Professional Documents
Culture Documents
СИТАК ПЗ 3 1709 18 v1 Eng
СИТАК ПЗ 3 1709 18 v1 Eng
ЗАТВЕРДЖУЮ
Завідувач кафедри ____________________
____________________________________
____________________________________
(підпис, ініціали, прізвище)
МЕТОДИЧНА РОЗРОБКА
для проведення занять практичних
(вид заняття)
зі студентами інституту (факультету) НАВЧАЛЬНО-НАУКОВИЙ ІНСТИТУТ ЗАХИСТУ
ІНФОРМАЦІЇ
(назва інституту (факультету))
з навчальної дисципліни: Стандарти інформаційної та кібербезпеки
(назва навчальної дисципліни)
________________________________________________________________________________
Час: ___________
Навчально-методичне забезпечення
1. Комплект слайдів до лекції
2. Навчальний сайт
3. ________________________________________________________
№ Час, Метод
Навчальне питання (проблема)
зп хв. проведення
І Вступ.
ІІ Основна частина
Додатки:
методична розробка для проведення семінарського заняття
методична розробка для проведення практичного заняття
методична розробка для проведення лабораторного заняття
________________________________________________________________________________
__________________________________________________________________________
(посада, науковий ступінь, вчене звання, підпис, ініціали, прізвище)
TOPIC 1-RISK
The core duty of cybersecurity is to identify, mitigate and manage cyberrisk to an
organization’s digital assets. Cyberrisk is that portion of overall risk management that solely
focuses on risk that manifests in the cyber (Interconnected Information Environments) domain.
While most people have an inherent understanding of risk in their day-to-day lives, it is important to
understand risk in the context of cybersecurity, which means knowing how to determine, measure
and reduce risk effectively.
Assessing risk is one of the most critical functions of a cybersecurity organization. Effective
policies, security implementations, resource allocation and incident response preparedness are all
dependent on understanding the risk and threats an organization faces. Using a risk-based approach
to cybersecurity allows more informed decision-making to protect the organization and to apply
limited budgets and resources effectively. If controls are not implemented based on awareness of
actual risk, then valuable organizational assets will not be adequately protected while other assets
will be wastefully overprotected.
Too often, cybersecurity controls are implemented with little or no assessment of risk.
ISACA’s worldwide survey of IT management, auditors and security managers showed that over 80
percent of companies believe “information security risks are either not known or are only partially
assessed” and that “IT risk illiteracy and lack of awareness” are major challenges in managing risk.
Therefore, understanding risk and risk assessments are critical requirements for any security
practitioner.
KEY TERMS AND DEFINITIONS
A visual summary of the key terms is presented in International Organization for
Standardization (ISO) International Electrotechnical Commission (IEC) 27032 (figure2.1).
There are many potential definitions of risk — some general and others more technical.
Additionally, it is important to distinguish between a risk and a threat. Although many people use
the words threat and risk synonymously, they have two very different meanings. As with any key
concept, there is some variation in definition from one organization to another. For the purposes of
this guide, we will define terms as follows:
• Risk—the combination of the probability of an event and its consequence (ISO/IEC 73).
Risk is mitigated through the use of controls or safeguards.
• Threat—anything (e.g., object, substance, human) that is capable of acting against an asset
in a manner that can result in harm. ISO/IEC 13335 defines a threat broadly as a potential cause of
an unwanted incident. Some organizations make a further distinction between a threat source and a
threat event, classifying a threat source as the actual process or agent attempting to cause harm, and
a threat event as the result or outcome of a threat agent’s malicious activity.
• Asset—something of either tangible or intangible value that is worth protecting, including
people, information, infrastructure, finances and reputation
• Vulnerability—a weakness in the design, implementation, operation or internal control of a
process that could expose the system to adverse threats from threat events. Although much of
cybersecurity is focused on the design, implementation and management of controls to mitigate
risk, it is critical for security practitioners to understand that risk can never be eliminated. Beyond
the general definition of risk provided above, there are other, more specific types of risk that apply
to cybersecurity.
