
Chapter 02

Risk Management & Governance Elements
Wenura Mendis
2022/09 Vibernets Streaming
Chapter 02

1. Risk Management Process

2. Governance Elements

09/22/2022 VIBERNETS STREAMING 2


2.1 Risk Management

Risk Management Concepts


Risk management is the process of identifying threats and vulnerabilities, assessing the
resulting risks, and deciding on a risk response. The reports produced by this process are sent
to management so it can make informed decisions. The team involved is also responsible for
budget controls.

Terms:
1. Asset – Something or someone in need of protection (People, Data, Property)
2. Vulnerability – It is a gap or weakness in those protection efforts.
3. Threat – It is something or someone that aims to exploit a vulnerability.

Risk = Threat × Vulnerability


To have risk, a threat must connect to a vulnerability. This relationship is stated by the formula:
Risk = Threat × Vulnerability
2.1 Risk Management

Threat Actor
A threat actor is a person or entity that is responsible for an event or incident that impacts, or
has the potential to impact, the safety or security of another entity.

Types of actors
• Hacktivist - Person who uses hacking techniques
• Organized crime - Organized groups seeking to steal money, identities, or corporate secrets
• Nation states/APT - Countries sponsoring illegal or fraudulent actions
• Insiders - Internal employees seeking to cause damage to their organization (dangerous)
• Competitors - Organizations seeking to commit corporate espionage for financial/market gain
• Script kiddies - People who use hacking techniques but have limited skills
2.1 Risk Management

Risk Identification
You are likely to assist in system-level risk assessment as a security professional, focusing on
process, control, monitoring, or incident response and recovery tasks.

• Identify risk to communicate it clearly.
• Employees at all levels of the organization are responsible for identifying risk.
• Identify risk to protect against it.
2.1 Risk Management

Risk Assessment
Risk assessment determines whether vulnerabilities exist and how threats could exploit them. If
exploitation happens, the resulting impact must be identified. There are several techniques to
assess the risks.

Quantitative and Qualitative Risk Analysis are two methods for analyzing risk.
Quantitative Risk Analysis uses hard metrics, such as dollars.
Qualitative Risk Analysis uses simple approximate values.
Quantitative is more objective; qualitative is more subjective.
Both methodologies are required for comprehensive risk assessments.

2.1 Risk Management

Risk Treatment
The term "risk treatment" refers to the process of deciding what to do about a risk once it has
been identified and prioritized.

• Accept the risk and hope it is not realized, which assumes that the impact of this risk is less
than the cost of treating it.
• Transfer the risk to another entity such as an insurance company or a business partner.
• Avoid the risk by not implementing the information system that brings it, or by changing
business practices so the risk is no longer present or is reduced to acceptable levels.
• Mitigate the risk by implementing controls that bring it to acceptable levels.

2.1 Risk Management

Risk Tolerance
Simply put: how much risk is the organization willing to take? Does management welcome risk
or want to avoid it?
Risk tolerance refers to the amount of loss an investor is prepared to handle when making an
investment decision. Several factors determine the level of risk an investor can afford to take.

2.1 Risk Management

Risk Priorities
A risk matrix, which defines priority as the intersection of likelihood of occurrence and
impact, is one common way to prioritize risks.

[Figure: 2×2 risk matrix of likelihood against impact; the four quadrants are ranked by priority
from 1 (highest) to 4 (lowest).]
2.2 Governance Elements

Governance Elements
Part of the management of any security programme is determining and defining how security
will be maintained in the organisation. Ensuring proportionate policies, standards, guidelines
and procedures are in place that are understood and consistently enforced is critical in any
insider threat programme.

1. Regulations & Laws
2. Standards
3. Policies
4. Procedures

2.2 Governance Elements

Governance Elements
Regulations & Laws

Local, state, and federal governments all have the authority to set regulations and related fines
and penalties. The imposition and enforcement of rules and laws can vary from one country to
the next.

Eg:
HIPAA (The Health Insurance Portability and Accountability Act) – 1996
GDPR (General Data Protection Regulation) – 2018

2.2 Governance Elements

Governance Elements
Standards

Standards refer to mandatory activities, actions, or rules. Standards describe specific
requirements that allow us to meet our policy goals.
They are unambiguous, detailed, and measurable. There should be no question as to whether a
specific asset or action complies with a given standard.

Eg:
ISO - International Organization for Standardization
Creates and publishes worldwide standards on a wide range of technological topics, including
information systems and security, as well as encryption standards.

IEEE - Institute of Electrical and Electronics Engineers
Sets standards for telecommunications, computer engineering and similar disciplines.

2.2 Governance Elements

Governance Elements
Policies

A security policy is a broad statement published by senior management (or a designated policy
board or committee) that specifies the role of security inside the organization.

The organizational security policy defines and guides all future security efforts within the
organization. It also specifies the level of risk that senior management is willing to accept.

2.2 Governance Elements

Governance Elements
Procedures

Procedures are step-by-step implementation instructions. They are mandatory and therefore
well documented for reuse.

Procedures can also save a lot of time as a specific procedure can serve multiple products.
Some examples would be, Administrative, Access Control, Auditing, Configuration, and Incident
Response.

Chapter 02 - Summary

Try this

1. In order to make an online purchase, Nirmal must decide whether or not to create a new user
account with the vendor, who will then have access to Nirmal's full name, postal address, credit
card number, mobile number, personal email address, permission to send marketing messages to
Nirmal, and permission to share this data with other vendors. Nirmal thinks that the price of the
item is not worth the cost of giving up his identity, thus he does not buy it.
What kind of risk management approach did Nirmal make?
A. Mitigate
B. Accept
C. Conflate
D. Avoid

Chapter 02 - Summary

Try this
2. Which of the following is NOT one of the four common methods of risk management?
A. Mitigate
B. Accept
C. Conflate
D. Avoid

3. Geeth is the network administrator for a small business. Geeth has been entrusted with creating a
manual that explains how to securely install the operating system on a new laptop, step by step. This
is an example of a ………..?
A. Guideline
B. Procedure
C. Standard
D. Policy

Chapter 02 - Summary

Try this
4. Lasantha is the administrator of security for a small food delivery company. The country in which
Lasantha's company works publishes a new law that clashes with the company's policies. Which
governance principle should the corporation of Lasantha adhere to?
A. Guideline
B. Procedures
C. The Law
D. The Policy

5. The law of the European Union (EU) protects the privacy of individuals.
A. The Magna Carta
B. The constitution
C. The General Data Protection Regulation
D. The Privacy Human Rights Act

Thank you

Wenura Mendis @Vibernets Streaming

1. Study CCNA, CCNP & Linux with Vibernets: https://www.facebook.com/vibernets/

2. Join Our Study Group: https://www.facebook.com/groups/ccnastudygroup/

3. Vibernets Streaming Page: https://www.facebook.com/vibernetsstreaming/

4. Telegram - Meet Wenura - https://t.me/meetwenura

5. Linkedin - https://www.linkedin.com/in/wenuragayan/
