DISC InfoSec blogRisk Assessment Archives

The #1 Risk to Small Businesses: …And How to Minimize it

Mar 26 2025

You can’t eliminate risk entirely, but you can minimize it

Category: Information Security,Risk Assessment,Security Incident,Security Risk Assessment — disc7 @ 10:03 am

You can’t eliminate risk entirely, but you can minimize it. If a cyberattack occurs, here are three key steps to take:

Plan Ahead:
Create a detailed incident response plan now, involving all key departments (e.g., technical, legal, financial, marketing). Practice it through tabletop exercises to prepare for unexpected scenarios. The better your preparation, the less chaos you’ll face during an attack.
Contact Your Cyber Insurance Company:
Reach out to your cyber insurance provider immediately. They can coordinate response teams, provide legal and regulatory support, handle public relations, negotiate ransoms, assist with technical recovery, and help strengthen security post-incident. Follow their guidance to avoid unnecessary expenses.
Return to Normal Operations:
Once the active threat is contained, declare the incident over and shift your team back to regular duties. Fix vulnerabilities and train staff but avoid staying in “response mode” indefinitely, as it can lead to burnout, distraction, and reduced productivity.

Preparation and thoughtful responses are key to minimizing damage and ensuring a smoother recovery from cyber incidents.

Additional steps to help minimize information security risks:

1. Conduct Regular Risk Assessments

Identify vulnerabilities in your systems, applications, and processes.
Prioritize risks based on their likelihood and potential impact.
Address gaps with appropriate controls or mitigations.

2. Implement Strong Access Controls

Use multi-factor authentication (MFA) for all critical systems and applications.
Follow the principle of least privilege (grant access only to those who truly need it).
Regularly review and revoke unused or outdated access permissions.

3. Keep Systems and Software Up-to-Date

Patch operating systems, software, and firmware as soon as updates are released.
Use automated tools to manage and deploy patches consistently.

4. Train Employees on Security Best Practices

Conduct regular security awareness training, covering topics like phishing, password hygiene, and recognizing suspicious activity.
Simulate phishing attacks to test and improve employee vigilance.

5. Use Endpoint Detection and Response (EDR) Solutions

Deploy advanced tools to monitor, detect, and respond to threats on all devices.
Set up alerts for abnormal behavior or unauthorized access attempts.

6. Encrypt Sensitive Data

Use strong encryption protocols for data at rest and in transit.
Ensure proper key management practices are followed.

7. Establish Network Segmentation

Separate critical systems and sensitive data from less critical networks.
Limit lateral movement in case of a breach.

8. Implement Robust Backup Strategies

Maintain regular, secure backups of all critical data.
Store backups offline or in isolated environments to protect against ransomware.
Test recovery processes to ensure backups are functional and up-to-date.

9. Monitor Systems Continuously

Use Security Information and Event Management (SIEM) tools for real-time monitoring and alerts.
Proactively look for signs of intrusion or anomalies.

10. Develop an Incident Reporting Culture

Encourage employees to report security issues or suspicious activities immediately.
Avoid a blame culture so employees feel safe coming forward.

11. Engage in Threat Intelligence Sharing

Join industry groups or forums to stay informed about new threats and vulnerabilities.
Leverage shared intelligence to strengthen your defenses.

12. Test Your Defenses Regularly

Conduct regular penetration testing to identify and fix exploitable weaknesses.
Perform red team exercises to simulate real-world attacks and refine your response capabilities.

By integrating these steps into your cybersecurity strategy, you’ll strengthen your defenses and reduce the likelihood of an incident.

Feel free to reach out if you have any additional questions or feedback.

DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.

Tags: eliminate risk, minimize risk

Information Security Risk Management for ISO 27001/ISO 27002

Mar 19 2025

ISO 27001 Risk Assessment Process – Summary

Category: ISO 27k,Risk Assessment,Security Risk Assessment — disc7 @ 8:51 am

The summary covers information security risk assessment, leveraging ISO 27001 for compliance and competitive advantage.

