Systems
 Classifying and Categorizing Information Assets

• Data classification scheme A formal access control

methodology used to assign a level of confidentiality to an
information asset and thus restrict the number of people who
can access it
• A data classification scheme should be developed (or
reviewed, if already in place) that categorizes these
information assets based on their sensitivity and security needs.
• Consider the following classification scheme for an information
asset: confidential, internal, and public.
• Each of these classification categories designates the level of
protection needed for a particular information asset.
• Some asset types, such as personnel, may require an
alternative classification scheme that identifies the InfoSec
processes used by the asset type.
 Classifying and Categorizing Information Assets

• For most organizations, there need be no distinction

between multiple levels of information that need security
protections, and a simple three-layer public-internal-
confidential model is sufficient.
• For organizations that need higher levels of security for
very sensitive data, such as that in research and
development (R&D), additional levels might be needed.
• Classification categories must be comprehensive and
mutually exclusive.
• “Comprehensive” means that all inventoried assets fit
into a category;
• “mutually exclusive” means that each asset is found in
only one category.
 Classifying and Categorizing Information Assets

• For example, an organization may have a public key

infrastructure certificate authority, which is a software
application that provides cryptographic key
management services. Using a purely technical
standard, a manager could categorize the application
in the asset list as software, a general grouping with
no special classification priority.
• Because the certificate authority must be carefully
protected as part of the InfoSec infrastructure, it should
be categorized into a higher-priority classification, such
as software/security component/cryptography, and it
should be verified that no overlapping category exists,
such as software/security component/PKI.
 Assessing Value in Information Assets

• As each information asset is identified, categorized,

and classified, a relative value must be assigned to
it.
• Relative values are comparative judgments
intended to ensure that the most valuable
information assets are given the highest priority
when managing risk.
• It may be impossible to know in advance—in
absolute economic terms—what losses will be
incurred if an asset is compromised; however, a
relative assessment helps to ensure that the higher-
value assets are protected first.
 Assessing Value in Information Assets

• As each information asset is assigned to its proper

category, posing the following basic questions can help
you develop the weighting criteria to be used for
information asset valuation or impact evaluation.
• Which information asset is the most critical to the success
of the organization?
• Which information asset generates the most revenue?
• Which information asset generates the highest
profitability?
• Which information asset is the most expensive to
replace?
• Which information asset is the most expensive to
protect?
• Which information asset’s loss or compromise would be
the most embarrassing or cause the greatest liability?
Assessing Value in Information Assets
 Prioritizing (Rank Ordering) Information Assets

• The final step in the risk identification process is to

prioritize, or rank order, the assets.
• This goal can be achieved by using a weighted
table analysis similar to the one shown in Table 1-3.
 Threat Assessment

• Armed with a properly classified inventory, you can

assess potential weaknesses in each information
asset—a process known as threat assessment.
• Threat assessment: An evaluation of the threats to
information assets, including a determination of
their likelihood of occurrence and potential impact
of an attack.
• Each step in the threat identification and
vulnerability identification processes is managed
separately and then coordinated at the end.
• Not all threats endanger every organization, of
course.
 Threat Assessment

• Posing the following questions can help you find an

answer by understanding the various threats the
organization faces and their potential effects on an
information asset:
• Which threats represent an actual danger to our
information assets?
• Which threats are internal and which are external?
• Which threats have the highest probability of
occurrence?
• Which threats have the highest probability of success?
• Which threats could result in the greatest loss if
successful?
• Which threats is the organization least prepared to
handle?
• Which threats cost the most to protect against?
• Which threats cost the most to recover from?
 Vulnerability Assessment

• After the organization has identified and prioritized

both its information assets and the threats facing
those assets, it can begin to compare information
assets to threats.
• This review leads to the creation of a list of
vulnerabilities that remain potential risks to the
organization. What are vulnerabilities? They are
specific avenues that threat agents can exploit to
attack an information asset.
• In other words, a flaw or weakness in an information
asset, security procedure, design, or control that
can be exploited accidentally or on purpose to
breach security.
 Vulnerability Assessment

• A list should be created for each information asset to

document its vulnerability to each possible or likely
attack.
• This list is usually long and shows all the vulnerabilities of
the information asset.
• Some threats manifest themselves in multiple ways,
yielding multiple vulnerabilities for the asset-threat pair.
• Of necessity, the process of listing vulnerabilities is
somewhat subjective and is based on the experience
and knowledge of the people who create the list.
• Therefore, the process works best when groups of people
with diverse backgrounds work together in a series of
brainstorming sessions.
 The TVA Worksheet

