Risk Management 

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed-upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

  • ISO standards 

Risk 

means foreseeing outcomes and identifying the possible failures or roadblocks that could prevent the desired result, action or outcome.

Best Example:

  • When you plan to reach a destination by car, what risks can you foresee?
  • Traffic jams, breakdowns, road closures.
  • Mitigation measures: preventive breakdown measures - fuel tank fill-up, tyre air check, engine oil check.
  • Contingency measures: breakdown service cover, contact numbers.

Risk Management Cycle: 

  • Appraising risks - risk identification (infosec risk assessment),
  • Addressing identified risks (infosec risk treatment), and
  • Keeping those risks under constant observation (risk tracking).

RISK REGISTER

Identifying all the possible scenarios that might turn into a problem, and identifying mitigation plans for them.
  • The risk register is a live, current database of recognised risks.
  • The database is categorised under the following headings: organisational; people; physical (access control, asset management, BYOD); and technological (restricted access privilege, controlled zone).

TABLE 1: RISK REGISTER : SAMPLE

S. NO | RISK DETAILS | OWNERSHIP | IMPACT | PROBABILITY | RISK LEVEL | MITIGATION PLAN | CONTINGENCY | STATUS

(The sample template lists the column headings only; its rows are left empty to be filled in.)

Information on the risk life cycle, including risk ownership (avoidance, acceptance, transfer) and risk treatment (reducing or minimising the impact of the risk), is contained in the Risk Treatment Plan, which is a component of the Risk Register.

Risk Score

The risk score is based on the probability and impact of the event when it occurs; the rationale is based on previously known incidents and experience.

TABLE 2 : RISK SCORE

Rows: PROBABILITY; columns: IMPACT score.

PROBABILITY      | IMPACT 0.1 | 0.3    | 0.5    | 0.7    | 0.9
< 30%            | LOW        | LOW    | LOW    | MEDIUM | MEDIUM
>= 30% to < 50%  | LOW        | MEDIUM | MEDIUM | HIGH   | HIGH
>= 50% to < 70%  | LOW        | MEDIUM | HIGH   | HIGH   | HIGH
>= 70% to < 90%  | MEDIUM     | HIGH   | HIGH   | HIGH   | HIGH
>= 90%           | MEDIUM     | HIGH   | HIGH   | HIGH   | HIGH
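As an added example (not from the original notes), the Table 2 matrix as a lookup function with explicit band boundaries and input checks, plus a small constructed register sorted by the resulting level so that treatment effort goes to HIGH risks first; RiskEntry and its field names are hypothetical choices made here.

```python
from dataclasses import dataclass
IMPACT_SCORES = (0.1, 0.3, 0.5, 0.7, 0.9)  # Table 2 columns (impact)
PROBABILITY_UPPER = (30, 50, 70, 90)        # Table 2 row upper bounds, in percent
# Rows in order: < 30%, 30-50%, 50-70%, 70-90%, >= 90%
RISK_MATRIX = (
    ("LOW", "LOW", "LOW", "MEDIUM", "MEDIUM"),
    ("LOW", "MEDIUM", "MEDIUM", "HIGH", "HIGH"),
    ("LOW", "MEDIUM", "HIGH", "HIGH", "HIGH"),
    ("MEDIUM", "HIGH", "HIGH", "HIGH", "HIGH"),
    ("MEDIUM", "HIGH", "HIGH", "HIGH", "HIGH"),
)
LEVEL_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # sort key: HIGH first

def probability_row(probability_pct: float) -> int:
    """Table 2 row index; lower bounds are inclusive (exactly 30% lands in the 30-50% row)."""
    if not 0 <= probability_pct <= 100:
        raise ValueError(f"probability must be 0..100 percent, got {probability_pct}")
    for row, upper in enumerate(PROBABILITY_UPPER):
        if probability_pct < upper:
            return row
    return len(PROBABILITY_UPPER)  # >= 90%

def risk_level(probability_pct: float, impact: float) -> str:
    """LOW/MEDIUM/HIGH from Table 2; impact must be one of the five column scores."""
    if impact not in IMPACT_SCORES:
        raise ValueError(f"impact must be one of {IMPACT_SCORES}, got {impact}")
    return RISK_MATRIX[probability_row(probability_pct)][IMPACT_SCORES.index(impact)]

@dataclass
class RiskEntry:  # hypothetical register row; fields are a subset of Table 1's headings
    details: str
    owner: str
    probability_pct: float
    impact: float
    mitigation: str

    @property
    def level(self) -> str:
        return risk_level(self.probability_pct, self.impact)

def prioritised(register: list) -> list:
    """Register sorted HIGH -> LOW, then by probability and impact, to order treatment work."""
    return sorted(register, key=lambda e: (LEVEL_ORDER[e.level], -e.probability_pct, -e.impact))

# Constructed sample register (made-up values, not the notes' Table 3)
SAMPLE_REGISTER = [
    RiskEntry("Project documents lost or corrupted", "Team lead", 10, 0.7, "Cloud backup"),
    RiskEntry("Test VM corrupted during attack simulation", "Tester", 30, 0.3, "Rebuild from snapshot"),
    RiskEntry("Live malware sample escapes the lab VM", "Security lead", 90, 0.9, "Isolated network"),
]
```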



The table below provides some example risks.

TABLE 3: RISK REGISTER

Risk | Risk Description | Probability Score | Severity Impact | Mitigation
Documentation file loss/corruption | Project Word documents lost or unable to be recovered | 0.1 | High | NTU OneDrive backup is used
Virtual machine configuration | The VM can be corrupted during the testing of attacks | 0.3 | Medium | The VM will be reconfigured
Restricted network access | NTU restricted network access | 0.5 | Medium | Alternative connectivity such as a mobile hotspot will be used
Malware infection | Taking live malware/ransomware samples for simulation in virtual machines could infect the host machine and the connected network | 0.9 | High | Simulation carried out in a sandbox/isolated network

Risk Treatment


Based on the risk score, the risk treatment plan can be applied as follows, with examples:
  • Avoidance: eliminating the risk altogether by changing the activity or process that creates it.
    • Risk: Employees using personal devices for work, increasing the risk of data breaches and malware infections.
    • Avoidance: Implementing a strict BYOD (Bring Your Own Device) policy that prohibits personal device use for work activities. This eliminates the risk at its source.
  • Transfer: sharing the risk with another party, such as through insurance or outsourcing.
    • Risk: Cyberattacks causing financial losses due to data breaches or ransomware.
    • Transfer: Purchasing cyber insurance to offset potential financial damages. This shifts the risk burden to the insurance provider.
  • Mitigation: reducing the likelihood or impact of the risk through controls, safeguards, or procedures.
    • Risk: Weak passwords easily compromised by attackers.
    • Mitigation: Implementing a strong password policy enforcing complexity requirements, regular changes, and two-factor authentication. This reduces the likelihood of password-related breaches.
  • Acceptance: deciding to live with the risk, considering its low probability or acceptable consequences.
    • Risk: Occasional power outages disrupting operations.
    • Acceptance: Determining that the cost of backup power systems outweighs the potential losses from brief outages. The organization accepts the risk and focuses on resilience measures like uninterruptible power supplies for critical systems.

**************************************************

GDPR

How to collect, manage and process personal data


GDPR key concepts

  • Lawful processing
  • Data subject rights
  • Data controllers Vs Data processors
  • Privacy by design

DPO - Data Protection Officer

GDPR requires parental consent before collecting data from children who are under 16 (or 13, depending on the member state).

Companies have a limited time to respond to a data breach: 72 hours to communicate with the EU regulator regarding the breach.


Questions to ask before collecting personal data:

Do I need all of the data I am collecting here?

Could I do this work without using personal data at all?

Am I using the data in a way a user may not expect?

Do I have a plan to delete this data once I no longer need it?


DPIA - Data Protection Impact Assessment


DSRs - Data Subject Rights:

The 6 GDPR DSRs


  1. Right to be forgotten
  2. Right of access
  3. Right to data portability
  4. Right to restriction of processing
  5. Right to rectify
  6. Right to object

Methods to prove lawfulness of Processing: 


  • Contractual Necessity
  • Consent
  • Legitimate interest

GDPR Controllers and Processors

Controllers are at risk of incurring high fines if they do not meet the obligations set forth in the GDPR.


****************************************