ISO 27001 Risk Management

Risk Assessment Process
- Identify assets and analyze risks.
- Assign risk value and assess controls.
- Implement monitoring, review, and risk mitigation strategies.
Risk Concepts
- Asset-Based vs. Scenario-Based Risks: Evaluating risk based on critical assets and potential attack scenarios.
- Threats & Vulnerabilities: Identifying security weaknesses and potential risks (e.g., unauthorized access, data breaches, human error).
Risk Impact & Likelihood
- Risks are measured based on financial, operational, reputational, and compliance impacts.
- Likelihood is classified from Highly Unlikely to Highly Likely based on past occurrences.
Risk Treatment Options
- Tolerate (Accept): Accepting the risk if the cost of mitigation is higher than the impact.
- Treat (Mitigate): Reducing the risk by implementing controls.
- Transfer (Share): Outsourcing risk through insurance or third-party agreements.
- Terminate (Avoid): Eliminating the source of risk.

Risk assessment process details:

The risk assessment process follows a structured approach to identifying, analyzing, and mitigating security risks. The key steps include:

Risk Identification
- Identify information assets (e.g., customer data, financial systems, hardware).
- Determine potential threats (e.g., cyberattacks, insider threats, physical damage).
- Identify vulnerabilities (e.g., weak access controls, outdated software, lack of employee training).
Risk Analysis & Valuation
- Assess the likelihood of a threat exploiting a vulnerability (rated from Highly Unlikely to Highly Likely).
- Evaluate the impact on financial, operational, reputational, and compliance aspects (from Minimal to Catastrophic).
- Calculate the risk level based on the combination of likelihood and impact.
Risk Mitigation & Decision Making
- Assign a risk owner responsible for managing each identified risk.
- Select appropriate controls (e.g., firewalls, encryption, staff training).
- Compute the residual risk (risk left after implementing controls).
- Decide on the risk treatment approach (Accept, Mitigate, Transfer, or Avoid).
Risk Monitoring & Review
- Establish a reporting frequency to reassess risks periodically.
- Continuously monitor changes in the threat landscape and update controls as needed.
- Communicate risk status and treatment effectiveness to stakeholders.

This structured approach ensures organizations can proactively manage risks, comply with regulations, and strengthen cybersecurity defenses.

DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

ISO 27001: Guide & key Ingredients for Certification

An Overview of ISO/IEC 27001:2022 Annex A Security Controls

Managing Artificial Intelligence Threats with ISO 27001

Tags: iso 27001, ISO 27001 2022

Comments (2)

Mar 07 2025

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Category: ISO 27k,Risk Assessment,Security controls,Security Risk Assessment — disc7 @ 6:59 am

“The SOA can easily be produced by examining the risk assessment to identify the necessary controls and risk treatment plan to identify those that are planned to be implemented. Only controls identified in the risk assessment can be included in the SOA. Controls cannot be added to the SOA independent of the risk assessment. There should be consistency between the controls necessary to realize selected risk treatment options and the SOA. The SOA can state that the justification for the inclusion of a control is the same for all controls and that they have been identified in the risk assessment as necessary to treat one or more risks to an acceptable level. No further justification for the inclusion of a control is needed for any of the controls.”

This paragraph from ISO 27005 explains the relationship between the Statement of Applicability (SoA) and the risk assessment process in an ISO 27001-based Information Security Management System (ISMS). Here’s a breakdown of the key points:

SoA Derivation from Risk Assessment
- The SoA must be based on the risk assessment and risk treatment plan.
- It should only include controls that were identified as necessary during the risk assessment.
- Organizations cannot arbitrarily add controls to the SoA without a corresponding risk justification.
Consistency with Risk Treatment Plan
- The SoA must align with the selected risk treatment options.
- This ensures that the controls listed in the SoA effectively address the identified risks.
Justification for Controls
- The SoA can state that all controls were chosen because they are necessary for risk treatment.
- No separate or additional justification is needed for each individual control beyond its necessity in treating risks.

Why This Matters:

Ensures a risk-driven approach to control selection.
Prevents the arbitrary inclusion of unnecessary controls, which could lead to inefficiencies.
Helps in audits and compliance by clearly showing the link between risks, treatments, and controls.

Practical Example of SoA and Risk Assessment Linkage

Scenario:

A company conducts a risk assessment as part of its ISO 27001 implementation and identifies the following risk:

Risk: Unauthorized access to sensitive customer data due to weak authentication mechanisms.
Risk Level: High
Risk Treatment Plan: Implement multi-factor authentication (MFA) to reduce the risk to an acceptable level.