• At the end of the risk identification process, an

organization should have (1) a prioritized list of assets
and (2) a prioritized list of threats facing those assets.
• Prioritized lists should be developed using a technique
like the weighted table analysis.
• The prioritized lists of assets and threats can be
combined into a Threats-Vulnerabilities-Assets (TVA)
worksheet, in preparation for the addition of vulnerability
and control information during risk assessment.
• Before you begin the risk analysis process, it may be
helpful to create a list of the TVA “triples” to facilitate
your examination of the severity of the vulnerabilities. For
example, between Threat 1 and Asset 1 there may or
may not be a vulnerability. Not all threats pose risks to all
assets.
 The TVA Worksheet

• T1V1A1—Vulnerability 1 that exists between Threat 1

and Asset 1
• T1V2A1—Vulnerability 2 that exists between Threat 1
and Asset 1
• T2V1A1—Vulnerability 1 that exists between Threat 2
and Asset 1 . . . and so on.
• In developing the TVA worksheet, the organization is
performing risk identification simply by determining
whether an asset is at risk from a threat and
identifying any vulnerabilities that exist.
• The extent to which the asset is at risk falls under risk
analysis.
The TVA Worksheet
 Risk Assessment: Risk Analysis

• Assessing the relative risk for each vulnerability is

accomplished via a process called risk analysis.
• Risk analysis is a determination of the extent to
which an organization’s information assets are
exposed to risk.
• Risk analysis assigns a risk rating or score to each
specific vulnerability.
• While this number does not mean anything in
absolute terms, it enables you to gauge the relative
risk associated with each vulnerable information
asset, and it facilitates the creation of comparative
ratings later in the risk treatment process.
 Risk Assessment: Risk Analysis

• A simple and popular risk model known as the Risk

Management Framework, which was developed and
promoted by NIST, to evaluate the risk for each
information asset.
• model calculates the relative risk for each vulnerability
based on existing controls, and calculates the likelihood
and impact of a threat event.
• Likelihood: The probability that a specific vulnerability
within an organization will be attacked by a threat.
• Impact: An understanding of the potential
consequences of a successful attack on an information
asset by a threat.
 Risk Assessment: Risk Analysis

• Mitigation of Applicable Controls: If a vulnerability

is fully managed by an existing control, the
vulnerability can be set aside. If it is partially
controlled, you can estimate what percentage of
the vulnerability has been controlled. A simplistic
approach involves determining what
recommended controls have been implemented
as part of the security program, and describing the
level of implementation. The organization must
research each vulnerability to ensure complete
understanding of the issues.
 Risk Assessment: Risk Analysis

• Determining the Likelihood of a Threat Event: Likelihood is the

overall rating—a numerical value on a defined scale—of the
probability that a specific vulnerability will be exploited or
attacked.
• This attempt is commonly referred to as a threat event.
• According to NIST’s SP 800-30, Rev. 1:
The likelihood of occurrence is a weighted risk factor
based on an analysis of the probability that a given threat
is capable of exploiting a given vulnerability (or set of
vulnerabilities). The likelihood risk factor combines an
estimate of the likelihood that the threat event will be
initiated with an estimate of the likelihood of impact (i.e.,
the likelihood that the threat event results in adverse
impacts). For adversarial threats, an assessment of
likelihood of occurrence is typically based on:
(i) adversary intent; (ii) adversary capability; and (iii)
adversary targeting. For other than adversarial
threat events, the likelihood of occurrence is estimated
using historical evidence, empirical data, or other factors.
Risk Assessment: Risk Analysis
 Risk Assessment: Risk Analysis

• Assessing Potential Impact on Asset Value: After

the probability of an attack by a threat has been
evaluated, the organization typically looks at the
possible impact or consequences of a successful
attack. A feared consequence is the loss of asset
value.
 Risk Assessment: Risk Analysis

• Aggregation: If the RM process begins to

overwhelm a small or medium-sized business, the
RM team can reduce the process’s complexity by
merging together or aggregating groups of assets,
threats, and their associated risks into more general
categories. Larger organizations are usually
prepared for the volume of assets, the number of
threats, and the multiplicity of risks.
 Risk Assessment: Risk Analysis

• Uncertainty: It is not possible to know everything

about every vulnerability, such as the likelihood of
an attack against an asset or how great an impact
a successful attack would have on the
organization. The degree to which a current control
can reduce risk is also subject to estimation error. A
factor that accounts for uncertainty must always be
considered; it consists of an estimate made by the
manager using good judgment and experience.
 Risk Assessment: Risk Analysis

