Risk management 2 - Practical concepts

2025/2026 - Material freely taken, adapted and summarised from Prof. Zatti.

Disclaimer

These notes, like all my notes on the site, are shared “as is”. They may contain errors, inaccuracies or missing parts. Use them at your own risk. I take no responsibility if you use them as your only source and then the exam goes badly, you get negative results, confusion or any other consequence arising from the use of this material. In short: study with your head, not only with these notes.

Thanks for your support

If these notes have been useful to you, you can buy me a coffee by clicking here

Classic definitions

  • Risk: effect of uncertainty on objectives (ISO 31000)
  • Enterprise Risk Management (ERM) has a broader scope (beyond cyber risks)
  • In business, risk management is defined as the process of identifying, monitoring and managing potential risks in order to minimize the negative impact they may have on an organization.

Examples of potential risks include security breaches, data loss, cyber attacks, system failures and natural disasters. An effective risk management process helps identify which risks pose the biggest threat to an organization and provides guidelines for handling them with the most appropriate level of resources.

  • The risk management process consists of three parts: risk identification and analysis, risk evaluation and risk treatment.

3 steps of risk management

  1. Risk Identification & Analysis

    • A risk assessment evaluates an organization’s exposure to uncertain events that could impact its day-to-day operations and estimates the damage those events could have on revenue and reputation.
  2. Risk Evaluation

    • A risk evaluation compares estimated risks against risk criteria that the organization has already established. Risk criteria can include associated costs and benefits, socio-economic factors, legal requirements and system malfunctions.
  3. Risk Treatment & Response

    • Risk treatment is the implementation of policies and procedures that help avoid or minimize risks. It also extends to risk transfer and risk avoidance. In the end, residual risks can be accepted.

The ISO 27X Standards Family

  • ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements
  • ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection – Guidance on managing information security risks
  • ISO/IEC 27032:2023 Cybersecurity — Guidelines for Internet Security

ISO 27000 and 27001

  • standards for IT and communications
  • PDCA: Plan Do Check Act cycle
  • spend as much as you need to counter your risks
  • protect the CIA triad

In simple words, these are the main steps you need to take:

  • Define the scope: Decide which parts of your company the security system (ISMS) covers.

  • Assess risks: Identify dangers, separating those you control directly from those you don’t.

  • Choose remedies: Decide which security measures to put in place.

  • Write the justification (SoA): List why you chose those specific remedies.

  • Reassess regularly: Check periodically if risks have changed.

  • Management must push: Leaders must actively support everything.

  • Do internal audits: Internal checks to see if it’s working.

  • Measure if it works: Verify effectiveness with concrete data.

  • Manage everything else: Document everything, assign responsibilities, continuously improve, fix problems.

27001:2013 vs 27001:2022

| Area | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Context & Scope | Basic context identification | Must identify “relevant” interested parties’ requirements; ISMS explicitly includes processes and interactions |
| Planning | Security objectives defined | Objectives monitored as documented info; new section for planning ISMS changes |
| Support | Communication processes defined | Shift to “how to communicate” instead of who/processes |
| Operation | Basic operational planning | Process criteria for Clause 6 actions; control externally provided processes/services |
| Performance Eval | Basic monitoring methods | Methods must be comparable/reproducible; management review includes parties’ changing needs |
| Annex A Controls | 114 controls (aligned with 27002:2013) | 93 revised controls (aligned with ISO 27002:2022) |

ISMS

Information Security Management System: systematic approach to managing sensitive information so that it remains secure

ISO 27032:2023

Cybersecurity — Guidelines for Internet security

The focus of this document is to address Internet security issues and provide guidance for addressing common Internet security threats, such as:

  • social engineering attacks;
  • zero-day attacks;
  • privacy attacks;
  • hacking; and
  • the proliferation of malicious software (malware), spyware and other potentially unwanted software

Aspects to remember when considering the goals and objectives of Cybersecurity

  • protect the overall security of the Cyberspace;
  • plan for emergencies and crises through participation in exercises, and update response plans and plans for continuity of operations;
  • educate stakeholders on Cybersecurity and risk management practices;
  • ensure timely, relevant and accurate threat information sharing between law enforcement and intelligence communities and key decision makers relevant to the Cyberspace
  • establish effective cross-sector and cross-stakeholder coordination mechanisms to address critical interdependencies, including incident situational awareness and cross-sector and cross-stakeholder incident management

In detail

  • Organizations should develop policies, procedures and a response capability: define rules for which services may be exposed, identify threats, vulnerabilities, attack vectors and their risks, define the roles and responsibilities of the various users of the Internet, conduct user awareness on safe practices, and test the infrastructure.

  • Organizations must develop policies on who may use the Internet and its services, and rules to control physical and logical access to information. They must also keep the entire organization updated on the latest threats.

  • An incident management team (IMT, i.e. a CERT), with a supporting incident response team, should be established to provide the organization with the capability for assessing, responding to and learning from incidents. It should detect and report the occurrence of security events, such as potential and actual incidents, by human or automatic means.

  • ICT components containing crucial assets must be adequately protected.

  • Organizations should also maintain an information asset register of where their information is processed, stored and transferred, regardless of location.

  • Organizations must implement security mechanisms to avoid outages and implement redundancy.

  • Before transmitting PII (personally identifiable information), organizations should assess the privacy risks of transferring this kind of information.

  • Organizations must regularly review their countermeasures, and document and monitor everything.

  • They must use antivirus and antimalware software and a DMZ, review system logs, and use cryptography both for communications and for devices.

  • They must adopt SDLC (secure development lifecycle) to identify and mitigate risks in products and solutions being developed

ISO 31000 vs 27000 vs 27005 vs NIST SP 800-30

Risk: effect of uncertainty on objectives (ISO 31000)

  • ISO 27000 - 2.71 risk assessment, overall process (2.61) of risk identification (2.75), risk analysis (2.70), and risk evaluation (2.74)
  • ISO 27005 Risk Assessment = Identification, Analysis and Evaluation
  • NIST SP 800-30 Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.

IS Risk Assessment

  • Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization’s security profile:

  • its strengths and weaknesses, its vulnerabilities and exposures

if you can’t measure it, you can’t manage it

Most important references

  • The most important references are:
    • ISO 31000
    • ISO 27004
    • OCTAVE
    • NIST SP 800-30
    • EBIOS
    • Mehari

ISO 27000 vs 27005:2023

| Term | ISO 27000 | ISO 27005:2022 |
|---|---|---|
| Risk | 2.68: Effect of uncertainty on objectives | 3.1.3: Effect of uncertainty on objectives |
| Threat | 2.83: Potential cause of unwanted incident (needs intention, capability, opportunity) | 3.1.9: Potential cause of info sec incident that can damage system/organization |
| Vulnerability | 2.89: Weakness of asset/control that threats can exploit | 3.1.10: Weakness of asset/control that can be exploited causing negative consequence |
| Control | 2.16: Measure that modifies risk | 3.1.16: Measure that maintains or modifies risk |
| NEW: Risk Owner | - | 3.1.5: Person/entity accountable for managing a risk |
| NEW: Risk Source | - | 3.1.6: Element that can give rise to risk |
| NEW: Risk Criteria | - | 3.1.7: Reference for evaluating risk significance |
| NEW: Risk Appetite | - | 3.1.8: Amount/type of risk organization willing to pursue/retain |

ISO 27005 places its emphasis on the ISMS.

Benefits of Risk Management

  • identify
  • assess consequences to business and likelihood of their occurrence
  • understand the consequences if the risks are communicated
  • establish a priority order for risk treatment and actions
  • stakeholders are notified
  • effectiveness of risk treatment monitoring
  • risk and risk management process being monitored and reviewed
  • managers and staff being educated about the risks and the actions taken to mitigate them

Risk acceptance criteria

Special criteria that determine whether a risk is acceptable or not. They are specific to each organization, depending on its goals, policies, objectives…

Qualitative vs Quantitative

  • qualitative: uses a scale of qualifying attributes to describe the magnitude of potential consequences (low, medium, high) and the likelihood that those consequences will occur.
    • it is useful as an initial screening activity to identify risks that require more detailed analysis
    • if possible, it should be based on information and data
      • pros: it’s easy to understand
      • cons: it depends on the subjective choice of the scale
  • quantitative: uses a scale with numerical values for both consequences and likelihood, using data from a variety of sources
    • in most cases it uses historical incident data
    • cons: lack of data in the case of new risks or information security weaknesses

IMPORTANT: ISO 27005 Risk Assessment

Information Security Risk Assessment = Risk Identification + Risk Analysis / Estimation + Risk Evaluation

  1. Risk Identification: characterized in terms of organizational conditions
    • identification of assets
    • identification of threats: incident reviewing, asset owners, asset users, external threats…
  2. Risk Analysis / Risk Estimation
    • specifies the measure of risk (qualitative / quantitative)
  3. Evaluation
    • compares and prioritizes risk level based on risk evaluation criteria and risk acceptance criteria

Workflow

  1. General description of ISRA
  2. Risk analysis: Risk Identification
    • in this phase we define assets, threats, existing controls (implementation, usage status), vulnerabilities, consequences (impact of the loss of CIA)
  3. Risk analysis: Risk Estimation
    • qualitative: high, medium, low
    • quantitative: $, hours…
    • assessment of consequences in terms of assets and impact criteria
    • level of risk estimation
  4. Risk Evaluation

Tables

Ranking of Threats by measure of risks

| Likelihood of Incident | Very Low Business Impact | Low Business Impact | Medium Business Impact | High Business Impact | Very High Business Impact |
|---|---|---|---|---|---|
| Very Low (Unlikely) | 0 | 1 | 2 | 3 | 4 |
| Low (Unlikely) | 1 | 2 | 3 | 4 | 5 |
| Medium (Possible) | 2 | 3 | 4 | 5 | 6 |
| High (Likely) | 3 | 4 | 5 | 6 | 7 |
| Very High (Very Likely) | 4 | 5 | 6 | 7 | 8 |

Ranking of threats in order of their associated measure of risks

| Threat Descriptor (a) | Consequence (asset value) (b) | Likelihood of occurrence (c) | Measure of risk (d) | Threat ranking (e) |
|---|---|---|---|---|
| Threat A | 2 | 5 | 10 | 2 |
| Threat C | 3 | 4 | 15 | 1 |
| Threat D | 4 | 1 | 4 | 4 |
| Threat F | 2 | 4 | 8 | 3 |

Likelihood of an incident scenario

| Likelihood of Threat | Low | Medium | High |
|---|---|---|---|
| Levels of Vulnerability L | 0 | 1 | 2 |
| Levels of Vulnerability M | 1 | 2 | 3 |
| Levels of Vulnerability H | 2 | 3 | 4 |

Decision table: should I accept the risk (A) and prepare recovery or (N) prepare countermeasure? Matrix of acceptance

| | Damage value 0 | Damage value 1 | Damage value 2 | Damage value 3 | Damage value 4 |
|---|---|---|---|---|---|
| Incident frequency value 0 | A | A | A | A | N |
| Incident frequency value 1 | A | A | A | N | N |
| Incident frequency value 2 | A | A | N | N | N |
| Incident frequency value 3 | A | N | N | N | N |
| Incident frequency value 4 | N | N | N | N | N |
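The three matrices above can be expressed compactly in code. The following is an added example (not from the original notes): it reproduces every cell as printed and chains the incident-scenario likelihood into the acceptance matrix, a mapping the notes only imply by placing the tables side by side, so it is labelled as an assumption.

```python
"""Qualitative matrices from the notes' tables, encoded as functions.

Added example, not part of the original notes. Observations the code relies on:
every cell of the first two tables equals row index + column index, and the
acceptance matrix answers "N" (prepare a countermeasure) exactly when
damage value + incident frequency value >= 4, otherwise "A" (accept, recover).
"""

LIKELIHOOD = ["very low", "low", "medium", "high", "very high"]
IMPACT = ["very low", "low", "medium", "high", "very high"]
THREAT_LIKELIHOOD = ["low", "medium", "high"]
VULNERABILITY = ["L", "M", "H"]


def risk_measure(likelihood: str, impact: str) -> int:
    """'Ranking of Threats by measure of risks': 0 (very low/very low) .. 8."""
    return LIKELIHOOD.index(likelihood) + IMPACT.index(impact)


def incident_likelihood(threat: str, vulnerability: str) -> int:
    """'Likelihood of an incident scenario': 0 (low threat, L vuln) .. 4."""
    return THREAT_LIKELIHOOD.index(threat) + VULNERABILITY.index(vulnerability)


def acceptance(damage: int, frequency: int) -> str:
    """Matrix of acceptance: 'A' accept and prepare recovery, 'N' countermeasure."""
    if not (0 <= damage <= 4 and 0 <= frequency <= 4):
        raise ValueError("damage and frequency values are on a 0-4 scale")
    return "N" if damage + frequency >= 4 else "A"


def decide(threat: str, vulnerability: str, damage: int) -> dict:
    """Chain the tables: threat + vulnerability -> incident frequency -> decision.

    Assumption (not stated in the notes): the incident-scenario likelihood
    (0-4) is used as the 'incident frequency value' of the acceptance matrix.
    """
    freq = incident_likelihood(threat, vulnerability)
    return {"frequency": freq, "decision": acceptance(damage, freq)}


def render_matrix(rows, cols, cell) -> str:
    """Regenerate a table as tab-separated text to check it against the notes."""
    lines = ["\t".join([""] + [str(c) for c in cols])]
    for r in rows:
        lines.append("\t".join([str(r)] + [str(cell(r, c)) for c in cols]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(LIKELIHOOD, IMPACT, risk_measure))
    print()
    # rows are frequency values, columns are damage values, as in the notes
    print(render_matrix(range(5), range(5), lambda f, d: acceptance(d, f)))
    # Constructed scenario: medium-likelihood threat, highly vulnerable asset,
    # damage value 2 -> frequency 3, and 3 + 2 >= 4 -> "N"
    print(decide("medium", "H", 2))
```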

Risk evaluation - quantitative

The formula is:

or

where:

  • T ⇒ threat: probability of potential exploitation of an existing weakness or of the absence of a security countermeasure (potential exploitation of an existing vulnerability), range: 0-1
  • Im ⇒ Impact: result (harm) of an unwanted incident, range: 0-10
  • ARO ⇒ Annual Rate of Occurrence: probability of such a risk happening in one year, range: 0-1
  • V ⇒ Asset value: the importance of the asset in terms of CIA on a scale, range: 1-3 (3 is the maximum)
  • R ⇒ Risk: combination of the probability of an event and its consequence, range: 0-30
  • NRV ⇒ Normalised Risk Value: obtained by dividing the risk by the total number of risks, scale: 0-1

NRV = Normalised Risk Value

NRV is a value obtained by dividing the risk by the total number of risks.

The Normalised Risk Value is evaluated as follows:

where is the maximum possible risk value

It is used to better understand what to do first and what’s more important.

Risk Acceptance

  • all risks that fall under a pre-established NRV are acceptable and can be retained. No action, only recovery if it happens.

  • the risk acceptance criterion for a specific system is (assuming a threshold NRV = 0.20):

    • all risks with NRV < 0.20 are accepted/retained
    • risks with NRV >= 0.20 are acted upon
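A worked computation of R, NRV and the acceptance criterion above, as an added example that is not part of the original notes. It assumes the product form R = T · Im · V, the combination of the stated ranges (T 0-1, Im 0-10, V 1-3) that yields the stated range 0-30 for R (ARO can replace T), and takes the maximum possible risk value R_max = 30 as the NRV denominator.

```python
"""Quantitative risk evaluation with the quantities defined in the notes.

Added example, not from the original notes. Assumed formulas:
    R   = T * Im * V        (or ARO * Im * V), range 0-30
    NRV = R / R_max         with R_max = 1 * 10 * 3 = 30, range 0-1
Acceptance criterion: NRV < threshold -> retained, NRV >= threshold -> acted upon.
"""
from dataclasses import dataclass
from typing import Iterable, List

R_MAX = 1.0 * 10 * 3  # maximum possible risk value given the ranges: 30


@dataclass
class Risk:
    name: str
    threat: float      # T (or ARO): probability of exploitation, 0-1
    impact: float      # Im: harm resulting from the unwanted incident, 0-10
    asset_value: int   # V: importance of the asset in CIA terms, 1-3

    def __post_init__(self) -> None:
        # Reject values outside the scales the notes define.
        if not 0.0 <= self.threat <= 1.0:
            raise ValueError(f"{self.name}: T/ARO must be in 0-1")
        if not 0.0 <= self.impact <= 10.0:
            raise ValueError(f"{self.name}: Im must be in 0-10")
        if self.asset_value not in (1, 2, 3):
            raise ValueError(f"{self.name}: V must be 1, 2 or 3")

    def risk(self) -> float:
        """R = T * Im * V (assumed product form, see module docstring)."""
        return self.threat * self.impact * self.asset_value

    def nrv(self) -> float:
        """Normalised Risk Value: R divided by the maximum possible risk value."""
        return self.risk() / R_MAX


def evaluate(risks: Iterable[Risk], threshold: float = 0.20) -> List[dict]:
    """Rank risks by NRV (highest first) and apply the acceptance criterion."""
    ranked = sorted(risks, key=lambda r: r.nrv(), reverse=True)
    return [
        {
            "name": r.name,
            "R": round(r.risk(), 2),
            "NRV": round(r.nrv(), 3),
            "action": "act" if r.nrv() >= threshold else "retain",
        }
        for r in ranked
    ]


# Constructed sample risk register (values invented for this example).
SAMPLE = [
    Risk("unpatched web server", threat=0.5, impact=8, asset_value=3),
    Risk("lost unencrypted laptop", threat=0.25, impact=6, asset_value=2),
    Risk("printer outage", threat=0.9, impact=1, asset_value=1),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```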

IS Risk Treatment: 4 options

  1. risk modification / mitigation
  2. risk acceptance
  3. risk avoidance
  4. risk sharing

The risk owner is the executive manager who accepts the risk, and will take care of the consequences and arrange recovery in case of disasters (business continuity framework)

In accordance with ISO 31000, risk should be shared among stakeholders, end users and the press/social media, in order to build responsibility and awareness and to align with ISO directives.


Tiers of risk management hierarchy

  1. Tier 1: organization
  2. Tier 2: mission / business processes
  3. Tier 3: information systems

FEEDBACK LOOP FOR CONTINUOUS IMPROVEMENT

NIST 800-30

NIST 800-30 vs ISO

The National Institute of Standards and Technology develops standards, guidelines, measurements and everything that can be useful for developing existing or new technology.

NIST and ISO work together to ensure new standards are suitable; however, the former are guidelines and purely theoretical, while the latter are real-case implementations.

What it says

Risk management process:

  1. frame risk: define policies (ISO 31000)
  2. assess risk: threats, vulnerabilities, harm and likelihood of risks
  3. respond: how to respond
  4. monitor: determine if everything has been correctly implemented

NIST 800-30 suggests how to prepare for risk assessments, how to conduct them, how to communicate their results to key organizational personnel and how to maintain them over time.

Risk assessment methodology typically includes:

  1. risk assessment process
  2. an explicit risk model, defining key terms and risk factors and the relationships among the factors
  3. assessment approach (quantitative, qualitative…)
  4. analysis approach (threat oriented, asset/impact-oriented, vulnerability oriented)

Warning

Risk assessment methodologies are defined by organizations and are a component of the risk management strategy developed during the risk framing step of the risk management process.

Organizations can use a single risk assessment methodology or can employ multiple assessment methodologies.

By making the risk model, approaches and so on explicit, organizations can increase the reproducibility and repeatability of risk assessments.

Definitions

  • Risk models define the risk factors to be assessed and the relationships among those factors.
  • Risk factors are characteristics used in risk models as inputs to determining levels of risk in risk assessments (threat, vulnerability, impact, likelihood, predisposing condition)
    • can be decomposed into more detailed characteristics, e.g. threat events and threat sources
  • Reproducibility refers to the ability of different experts to produce the same results from the same data.
  • Repeatability refers to the ability to repeat the assessment in the future, in a manner that is consistent with and hence comparable to prior assessments - enabling the organization to identify trends.

Control recommendations could pertain either to reducing the likelihood of a threat, or to mitigation of impact to reduce the risk score.

Framework

NIST - Cybersecurity Framework: A Quick Start Guide

  1. identify: what’s the most valuable asset (without it, your business would collapse)? What could be the risks? Document information flows and maintain hardware and software inventory. Policy establishment.
  2. protect: manage access (fine-grained, individual account per user) and ensure cryptography is used. Back up and test restore plans, protect devices (firewalls), update the operating system and applications. The best defense is prevention.
  3. detect: log monitoring
  4. respond: response plan must be tested BEFORE accidents and must be updated. Coordination and communication is essential with internal and external stakeholders.
  5. recovery: recovery plans must be tested BEFORE accidents. Communication with internal and external stakeholders. Manage public relations and company reputation.

Risk Management Framework

Like ISO 27005, it provides a structured process for managing security and privacy risk (control selection, implementation and assessment).

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

| Step | Tasks/Outcomes | Primary Responsibility | Supporting Roles | Examples |
|---|---|---|---|---|
| 1. Prepare | Establish risk roles/strategy; determine risk tolerance; update org risk assessment; create tailored baselines/profiles (P1-P5). | Head of Agency/Chief Information Officer | Authorizing Official, Risk Executive Function, Senior Agency InfoSec/Privacy Officers | “Company accepts moderate financial loss but zero tolerance for data breaches”; shared security controls list for all departments |
| 2. Categorize | Describe system; categorize by impact; document security/privacy plans; get approval (C1-C3). | System Owner | Authorizing Official/Senior Leader, Mission/Business Owner | “Customer database = High impact if confidentiality lost”; security plan documenting protection needs |
| 3. Select | Select/tailor/allocate controls; document planned actions; monitoring strategy approved (S1-S5). | System Owner | Security/Privacy Architect, Authorizing Official | “Select password complexity + two-factor for admin accounts”; continuous scanning schedule approved by leadership |
| 4. Implement | Implement controls per plans; use engineering methods; update plans with results (I1-I2). | System Owner | System Engineers/Admins, Configuration Management | “Install firewall blocking unauthorized ports”; “Deploy endpoint protection on all employee laptops”; update security plan with results |
| 5. Assess | Develop assessment plan; assess controls; produce reports (A1-A3). | Control Assessor | System Owner, Auditor | “Test if password policy prevents weak passwords”; “Run penetration test on web application”; generate compliance report with gaps |
| 6. Authorize | Prepare package; risk analysis; authorization decision; reporting (AU1-AU4). | Authorizing Official | System Owner, Risk Executive Function | “Leadership signs ‘Authorization to Operate’ accepting residual weak password risk”; risk summary presented to executives |
| 7. Monitor | Monitor changes/assessments; risk response; reporting; disposal planning (M1-M6). | System Owner | Security Operations, Privacy Officers, Authorizing Official | “Monthly vulnerability scans detect new server flaws”; “Quarterly executive dashboard on security posture”; data deletion plan for decommissioned app |

Methodologies

EBIOS

EBIOS is the French acronym for “Expression of Needs and Identification of Security Objectives”.

It is a risk management method related to information systems security (also known as INFOSEC). It was created in 1995 by the Central Service for the Security of Information Systems (SCSSI), the former name of the ANSSI (National Agency for the Security of Information Systems), which now maintains it.

The methodology has the following goals:

  • provide a common base of concepts and practical activities for anyone involved in risk management, particularly for information security.

  • satisfy the needs for the risk management of an ISMS, an information security management system ([ISO 27001]).

  • define a complete methodological approach that is consistent and in accordance with risk management international standards ([ISO 31000], [ISO 27005]…).

  • set up a reference for risk management skills certification.

The methodology is subdivided into five steps:

  1. Study of the context
  2. Study of the feared events
  3. Study of threat scenarios
  4. Study of the risks
  5. Study of the controls

Usually we have:

  • feared event (description)
  • sensitivity (time)
  • threat sources (what potentially could be the cause of the feared event)
  • impacts (consequences, what this could lead to)
  • consequences (1 negligible, 2 limited, 3 important, 4 critical)

example:

  • compromising of the website content - sensitivity: public - consequences: negligible
  • alteration of an estimate - sensitivity: uncorrupted - threat sources: unprofessional employee, competitor - impacts: loss of a contract, loss of credibility, legal proceedings against the company - consequences: important

EBIOS-RM is a method that can be used for reinforcing an already existing process, assessing and treating the risks relating to a digital project, and defining the level of security to be achieved for a product or service, USING WORKSHOPS.

Octave

It stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

It is divided into three main phases:

  1. organizational view (assets, threats, current practices, organizational vulnerabilities, security requirements)
  2. technological view (key components, technical vulns)
  3. strategy and plan development (risks, mitigation)

The 2008 revision is known as OCTAVE Allegro. Everything is done with worksheets.

  1. Establish Risk Measurement Criteria
  2. Develop an Information Asset Profile
  3. Identify Information Asset Containers
  4. Identify Areas of Concern
  5. Identify Threat Scenarios
  6. Identify Risks
  7. Analyze Risks
  8. Select Mitigation Approach

| Aspect | OCTAVE 1999 (Original) | OCTAVE Allegro 2008 |
|---|---|---|
| Target | Large orgs (>300 people), deep tech focus | SMBs/small teams, info assets priority |
| Phases | 3 full phases + heavy infrastructure scan | Streamlined 8-step process, less tech-heavy |
| Time/Resources | Weeks-months, needs experts/tools | Days-weeks, self-directed, minimal staff |
| Asset Focus | Tech infrastructure + org view | Information assets (data storage/processing) |
| Threat ID | Vulnerability tools, broad | Simplified mapping to asset containers |
| Output | Comprehensive enterprise strategy | Quick risk profiles + mitigation plans |
| Ease | Complex docs/analysis | Worksheets, repeatable, less data crunch |

ENISA

European Directive on Network and Information Security, 2022

Effective from 17th October 2024, it aims to increase cybersecurity consistently across the states.

Some of the points and objectives are the same as the EU’s (support institutions, be a centre of expertise, contribute to increasing cybersecurity at Union level),

but in particular:

  1. ENISA shall promote the use of European cybersecurity certification, with a view to avoiding the fragmentation of the internal market.

  2. ENISA shall promote a high level of cybersecurity awareness, including cyber-hygiene and cyber-literacy among citizens, organisations and businesses.

ACN

  • Agenzia Cybersec Nazionale (National Cybersecurity Agency)
    • deals with matters of public order; it takes care “personally” of training the new generation of practitioners

TTPs, CVEs, KEVs

  • TTPs: tactics, techniques and procedures
  • CVE: Common Vulnerabilities and Exposures
  • KEV: Known Exploited Vulnerabilities

CERT-EU

  • Defence against cyber threats, in cooperation with constituents, peers and partners
  • Information Hub: evidence based knowledge context and actionable advice about malicious activities

Also:

  • consultancy
  • offensive security
  • forensics and operational response to cyber events

State of the art in 2025

In 2025 ENISA found the most popular threats are:

  1. ransomware
  2. generic malware
  3. social engineering threats (phishing, identity theft)

spread mostly by:

  • phishing
  • vulnerabilities
  • botnet mainly aimed towards mobile devices and AI-powered

The most common incident types are:

  • DDoS
  • Intrusion

Threat actors:

  • state-nexus
  • cybercrime actors and hacker-for-hire actors
  • private sector offensive
  • hacktivists

Threat motivations:

  • ideological: e.g. hacktivism
  • money
  • geopolitical/espionage
  • geopolitical/disruption

ENISA found that ransomware accounts for 81% of cases (Akira, Clop), followed by data breaches, stealers, banking trojans and other bad things.

Geographically speaking, most cybercriminals are associated with Russia, China and North Korea.

They usually:

  • spread fake news
  • fabricated investigations
  • decontextualise quotes and images
  • forge documents
  • use AI to achieve all of the above

They are hacktivists, and they seem to target France, Italy, Poland and Germany.

Emerging threats

  1. supply chain compromise of software dependencies
  2. fake news
  3. digital surveillance authoritarianism
  4. human error and exploited legacy systems
  5. targeted attacks by using smart devices
  6. lack of analysis and control of space-based infrastructure and objects
  7. rise of advanced hybrid threats
  8. skill shortage
  9. cross border ict service providers as a single point of failure
  10. ai abuse

Therefore, ENISA wants to encourage and fortify convergence, automation and industrialisation.

Defensive strategies must become intelligence-driven and systemic. Organizations should prioritise asset discovery, automated vulnerability management and resilience planning for their systems. Collaboration between member states is essential.

ISO 27001-5 Implementation guide

In classic PDCA fashion:

  1. Project initiation: members for a project are selected, backup members are chosen…
    • not coded in ISO
    • approval and commitment of senior management must be obtained in any way
    • it is mission critical
    • RA: types of risk the organization will take and the ways they will balance threats, accountabilities for managing particular risks, how risk management performance will be measured, statement of commitment
    • PM is a senior executive. Usually directs operations and sets priorities within the project.
    • therefore carefully plan activities
  2. ISMS Mandate: scope of the IS must be defined. We should clearly identify goal/objective, scope, limits, interfaces, dependencies, exclusions and justification, strategic context, organizational context
    • security perimeter should be defined too
    • if the organization does not control the ISMS, it will be unable to manage it efficiently
  3. Risk assessment: identification of the asset, determine asset value by CIAL criteria (the holy triad + legal requirements), determine weaknesses of every aspect
    • identify the crucial data
    • identify a risk assessment methodology suited to the ISMS (NIST, EBIOS, OCTAVE can be used)
    • develop criteria for accepting risks and identify the acceptable levels of risk
  4. Risk treatment: choose how to treat a risk. Reduction, Acceptance, Avoidance or Transfer. Implementation of controls: what to do
    • matrix of acceptance (see the Tables section above)
    • risk (see the Risk evaluation section above)
    • SoA: statement of applicability
    • implementation of controls: contact authorities, who to contact, what to segregate, roles and responsibilities…
    • the most important one is risk reduction
  5. Training and awareness: provide training and feedback
  6. Preparing for the audit: validation of compliance with the implementation specifications of the management network.
  7. Audit: documentation audit and implementation audit
  8. Ongoing Improvement: verify and improve management framework once it has been implemented.

The risk assessment phase comprises steps 1, 2, 3 and 4.

Risk Treatment Plan

  • mandatory for risk reduction
  • contains all the information pertinent to implementation
    • management tasks and responsibilities,
    • the names of those in charge,
    • the risk management priorities

Implementations of controls in the plan:

  • implement admin, technical, logical, physical and env controls

Approval must be ensured via management reviews. It is the responsibility of the Risk Management Process Owner to keep the organization’s executive management continuously updated.

Implementation: it must be embedded in other plans and processes, and suitable for the organization.

Residual risks

Residual risk is a risk that remains after all the Risk Management options have been identified and action plans have been implemented.

It also includes all initially unidentified risks as well as all risks previously identified and evaluated but not designated for treatment at that time.

It is important for the organizations management and all other decision makers to be well informed about the nature and extent of the residual risk.

For this purpose, residual risks should always be documented and subjected to regular monitor-and-review procedures.

The residual risks (not or only partially addressed by the controls) must be accepted by the risk owner or transferred as follows:

  • Insurance
  • Business continuity management
  • Disaster recovery

Business Continuity plan

Even when a risk is accepted, you must still plan for the worst. The target is to ensure service availability.

Business Impact Assessment: it must define a

  • Recovery Point Objective (RPO) – the acceptable latency of data that will not be recovered.
  • Recovery Time Objective (RTO) – the acceptable amount of time to restore the function

Within a

  • Maximum Tolerable Period of Disruption

Plan, Design and development of the BCP

  • Design a hierarchical backup system
  • Document existing systems and ensure results are available off site.
  • Purchase and locate failover hardware (minimum required for core functionality)
  • Catalogue skills of personnel (skill matrix) and ensure that this information is available in hard copy outside live facility. Include contact information (mobile phone and times of call)
  • Identify alternate location
  • Test all functionalities regularly (drills, planned and unplanned)

Risk Owner vs Business Continuity Framework

  • Risk Owner: the executive manager who accepts the risk and signs/approves the risk treatment plan

  • Business Continuity Framework: who is prepared to take care of the consequences and arrange for recovery in case of disasters, within the scope of a corporate

Security Risk Management

Results from Risk Assessment and status of Risk Treatment plans.

| Risk Category | Risk Summary | Risk Treatment |
|---|---|---|
| Major | Bridging systems allow cross-LAN access without proper Firewall authentication | Mitigate. Provide means to ensure a traceable and auditable way to connect between different security level networks. |
| Major | Limitations in configuration management may cause license infringement or vulnerabilities not being patched | Mitigate. Reliable way to obtain the current configuration and software in each and every Fully Supported system. Short-term: reporting capabilities to flag deviations from the default configuration. Long-term: tool-driven configuration management. |
| Major | Poor password management | Mitigate. Initiatives like Password Quality Assessments are giving more visibility to the problem, but there is still a long way to go to solve the issue. Shared passwords to be securely stored within a Password Management Tool. |
| Major | Low IT Security Proactivity leading to high incident cost | Mitigate. Preventive and Proactive Maintenance service in place since April ..yr.., in order to improve early detection of a potential degradation of the user services and ensure that preventive maintenance is performed in all systems. |

Therefore, to do risk management you need:

  • expertise
  • knowledge of your domain of application (your reality)
  • understanding of the ISO 27001/2 so as to select the appropriate controls

Case study: corporate ICT system of a commercial enterprise

Scope: to analyze and protect adequately for Company ACME:

  • Web hosting services for the distribution of multi-mission data
  • Assets: personnel, mission data, corporate data, business processes and the whole ICT infrastructure
  1. Define policy
    1. scope
      • purpose: provide management support and corporate direction for IS
      • this policy has been approved by the head of the IS Department
      • it is applicable to the web services of the IS group of company ACME
      • This policy reflects the Management’s commitment to the protection of the Confidentiality, Integrity and Availability of any information assets (tangible and intangible) that fall under the control of the Web Services division during the exercise of its ordinary or extraordinary functions
    2. Objectives
      • Maximizing the availability of all the information which the division is tasked to publish.
      • Setting and enforcing appropriate levels of protection of the access to information.
      • Maintaining the integrity of all information that falls within the division’s responsibilities.
      • Compliance with all relevant legislation.
      • Observation of best practices within the relevant industries
    3. Structure and coverage: policies and sub-policies include
      • general directives
      • physical access policy
      • document management policy (classification, sensitivity)
      • personnel policy (training)
      • IS policy (PC, office, remote access…)
      • operational procedures development policy
      • communications policy
    4. Responsibilities and conformance
      • General responsibility for the compliance with the policy lies with all staff within the division.
      • Specific responsibility for the implementation lies with the appointed Information Security Officer (ISO).
      • All security incidents as defined by the security incident policy should be reported to the CERT, under the authority of the ISO.
      • This policy may be reviewed at any time.
      • The current valid, up-to-date version is available at http://policy.companyACME.org
  2. Identification of system assets
    • Asset inventory (for example: Router01, Cisco 7200, IOS, edge connectivity; or PC01, Dell G240, WinXP, desktop)
    • Assign each device a score for Confidentiality, Integrity and Availability (from 0 to 5)
  3. Identification of threats
    • Hardware
      • Web server
        • Hacker attack
        • Disk crash
      • Firewall
        • Hacker attack
        • Configuration theft
    • Software
      • Web server Apache penetration
        • Software bug
        • Exploit of published vulnerability (zero day, before fixing)
    • People
      • Network Administrator
        • Defection
        • Death
        • Long Term Sick
        • Mid Term Sick
        • Short Term Sick
        • Maternity Leave
        • Holidays
        • Non-deliberate Human Error
        • Malicious Human Error
      • Chief Security Officer
        • Defection
        • Death
        • Long Term Sick
        • Mid Term Sick
        • Short Term Sick
        • Maternity Leave
        • Holidays
        • Non-deliberate Human Error
        • Malicious Human Error
    • Data
      • Personal Mail
        • Interception, Impersonation, Repudiation
        • SPAM
      • Mission data
        • Hacking, leakage, exfiltration
        • Manipulation, loss of integrity
        • Misuse, Abuse
    • Physical
      • Power
        • Failure
        • Low voltage
      • Air conditioning
        • Failure
        • Malfunction
Threat | # of Cases/Yr. (ARO) | Rank
Power failure | Zero to One | Low
Natural disaster | Zero to One | Low
Mail interception | One to Two | Medium
Sickness key personnel | One to Two | Medium
Hacker attack to web server | More than Three | High
Exploit of zero-day vulnerability | More than Three | High
  4. Analysis of vulnerabilities
    • Hardware
      • Web server
        • Position, age, disk redundancy (lack of)
    • Software
      • Web server Apache
        • Events in the press (mission goal, launch)
        • Software bugs
        • Published vulnerability
    • People
      • Network Administrator
        • Health status, Nationality, Hobbies, Sex, Age, Salary
    • Data
      • Personal Mail
        • Visibility of staff, size and frequency of messages
    • Physical
      • Power
        • UPS (lack of), status of power grid
      • Air conditioning, heater
  5. Determination of the impact (expected damage)

Value | Confidentiality | Integrity | Availability
4 | Disclosure of system administrator level access keys | Non reversible loss of integrity for all received unique data | Unrecoverable loss of one or more web services
3 | Undetected compromise of one or more internal systems | Defacing of public interface to ACME data | Recoverable loss of one or more web services
2 | Disclosure of sensitive internal data | Loss of integrity of internal information requiring a repeat of resource intensive processes | Prolonged failure of one or more web services
1 | Premature disclosure of data | Loss of integrity of internal information requiring repeat of minor internal processes | Temporary failure of one or more web services
0 | Disclosure of insignificant data | Loss of integrity of trivial internal information | Failure of one or more web services with standby
  6. Evaluation of risks
    • OCTAVE ALLEGRO Worksheets
      • List assets, their owners, where they are, and why they matter.
      • List concrete threats, how often they might happen, and how bad they would be.
      • Note existing controls, the risk score, and what mitigation action you will take, by when, and by whom.
    • Acceptance matrix
    • Review options for risk management (reduction/mitigation, acceptance, avoidance, transfer)
  7. Decision of management
    • COUNTERMEASURES’ EVALUATION & SELECTION
    • RELATED FUNDING
    • ACCEPTANCE OF RESIDUAL RISKS
    • AVOIDANCE - TRANSFER
    • RISK COMMUNICATION
  8. Control of the implementation
    • DEFINITION OF THE RISK MANAGEMENT PLAN
    • IMPLEMENTATION OF THE COUNTERMEASURES
    • TEST & EVALUATION
    • CONTINUOUS MONITORING AND REVIEW

Risk management plan entries look like:

  • purchase office / 16mh / 1mo / purchase new hardware
  • human resource / 24mh / 3mo / develop training curriculum
  • …
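As an added example (not the notes' own material), the case-study steps above carried through in Python: an asset inventory with CIA scores from 0 to 5, threats with an annual rate of occurrence ranked with the notes' ARO table, impact values from the 0 to 4 impact table, a combined risk score and a treatment decision from an acceptance matrix. The assets, ARO values, impact values, the scoring formula and the acceptance thresholds are constructed assumptions of this example, as is the choice to rank "two to three cases per year" (not covered by the table) as High.

```python
"""Risk register for the ACME case study: assets with CIA scores, threats
with an annual rate of occurrence (ARO), impact values from the 0..4 impact
table, a combined risk score and a treatment decision.

Added example, not part of the lecture notes. The CIA scores, ARO values,
impact values, scoring formula and acceptance thresholds below are
constructed for the example (assumptions), not figures from the course.
"""
from dataclasses import dataclass


def aro_rank(cases_per_year):
    """Likelihood rank from the ARO, following the notes' ranking table:
    zero to one -> Low, one to two -> Medium, more than three -> High.
    The table leaves two-to-three cases unstated; treating that band as
    High is an assumption of this example (erring on the cautious side)."""
    if cases_per_year <= 1:
        return "Low"
    if cases_per_year <= 2:
        return "Medium"
    return "High"


RANK_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}

# Acceptance matrix (assumed thresholds on the combined score): a score up
# to ACCEPT_MAX may be accepted by the risk owner; anything above must be
# treated, and from PRIORITY_MIN upwards it is escalated as a priority.
ACCEPT_MAX = 5
PRIORITY_MIN = 25


@dataclass(frozen=True)
class Asset:
    name: str
    description: str
    cia: tuple  # (C, I, A) scores from 0 to 5, as in the asset inventory step


@dataclass(frozen=True)
class Threat:
    asset: str            # name of the asset the threat applies to
    description: str
    cases_per_year: float  # ARO
    impact: dict           # {"C": 0..4, "I": 0..4, "A": 0..4} from the impact table


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    rank: str
    score: int
    treatment: str


def risk_score(asset, threat):
    """Likelihood weight times exposure, where exposure is the worst
    (impact value x CIA score) over the dimensions the threat affects."""
    cia = dict(zip("CIA", asset.cia))
    exposure = max(value * cia[dim] for dim, value in threat.impact.items())
    return RANK_WEIGHT[aro_rank(threat.cases_per_year)] * exposure


def treatment_for(score):
    """Treatment decision from the (assumed) acceptance matrix."""
    if score <= ACCEPT_MAX:
        return "Accept"
    if score >= PRIORITY_MIN:
        return "Mitigate (priority)"
    return "Mitigate"


def build_register(assets, threats):
    """Return risk entries sorted from highest to lowest score."""
    by_name = {a.name: a for a in assets}
    entries = []
    for t in threats:
        asset = by_name[t.asset]
        score = risk_score(asset, t)
        entries.append(RiskEntry(asset.name, t.description,
                                 aro_rank(t.cases_per_year), score,
                                 treatment_for(score)))
    return sorted(entries, key=lambda e: e.score, reverse=True)


# Constructed sample inventory (naming follows the notes' inventory example).
ASSETS = [
    Asset("WebSrv01", "Apache web server, mission data distribution", (4, 4, 5)),
    Asset("Router01", "Cisco 7200, edge connectivity", (3, 4, 5)),
    Asset("PC01", "Dell desktop", (2, 2, 1)),
]

# Constructed sample threats; ARO and impact values are assumptions.
THREATS = [
    Threat("WebSrv01", "Hacker attack to web server", 4, {"C": 3, "I": 3, "A": 2}),
    Threat("WebSrv01", "Disk crash", 0.5, {"A": 3}),
    Threat("Router01", "Configuration theft", 1.5, {"C": 2, "I": 1}),
    Threat("PC01", "Disk crash", 1, {"A": 1}),
]

if __name__ == "__main__":
    for e in build_register(ASSETS, THREATS):
        print(f"{e.score:>3} {e.rank:<6} {e.treatment:<20} {e.asset}: {e.threat}")
```

The register orders the threats so that the management decision step starts from the top: the same "disk crash" threat lands in "Mitigate" for the web server and in "Accept" for a desktop, because the asset's availability score, not the threat alone, drives the score.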

SLAs

Service Level Agreements: terms and conditions, what is included and what is not.

Cloud sourcing

Here is what to check before entering into a contract for the provision of cloud computing services:

  1. Protection of the privacy of the customers
  2. Control of access to data, and the risk of compromise due to the application of wide-scope legislation of non-EU states
  3. Data physical location (should be in EU)
  4. Data logical location
  5. Data protection
  6. IP of the data: where and how your data is stored
  7. Are you the owner of your data?
  8. Termination and migration
  9. Indemnification and limitation of liability clauses
  10. Dispute resolution

Case study: ESA

  • ESA has 23 member states, plus Canada, even though it is not in the EU
  • Security on Earth
    • Critical Infrastructures Protection
    • Maritime surveillance
    • Land surveillance
    • Humanitarian crisis support and rescue tasks
    • Public Safety (incl. Civil Protection)
    • Other emerging security threats (e.g., climate change)
  • Security in Space
    • Space situational awareness:
      • Near-Earth Objects
      • Space weather
      • Satellite tracking

Common “interesting” situations:

  • unauthorized accesses
  • GPS spoofing
  • DoS
  • interferences
  • redirecting satellites

Targets:

  • government (international operations)
  • telecommunications (all of them)