How This Affects the SoA:

Control Selection:
- The company refers to Annex A of ISO 27001 and identifies Control A.9.4.1 (Use of Secure Authentication Mechanisms) as necessary to mitigate the risk.
- This control is added to the SoA because the risk assessment identified it as necessary.
Justification in the SoA:
- The SoA will list A.9.4.1 – Secure Authentication Mechanisms as an included control.
- The justification can be:
  “This control has been identified as necessary in the risk assessment to mitigate the risk of unauthorized access to customer data.”
- No additional justification is needed because the link to the risk assessment is sufficient.
What Cannot Be Done:
- The company cannot arbitrarily add a control, such as A.14.2.9 (Protection of Test Data), unless it was identified as necessary in the risk assessment.
- Adding controls without risk justification would violate ISO 27005’s requirement for consistency.

Key Takeaways:

Every control in the SoA must be traceable to a risk.
The SoA cannot contain controls that were not justified in the risk assessment.
Justification for controls can be standardized, reducing documentation overhead.

This approach ensures that the ISMS remains risk-based, justifiable, and auditable.

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

Tags: #InfoSec, #RiskAssessment, AnnexA, Information Security Management System, isms, iso 27001, Risk management, security controls, SoA

Comments (4)

Nov 25 2024

Adding Value with Adding Value with Risk-Based Information Security

Category: ISO 27k,NIST CSF,Risk Assessment,Security Risk Assessment — disc7 @ 8:27 am

The article emphasizes the importance of integrating risk management and information security management systems (ISMS) for effective IT security. It recommends a risk-based approach, leveraging frameworks like ISO/IEC 27001 and NIST Cybersecurity Framework (CSF) 2.0, to guide decisions that counteract risks while aligning with business objectives. Combining these methodologies enhances control accuracy and ensures that organizational assets critical to business goals are appropriately classified and protected.

An enterprise risk management system (ERMS) bridges IT operations and business processes by defining the business value of organizational assets. This alignment enables ISMS to identify and safeguard IT assets vital to achieving organizational objectives. Developing a registry of assets through ERMS avoids redundancies and ensures ISMS efforts are business-driven, not purely technological.

The NIST CSF 2.0 introduces a “govern” function, improving governance, priority-setting, and alignment with security objectives. It integrates with frameworks like ISO 27001 using a maturity model to evaluate controls’ effectiveness and compliance. This approach ensures clarity, reduces redundancies, and provides actionable insights into improving cybersecurity risk profiles and resilience across the supply chain.

Operationally, integrating frameworks involves a centralized tool for managing controls, aligning them with risk treatment plans (RTP), and avoiding overlaps. By sharing metrics across frameworks and using maturity models, organizations can efficiently evaluate security measures and align with business goals. The article underscores the value of combining ISO 27001’s holistic ISMS with NIST CSF’s risk-focused profile to foster continual improvement in an evolving digital ecosystem.

For example, let’s consider an elementary task such as updating the risk policy. This is part of control 5.1 of ISO27001 on information security policies. It is part of the subcategory GV.PO-01 of the NIST CSF on policies for managing cybersecurity risks, but it is also present in the RTP with regard to the generic risk of failure to update company policies. The elementary control tasks are evaluated individually. Then, the results of multiple similar tasks are aggregated to obtain a control of one of the various standards, frameworks or plans that we are considering.

Best method for evaluating the effectiveness of control activities may be to adopt the Capability Maturity Model Integration (CMMI). It is a simple model for finding the level of maturity of implementation of an action with respect to the objectives set for that action. Furthermore, it is sufficiently generic to be adaptable to all evaluation environments and is perfectly linked with gap analysis. The latter is precisely the technique suitable for our evaluations – that is, by measuring the current state of maturity of implementation of the control and comparing it with the pre-established level of effectiveness, we are able to determine how much still needs to be done.

In short, the advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold.

The first advantage is in the very nature of the control task that corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has built for its own needs and therefore knows well. This is an indicator of quality in the evaluation.
The second advantage is in the method of treatment of the various frameworks. Instead of building specific controls with new costs to be sustained for their management, it is preferable to identify each control of the framework for which control tasks are relevant and automatically aggregate the relative evaluations. The only burden is to define the relationship between the companys control tasks and the controls of the chosen framework, but just once.