• Risk Determination: After the likelihood and

impact are known, the organization can perform
risk determination using a formula that seeks to
quantify certain risk elements. In this formula, risk
equals likelihood of threat event (attack)
occurrence multiplied by impact (or
consequence), plus or minus an element of
uncertainty. Most organizations simply accept the
uncertainty factor and go with a simpler formula:
Likelihood × Impact. The results provide a range of
risk ratings from 1 to 25. The results of this analysis
can be summarized in a risk rating worksheet
 Risk Assessment: Risk Analysis

• The useful approach shown in Table 1-7 illustrates the use of a

weighted factor spreadsheet to calculate risk vulnerability for
a number of information assets, using the simpler model of
ignoring uncertainty.
• The columns in the worksheet are used as follows:
• Asset—List each vulnerable asset.
• Vulnerability—List each uncontrolled vulnerability.
• Likelihood—State the likelihood of the vulnerability’s realization
by a threat agent, as indicated in the vulnerability analysis
step. (In our example, the potential values range from 0 to 5.)
• Impact—Show the results for this asset from the weighted
factor analysis worksheet. (In our example, this value is also a
number from 0 to 5.)
• Risk-rating factor—Enter the figure calculated by multiplying
the asset impact and its likelihood. (In our example, the
calculation yields a number ranging from 0 to 25.)
Risk Assessment: Risk Analysis
 Risk Assessment: Risk Analysis

• Risk Evaluation: After the risk ratings are

calculated for all TVA triples, the organization needs
to decide whether it can live with the analyzed
level of risk—in other words, the organization must
determine its risk appetite. This is the risk evaluation
stage.
• Risk Evaluation: The process of comparing an
information asset’s risk rating to the numerical
representation of the organization’s risk appetite or
risk threshold to determine if risk treatment is
required.
• Although this may seem to be a minor step in the
overall risk assessment task, it is a crucial one.
 Risk Assessment: Risk Analysis

• Documenting the Results of Risk Assessment: The

efforts to compile risks into a comprehensive list
allow the organization to make informed choices
from the best available information. It is also of
value for future iterations of the process to
document the results in a reusable form.
 Evaluating Risk

• After the risk has been identified and its relative

severity against the value of the information asset
has been evaluated, the organization must decide
whether the current level of risk is acceptable or
something must be done.
• The bottom line is that once the risk is known, it
requires extensive deliberation and understanding
before the “yea or nay” decision is made.
• Another step performed during risk evaluation is the
prioritization of effort for the treatment of risk.
 Risk Treatment/Risk Control

• Risk treatment, also known as risk control, is the process

of doing something about risk after the organization has
identified risk, assessed it, evaluated it, and then
determined that the current level of remaining risk—the
residual risk—is unacceptable.
• A variety of options are open to organizations, including
removing the information asset from harm’s way,
modifying how it is currently protected, and passing the
responsibility for its protection or replacement to third
parties.
• Treating risk begins with an understanding of what risk
treatment strategies are and how to formulate them.
• The chosen strategy may include applying additional or
newer controls to some or all of the assets and
vulnerabilities.
 Risk Treatment Strategies

• Teams must choose one of five basic strategies to treat

the risks for assets:
• Defense—Applying controls and safeguards that
eliminate or reduce the remaining uncontrolled risk
• Transference—Shifting risks to other areas or to outside
entities
• Mitigation—Reducing the impact to information assets
should an attacker successfully exploit a vulnerability
• Acceptance—Understanding the consequences of
choosing to leave an information asset’s vulnerability
facing the current level of risk, but only after a formal
evaluation and intentional acknowledgment of this
decision
• Termination—Removing or discontinuing the information
asset from the organization’s operating environment
 Defense

• The defense risk treatment strategy attempts to prevent

the exploitation of the vulnerability. This is the preferred
approach, and it is accomplished by means of
countering threats, removing vulnerabilities in assets,
limiting access to assets, and adding protective
safeguards.
• This approach is sometimes referred to as the avoidance
strategy.
• In essence, the organization is attempting to improve the
security of an information asset by reducing the
likelihood or probability of a successful attack.
• Eliminating the risk posed by a threat is virtually
impossible, but it is possible to reduce the residual risk to
an acceptable level in alignment with the organization’s
documented risk appetite
 Defense