• Inherent risk—the risk level or exposure without taking into account the actions that
management has taken or might take (e.g., implementing controls)
• Residual risk—even after safeguards are in place, there will always be residual risk, defined
as the remaining risk after management has implemented a risk response.
Figure 2.2 illustrates one example of how many of these key terms come into play when
framing an approach to risk management.
Bottom-up Approach
The bottom-up approach to developing risk scenarios is based on describing risk events that
are specific to cybersecurity-related situations, typically hypothetical situations envisioned by the
people performing the job functions in specific processes. The cybersecurity professional and
assessment team start with one or more generic risk scenarios then refine them to meet their
individual organizational needs, including building complex scenarios to account for coinciding
events.
Bottom-up scenario development can be a good way to identify scenarios that are highly
dependent on the specific technical workings of a process or system, which may not be apparent to
anyone who is not intimately involved with that work but could have substantial consequences for
the organization. One downside of bottom-up scenario development is that it may be more difficult
to maintain management interest in highly specialized technical scenarios.
APPROACHES TO RISK
A number of methodologies are available to measure risk. Different industries and professions
have adopted various tactics based upon the following criteria:
• Risk tolerance
• Size and scope of the environment in question
• Amount of data available
It is particularly important to understand an organization’s risk tolerance when considering
how to measure risk. For example, a general approach to measuring risk is typically sufficient for
risk-tolerant organizations such as academic institutions or small businesses. However, more
rigorous and in-depth risk assessment is required for entities with a low tolerance for risk. This is
especially relevant for any heavily regulated entity, like a financial institution or an airline
reservation system, where any down time would have a significant operational impact
APPROACHES TO CYBERSECURITY RISK
There are three different approaches to implementing cybersecurity. Each approach is
described briefly below:
• Ad hoc — an ad hoc approach simply implements security with no particular rationale or
criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect
insufficient subject matter expertise, knowledge or training when designing and implementing
safeguards.
• Compliance-based — also known as standards-based security, this approach relies on
regulations or standards to determine security implementations. Controls are implemented
regardless of their applicability or necessity, which often leads to a “checklist” attitude toward
security.
• Risk-based — risk-based security relies on identifying the unique risk a particular
organization faces and designing and implementing security controls to address that risk above and
beyond the entity’s risk tolerance and business needs. The risk-based approach is usually scenario-
based.
In reality, most organizations with mature security programs use a combination of risk-based
and compliance-based approaches. In fact, most standards or regulations such as ISO 27001, the
Payment Card Industry Data Security Standard (PCI DSS), Sarbanes–Oxley Act (SOX) or the US
Health Insurance Portability and Accountability Act (HIPAA) require risk assessments to drive the
particular implementation of the required controls.
THIRD PARTY RISK
Cybersecurity can be more difficult to control when third parties are involved, especially
when different entities have different security cultures and risk tolerances. No organization exists in
a vacuum, and information must be shared with other individuals or organizations, often referred to
as third parties. It is important to understand third-party risk, such as information sharing and
network access, as it relates to cybersecurity.
Outsourcing is common, both onshore and offshore, as companies focus on core competencies
and ways to cut costs. From an information security point of view, these arrangements can present
risk that may be difficult to quantify and potentially difficult to mitigate. Typically, both the
resources and skills of the outsourced functions are lost to the organization, which itself will present
risk. Providers may operate on different standards and can be difficult to control. The security
strategy should consider outsourced security services carefully to ensure that they either are not a
critical single point of failure or that there is a viable backup plan in the event of service provider
failure.
Risk posed by outsourcing can also materialize as the result of mergers and acquisitions.
Typically, significant differences in culture, systems, technology and operations between the parties
present a host of security challenges that must be identified and addressed. Often, in these
situations, security is an afterthought and the security manager must strive to gain a presence in
these activities and assess the risk for management consideration.