SYO-701 Security Program Management and Oversight Study Guide for the CompTIA Security+

Page 2

Risk Management

There is risk associated with every aspect of business, including cybersecurity. When engaging in business, it is not possible to avoid all risks. This is where risk management and its related concepts come into play. Risk management is how an organization identifies and responds to potential risks. You will need to be able to identify and summarize common risk management processes and concepts.

Risk Identification

The risk identification process involves determining any risk an organization and its networking environment may face. This process identifies malicious risks (such as data breaches), environmental risks (such as natural disasters), governance risks (such as compliance), and repercussion risks (such as financial and reputational harm), among other risk types.

Risk Assessment

A risk assessment is the process of assigning a risk severity value to an identified risk by assessing how likely the risk is to occur and what potential impact the risk would have on the organization if it occurs. Risk severity is commonly expressed using the following formula:

\[\text{severity} = \text{probability} \times \text{impact}\]

Ad Hoc

An ad hoc risk assessment is one that is conducted as a response to an occurrence or event. Ad hoc assessments are commonly expedited assessments that can be used to address a particular situation or event.

Recurring

A recurring risk assessment is conducted at preset intervals to monitor a risk, its potential impact, and the associated risk response. A recurring risk assessment can be used to ensure the risk response is still appropriate to the severity of the risk in the current environment.

One-Time

A one-time risk assessment is a point-in-time risk assessment that is used to provide a generalized overview of an organization’s risk profile. One-time risk assessments are commonly used to provide a high-level view of the organization’s current risk state.

Continuous

A continuous risk assessment is one that monitors a risk on an ongoing basis. Continuous risk assessments are commonly automated and can be used to identify new or emerging threats and then alert the organization to the possible risk.

Risk Analysis

Risk analysis involves the processes, methods, and technologies used to track, analyze, and evaluate risk. This analysis identifies potential risks and determines their risk severity, which is used to choose which risk management strategy best fits the situation. A risk assessment type refers to how risk data is collected and analyzed. Some risks can be numerically calculated, while other risks are more intangible in nature and require a different assessment metric.

Qualitative

A qualitative risk assessment is dependent on subjective knowledge and experience. A qualitative risk assessor may rate a risk on a scale of one to five or from low to high based on their knowledge and experience. A qualitative risk assessment tends to be quicker than a quantitative one and may be useful when the risk is more difficult to define numerically.

Quantitative

A quantitative risk assessment uses numerical data, mathematical algorithms, statistics, and probability to produce replicable results. A quantitative risk analysis tends to require more time for data collection and commonly leverages pre-defined metrics for analysis. The risk severity formula discussed above is used for this type of risk assessment.

Exposure Factor

EF is the exposure factor, or how much damage an asset will incur when exposed to a specified risk (expressed as a percent).

Single Loss Expectancy (SLE)

The SLE is the monetary amount of damage that would be incurred, based on the cost of the asset, or asset value (AV), every time a specified risk occurs. It is calculated using this formula:

\[\text{SLE} = \text{AV} \times \text{EF}\]

Annualized Rate of Occurrence (ARO)

The ARO (also known as the annual rate of occurrence) is a numerical calculation of how many times a risk is expected to occur in a year. For example, if a risk is expected to occur twice in a year, the ARO would be 2.0.

Annualized Loss Expectancy (ALE)

The ALE is how much monetary damage can be expected each year from a specified risk. The formula for ALE is:

\[\text{ALE} = \text{SLE} \times \text{ARO}\]

Probability

The probability of a risk places a numerical value on the chance of a vulnerability being exploited over a specific period of time.

Likelihood

The likelihood of occurrence is the probability that a risk will occur. It is commonly expressed as a percentage.

Impact

The impact refers to what effect a risk would have on an organization if it were to occur. The impact may include financial impacts, operational impacts, and reputational impacts.

Risk Register

A risk register is a comprehensive guide to potential risks an organization may encounter, with information on their likelihood, impact, description, and any other details that may be valuable to an organization. Due to the extensive nature of the information contained in a risk register, a heat map or heat matrix is commonly used to present a concise version of the data. A risk matrix, also known as a heat map, provides a digestible visualization of a risk, which can be used by company leaders to make a decision on how to respond. A risk matrix is typically a box matrix that shows the impact on one axis and the likelihood of occurrence on the other, with designations of low, medium, and high.
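As an added worked example (not part of the study guide), the register and heat map below show how likelihood and impact scores are mapped onto the low/medium/high matrix cells and then ranked for a leadership summary. The 0.0 to 1.0 scales, the band cut-offs, the cell ratings and the register entries are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed example scales: likelihood and impact are scored 0.0 to 1.0 and
# cut into low/medium/high bands. The cut-offs and cell ratings are assumptions.
def band(score: float) -> str:
    """Map a 0.0 to 1.0 score onto the low/medium/high designation."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score {score} is outside 0.0 to 1.0")
    if score < 0.34:
        return "low"
    if score < 0.67:
        return "medium"
    return "high"

# Heat map cells, indexed by (likelihood band, impact band).
HEAT_MAP = {
    ("low", "low"): "low",      ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",   ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",  ("high", "medium"): "high",     ("high", "high"): "high",
}

@dataclass
class RegisterEntry:
    risk_id: str
    description: str
    likelihood: float  # assessor's estimate, 0.0 to 1.0
    impact: float      # 0.0 to 1.0
    owner: str         # the risk owner accountable for the response

    def rating(self) -> str:
        """Heat map cell this entry falls into."""
        return HEAT_MAP[(band(self.likelihood), band(self.impact))]

    def severity(self) -> float:
        """The guide's formula: severity = probability x impact."""
        return self.likelihood * self.impact

def heat_map_view(register):
    """Rank entries by heat map rating (high first), then by severity, for leadership."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = sorted(register, key=lambda e: (order[e.rating()], -e.severity()))
    return [(e.risk_id, e.rating(), round(e.severity(), 2), e.owner) for e in ranked]

# Constructed sample register (not real data).
REGISTER = [
    RegisterEntry("R-01", "Ransomware on the file server", 0.6, 0.9, "IT Ops"),
    RegisterEntry("R-02", "Flooding at the primary site", 0.1, 0.9, "Facilities"),
    RegisterEntry("R-03", "Phishing of finance staff", 0.8, 0.5, "Security"),
    RegisterEntry("R-04", "Vendor misses an SLA target", 0.3, 0.2, "Procurement"),
]

if __name__ == "__main__":
    for row in heat_map_view(REGISTER):
        print(row)
```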

Key Risk Indicator (KRI)

KRIs are metrics that can be used to identify increasing risk levels, the effectiveness of current risk controls, and the maintenance of acceptable residual risk. KRIs vary by organization and can be configured to meet specific needs. For example, a KRI for malware could be employee credential exposure or employee downloads of affected files.

Risk Owners

The risk owner is the individual or entity who assumes the responsibility of the oversight and management of risks. Risk owners are also responsible for implementing controls to mitigate the identified risks.

Risk Threshold

The risk threshold is the predefined boundary at which a risk becomes too high. When the risk threshold is reached, action is taken to reduce the risk. A risk threshold is typically a quantifiable metric or value.

Risk Appetite

The risk appetite is the amount of risk an organization is willing to take. The risk appetite is a method used to balance operationality with protection against a risk.

Expansionary

An expansionary risk appetite is one that is willing to take higher risks for the chance of higher rewards. For example, a startup may be willing to assume higher risks with higher consequences to increase its market share quickly.

Conservative

A conservative risk appetite is one that tends to avoid risk, focusing on the protection of current assets and stability. For example, a large organization with a dominant foothold in market share may not be willing to take risks with its assets, data, or current consumer base.

Neutral

A neutral risk appetite is one that attempts to reach a balance between conservative risk and expansionary risk. For example, an established organization may choose to take mild risks for moderate growth while also protecting current assets and stability.

Risk Tolerance

Risk tolerance is the ability of an organization to withstand a risk and maintain operational functionality, particularly when that risk surpasses the organization’s risk appetite.

Risk Management Strategies

A risk management strategy is the stance an organization takes toward an identified risk after evaluating it. Risk management strategies consider both quantitative and qualitative metrics before deciding on which strategy to adopt.

Transfer

A risk transfer, or risk transference, is the shifting of risk impact from one organization to another. The most common example of transference is the purchase of insurance.

Accept

Accepting a risk, or risk acceptance, occurs when an organization weighs the associated risks and decides that the cost of addressing the risk is higher than the potential impact (financial, operational, or legal) of the risk. Acceptance is the “do nothing” approach.

Exemption

An exemption is a form of risk acceptance that acknowledges and approves the acceptance of a risk that lies beyond the risk appetite and risk tolerance of the organization. An exemption is typically a more formal type of acceptance, requiring documentation and approval from organizational leaders, and often comes with a predefined expiration.

Exception

An exception is a form of risk acceptance that is used to allow for non-compliance to standards, policies, or procedures that are typically employed to mitigate the stated risk. Exceptions are most commonly granted on a case-by-case basis with complete awareness of the known risk.

Avoid

Avoiding a risk, or risk avoidance, is the decision to completely eliminate the risk by not engaging in the risky behavior. Avoidance, while it may sound tempting, is often not conducive to productivity and operations, as it could necessitate foregoing the most expedient or appropriate method.

Mitigate

Mitigating a risk, or risk mitigation, is the risk strategy that attempts to reduce the potential for and impact of a risk. This is the midway stance between acceptance and avoidance.
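The following added example (not code from the guide) carries the SLE and ALE formulas from the quantitative section through the strategy decision described under Accept and Mitigate: a control is applied when its annual cost is below the ALE it averts, otherwise the risk is accepted, and acceptance of a risk whose ALE exceeds a quantified risk threshold is flagged as needing an exemption. The asset values, exposure factors, control costs and the assumption that a control changes only EF or ARO are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class QuantRisk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF as a percent (0 to 100), as the guide expresses it
    aro: float              # expected occurrences per year

    def sle(self) -> float:
        """SLE = AV x EF, with EF converted from a percent to a fraction."""
        if not 0 <= self.exposure_factor <= 100:
            raise ValueError("EF must be a percent between 0 and 100")
        return self.asset_value * self.exposure_factor / 100

    def ale(self) -> float:
        """ALE = SLE x ARO."""
        return self.sle() * self.aro

@dataclass
class Control:
    name: str
    annual_cost: float
    new_ef: Optional[float] = None   # EF once the control is in place (None = unchanged)
    new_aro: Optional[float] = None  # ARO once the control is in place (None = unchanged)

def residual(risk: QuantRisk, control: Control) -> QuantRisk:
    """Assumption for this example: a control changes only EF and/or ARO, never AV."""
    return QuantRisk(
        risk.name, risk.asset_value,
        control.new_ef if control.new_ef is not None else risk.exposure_factor,
        control.new_aro if control.new_aro is not None else risk.aro,
    )

def choose_strategy(risk: QuantRisk, control: Control, threshold_ale: float) -> dict:
    """Accept when the control costs more than the annual loss it averts (the guide's
    acceptance rule), otherwise mitigate; acceptance above the threshold needs an exemption."""
    before = risk.ale()
    after = residual(risk, control).ale()
    averted = before - after
    if control.annual_cost > averted:
        decision = "accept" if before <= threshold_ale else "exemption required"
    elif after <= threshold_ale:
        decision = "mitigate"
    else:
        decision = "mitigate; residual ALE still above threshold"
    return {"ale_before": round(before, 2), "ale_after": round(after, 2),
            "averted": round(averted, 2), "control_cost": control.annual_cost,
            "decision": decision}

# Constructed example: a web server worth 200,000, 25% damage per defacement, one every two years.
WEB_RISK = QuantRisk("web server defacement", 200_000, 25, 0.5)
WAF = Control("web application firewall", 8_000, new_aro=0.1)
```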

Risk Reporting

Risk reporting is the process of creating, maintaining, and providing documentation as to the status of risk, which is then presented to the stakeholders of an organization to inform the decision-making process. Risk reports may include risk updates, risk trend analysis, ad hoc risk reports, and risk event reports, among other details. Risk reports are intended to be easily digestible and should be tailored to the intended audience.

Business Impact Analysis (BIA)

A BIA is designed to identify the most critical functions an organization requires to operate as well as the systems that support these functions. A BIA uses multiple metrics to identify and evaluate critical functions, with Security+ specifically defining four key metrics: recovery time objective, recovery point objective, mean time to repair, and mean time between failures.

Recovery Time Objective (RTO)

The RTO is the time duration after a system failure but before repair that the organization can tolerate.

Recovery Point Objective (RPO)

The RPO is the amount of data loss that an organization can tolerate during a system failure.

Mean Time to Repair (MTTR)

The MTTR is the average amount of time it takes to restore a system to normal functionality after a failure.

Mean Time Between Failures (MTBF)

The MTBF is the average time that occurs between failures. The MTBF provides a metric for system reliability.
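As an added example (not from the guide), the functions below derive MTTR and MTBF from a constructed outage log and compare them with an RTO from the BIA. MTBF is measured here from one restoration to the next failure, which is an assumption, since the guide does not fix the measurement convention; the log entries are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed outage log for one system (not real data): (failure began, service restored).
OUTAGES = [
    ("2024-01-03 02:00", "2024-01-03 03:30"),
    ("2024-02-14 11:15", "2024-02-14 15:15"),
    ("2024-03-21 08:00", "2024-03-21 08:45"),
]
FMT = "%Y-%m-%d %H:%M"

def _parse(log):
    """Turn the string pairs into sorted (down, up) datetime pairs, rejecting negative outages."""
    pairs = sorted((datetime.strptime(a, FMT), datetime.strptime(b, FMT)) for a, b in log)
    if any(up < down for down, up in pairs):
        raise ValueError("restoration precedes failure in the log")
    return pairs

def mttr_hours(log) -> float:
    """Mean Time to Repair: average of (restored - failed) across all outages."""
    pairs = _parse(log)
    if not pairs:
        raise ValueError("no outages recorded")
    total = sum((up - down for down, up in pairs), timedelta())
    return total.total_seconds() / 3600 / len(pairs)

def mtbf_hours(log) -> float:
    """Mean Time Between Failures, measured here from one restoration to the next
    failure (an assumption); n outages give n-1 intervals, so at least two are needed."""
    pairs = _parse(log)
    if len(pairs) < 2:
        raise ValueError("MTBF needs at least two outages")
    gaps = [pairs[i + 1][0] - pairs[i][1] for i in range(len(pairs) - 1)]
    return sum(gaps, timedelta()).total_seconds() / 3600 / len(gaps)

def bia_check(log, rto_hours: float) -> dict:
    """Compare observed repair times with the RTO. The longest single outage is reported
    too, because an RTO is a tolerance for each failure, not just for the average."""
    worst = max((up - down).total_seconds() / 3600 for down, up in _parse(log))
    mttr = mttr_hours(log)
    return {
        "mttr_hours": round(mttr, 2),
        "mtbf_hours": round(mtbf_hours(log), 2),
        "worst_outage_hours": round(worst, 2),
        "meets_rto_on_average": mttr <= rto_hours,
        "meets_rto_every_time": worst <= rto_hours,
    }
```

With the sample log and a three-hour RTO the average repair time is within the objective but the four-hour February outage is not, which is the gap a BIA review should surface.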

Third-Party Risk Assessment and Management

Most organizations interact with outside or third-party entities regularly. While an organization controls how its employees are trained, there is no way to ensure that third parties have the same security measures or training in place. There are techniques, collectively referred to as third-party risk management, that can be employed to reduce the vulnerabilities incurred by using third parties. For the Security+ exam, you must be able to explain the processes associated with third-party risk assessment and management.

Vendor Assessment

A vendor assessment is the process of testing to ensure a vendor is meeting the agreed-upon security requirements. Vendor assessments may be conducted via methods such as penetration testing, client audits, internal audit documentation, independent assessments, and analysis of the supply chain.

Penetration Testing

Penetration testing of a vendor is a useful tool that can be used to identify potential vendor vulnerabilities. Penetration testing of a vendor by a client should be authorized prior to initiation of the simulation to minimize the potential for adverse effects on the vendor and for the maintenance of a healthy working relationship.

Right-to-Audit Clause

A right-to-audit clause is a provision of a contract between a vendor and a client that ensures the client has the permission to audit the vendor directly or through a third party.

Evidence of Internal Audits

A client should be able to request evidence of a vendor’s internal audits. Examining internal audits can provide the client with insight into the vendor’s security, the vendor’s risk management strategy and processes, and the internal controls used by the vendor to mitigate risk.

Independent Assessments

An independent assessment is one that is conducted by an entity not affiliated with either the client or the vendor. Independent assessments can provide a completely objective analysis of the vendor’s security posture and risk management strategies. Independent assessments may also supply verification of the vendor’s certification, such as the ISO 27001.

Supply Chain Analysis

The supply chain is how a product gets from a business to a consumer. There can be numerous moving parts in the supply chain that make it difficult to secure. The same analysis techniques, contracts, and vendor agreements can be applied to supply chain risk management. It is also important to understand how a product runs through the supply chain and with which outside vendors the supply chain may be in contact.

Vendor Selection

Vendor selection is the process of choosing an appropriate vendor for the organization’s needs. The vendor selection process should thoroughly examine and assess all aspects of a potential vendor, which is crucial in maintaining organizational security.

Due Diligence

Due diligence is the process of examining a vendor to the best of the organization’s ability to ensure the organization’s standards are met. Ensuring due diligence may include evaluating a vendor’s reputation, financial stability, product and service quality, security protocols, and regulatory compliance, among other factors.

Conflict of Interest

A conflict of interest occurs when there is an overlap in the vendor’s priorities as a result of meeting the needs of more than one client. If a conflict of interest is identified, clauses may be added to vendor contracts to mitigate this risk, or a vendor may be eliminated completely as a business partner.

Agreement Types

To reduce the risk of using third-party vendors, there are various contracts and agreements that can be implemented, such as master services agreements, statements of work, service level agreements, or memoranda of understanding.

Service-Level Agreement (SLA)

An SLA is a contract that outlines the minimum level of service a provider is expected to maintain and what the service provider will do if those minimums are not met.

Memorandum of Agreement (MOA)

An MOA is a legally binding document between two parties that outlines the roles and responsibilities of the parties and their relationship to one another.

Memorandum of Understanding (MOU)

An MOU is an informal agreement that outlines the relationship between parties. It provides a guideline for the relationship, but it is not legally binding.

Master Service Agreement (MSA)

An MSA is a contract that specifies a baseline of expectations between a vendor and a user over a prolonged period of time. This is the primary contract that may outline the baseline security and privacy requirements of the vendor.

Work Order (WO)/Statement of Work (SOW)

When new projects with a vendor are started, a WO or SOW may be created to address specific requirements for that particular project. These will commonly refer back to the MSA that’s already in place.

Non-Disclosure Agreement (NDA)

An NDA is a contract that can be used with individuals or third-party providers that specifies how sensitive information is treated during and after employment or use. NDAs may specify what information can be discussed or who the information can be shared with. They are commonly used to protect sensitive information, such as personally identifiable information (PII), trade secrets, or proprietary information.

Business Partners Agreement (BPA)

Business partners are two or more companies that agree to do business with one another. One way to mitigate risk when working with business partners is to have a clearly defined BPA, which outlines the expectations and responsibilities between two or more entities. The extent of the BPA depends on the partnership and may include defined profit-sharing specifications, the delegation of duties and responsibilities, minimum security requirements, and best practices.

Vendor Monitoring

Vendor monitoring is an ongoing process that analyzes a vendor’s compliance with business agreements and their performance of contractual obligations. Components of vendor monitoring include clear rules of engagement, performance monitoring, compliance monitoring, and financial monitoring, among others.

Questionnaires

Questionnaires can be used during both the vendor assessment and vendor monitoring process to garner insight into a vendor. Effective questionnaires should be tailored to address a specific area or subject, such as security and data policies.

Rules of Engagement

The rules of engagement are a set of agreements between a vendor or third party and the primary business that are established prior to any interaction. These rules detail what systems may be accessed, what actions can be taken, when the possible testing can occur, and any other details regarding the acceptable parameters of the testing, monitoring, or analysis.