• There are three common approaches to implement the

defense risk treatment strategy:
• Application of policy—The application of policy allows all
levels of management to mandate that certain procedures
must always be followed. However, policy alone may not be
enough. Effective management always couples changes in
policy with the training and education of employees, with an
application of technology, or both.
• Application of security education, training, and awareness
(SETA) programs—Simply communicating new or revised
policy to employees may not be adequate to assure
compliance. Awareness, training, and education are essential
to creating a safer and more controlled organizational
environment and to achieving the necessary changes in end-
user behavior.
• Implementation of technology—In the everyday world of
InfoSec, technical controls and safeguards are frequently
required to effectively reduce risk
 Transference

• The transference risk treatment strategy attempts to shift risk to

another entity.
• This goal may be accomplished by rethinking how services are
offered, revising deployment models, outsourcing to other
organizations, purchasing insurance, or implementing service
contracts with providers.
• When an organization does not have adequate security
management and administration experience, it should consider
hiring individuals or organizations that provide expertise in those
areas. The key to an effective transference risk treatment strategy
is the implementation of an effective service level agreement
(SLA).
• In some circumstances, an SLA is the only guarantee that an
external organization will implement the level of security the client
organization wants for valued information assets.
• Of course, outsourcing is not without its own risks. It is up to the
owner of the information asset, IT management, and the InfoSec
team to ensure that the requirements of the outsourcing contract
are sufficient and have been met before problems occur.
 Mitigation

• The mitigation risk treatment strategy is the

treatment approach that focuses on planning and
preparation to reduce the impact or potential
consequences of an incident or disaster.
• This approach includes four types of plans, which
you will learn about in later modules: the incident
response (IR) plan, the disaster recovery (DR) plan,
the business continuity (BC) plan, and the crisis
management (CM) plan.
• Mitigation derives its value from its ability to detect
and respond to an attack as quickly as possible.
 Acceptance

• The acceptance risk treatment strategy is the decision to

do nothing beyond the current level of protection to
keep an information asset from risk, and to accept the
outcome from any resulting exploitation.
• While the selection of this treatment strategy may not be
a conscious business decision in some organizations, the
unconscious acceptance of risk is not a productive
approach to risk treatment.
• This strategy assumes that it can be a prudent business
decision to examine the alternatives and conclude that
the cost of protecting an asset does not justify the
security expenditure.
• An organization that decides on acceptance as a
strategy for every identified risk of loss may be unable to
conduct proactive security activities and may have an
apathetic approach to security in general.
 Acceptance

• Acceptance is recognized as a valid strategy only when

the organization has:
• Determined the level of risk posed to the information
asset • Assessed the probability of attack and the
likelihood of a successful exploitation of a vulnerability
• Estimated the potential impact (damage or loss) that
could result from a successful attack
• Evaluated potential controls using each appropriate
type of feasibility
• Performed a thorough risk assessment, including a
financial analysis
• Determined that the costs to treat the risk to a particular
function, service, collection of data, or information asset
do not justify the cost of implementing and maintaining
the controls
 Termination

• Like the acceptance risk treatment strategy, the

termination risk treatment strategy is based on the
organization’s intentional choice not to protect an asset.
• Here, however, the organization does not want the
information asset to remain at risk and so removes it from
the operating environment.
• Sometimes, the cost of protecting an asset outweighs its
value.
• In other cases, it may be too difficult or expensive to
protect an asset, compared to the value or advantage
that asset offers the company.
• In either case, termination must be a conscious business
decision, not simply the abandonment of an asset,
which would technically qualify as acceptance.
 Managing Risk

• Here are some rules of thumb for selecting a strategy:

• When a vulnerability (flaw or weakness) exists in an important
asset—Implement security controls to reduce the likelihood of
a vulnerability being exploited.
• When a vulnerability can be exploited—Apply layered
protections, architectural designs, and administrative controls
to minimize the risk or prevent the occurrence of an attack.
• When the attacker’s potential gain is greater than the costs of
attack—Apply protections to increase the attacker’s cost or
reduce the attacker’s gain by using technical or managerial
controls.
• When the potential loss is substantial—Apply design principles,
architectural designs, and technical and nontechnical
protections to limit the extent of the attack, thereby reducing
the potential for loss.
Managing Risk
 Process Communications, Monitoring, and Review

• As the process team works through the various RM activities, it

needs to continually provide feedback to the framework
team about the relative success and challenges of its RM
activities.
• This feedback is used to improve not only the process but the
framework as well. It is critical that the process team have one
or more individuals designated to collect and provide this
feedback, as well as a formal mechanism to submit it to the
framework team.
• These process communications facilitate the actions in the
process monitoring and review.
• The former involves requesting and providing information as
direct feedback about issues that arise in the implementation
and operation of each stage of the process.
• The latter involves establishing and collecting formal
performance measures and assessment methods to
determine the relative success of the RM program.
END OF LECTURE