More details and considerations on pros and cons are described in recent ISACA Journal article, “Adding Value With Risk-Based Information Security.”

Source: National Institute of Standards and Technology, The NIST Cybersecurity Framework (CSF) 2.0, USA, 2024, https://www.nist.gov/informative-references

Information Security Risk Management for ISO 27001/ISO 27002

Information Security Risk Assessment Workshop

Tags: Risk-Based Information Security

Comments (1)

Nov 19 2024

Threat modeling your generative AI workload to evaluate security risk

Category: AI,Risk Assessment — disc7 @ 8:40 am

AWS emphasizes the importance of threat modeling for securing generative AI workloads, focusing on balancing risk management and business outcomes. A robust threat model is essential across the AI lifecycle stages, including design, deployment, and operations. Risks specific to generative AI, such as model poisoning and data leakage, need proactive mitigation, with organizations tailoring risk tolerance to business needs. Regular testing for vulnerabilities, like malicious prompts, ensures resilience against evolving threats.

Generative AI applications follow a structured lifecycle, from identifying business objectives to monitoring deployed models. Security considerations should be integral from the start, with measures like synthetic threat simulations during testing. For applications on AWS, leveraging its security tools, such as Amazon Bedrock and OpenSearch, helps enforce role-based access controls and prevent unauthorized data exposure.

AWS promotes building secure AI solutions on its cloud, which offers over 300 security services. Customers can utilize AWS infrastructure’s compliance and privacy frameworks while tailoring controls to organizational needs. For instance, techniques like Retrieval-Augmented Generation ensure sensitive data is redacted before interaction with foundational models, minimizing risks.

Threat modeling is described as a collaborative process involving diverse roles—business stakeholders, developers, security experts, and adversarial thinkers. Consistency in approach and alignment with development workflows (e.g., Agile) ensures scalability and integration. Using existing tools for collaboration and issue tracking reduces friction, making threat modeling a standard step akin to unit testing.

Organizations are urged to align security practices with business priorities while maintaining flexibility. Regular audits and updates to models and controls help adapt to the dynamic AI threat landscape. AWS provides reference architectures and security matrices to guide organizations in implementing these best practices efficiently.

*Threat composer threat statement builder*

You can write and document these possible threats to your application in the form of threat statements. Threat statements are a way to maintain consistency and conciseness when you document your threat. At AWS, we adhere to a threat grammar which follows the syntax:

A [threat source] with [prerequisites] can [threat action] which leads to [threat impact], negatively impacting [impacted assets].

This threat grammar structure helps you to maintain consistency and allows you to iteratively write useful threat statements. As shown in Figure 2, Threat Composer provides you with this structure for new threat statements and includes examples to assist you.

You can read the full article here

Proactive governance is a continuous process of risk and threat identification, analysis and remediation. In addition, it also includes proactively updating policies, standards and procedures in response to emerging threats or regulatory changes.

OWASP updated 2025 Top 10 Risks for Large Language Models (LLMs), a crucial resource for developers, security teams, and organizations working with AI.

How CISOs Can Drive the Adoption of Responsible AI Practices

The CISO’s Guide to Securing Artificial Intelligence

AI in Cyber Insurance: Risk Assessments and Coverage Decisions

Hackers will use machine learning to launch attacks

To fight AI-generated malware, focus on cybersecurity fundamentals

4 ways AI is transforming audit, risk and compliance

AI security bubble already springing leaks

Could APIs be the undoing of AI?

The Rise of AI Bots: Understanding Their Impact on Internet Security

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Comprehensive vCISO Services

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: LLM, OWASP, Threat modeling

Comments (5)

Nov 05 2024

ISO 27001 clauses 6.1.2 and 6.1.3 on information security risk assessment should be relocated to clause 8

Category: ISO 27k,Risk Assessment,Security Risk Assessment — disc7 @ 9:03 am

Clause 6.1.1 is often misunderstood and frequently overlooked. It requires organizations to assess risks and opportunities specifically related to the Information Security Management System (ISMS)—focusing not on information security itself, but on the ISMS’s effectiveness. This is distinct from the information security risk assessment activities outlined in 6.1.2 and 6.1.3, which require different methods and considerations.

