G Logan Gombar
7/14/2019
To prepare for the upcoming meeting, these notes are intended to ensure a base level of
knowledge, establish a standard set of terms to use, and facilitate discussion. The topics at hand
are risk management planning, approaches to cyber security, and the potential damages of
ungoverned risk. The notes will include definitions, key elements of a risk management plan
Definitions
It is best to start by defining a set of terms for this discussion. What is risk, and what does
it mean to manage risk? Risk is where a vulnerability meets a threat (Van Impe, 2017). Said
another way, it is when someone who wants to steal something is given a way to break in. Managing
risk isn’t only preemptive; it often means accepting risk and enforcing policies to recover from losses.
The CIA triad is what many consider to be the pillars of cyber security. The CIA triad is
concept of keeping information out of the hands of bad actors. Integrity is keeping data from
legitimate users – information that cannot be reached when needed is as useless as information
that has been stolen. Using these definitions, we can move on to defining an RMP.
RMF READ AHEAD NOTES 2
Defining an RMP can be done in a series of steps. More tailored specifics must be created
for each organization, but that discussion is beyond the scope of these notes. The key steps are as
follows: frame, assess, respond, and monitor (NIST, 2011, pp. 7-8). With these steps worked out,
Framing risk is integral to the creation of a “risk management strategy”. This creates the
baseline for risk acceptance in the organization, and creating this foundation allows all layers of
the organization to adhere to the policies at hand. Framing risk clearly defines left and right
bounds on decision making, and can even influence investment strategies (NIST, 2011, p. 34).
Assessing risk is the evaluation of vulnerabilities and threats. Denoting the risk to the
organization can typically be done via an “impact vs. urgency” matrix (Topalovic, 2015). By
prioritizing risks, the mitigation strategies and responses can be more focused and specific.
Responding to risk is developing strategies for accepting, mitigating, or otherwise treating the risks (NIST,
2011, p. 41) assessed in the previous step. By providing these policies, a company can prevent
risk from causing lasting damage to systems. The steps in this process will vary, but should
include steps for responding to active risks, such as containment, damage reduction, and service
restoration. With these regulations, a company will be more resilient in the event of an attack.
changes are not only external changes – internal changes increase the threat to a network as well.
The inability to adapt to a changing cyber battlefield will also lead to more loss than accepting
the risk of a change. By adapting to known threats, an organization can maintain a given level of
risk. This requires a level of risk acceptance, but the risk needs to be accepted to ensure
Potential Damages
The above RMP may seem extensive when diving into the specifics, as many of the
controls will not seem to apply. However, when looking into the potential damages caused when
a single leg of the CIA triad is compromised, it becomes readily apparent why this is a critical
attackers. This can lead to knowledge being leaked (trade secrets or personally identifiable
information, for example) that may be extremely costly. By not securing the Confidentiality of
the data, the company is putting the information directly into the hands of attackers.
When the Integrity of a system is compromised, the data on the system is subject to
change. This change could be an alteration or could be complete deletion. Without assurance that
the data cannot be changed by an unauthorized user, there is no way to trust the data on a system.
If a payroll system could not be trusted, all payroll would have to be done by hand, costing the
company by requiring extensive new hires. This lack of trust in the systems would cause a
cascade of issues, rendering the system useless, making the company obsolete.
DDoS, Amazon reported a loss of $75 million in about an hour (Newman, 2018). If a resource is
ecosystem, and any web-based company knows that high availability is a very high priority.
Summary
By implementing a rigorous risk management plan, a company can prevent many attacks
from occurring. Enforcing a series of policies designed by framing, assessing, responding to, and
monitoring risk will enable greater resilience to attacks. Addressing the threats to the CIA triad
can reduce the risk to systems and profit, while increasing resiliency and reliability of those
systems. The network will never be fully secure, but by providing a baseline we can begin to
increase the strength of our security stance to reduce risk that exists on our systems.
References
Newman, S. (2018, July 24). Amazon Invited DDoS Attack On Prime Day. Retrieved from
https://www.informationsecuritybuzz.com/expert-comments/amazon-invited-ddos-attack-on-prime-day/
NIST. (2011). Managing Information Security Risk: Organization, Mission, and Information,
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
Topalovic, D. (2015, July 9). ITIL & ISO 20000 Service Desk Incident Classification. Retrieved
from https://advisera.com/20000academy/knowledgebase/incident-classification/
Van Impe, K. (2017, April 22). Simplifying Risk Management. Retrieved from
https://securityintelligence.com/simplifying-risk-management/