CSSLP Tutorial: Module 01,Part 09 – Risk Mitigation and Review

CSSLP Tutorial: This section is about risk mitigation.

This section is about finding ways to make the residual risk acceptable to upper management; in other words, finding ways to manage the risk so as to reduce it or eliminate it altogether. First comes a conversation about whether the loss potential can be removed at all, then a conversation about how much of the day the system can be taken out of service for security maintenance while keeping that loss potential at a minimum. Last come the specific mitigation strategies for reducing risk so that the system remains uncompromised.

CSSLP Tutorial: First, ways for the residual risk to fall within an acceptable range

The first task is finding ways for the residual risk to fall within the range of acceptability of the client and senior management. At some point there has to be an acknowledgement that no system is 100% secure and that every system carries some degree of risk. Even if it is not strictly required of the administrator, it is a good idea to have conversations about how much downtime is tolerable. For the most part, it is largely impossible to eliminate risk one hundred percent.

Companies like Amazon and other large online providers can spend the money on security and on keeping the website running all the time with no downtime. These are big companies for which a minute of downtime can mean millions of dollars, so any period in which the website is down for maintenance or is not working properly represents a huge loss. Most websites and most organizations, however, have a higher tolerance for downtime. It is important for the administrator to negotiate windows for processing and maintenance of the website or of the system architecture.

CSSLP Tutorial: Because security costs can be high,

Because security costs can be high, everyday maintenance downtime can be reduced but never totally eliminated. Having risk mitigation strategies will help reduce the loss potential from others trying to compromise your system. The larger, more profitable service providers may have legitimate reasons to run over the complete 24-hour cycle, and they can spend the millions needed to keep their website and other infrastructure up 24 hours a day, every day. Most organizations, however, must decide on the basis of a cost-benefit analysis where and how much downtime they can tolerate, especially since they have a higher capacity to withstand it. There are three ways to reduce the overall loss potential: reduce, transfer, and accept.

The three main ways of risk mitigation are risk reduction, risk transference, and risk acceptance. Reducing the risk is accomplished in one of two ways: either do something to lessen the likelihood that the risk will occur, and/or lessen the impact the risk would have. The aim is to bring both down to a level that senior management can tolerate. If we either eliminate the risk completely or avoid it, the probability of a loss decreases. Risk avoidance is essentially similar to risk reduction, but at the extreme end of the spectrum. Risk transference is the second method of risk mitigation.

CSSLP Tutorial: A good method for a risk mitigation strategy is to share the risk

A good risk mitigation strategy is to share the risk with someone else, as in risk transference. For example, we take out flood insurance on our house and it does turn out to flood this season. The costs of repair and replacement are then not squarely on the shoulders of the homeowner alone; instead, the loss is shared with the insurance company. We have not reduced the likelihood of flooding; that will happen regardless of what we decide or ask for.

Secondly, however much the flood damages the property is out of our hands as well. Regardless of whether we own flood insurance, if it is going to flood, it will do so, and if it damages the house by a certain amount, that is how much it was going to damage it. Again, this is regardless of what we do in terms of trying to transfer the risk. In the Information Technology (IT) world, service level agreements (SLAs) are another method of risk transference.

CSSLP Tutorial: In the IT field, as an example

In the IT field, as an example, suppose a vendor does not meet the agreed service levels because they are late quite a few times. We modify the contract with a countermeasure: each time they are late, the vendor returns 1% of the value of the contract. This change is written into the contract when it is modified. We want to protect the assets to the degree that is covered under the warranty. All of these are forms of risk transference.

CSSLP Tutorial: Risk transference is one methodology

Risk transference is one methodology; another mitigation strategy, however, is simply to accept the risk. When the loss potential is less than what it would cost to protect my system, program, or product, we just accept the risk. This third mitigation strategy is used when the protection costs more than the original asset is worth. This is risk acceptance, and in this strategy we basically do nothing. We have made the choice to allow the risk to exist, and we document and maintain a paper trail giving the reasons for not implementing a strategy. The documentation and paper trail help us avoid liability, even though we actually implement nothing.

CSSLP Tutorial: Implementation

Two concepts worth mentioning have to do with, first, the true estimate of value and, second, risk rejection. The true estimate can be gleaned from a previous example, from Part 6 of Module 1, where a laptop had a depreciated value of $250. However, the programs and other data that had been created, collected, or installed on it also needed to be taken into account.

Other considerations are highly confidential data covered by HIPAA or by any of the other laws, regulations, standards, and similar rules that you would violate if you disposed of the laptop without first removing the data. Because of the types of data that could cause problems if compromised, the asset has far more value than just the hardware of the laptop, and if you do not consider all of these elements, your decision making could be skewed.

Concepts worth mentioning

So, the first concept here is to find the true estimate of the value. Secondly, there is a concept worth mentioning associated with risk rejection. This is like the ostrich sticking its head in the sand: not only is there no action, but there is no paper trail either. This is the worst possible scenario. Many organizations just say that they do not want to hear it. There is no investigation and no means of evaluating the loss potential; they do not work through it or really deal with it at the time. To stay on our toes about risk mitigation, we should avoid risk rejection altogether and use any one of the other strategies discussed.

Risk rejection is simply not allowable or acceptable to any thinking person of ethics. The three main risk mitigation strategies are reduction, transference, and acceptance. To wrap up this main section on risk mitigation: reduction is lessening the probability and/or the impact; acceptance is when someone chooses not to implement a risk strategy but diligently maintains the documentation and paper trail; and transference is where we look for someone to share the costs of the loss potential with us, as in SLAs or the flood insurance example. In the next section, we will review elements and aspects of risk management. Some may seem familiar and some may seem new, but they should all tie back to material we have already gone over.

So, some of that previous material is associated with definitions and terms

Some of that previous material is associated with definitions and terms related to risk. Total risk is what exists before any kind of control or risk mitigation strategy is employed: if we do nothing, it tells us how much money we could lose, for example if no backup system is in place. Residual risk is the portion left over once a strategy is in place. There may be times when you have to apply multiple strategies,

but some risk will still remain, and that part is not removable at all. Secondary risk is when we respond with a strategy and it, in turn, triggers another risk event. The next few statements are conceptual rather than actual calculations: the threats, the vulnerabilities, and the asset all come together to make up the total risk, and total risk combined with the control element gives the residual risk. These are just a few additional terms when it comes to risk and risk management.
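The following is an added example, not part of the tutorial, that turns the terms above (true asset value, total risk, residual risk after controls) and the earlier decision rule (accept when protection costs more than the loss it prevents; transfer when someone else absorbs part of the loss) into a small cost-benefit model. The laptop's $250 hardware value comes from the tutorial; the data value, loss probability, control and insurance figures are constructed assumptions, as are all the class and function names.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Asset:
    hardware_value: float   # replacement cost of the physical item
    data_value: float       # programs and data on it, including regulatory exposure
    def true_value(self) -> float:
        # The "true estimate": hardware alone understates what is at risk.
        return self.hardware_value + self.data_value

@dataclass
class Control:
    annual_cost: float
    likelihood_reduction: float = 0.0   # fraction by which the chance of loss drops
    impact_reduction: float = 0.0       # fraction by which the loss per event drops
@dataclass
class Transfer:
    annual_cost: float      # premium or contract cost
    share_covered: float    # fraction of each loss the other party absorbs; likelihood unchanged

def total_risk(asset: Asset, probability: float) -> float:
    # Exposure before any control: chance of loss times the asset's true value.
    return probability * asset.true_value()

def residual_risk(asset: Asset, probability: float, controls: List[Control]) -> float:
    # Exposure left after each control trims likelihood and/or impact.
    p, impact = probability, asset.true_value()
    for c in controls:
        p *= 1.0 - c.likelihood_reduction
        impact *= 1.0 - c.impact_reduction
    return p * impact

def expected_cost(asset: Asset, probability: float, control: Control, transfer: Transfer) -> Dict[str, float]:
    # Expected annual cost of each strategy: remaining exposure plus the strategy's own cost.
    base = total_risk(asset, probability)
    return {
        "accept": base,  # do nothing, but document why
        "reduce": residual_risk(asset, probability, [control]) + control.annual_cost,
        "transfer": base * (1.0 - transfer.share_covered) + transfer.annual_cost,
    }

def choose_strategy(asset: Asset, probability: float, control: Control, transfer: Transfer) -> str:
    # The tutorial's rule: if protection costs more than the loss it prevents, accept instead.
    costs = expected_cost(asset, probability, control, transfer)
    return min(costs, key=costs.get)

LAPTOP = Asset(hardware_value=250.0, data_value=20_000.0)       # $250 laptop from Part 6; data value assumed
ENCRYPTION = Control(annual_cost=50.0, impact_reduction=0.9)     # assumed full-disk encryption
INSURANCE = Transfer(annual_cost=300.0, share_covered=0.8)       # assumed insurance policy
LOSS_PROBABILITY = 0.1                                           # assumed yearly chance of losing the laptop
```

With these figures the total risk is $2,025 a year; encryption brings the expected cost to $252.50, insurance to $705, so reduction wins, while a control costing more than the exposure flips the answer to acceptance.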

CSSLP Tutorial: As you recall, there are three main elements of risk and monitoring.

These are the steps of risk assessment, risk analysis, and risk mitigation. Risk assessment is where we identify and evaluate the assets. It can be very difficult to put a dollar value on intangible assets, but we must do so to be able to carry out risk analysis. That step is where we list our risks based on qualitative and quantitative values, and the quantitative part of the risk analysis is what drives how much money we spend.

Conclusion

There are also the options to weigh for actually managing risk: reducing, accepting, or transferring it. The thing to bear in mind about risk is that you cannot totally remove it; it is manageable, but not completely removable. To wrap up this review section, there are also the definitions and terms for the different types of risk. There was also a discussion of the various risk models; while there are more out there, the ones covered here are at least some basic types. We will talk more about governance and compliance in the next section, which starts Module 2.