Fatskills
Study Guide: CompTIA CASP+ CAS-004 Certification: Basics of Risk Mitigation Strategies
Source: https://www.fatskills.com/cooking/chapter/comptia-casp-cas-004-certification-basics-of-risk-mitigation-strategies

CompTIA CASP+ CAS-004 Certification: Basics of Risk Mitigation Strategies

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Security professionals must help the organizations they work for to put in place the proper risk mitigation strategies and controls. Security professionals should use a risk management framework to ensure that risks are properly identified and the appropriate controls are put into place.
 

Security teams ensure organizations have proper risk mitigation strategies and controls in place. Using risk management frameworks helps identify and implement the appropriate controls. This guide covers the steps involved in risk mitigation, which include asset identification, CIA triad, determination of threats, the likelihood of attacks, implementing countermeasures, and conducting a risk analysis to determine the security threshold level.
 

Exam topics covered:
- Asset classification
- Threat identification
- Risk determination
- Countermeasures and controls
- CIA-impact decisions
- Aggregate score for security controls
- Worst case scenario
- Technical to business risk
- Risk controls
- Business continuity planning

Structure
In this guide, we will cover all the tasks involved in risk mitigation, including the following:
- Data classification by impact levels based on CIA
- Incorporate stakeholder input into CIA impact-level decisions
- Determine the aggregate CIA score
- Determine the minimum required security controls based on the aggregate score
- Select and implement controls based on CIA requirements and organizational policies
- Extreme scenario planning/worst-case scenario
- Conduct system-specific risk analysis
- Make risk determination based upon known metrics
- Translate technical risks into business terms
- Recommend which strategy should be applied based on risk appetite
- Risk management processes, continuous improvement, and monitoring
- Business continuity planning, and IT governance


Data classification by impact levels based on CIA
Confidentiality, integrity, and availability (CIA) are the three cornerstones of security. Most security incidents involve a breach of at least one aspect of the CIA triad. Understanding these three principles helps security professionals confirm that every control and process in place protects at least one of them. To maintain confidentiality, you must prevent data or information from being disclosed to unauthorized parties. Part of confidentiality is evaluating the sensitivity level of data before any access restrictions are put in place: data at a higher sensitivity level receives stricter access controls than data at a lower level.
 

Disclosure is the opposite of confidentiality. Most security professionals think of confidentiality in terms of data on a network or device, but data may also exist in printed form. Data on a network should be safeguarded with appropriate controls, and printed data must be protected as well, which requires data disposal rules. Encryption, steganography, access control lists (ACLs), and data classification are examples of controls that support confidentiality.
The second component of the CIA triad, integrity, guarantees that data is protected from unauthorized modification or corruption. The purpose of data integrity is to keep data consistent. Corruption is the opposite of integrity. Many people believe that data integrity is less essential than data confidentiality, but alteration or corruption of data may be just as damaging to a business because the original data is lost. Digital signatures, checksums, and hashes are examples of integrity controls.
Finally, availability refers to the ability of those with a legitimate need for data to obtain it when it is required. Destruction or isolation is the opposite of availability. While many people believe this to be the least critical of the three tenets, an availability failure has the most visible impact on end users and customers; consider a denial-of-service (DoS) attack on a web server that serves customers. Load balancing, hot sites, and RAID are examples of measures that increase availability, while DoS attacks reduce it.

Every security control an organization implements satisfies at least one of the CIA triad's principles. Knowing how these principles can be circumvented is just as crucial as knowing how to provide them. When security measures are introduced, a balanced approach should be used so that all three aspects are taken into account, and you should determine which aspect a control targets before implementing it. RAID addresses availability, file hashes address integrity, and encryption addresses confidentiality.
With a balanced approach, no aspect of the CIA triad is overlooked. FIPS 199 (Federal Information Processing Standard Publication 199) establishes security categorization rules for federal information systems. This US government standard mandates that federal agencies evaluate each information system in terms of confidentiality, integrity, and availability, assigning a low, moderate, or high potential impact rating for each of the three. The overall security category of the system is the highest rating assigned to any of the three tenets (the high-water mark).
If the loss of a CIA tenet is projected to have a limited negative impact on organizational operations, organizational assets, or individuals, the potential impact is low. This happens when the organization can still perform its primary functions, but with noticeably reduced effectiveness. Only minor damage, financial loss, or harm falls into this category.
If the loss of a CIA tenet is projected to have a serious negative impact on organizational operations, organizational assets, or individuals, the potential impact is moderate. This occurs when the organization's ability to perform its primary functions is significantly reduced. This category involves significant damage, financial loss, or harm.
If the loss of a CIA tenet is projected to have a severe or catastrophic negative impact on organizational operations, organizational assets, or individuals, the potential impact is high. This happens when the organization is unable to perform one or more of its primary functions. Major damage, major financial loss, or severe injury falls into this category. It is also critical for security professionals and businesses to understand the classification and life cycle of information. Classification schemes differ depending on whether the organization is a commercial enterprise or a military/government body.

Incorporate stakeholder input into CIA decisions
CIA levels for business information assets are sometimes difficult for security experts to evaluate alone. Security experts should seek input from asset stakeholders to determine which level should be assigned to each tenet for an information asset. Keep in mind that all stakeholders must be consulted, not only department heads. While department heads should be contacted because they have the most influence on CIA decisions about departmental assets, other stakeholders within the department and the wider organization should also be consulted. This guideline applies to every security endeavor a company undertakes. Stakeholder involvement should be sought early in the project to ensure that stakeholder requirements are captured and that project buy-in is obtained. If difficulties with the security project occur later and adjustments are required, the project team should consult the project stakeholders before approving or implementing any changes. All input should be documented and integrated with the security professional's own evaluation in order to calculate the CIA levels.

Determine the aggregate CIA score
FIPS 199 establishes three potential impact levels (low, moderate, and high) for each of the three security tenets.
However, the organization must decide which levels apply to its own assets, since only the organization can judge whether a particular loss is limited, serious, or severe. According to FIPS 199, the security category of an information type or system expresses the three tenets together with their assigned values. Those values are then used to decide which security controls should be put in place. If an asset is made up of several information types or components, the security category for the asset is derived from the categories of the entities that make it up, taking the highest value assigned to each tenet.

Determine minimum required security controls based on aggregate score
Suitable security controls must be applied to all organizational assets. The controls that need to be applied are identified from the aggregate CIA score described above. It is critical for security professionals to understand the type of coverage each available control provides. As the analysis progresses, security experts should define the minimum set of controls that must be applied.
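As an added worked example (not code from the page or from FIPS 199 itself), the following Python carries out the categorization described in the preceding sections: it records a per-tenet rating for each information type, reconciles a stakeholder's rating with the assessor's, combines several information types into one system-level category by taking the high-water mark per tenet, derives the overall category, and maps it to the NIST SP 800-53 control baseline (low, moderate, or high) that FIPS 200 selects from that category. The merge policy (keep the higher rating and log who raised it) is an assumption, not a FIPS 199 rule, and the payroll system with its two information types is constructed sample input.

```python
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple

TENETS = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """FIPS 199 potential impact levels; the ordering lets max() pick the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


SecurityCategory = Dict[str, Impact]  # tenet -> impact, e.g. {"confidentiality": Impact.LOW, ...}


def security_category(c: Impact, i: Impact, a: Impact) -> SecurityCategory:
    """Build SC = {(confidentiality, c), (integrity, i), (availability, a)}."""
    return {"confidentiality": c, "integrity": i, "availability": a}


def high_water_mark(sc: SecurityCategory) -> Impact:
    """Overall category of a system: the highest rating assigned to any tenet."""
    return max(sc[t] for t in TENETS)


def aggregate(entities: Iterable[SecurityCategory]) -> SecurityCategory:
    """System-level category for a system made up of several information types:
    per tenet, take the highest rating any component carries."""
    cats = list(entities)
    if not cats:
        raise ValueError("at least one information type is required")
    return {t: max(sc[t] for sc in cats) for t in TENETS}


def merge_stakeholder_input(assessor: SecurityCategory,
                            stakeholder: SecurityCategory,
                            who: str) -> Tuple[SecurityCategory, List[str]]:
    """Reconcile the security professional's rating with a stakeholder's.
    Policy used here (an assumption, not prescribed by FIPS 199): keep the higher
    rating per tenet and log which tenets the stakeholder raised, so the
    documented input survives into the final determination."""
    merged: SecurityCategory = {}
    log: List[str] = []
    for t in TENETS:
        if stakeholder[t] > assessor[t]:
            log.append(f"{who} raised {t} from {assessor[t].name} to {stakeholder[t].name}")
        merged[t] = max(assessor[t], stakeholder[t])
    return merged, log


def control_baseline(sc: SecurityCategory) -> str:
    """Minimum SP 800-53 baseline, selected by the system's overall category."""
    return {Impact.LOW: "low", Impact.MODERATE: "moderate", Impact.HIGH: "high"}[high_water_mark(sc)]


def format_sc(sc: SecurityCategory) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({t}, {sc[t].name})" for t in TENETS) + "}"


def categorize_payroll_system() -> Tuple[SecurityCategory, str, List[str]]:
    """Constructed sample: a payroll system holding two information types."""
    employee_pii = security_category(Impact.MODERATE, Impact.MODERATE, Impact.LOW)
    payroll_processing = security_category(Impact.LOW, Impact.MODERATE, Impact.MODERATE)
    # Finance (a stakeholder) argues that a corrupted pay run is a serious loss.
    payroll_processing, log = merge_stakeholder_input(
        payroll_processing,
        security_category(Impact.LOW, Impact.HIGH, Impact.MODERATE),
        who="finance director")
    system_sc = aggregate([employee_pii, payroll_processing])
    return system_sc, control_baseline(system_sc), log


if __name__ == "__main__":
    sc, baseline, log = categorize_payroll_system()
    print(format_sc(sc))  # SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    print("overall:", high_water_mark(sc).name, "-> baseline:", baseline)
    print("\n".join(log))
```

Note that a single HIGH on one tenet of one component pulls the whole system to the high baseline; that is exactly why stakeholder ratings should be justified and documented before they are merged.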

Implement controls based on CIA requirements
To secure organizational assets, security experts must ensure that the right controls are selected and implemented. The controls chosen should be based on the CIA requirements as well as the organization's policies. After the controls are implemented, a gap analysis may be required to establish where security gaps still exist so that additional controls can be introduced. Security experts should be familiar with the various types and categories of access controls that can be applied.

Access control categories
As a countermeasure to discovered vulnerabilities, security engineers put access controls in place. Any access control will fall into one or more of the following categories.

There are seven categories of access controls, which are as follows:
- Compensative
- Corrective
- Detective
- Deterrent
- Directive
- Preventive
- Recovery

Compensative
Compensative controls reduce risk where a primary access control is absent or cannot be applied. By employing compensating controls, you can reduce the risk to a more acceptable level. Examples include requiring two authorized signatures to release sensitive or secret information and requiring two keys, held by separate people, to open a safe deposit box.

Corrective
Corrective controls are put in place to lessen the impact of an attack or other adverse event, and can be used to repair or restore the entity that has been attacked. Installing fire extinguishers, isolating or terminating a connection, creating new firewall rules, and using server images to restore a system to a prior state are all examples of corrective controls. Corrective controls are important after an event has occurred.

Detective
Detective controls are in place to identify an attack in progress and notify the proper individuals. Motion detectors, intrusion detection systems (IDSs), logs, guards, investigations, auditing, and job rotation are all examples of detective controls. Detective controls are important during an event.

Deterrent
Deterrent controls deter or discourage an attacker. They can also surface an attack early in the process, and they frequently trigger preventive and corrective controls. User identification and authentication, fencing, lighting, and corporate security rules such as non-disclosure agreements (NDAs) are examples of deterrent controls.

Directive
Directive controls define what is and is not acceptable within an organization. They exist to establish the organization's security mandate and are aimed primarily at its personnel. The most common directive control is an acceptable use policy (AUP), which spells out the procedures and behaviors employees must follow and often gives examples of improper ones. Any organizational security policy or procedure generally falls into this category. Keep in mind that directive controls are only effective if there is a defined penalty for failing to follow the organization's instructions.

Preventive
Preventive controls keep an attack from occurring in the first place. Locks, badges, biometric systems, encryption, intrusion prevention systems (IPSs), antivirus software, personnel security, security guards, passwords, and security awareness training are examples of preventive controls. Preventive controls are beneficial before an event.

Recovery
Recovery controls are used to restore a system or device after an attack; the restoration of resources is their main purpose. Disaster recovery plans, data backups, and remote facilities are examples of recovery controls.

Access control types
Any organization concerned with defense in depth needs all three types of access controls. You cannot fully secure the environment without logical controls, even with the toughest physical and administrative controls in place. Access control types are divided by how they are implemented.

There are three types of access controls, which are as follows:
- Administrative (management) controls
- Logical (technical) controls
- Physical controls

Administrative (Management) controls
Administrative controls are the security policies, procedures, standards, baselines, and guidelines that management develops to govern the organization's assets and workers. These are often called soft controls. Personnel controls, data classification, data labeling, security awareness training, and supervision are examples. Security awareness training is a crucial administrative control; its goal is to change the organization's attitude toward data security. Its advantages include a decrease in the frequency and severity of errors and omissions, a better understanding of the value of information, and improved recognition by administrators of unauthorized intrusion attempts. Creating an award or recognition program is a cost-effective way to ensure that staff take security awareness seriously.

Logical (Technical) controls
Logical controls, also known as technical controls, are software or hardware components used to restrict access. Firewalls, intrusion detection systems, intrusion prevention systems, encryption, authentication systems, protocols, auditing and monitoring, biometrics, smart cards, and passwords are all examples of logical controls. Enforcing a rule that blocks employees from remotely configuring the email server from a third-party location during business hours is an example of a technical control, because the restriction is applied by the system itself rather than by a written policy alone. Although auditing and monitoring are both logical controls and are frequently mentioned together, they are distinct: auditing is a one-time or ongoing process for assessing security, whereas monitoring is a continuous process that watches the system or its users.

Physical controls
Physical controls are put in place to safeguard an organization's assets and personnel. Personnel safety should take precedence over all other concerns. Perimeter security, badges, swipe cards, guards, dogs, mantraps, biometrics, and cabling are all types of physical controls.

Security control frameworks
To assist security professionals, several organizations have established security management frameworks and methodologies: security program development standards, enterprise and security architecture development frameworks, security control catalogs, development methodologies, corporate governance methods, and process management methods, among others. Because frameworks, standards, and methodologies are all related, they are discussed together.
Standards are considered best practices, whereas frameworks are commonly used practices. Frameworks are generic, whereas standards are specific.
A methodology is a set of practices, techniques, processes, and rules followed by people who work in a certain field. Based on the demands of its stakeholders, an organization should choose the framework, standard, and/or methodology that best fits it.

ISO/IEC 27000 series
ISO/IEC 27000 is a security program development standard that describes how to create and maintain an information security management system (ISMS); strictly speaking it is a standard rather than a framework. The 27000 series consists of several standards, each focusing on a different component of an ISMS. These standards have either been published or are in development, as shown below:


Figure: ISO 27000 Series

Zachman Framework
The Zachman Framework is an enterprise architecture framework: a two-dimensional classification scheme that intersects six communication questions (what, where, when, why, who, and how) with six points of view (executive, business management, architect, engineer, technician, and enterprise). This approach allows an analysis of an organization to be presented to different groups within it in a way that is relevant to their responsibilities. Although the framework is not security-oriented, it can help you relay information to workers in the language and format they prefer.

The Open Group Architecture Framework (TOGAF)
TOGAF, another enterprise architecture framework, assists businesses in the design, planning, implementation, and governance of an enterprise information architecture. TOGAF is made up of four interconnected domains (business, data, applications, and technology), as shown below:


Figure: TOGAF

CIS critical security controls
The CIS Critical Security Controls, published by the Center for Internet Security (CIS), are a list of 18 controls (in version 8) that recommend a set of concrete and effective cybersecurity practices to stop today's most pervasive and dangerous attacks. SANS provides training, research, and certification that support the CIS Controls. Backward compatibility with earlier versions is also provided, along with a migration path for users of previous versions to upgrade to v8, as shown below:



Figure: CIS version 8

Information Technology Infrastructure Library (ITIL)
ITIL was originally developed by the UK government's Central Computer and Telecommunications Agency (CCTA) as a process management standard for IT service management; it is now maintained by AXELOS.

The five core ITIL books are ITIL Service Strategy, ITIL Service Design, ITIL Service Transition, ITIL Service Operation, and ITIL Continual Service Improvement. These five core volumes describe 26 processes.

Although ITIL has a security component, it is primarily focused on establishing service-level agreements (SLAs) between a company's IT department and its customers, as shown below:



Figure: ITIL Framework

Six Sigma
Six Sigma is a process improvement standard that incorporates two project methodologies based on the Plan-Do-Check-Act cycle popularized by W. Edwards Deming. Six Sigma was created to find and eliminate defects in manufacturing processes, but it can be applied to a variety of business tasks, including security.

The two Six Sigma project methodologies are as follows:
- DMAIC: Define, Measure, Analyze, Improve, and Control
- DMADV: Define, Measure, Analyze, Design, and Verify


Figure: DMAIC vs. DMADV

Capability Maturity Model Integration (CMMI)
CMMI is a method for improving processes in three areas: product and service development (CMMI for Development), service establishment and management (CMMI for Services), and product and service acquisition (CMMI for Acquisition).

All processes within each area of interest are assigned one of the following five maturity levels:
- Level 1: Initial
- Level 2: Managed
- Level 3: Defined
- Level 4: Quantitatively Managed
- Level 5: Optimizing

Extreme scenario planning/worst-case scenario
A company must do extreme scenario, or worst-case scenario, planning as part of any security strategy. This planning ensures that an organization can anticipate catastrophes and put adequate preparations in place before they happen. The first stage of worst-case scenario planning is to assess all threats and identify all actors that pose a major risk to the company.

Examples of threat actors include the following:
- Internal actors: Reckless/untrained/disgruntled employee, partner, internal/government spy, vendor, thief
- External actors: Anarchist, competitor, data miner, irrational individual, legal adversary, mobster, activist, terrorist, vandal

These actors can be split into two types: non-hostile and hostile. Three of the actors in the preceding categories are generally regarded as non-hostile: the reckless employee, the untrained employee, and partners. All other actors should be regarded as hostile. The company must next assess each of these threat actors against a set of criteria. To help select which threat actors will be studied, each threat actor should be assigned a ranking.

The examples of some of the most commonly used criteria include the following:
- Skill level: None, minimal, operational, adept
- Resources: Individual, team, organization, government
- Limits: Code of conduct, legal, extra-legal (minor), extra-legal (major)
- Visibility: Overt, covert, clandestine, don’t care
- Objective: Copy, destroy, injure, take, don’t care
- Outcome: Theft, business advantage, damage, embarrassment, technical advantage

Using these criteria, the organization then decides which actors it wishes to investigate. For example, the organization may decide to examine all hostile actors with an adept skill level, organization- or government-level resources, and extra-legal (minor) or extra-legal (major) limits. The list is then narrowed to only the threat actors that meet all of these requirements.

The business must next establish what it truly cares about safeguarding. This is frequently determined using the FIPS 199 approach or a business impact analysis (BIA). Using the objective and outcome values from the threat actor analysis, together with the asset value and business impact information from the impact analysis, the company should pick the scenarios that might have a catastrophic impact on the firm. Scenarios must then be written up so they can be thoroughly assessed.

For example, a company could decide to investigate a scenario in which a hacktivist group conducts long-term denial-of-service attacks, producing extended disruptions that harm the company's reputation. A risk assessment should then be performed for each scenario. After all of the scenarios have been defined, the organization must create an attack tree for each one. The attack tree should contain all of the steps and/or conditions that must be met for the attack to succeed. The organization must then map security controls to the attack tree, consulting an industry catalog such as NIST SP 800-53 to identify the controls that could be implemented. Finally, the controls are mapped back onto the attack tree to ensure that they intervene at as many levels of the attack as feasible. As you can see, worst-case scenario planning is an art that takes practice and work to master. Candidates should concentrate on the procedure and the steps involved for the CASP+ exam rather than on how to execute the analysis and prepare the scenario documentation.
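The attack-tree and control-mapping steps above are easiest to see in code. The following Python is an added example, not from the page, from NIST, or from any CASP+ material: it models the hacktivist denial-of-service scenario as an AND/OR attack tree, maps controls to the nodes they block, and reports which combinations of leaf steps (attack paths) remain feasible for a given set of deployed controls. The tree's nodes and the control names are constructed sample input; the SP 800-53 identifiers attached to them (SC-5, Denial-of-Service Protection; SI-2, Flaw Remediation) are real control identifiers but the mapping to these particular nodes is an assumption made for illustration.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Set


@dataclass
class Node:
    """One step or condition in an attack tree.
    gate: "OR" (any child suffices), "AND" (all children required), or "LEAF".
    controls: names of security controls that, when deployed, block this node."""
    name: str
    gate: str = "LEAF"
    children: List["Node"] = field(default_factory=list)
    controls: Set[str] = field(default_factory=set)


def attack_paths(node: Node) -> List[FrozenSet[str]]:
    """Enumerate the sets of leaf steps that together achieve this node (cut sets)."""
    if node.gate == "LEAF":
        return [frozenset([node.name])]
    if node.gate == "OR":
        return [p for child in node.children for p in attack_paths(child)]
    if node.gate == "AND":
        combos = product(*(attack_paths(child) for child in node.children))
        return [frozenset().union(*combo) for combo in combos]
    raise ValueError(f"unknown gate {node.gate!r} on {node.name}")


def _leaves(node: Node) -> Set[str]:
    """All leaf step names under a node (leaf names are assumed unique in the tree)."""
    if node.gate == "LEAF":
        return {node.name}
    return set().union(*(_leaves(c) for c in node.children))


def path_blocked(node: Node, path: FrozenSet[str], deployed: Set[str]) -> bool:
    """True if a deployed control cuts this path somewhere between its leaves and this node.
    A control mapped to any node on the path blocks it; an AND node is cut if any
    of its children on the path is cut, an OR node only if all of them are."""
    if node.controls & deployed:
        return True
    if node.gate == "LEAF":
        return False
    on_path = [c for c in node.children if _leaves(c) & path]
    if node.gate == "AND":
        return any(path_blocked(c, path, deployed) for c in on_path)
    return all(path_blocked(c, path, deployed) for c in on_path)


def residual_paths(root: Node, deployed: Set[str]) -> List[FrozenSet[str]]:
    """Attack paths that remain feasible once the deployed controls are mapped onto the tree."""
    return [p for p in attack_paths(root) if not path_blocked(root, p, deployed)]


def coverage_report(root: Node, deployed: Set[str]) -> List[str]:
    """Human-readable list of the paths still open; an empty list means the root is blocked."""
    return [" + ".join(sorted(p)) for p in residual_paths(root, deployed)]


def dos_scenario_tree() -> Node:
    """Constructed sample tree for 'hacktivists cause a sustained web outage'."""
    return Node("sustained web outage", "OR", [
        Node("volumetric flood", "AND", [
            Node("recruit or rent a botnet"),
            Node("saturate upstream link", controls={"SC-5 upstream DDoS scrubbing"}),
        ]),
        Node("application-layer exhaustion", "AND", [
            Node("find an expensive endpoint"),
            Node("send sustained requests", controls={"SC-5 rate limiting / WAF"}),
        ]),
        Node("crash an unpatched service", controls={"SI-2 patch management"}),
    ])


if __name__ == "__main__":
    tree = dos_scenario_tree()
    stages = (set(),
              {"SC-5 upstream DDoS scrubbing"},
              {"SC-5 upstream DDoS scrubbing", "SC-5 rate limiting / WAF", "SI-2 patch management"})
    for controls in stages:
        print(sorted(controls) or "no controls", "->", coverage_report(tree, controls) or "root blocked")
```

Running the three stages shows the point of mapping controls back onto the tree: upstream scrubbing alone closes only the volumetric branch, and the outage stays reachable through the application-layer and unpatched-service branches until a control sits on every OR alternative.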

Conduct system-specific risk analysis
A risk assessment is a risk management tool that identifies vulnerabilities and threats, assesses their effect, and determines which controls to adopt.

Risk assessment or analysis has four main goals, which are as follows:
- Identify assets and asset value
- Identify vulnerabilities and threats
- Calculate threat probability and business impact
- Balance threat impact with countermeasure cost

Before beginning the risk assessment, management and the risk assessment team must first decide which assets and threats to evaluate; this step sets the scope of the project. The risk assessment team then reports to management on the value of the assets under consideration. Management can then review and finalize the asset list, adding and removing assets as needed, and set the budget for the risk assessment project.
For instance, suppose the sales division decides to adopt touchscreen technology and tablet PCs to boost efficiency, and a new sales application that works with the new technology will be built as part of the initiative. The chief security officer (CSO) sought to halt the deployment from the start because the technology was not supported in the organization, but upper management approved it. The CSO should now collaborate with the sales division and other stakeholders to properly document the risk across the new deployment's complete life cycle and to apply suitable controls and tactics during deployment. A risk assessment should be conducted before any merger or acquisition and before the deployment of new technology or applications. A risk assessment will not succeed unless it is endorsed and led by senior management, who must define its aim and scope and then assign personnel, time, and financial resources to the project.

Risk determination using known metrics
To make a risk determination, an organization must perform a formal risk analysis. Formal risk analysis often asks questions such as the following:
- What corporate assets need to be protected?
- What are the business needs of the organization?
- What outside threats are most likely to compromise network security?

Both types of risk analysis, qualitative and quantitative, should be used together to get the most out of the data obtained.

Qualitative risk analysis
Qualitative risk analysis does not assign monetary or numeric values to the elements of the risk analysis process. Its methodologies rely on intuition, experience, and best-practice procedures such as brainstorming, focus groups, surveys, questionnaires, meetings, interviews, and the Delphi technique, a structured method in which experts estimate the probability and outcome of future events anonymously over several rounds. Although any of these techniques may be employed, most companies choose the most suitable one(s) based on the threats being assessed. Participants need experience with and education about the threats involved.
Each member of the group chosen to participate in the qualitative risk analysis ranks the likelihood of each threat and the potential damage it could do, based on his or her own experience. After each group member ranks threat likelihood, loss potential, and safeguard benefit, the data is compiled into a report for management. Qualitative risk analysis has two advantages over quantitative risk analysis: it prioritizes risks and identifies opportunities for quick improvement in managing threats. Its disadvantages are that all of the outcomes are subjective and that no monetary value is produced for cost/benefit analysis or budgeting purposes.

Quantitative risk analysis
Quantitative risk analysis assigns monetary and numeric values to all elements of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, and safeguard costs. Total and residual risk are calculated using equations. Quantitative risk analysis has the benefit of requiring less guesswork than qualitative analysis; its disadvantages are the complexity of the calculations, the time and effort required to conduct the analysis, and the amount of data that must be gathered. Most risk assessments combine quantitative and qualitative analysis: most businesses prefer quantitative analysis for tangible assets and qualitative analysis for intangible assets. Keep in mind that although quantitative analysis uses numeric values, a purely quantitative analysis is impossible, since the input data always contains some element of subjectivity. Historical data, industry experience, and expert opinion should all inform this type of assessment.

Magnitude of impact based on ALE and SLE
Risk impact, also known as the magnitude of impact, is an estimate of how much harm a negative risk can do, or of the opportunity cost if a positive risk occurs. Risk impact can be expressed in monetary terms (quantitative) or on a subjective scale (qualitative). Risks are often graded on a scale devised by the organization: low-level risks result in small losses, whereas high-level risks result in considerable losses. When the magnitude of an impact can be described in monetary terms, expressing it as a monetary value has the advantage of being easy for employees to understand. Financial impact can include long-term costs in operations and support, loss of market share, short-term costs in additional effort, or opportunity costs. Two calculations are used to determine the magnitude of impact: single loss expectancy (SLE) and annualized loss expectancy (ALE).

SLE
SLE is the monetary loss expected from a single occurrence of a threat event. To calculate the SLE, you need to know the asset value (AV) and the exposure factor (EF). The EF is the percentage of an asset's value or functionality that will be lost if the threat event occurs.

The following is the formula for calculating the SLE:
SLE = AV x EF
Imagine a company that owns a web server farm with an AV of $20,000. If the risk assessment identifies a power outage as a threat to the web server farm, and the exposure factor for a power outage is 25%, the SLE for this event is $20,000 x 0.25 = $5,000.

ALE
ALE is the expected monetary loss from a given threat over one year. To calculate the ALE, you need the SLE and the annualized rate of occurrence (ARO), the estimated number of times the threat event occurs per year. The formula for calculating the ALE is as follows:
ALE = SLE x ARO

Using the previous example, if the risk assessment determines that the ARO for a web server farm power outage is 0.5 (one outage every two years), the ALE for this event is $5,000 x 0.5 = $2,500. The company can use the ALE to decide whether to implement controls. If the annual cost of a control protecting the web server farm exceeds the ALE, the organization might simply accept the risk and not deploy the control. If the annual cost of the control is less than the ALE, the organization should consider implementing it.
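The SLE and ALE arithmetic above, carried through to the control decision, as an added Python example (not code from the page): it computes SLE and ALE, ranks several threats by ALE so that budget goes to the largest expected loss first, and evaluates a proposed control with the standard safeguard cost/benefit formula, value = (ALE before the control) - (ALE after the control) - (annual cost of the control). That formula reduces to the page's rule (accept the risk when the control costs more than the ALE) in the case where the control removes the loss entirely. The web server farm figures are the page's own; the second threat and the two candidate controls are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # annualized rate of occurrence, events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_ef: Optional[float] = None   # EF once the control is in place; None = unchanged
    residual_aro: Optional[float] = None  # ARO once the control is in place; None = unchanged


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO (ARO may be below 1, e.g. 0.5 = once in two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(single_loss * aro, 2)


def threat_ale(t: Threat) -> float:
    return ale(sle(t.asset_value, t.exposure_factor), t.aro)


def residual_ale(t: Threat, c: Control) -> float:
    """ALE once the control is in place, using the residual EF/ARO it is expected to leave."""
    ef = t.exposure_factor if c.residual_ef is None else c.residual_ef
    aro = t.aro if c.residual_aro is None else c.residual_aro
    return ale(sle(t.asset_value, ef), aro)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Standard cost/benefit of a safeguard: (ALE before) - (ALE after) - (annual cost)."""
    return round(ale_before - ale_after - annual_cost, 2)


def recommend(t: Threat, c: Control) -> str:
    """Implement when the control pays for itself within a year; otherwise accept the risk
    (or look for a cheaper control, or transfer the risk, e.g. through insurance)."""
    before, after = threat_ale(t), residual_ale(t, c)
    value = safeguard_value(before, after, c.annual_cost)
    verdict = "implement" if value > 0 else "accept risk / reconsider"
    return f"{c.name}: ALE {before:.2f} -> {after:.2f}, cost {c.annual_cost:.2f}, value {value:.2f}: {verdict}"


def rank_by_ale(threats: List[Threat]) -> List[Threat]:
    """Highest annualized loss first."""
    return sorted(threats, key=threat_ale, reverse=True)


# Page's figures: web server farm AV $20,000, EF 25%, ARO 0.5 -> SLE 5,000, ALE 2,500.
WEB_FARM_OUTAGE = Threat("web farm power outage", 20_000, 0.25, 0.5)
# Constructed second threat for the ranking: ransomware on the same farm.
WEB_FARM_RANSOMWARE = Threat("web farm ransomware", 20_000, 0.80, 0.1)
# Constructed candidate controls for the outage threat.
UPS_AND_GENERATOR = Control("UPS + generator", annual_cost=1_500, residual_aro=0.1)
SECOND_FEED = Control("redundant utility feed", annual_cost=3_000, residual_aro=0.0)


if __name__ == "__main__":
    for t in rank_by_ale([WEB_FARM_OUTAGE, WEB_FARM_RANSOMWARE]):
        print(f"{t.name}: SLE {sle(t.asset_value, t.exposure_factor):.2f}, ALE {threat_ale(t):.2f}")
    print(recommend(WEB_FARM_OUTAGE, UPS_AND_GENERATOR))
    print(recommend(WEB_FARM_OUTAGE, SECOND_FEED))
```

The ransomware threat has a larger SLE ($16,000) than the outage but a lower ALE ($1,600 versus $2,500) because it is expected far less often, which is why ranking by ALE rather than by single-event loss is the usual basis for prioritizing spend. The redundant feed eliminates the outage loss entirely, yet at $3,000 a year it still costs more than the $2,500 ALE it removes, so the formula rejects it.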

Likelihood of threat
The likelihood of threat is an estimate of the probability that a given risk event will affect the company. Once each vulnerability and threat has been identified, its loss potential must be calculated. Loss potential combines the probability of an event with the impact that event would have. An event with a high probability and significant impact is prioritized over one with a low probability and low impact. Natural catastrophes have varying probabilities depending on location. Human-made threats, on the other hand, depend more on organizational characteristics such as visibility, location, and technology footprint. The levels used for threat likelihood are usually high, moderate, and low. Motivation, source, ARO, and trend analysis are commonly used to determine the likelihood of an event occurring.

Motivation
Both organizations and their attackers are influenced by motivation. Not every risk a company identifies has a motivation behind it. Natural catastrophes, for example, have no purpose or cause other than the climatic or other natural conditions that make them possible. Most human-made attacks, on the other hand, have motives. Understanding the motivations behind these risks is critical when selecting which risk management technique your company should use.

If your organization identifies any risks that are due to the actions of other people or organizations, these risks are usually motivated by the following:
- Acquisition/theft
- Business advantage
- Damage
- Embarrassment
- Technical advantage

Total cost of ownership
Organizational risks abound, ranging from easily insurable property hazards to risks that are difficult to predict and quantify, such as the loss of a key employee. The total cost of ownership (TCO) of risk is a metric that reflects the whole expense of running an organization’s risk management process, including insurance premiums, financing charges, administrative costs, and any losses. This figure should be weighed against the company’s entire revenue and asset base. TCO shows how an organization’s risk-related expenditures are changing in comparison to its overall growth rate.

TCO can also be compared to industry benchmarks provided by trade associations and industry organizations. Working with comparable businesses and industry specialists ensures that the company obtains relevant risk data; a financial organization’s risk TCO should not be compared to the TCOs of healthcare firms.

There are several benefits to calculating risk TCO. It can help companies identify anomalies in their risk management strategy, and it can reveal situations where risk management is overly aggressive compared with how similar risks are addressed elsewhere. Risk TCO may also save money in the long run by exposing inefficient risk management processes. Comparable risk TCO figures, on the other hand, are sometimes difficult to obtain, since many direct rivals guard this sensitive information; trade associations and industry standards organizations can often fill this gap. Also keep in mind that TCO may be perceived as a cost-cutting exercise, resulting in a lack of complete buy-in from employees.

When assessing risk TCO, a business should keep the following principles in mind:
- Determine a framework that will be used to break down costs into categories, including risk financing, risk administration, risk compliance costs, and self-insured losses
- Identify the category costs by expressing them as a percentage of overall organizational revenue
- Employ any data from trade bodies for comparison with each category’s figures
- Analyze any differences between your organization’s numbers and industry figures for reasons of occurrence
- Set future targets for each category

When calculating and analyzing risk TCO, you should remember the following basic rules:
- Industry benchmarks may not always be truly comparable to your organization’s data.
- Cover some minor risks within the organization.
- Employ risk management software to aid in decision-making because of the complex nature of risk management.
- Remember the value of risk management when budgeting. It is not merely a cost.
- Risk TCO does not immediately lead to cost savings. Savings occur over time.
- Not all possible solutions will rest within the organization. External specialists and insurance brokers may be needed.

Translate technical risks in business terms
Nontechnical staff frequently lack an accurate understanding of technical cybersecurity threats. Security professionals must close that knowledge gap in a way stakeholders can comprehend. To explain technical risks effectively, security professionals must first understand their audience and then translate those risks into business language that the audience understands. Semi-technical audiences, nontechnical leadership, the board of directors and executives, and regulators are among the people who need to understand technical risks. The semi-technical audience is aware of the challenges of security operations and therefore frequently includes strong allies. This audience typically needs a data-driven, high-level message based on verifiable facts and trends. The nontechnical leadership audience needs the message put in the context of their responsibilities; the cost of cybersecurity expenditures must be tied to business performance. Security professionals should present metrics that show how cyber risk is trending without relying on jargon. The board of directors and executives are primarily concerned with business risk management and return on assets. The message to this group should translate technical risk into common business terms and present metrics about cybersecurity risk and performance.
Finally, it is critical to be comprehensive and upfront when engaging with regulators. Before an audit, companies may choose to hire a third party to perform a gap analysis. This allows the third party to speak on behalf of the security program and helps security professionals identify and remediate problems prior to the audit. To translate technical risks into business terms for these audiences, security professionals should focus on business interruption, regulatory difficulties, and negative press. A severe interruption of business operations occurs when a company’s database is breached and the website can no longer offer items to customers. A regulatory issue arises if an incident results in a regulatory inquiry and penalty. Negative publicity can result in lost revenue as well as the expense of rebuilding the company’s reputation. Security professionals must understand risk metrics and the costs associated with each. Although they may not be able to predict the return on investment (ROI), they should consider the frequency of security incidents at the company and assign a cost in terms of risk exposure to each risk. To ensure that the organization’s investment is safeguarding its most important assets, it also helps to map each risk to the assets it affects.

Risk Appetite Strategy
The process of changing parts of an organization in response to risk analysis is known as risk reduction. After determining the ROI and TCO, an organization must decide how to handle each risk, which depends on the company’s risk appetite, or how much risk it is willing to carry itself. Avoid, transfer, mitigate, and accept are the four key strategies you must know for the CASP+ exam.

Avoid
The avoid strategy entails stopping a risky activity or adopting a less risky alternative. Regrettably, this strategy cannot be used to counter every risk. Organizations that use alternate data centers in separate geographic regions, so that a natural disaster cannot hit both facilities, are an example of avoidance. In many situations, it is nearly impossible to avoid the risk. Avoidance is difficult, for example, if a CEO acquires a new mobile device and demands internal network access from it. In this scenario, you would have to find a way to mitigate and/or transfer the risk.

Consider the following case:
A firm is in discussions to purchase another company for $1,000,000. Due diligence investigations revealed widespread security problems in the company’s flagship product. Because of the security vulnerabilities, a complete product rebuild is anticipated to cost $1,500,000. The corporation should not purchase the other company in this situation since the acquisition would cost $2,500,000 in total.

Transfer
In the transfer strategy, the risk is transferred to a third party, such as an insurance company. Outsourcing specific activities to a supplier, for example, frequently involves a third-party SLA. However, depending on the contract’s terms, the risk may still be borne by the original company. If your business intends to adopt this strategy, legal counsel should verify that the contract offers the level of protection required. Consider the following case:
A small firm has opted to boost its earnings by selling to the general public via an Internet system. This will be a short-term experiment at first. If the system proves successful, it will be enlarged and integrated into daily operations.

The following two main business risks for the initial trial have been raised:
- Internal IT staff have no experience with secure online credit card processing.
- An internal credit card processing system will expose the business to additional compliance requirements.
In this situation, it is best to transfer the initial risks by outsourcing the payment processing to a third-party service provider.

Mitigate
The mitigate strategy entails determining the organization’s acceptable risk threshold and reducing the risk to that level. This is the most widely used approach. Implementing security measures such as IDSs, IPSs, firewalls, and so on is part of this strategy. Consider the following case:
Three times a year, your firm’s web server suffers a security incident that costs the organization $1,500 in downtime each time. The web server will be deactivated in five years and thereafter used only for archival access. The initial cost of software to prevent these incidents would be $15,000, plus $1,000 per year in upkeep.

The cost of the security incident is calculated as follows:
($1,500 per occurrence × 3 per year) × 5 years = $22,500
The cost to prevent the problem is calculated as follows:
$15,000 software cost + ($1,000 maintenance × 5 years) = $20,000

In this situation, mitigation (implementing the software) is cheaper than accepting the risk.
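The SLE/ALE arithmetic from the earlier web server farm example and the five-year mitigation comparison above, carried through in Python as an added example (not code from the guide); the `Control` class and the decision helper are names assumed here:

```python
"""Worked SLE/ALE and control cost-benefit calculations.

Added example, not part of the original study guide. The two scenarios
reuse the guide's own figures: the $20,000 web server farm with a 25%
exposure factor and an ARO of 0.5, and the five-year web server case
with three $1,500 incidents per year against a $15,000 control plus
$1,000 annual upkeep.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. The exposure factor is a fraction between 0 and 1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may exceed 1 when an event recurs within a year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Control:
    """A candidate countermeasure with one-off and recurring costs (assumed shape)."""
    name: str
    upfront_cost: float
    annual_cost: float

    def total_cost(self, years: int) -> float:
        return self.upfront_cost + self.annual_cost * years


def control_decision(ale: float, control: Control, years: int = 1) -> str:
    """Apply the guide's rule: mitigate when the control costs less than the
    expected loss over the period, otherwise accept the risk."""
    expected_loss = ale * years
    return "mitigate" if control.total_cost(years) < expected_loss else "accept"


def web_server_farm_example() -> dict:
    """Guide's SLE/ALE example: $20,000 AV, 25% EF, ARO 0.5."""
    sle = single_loss_expectancy(20_000, 0.25)
    ale = annualized_loss_expectancy(sle, 0.5)
    return {"sle": sle, "ale": ale}


def mitigate_example() -> dict:
    """Guide's mitigate example: three $1,500 incidents per year over five years."""
    ale = annualized_loss_expectancy(1_500, 3)
    control = Control("prevention software", upfront_cost=15_000, annual_cost=1_000)
    years = 5
    return {
        "loss_over_period": ale * years,
        "control_cost": control.total_cost(years),
        "decision": control_decision(ale, control, years),
    }


if __name__ == "__main__":
    print(web_server_farm_example())   # {'sle': 5000.0, 'ale': 2500.0}
    print(mitigate_example())          # loss 22500 vs control 20000 -> mitigate
```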

Accept
Understanding and accepting the amount of risk as well as the cost of potential losses is part of the accept approach. This method is typically employed to protect against residual risk. It’s often used for assets with low exposure or value. However, an organization may be forced to accept risks if the funding set aside for establishing measures to defend against risks has been spent. Accepting risk is acceptable if the risks and assets are low-profile. However, if they are deemed high-profile hazards, the management should be notified that more funding is required to minimize the risks.

Risk management processes
According to NIST SP 800-30 Rev. 1, automated risk assessment tools, questionnaires, interviews, and policy document reviews are standard information-gathering techniques used in risk analysis. When determining the risks associated with a particular asset, keep in mind that several sources should be used.

NIST SP 800-30 identifies the following steps in the risk assessment process:
Step 1: Prepare for the assessment.
Step 2: Conduct the assessment.
- Identify threat sources and events.
- Identify vulnerabilities and predisposing conditions.
- Determine the likelihood of occurrence.
- Determine the magnitude of the impact.
- Determine risk as a combination of likelihood and impact.
Step 3: Communicate the results.
Step 4: Maintain the assessment.
Asset appraisal, vulnerability identification, and threat identification are all part of the risk management process. Exemptions, deterrents, inherent risk, and residual risk must all be understood by security experts.

Information and asset value and costs
As noted earlier, identifying assets and determining their value is the first stage in any risk assessment. Assets may be tangible or intangible. Computers, facilities, materials, and staff are examples of tangible assets. Intellectual property, data, and corporate reputation are examples of intangible assets. The asset’s worth should be assessed from the asset owner’s perspective.

The following six considerations can be used to determine an asset’s value:
- Value to owner
- Work required to develop or obtain the asset
- Costs to maintain the asset
- Damage that would result if the asset were lost
- The cost that competitors would pay for the asset
- Penalties that would result if the asset were lost
After determining the value of the assets, you should determine the vulnerabilities and threats to each asset.

Vulnerabilities and threats identification
When determining vulnerabilities and threats to an asset, it is often easiest to consider the threat agents first. Threat agents can be grouped into the following six categories:
- Human: This category includes both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel.
- Natural: This category includes floods, fires, tornadoes, hurricanes, earthquakes, and other natural disasters or weather events.
- Technical: This category includes hardware and software failure, malicious code, and new technologies.
- Physical: This category includes CCTV issues, perimeter measures failure, and biometric failure.
- Environmental: This category includes power and other utility failures, traffic issues, biological warfare, and hazardous material issues (such as spillage).
- Operational: This category includes any process or procedure that can affect confidentiality, integrity, or availability (CIA).

Exemptions
While most businesses should conduct a full risk assessment and take steps to mitigate all threats, certain organizations are exempt from some risks owing to the nature of their operations or government regulations. The Environmental Protection Agency (EPA) in the United States, for example, has regulations governing the use and storage of specific chemicals such as ammonia and propane. Organizations that keep these substances in quantities above a specific threshold must adhere to the EPA’s accidental release prevention requirements and risk management program standards. These rules, however, do not apply to most farmers who use ammonia as a soil fertilizer, or to the use of propane at data distribution centers. In most circumstances, businesses should obtain legal advice to ensure that they are aware of any exemptions that may apply to them.

Deterrence
Deterrence is the use of the threat of punishment to dissuade people from taking specific actions. Many government entities use this risk management strategy by publishing legal notices that threaten unauthorized users with fines and/or imprisonment if they access their networks or systems. Organizations use comparable procedures, incorporating warning banners, on mail systems, e-commerce systems, and other systems that may hold private data.

Inherent
Inherent risk is risk to which no mitigating measures or treatments have been applied, because it is nearly impossible to prevent. Consider a determined attacker with the ability to physically enter an organization’s facilities. While numerous measures may be established to guard against this hazard, such as guards, CCTV, fences, locks, and biometrics, an organization cannot promise that this risk will never materialize if the attacker has the necessary capabilities. This is not to say that these measures, which are considered baseline controls, should not be implemented.

When possible, inherent risks should be identified for the following reasons:
- Knowing the risks helps identify critical controls.
- Audits can then be focused on critical controls.

Risks that are inherent but might have catastrophic repercussions can be exposed to more rigorous scenario testing. Risks that might have catastrophic implications can be made known to the organization’s board of directors and management.

Residual
It is impossible to completely avoid all risks, no matter how cautious a company is. The degree of risk that remains after safeguards or controls have been introduced is known as residual risk.

The following equation is used to represent residual risk:
Residual risk = Total risk – Countermeasures

This equation is conceptual rather than a formula for actual calculation.

Continuous improvement/monitoring
Any organization’s risk management must be continually improved and monitored. All changes to the enterprise must be tracked so that security specialists can analyze the risks those changes introduce. Security measures should be adjusted to address the changes as soon as feasible after they are deployed. If your company wishes to upgrade a vendor application, for example, security professionals must examine the application to determine how it affects enterprise security. Certain activities, including audit log collection and analysis, antivirus and malware signature updates, and application and operating system patching, should be automated to support continual improvement and monitoring. Change management, configuration management, control monitoring, and status reporting are all part of continuous monitoring. Security professionals should examine enterprise security measures regularly to ensure that modifications do not have a detrimental effect on the business. Management should establish a consistent risk lexicon and convey expectations clearly. Employees, particularly new recruits, must also receive training to ensure that they understand risk in the context of the company.

Business Continuity Planning (BCP)
Continuity planning entails determining the impact of a disaster and putting in place a workable recovery strategy for each function and system. Its main focus is on how to carry out organizational operations in the event of a disruption. BCP takes into account all elements of a disaster’s impact, including functions, systems, employees, and facilities. It identifies and prioritizes the services that are required, with a focus on telecommunications and information technology. Developing a Business Continuity Plan (BCP) is critical to ensure that the company can recover from a disaster or disruptive incident. For business continuity, several organizations have set standards and best practices. Many common components and actions are included in these standards and best practices. The people components, project scope, and business continuity tasks that must be accomplished are covered in the following areas.

Personnel components
The most significant people in the development of the BCP are senior management. Senior management support for business continuity and disaster recovery drives the overarching organizational view of the process; the process will fail without it. Senior management determines the overall goals of business continuity and disaster recovery. The BCP committee should be led by a business continuity coordinator appointed by senior management. The committee develops, implements, and tests the BCP and the disaster recovery plan (DRP). Each business unit should have a representative on the BCP committee, and the committee should include at least one member of senior management. Furthermore, because of the critical responsibilities that the IT, legal, security, and communications departments carry during and after a crisis, the business should ensure that they are represented. Under management’s supervision, the BCP committee must engage with business units to define business continuity and disaster recovery priorities. Senior business unit managers must identify and prioritize time-critical systems. Once all components of the plans are complete, the BCP committee should be tasked with evaluating them regularly to ensure that they stay current and sustainable. All business continuity measures should be actively monitored and controlled by senior management, and accomplishments should be publicly recognized. Other teams become involved when an organization begins disaster recovery planning.

Project scope
Senior management must establish the BCP scope for the BCP development to be effective. A business continuity project with an unbounded scope is frequently too big for the BCP committee to handle properly. As a result, the senior management may need to divide the business continuity project into smaller, easier-to-manage chunks. When it comes to dividing the BCP into portions, an organization may decide to do so depending on the geographic location or facility. However, an enterprise-wide BCP should be developed to ensure the compatibility of the individual plans.

The following list summarizes the BCP steps:
Step 1: Develop a contingency planning policy.
Step 2: Conduct business impact analysis (BIA).
Step 3: Identify preventive controls.
Step 4: Create contingency strategies.
Step 5: Develop an information system contingency plan.
Step 6: Test, train, and exercise.
Step 7: Maintain the plan.

Conduct the BIA
The goal of the BIA is to link the system to the important mission/business activities and services it provides and then define the repercussions of a disruption based on that knowledge. The BIA is the most important factor in the development of a BCP. It helps an organization determine the impact a disruptive event would have on it. It is a management-level examination that determines the impact of a company’s resources being lost.

The four main steps of the BIA are as follows:
Step 1: Identify critical processes and resources.
Step 2: Identify outage impacts and estimate downtime.
Step 3: Identify resource requirements.
Step 4: Identify recovery priorities.
The BIA relies heavily on any vulnerability analysis and risk assessment that has already been conducted. The BCP committee or a separately constituted risk assessment team can perform the vulnerability analysis and risk assessment.

As part of determining how critical an asset is, you need to understand the following terms:
- Maximum tolerable downtime (MTD): The maximum amount of time that an organization can tolerate a single resource or function being down. This is also referred to as the maximum period time of disruption (MPTD).
- Mean time to repair (MTTR): The average time required to repair a single resource or function when a disaster or disruption occurs.
- Mean time between failures (MTBF): The estimated amount of time a device will operate before a failure occurs. This amount is calculated by the device vendor. System reliability is increased by a higher MTBF and lower MTTR.
- Recovery time objective (RTO): The shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences. RTO assumes that an acceptable period of downtime exists. RTO should be smaller than MTD.
- Work recovery time (WRT): The difference between the MTD and the RTO, i.e., the time remaining after the RTO before the maximum tolerable downtime is reached.
- Recovery point objective (RPO): The point in time to which the disrupted resource or function must be returned.
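The MTD/RTO/WRT relationships above, checked for consistency and used to order recovery, as an added Python example that is not from the guide; the systems and their figures are constructed, and ordering recovery by shortest MTD first is an assumed rule, not one the guide states:

```python
"""Consistency checks and recovery ordering for BIA timing metrics.

Added example, not from the study guide. The four systems and their
MTD/RTO/RPO figures are constructed. The checks apply the guide's rules
(RTO must be smaller than MTD; WRT = MTD - RTO); recovering the system
with the shortest MTD first is an assumed prioritization rule.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BiaEntry:
    system: str
    mtd_hours: float   # maximum tolerable downtime (MTD, also MPTD)
    rto_hours: float   # recovery time objective
    rpo_hours: float   # recovery point objective: acceptable data-loss window


def work_recovery_time(entry: BiaEntry) -> float:
    """WRT = MTD - RTO: the time left, once systems are restored, to verify
    data and resume normal operations before the MTD is exceeded."""
    return entry.mtd_hours - entry.rto_hours


def validate(entry: BiaEntry) -> List[str]:
    """Return findings for one entry; an empty list means it is consistent."""
    findings = []
    if entry.rto_hours >= entry.mtd_hours:
        findings.append(
            f"{entry.system}: RTO {entry.rto_hours}h must be smaller than MTD {entry.mtd_hours}h"
        )
    if entry.mtd_hours <= 0 or entry.rto_hours < 0 or entry.rpo_hours < 0:
        findings.append(f"{entry.system}: timing values must be positive")
    return findings


def recovery_priorities(entries: List[BiaEntry]) -> List[str]:
    """Recovery order: shortest MTD first, ties broken by shortest RTO (assumed rule)."""
    ordered = sorted(entries, key=lambda e: (e.mtd_hours, e.rto_hours))
    return [e.system for e in ordered]


def example_entries() -> List[BiaEntry]:
    """Constructed BIA data for illustration only."""
    return [
        BiaEntry("customer portal", mtd_hours=24, rto_hours=8, rpo_hours=1),
        BiaEntry("payment gateway", mtd_hours=4, rto_hours=2, rpo_hours=0.25),
        BiaEntry("hr intranet", mtd_hours=72, rto_hours=72, rpo_hours=24),  # RTO == MTD: no WRT left
        BiaEntry("archive server", mtd_hours=240, rto_hours=48, rpo_hours=168),
    ]


def bia_report(entries: List[BiaEntry]) -> Dict[str, object]:
    """Summarize WRT per system, consistency findings and recovery order."""
    return {
        "wrt_hours": {e.system: work_recovery_time(e) for e in entries},
        "findings": [f for e in entries for f in validate(e)],
        "priorities": recovery_priorities(entries),
    }


if __name__ == "__main__":
    for key, value in bia_report(example_entries()).items():
        print(f"{key}: {value}")
```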

IT governance
Information security governance is made up of numerous components that work together to provide comprehensive security management within a company. Data and other assets should be safeguarded primarily on the basis of their monetary value and sensitivity. Long-term security actions (3–5 years or more) are guided by strategic plans. Tactical plans accomplish the strategic plan’s objectives in a shorter period of time (6–18 months). Management consent must be gained early in the process of establishing and adopting an information security policy since the management is the most crucial link in the computer security chain.

Senior management must take the following measures prior to the development of any organizational security policy:
- Define the scope of the security program.
- Identify all the assets that need protection.
- Determine the level of protection that each asset needs.
- Determine personnel responsibilities.
- Develop consequences for noncompliance with the security policy.

Senior management assumes responsibility for an organization’s security by fully embracing an organizational security policy. Senior management’s intention to assist security is expressed through high-level policies. The first stage in developing an information security program is to adopt an organizational information security statement after receiving approval from top management. The security planning process must specify how security will be managed, who will be in charge of setting up and monitoring compliance, how security measures will be evaluated for effectiveness, who will be engaged in defining the security policy, and where the security policy will be developed. Risk management frameworks must be understood by security experts, and companies must follow the right risk management frameworks. They must also comprehend the components of organizational governance and how they interact to ensure governance. To create a complete security plan, security professionals must understand how the information security components interact.

Information security governance components include the following:
- Policies
- Processes
- Procedures
- Standards
- Guidelines

Policies
A security policy specifies the function of security as determined by the senior management and is strategic in nature, i.e., it specifies the security outcome. Policies are classified according to two factors – the organizational level at which they are implemented and the category to which they apply. Policies must be broad in scope, i.e., they must not be tied to a single technology or security solution. Policies define objectives but do not provide details on how to achieve them. Each policy must have an exception section to guarantee that the management can handle scenarios that may need exceptions.
Policies are broad in scope and serve as the foundation for the establishment of security standards, baselines, guidelines, and procedures. Administrative, technical, and physical access controls complete the security program’s structure. Organizational security policies, system-specific security policies, and issue-specific security policies are the policy layers used in information security. Regulatory security policies, advisory security policies, and informational security policies are the three types of policies employed in information security. An organization’s highest-level security policy is called an organizational security policy.

The organizational security policy is guided by business objectives, contains general directions, and should have the following components:
- Define the overall goals of the security policy.
- Define the overall steps and the importance of security.
- Define a security framework to meet the business goals.

Processes
A process is a set of actions or steps taken to accomplish a certain goal. Organizations define individual processes and their interrelationships. An organization may, for example, design a process for how consumers place online purchases, how payments are handled, and how items are delivered once payments are completed. While each of these processes is distinct and has its own set of responsibilities, they all rely on one another to get the job done. A procedure outlines how to accomplish a goal or finish a task. Procedures are created as a result of processes.

Procedures
Procedures are the closest to the computers and other devices and contain all the particular activities that workers are expected to follow. Procedures commonly take the form of step-by-step listings describing how policies, processes, standards, and guidelines are applied.

Standards
Standards describe how policies are implemented within an organization. They are tactically oriented, mandatory actions or rules that give procedures the essentials needed to accomplish security. Standards, like policies, should be evaluated and amended on a regular basis.

Guidelines
Guidelines are suggestions for activities that are far more flexible than standards, allowing for unforeseen scenarios. When standards aren’t applicable, guidelines give direction.

Baselines
A baseline is a measured and recorded reference point against which future measurements are compared. While it is critical to capture baselines, it is equally critical to use them to assess the security condition. Even the most thorough baselines are worthless if they are never used. It is also crucial to take a baseline measurement at the right moment: baselines should be taken once a system has been properly configured and updated. When new baselines are created, they should be compared to the existing baselines, and adopting the new baselines based on the most recent data may be appropriate at that time.

Conclusion
In this guide, you learned about categorizing data types based on CIA and incorporating stakeholder input into CIA impact-level decisions. The process of selecting and implementing CIA-based controls and security control frameworks was also discussed. This guide discussed and analyzed risks based on systems and their attributes for security professionals to determine and communicate the identified risks in business terms.