In practice, it’s rare for organizations to assess ISMS-specific risks and opportunities (per 6.1.1), and certification auditors seldom address this requirement.

To clarify, it’s proposed that the information security risk assessment activities (6.1.2 and 6.1.3) be moved to clause 8. This aligns with the structure of other management system standards (e.g., ISO 22301 for Business Continuity Planning). Additionally, a note similar to ISO 22301’s should be included:

“Risks in this sub clause relate to information security, while risks and opportunities related to the effectiveness of the management system are addressed in 6.1.1.”

Need expert guidance? Book a free 30-minute consultation with a ISO27k expert.

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: clauses 6.1.2, clauses 6.1.3

Comments (1)

Nov 04 2024

The Risk Assessment Process and the tool that supports it

Category: ISO 27k,Risk Assessment,Security Risk Assessment — disc7 @ 12:00 pm

The “Risk Assessment analysis” covers key areas of risk assessment in information security:

Risk Assessment Process: The core steps include identifying assets, analyzing risks, and evaluating the value and impact of each risk. This process helps determine necessary controls and treatments to mitigate or accept risks.
Types of Risk:
- Asset-Based Risk: Focuses on assessing risks to tangible assets like data or hardware.
- Scenario-Based Risk: Evaluates hypothetical risk scenarios, such as potential data breaches.
Risk Analysis:
- Impact Analysis: Measures the financial, operational, and reputational impact of risks, assigning scores from 1 (very low) to 5 (very high).
- Likelihood Analysis: Assesses how likely a risk event is to occur, also on a scale from 1 to 5.
Risk Response Options:
- Tolerate (accept risk),
- Treat (mitigate risk),
- Transfer (share risk, e.g., via insurance),
- Terminate (avoid risk by ceasing the risky activity).
Residual Risk and Risk Appetite: After treatments are applied, residual risk remains. Organizations determine their acceptable level of risk, known as risk appetite, to guide their response strategies.

These structured steps ensure consistent, repeatable risk management across information assets, aligning with standards like ISO 27001.

The Risk Assessment Process involves systematically identifying and evaluating potential risks to assets. This includes:

Identifying Assets: Recognizing valuable information assets, such as data or physical equipment.
Risk Analysis: Analyzing the potential threats and vulnerabilities related to these assets to assess the level of risk they pose.
Evaluating Impact and Likelihood: Measuring the potential impact of each risk and estimating how likely each risk is to occur.
Implementing Controls: Deciding on control measures to mitigate, transfer, accept, or avoid each risk, based on organizational risk tolerance.

To streamline this process, organizations often use risk assessment tools. These tools assist by automating data collection, calculating risk levels, and supporting decision-making on risk treatments, ultimately making the assessment more consistent, thorough, and efficient.

CyberComply makes compliance with cybersecurity requirements and data privacy laws simple and affordable.

Manage all your cybersecurity and data privacy obligations
Accelerate certification and supercharge project effectiveness
Get immediate visibility of critical data and key performance indicators
Stay ahead of regulatory changes with our scalable compliance solution
Reduce errors and improve completeness of risk management processes
Identify and treat data security risks before they become critical concerns

Reduce data security risks with agility and efficiency

Quickly identify and treat data security risks before they become critical concerns with the intuitive, easy-to-use risk manager tool
Keep track of data security compliance requirements and the security controls you have in place in conjunction with critical laws and information security frameworks
Demonstrate compliance with ISO 27001, the leading information security management standard, with powerful built-in reports
The software includes control sets from ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 27032, NIST, CSA CCM, the PCI DSS, SOC 2, and the CPRA

Need expert guidance? Book a free 30-minute consultation with a Risk assessment specialist.

What is the significance of ISO 27001 certification for your business?

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Risk Assessment analysis, Risk Assessment Process

Comments (42)

Oct 30 2024

A step-by-step guide to risk management following ISO 27001 and ISO 27005 standards

Category: ISO 27k,Risk Assessment,Security Risk Assessment — disc7 @ 9:44 am

The ISO 27001 risk management guide provides a structured methodology for managing information security risks aligned with ISO standards. It first covers setting risk criteria, helping organizations define their risk appetite and identify high-priority assets and vulnerabilities. Risk assessment follows, where risks are quantified based on their likelihood and impact, allowing for prioritization.

The guide emphasizes the importance of treatment planning, advising on risk responses: avoidance, transfer, mitigation, or acceptance, with decisions documented for compliance. Documentation ensures transparency and traceability, forming a record of risk decisions.

A key component is regular review, where organizations reassess risks as threats change, supporting ISO 27001’s principle of continuous improvement. This cyclical approach helps keep the risk management framework adaptable and responsive to evolving security needs.

Additionally, the guide underscores the role of management, recommending their involvement in review and support of risk processes. Management buy-in ensures that security efforts align with strategic goals, encouraging organization-wide commitment.

In summary, the guide helps organizations maintain a robust, adaptive risk management system that meets ISO 27001 standards, enabling proactive risk control. For more detail, you can access the document here.

some commonly adopted approaches:

What is the significance of ISO 27001 certification for your business?

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: guide to risk management, iso 27001, iso 27005

Information Risk Management: A practitioner’s guide

Oct 16 2024

Not all information security risks translate directly to business risks

Category: Information Security,Risk Assessment,Security Risk Assessment — disc7 @ 3:15 pm

There is a misconception among security professionals: the belief that all information security risks will result in significant business risks. This perspective is misleading because not every information security incident has a severe impact on an organization’s bottom line. Business decision-makers can become desensitized to security alerts if they are inundated with generalized statements, leading them to ignore real risks. Thus, it is essential for security experts to present nuanced, precise analyses that distinguish between minor and significant threats to maintain credibility and ensure their assessments are taken seriously.

There are two types of risks:

Information Security Risk: This occurs when a threat (e.g., a virus) encounters a vulnerability (e.g., lack of antivirus protection), potentially compromising confidentiality, availability, or integrity of information. Depending on the severity, it can range from a minor issue, like a temporary power outage, to a critical breach, such as theft of sensitive data.
Business Risk: This affects the organization’s financial stability, compelling decision-makers to act. It can manifest as lost revenue, increased costs (e.g., penalties), or reputational damage, especially if regulatory fines are involved.

Not all information security risks translate directly to business risks. For example, ISO27001 emphasizes calculating the Annual Loss Expectation (ALE) and suggests that risks should only be addressed if their ALE exceeds the organization’s acceptable threshold.

Example:

Small Business Data Breach: A small Apple repair company faced internal sabotage when a disgruntled employee reformatted all administrative systems, erasing customer records. The company managed to recover by restoring data from backups and keeping customer communication open. Despite the breach’s severity, the company retained its customers, and the incident was contained. This case underscores the importance of adequate data management and disaster recovery planning.

Several factors to consider when assessing the relationship between information security and business risk:

Business Model: Certain businesses can withstand breaches with minimal financial impact, while others (e.g., payment processors) face more significant risks.
Legal Impact: Fines and legal costs can sometimes outweigh the direct costs of a breach. Organizations must assess regulatory requirements and contractual obligations to understand potential legal implications.
Direct Financial Impact: While breaches can lead to financial loss, this is sometimes treated as a routine cost of doing business, akin to paying for regular IT services.
Affected Stakeholders: It is crucial to identify which parties will bear the brunt of the damage. In some cases, third parties, like investors, may suffer more than the organization experiencing the breach.

Ultimately, information security risks must be evaluated within the broader business context. A comprehensive understanding of the company’s environment, stakeholders, and industry will help in prioritizing actions and reducing overall breach costs.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: business risks, Information Risk Management: A practitioner's guide

Oct 09 2024

Pragmatic ISO 27001 Risk Assessments

Category: ISO 27k,Risk Assessment,Security Risk Assessment — disc7 @ 1:33 pm

Andrew Pattison, a seasoned expert with over 30 years in information security and risk management, emphasizes the pragmatic nature of ISO 27001 in this interview. He explains that ISO 27001 is often misunderstood as a rigid framework when, in fact, it takes a flexible, risk-based approach. This misconception arises because many implementers prioritize certification, leading them to adopt a “you must do X” attitude, which gives the impression that the standard’s clauses are more rigid than they are. Pattison stresses that organizations can tailor controls based on risk, selecting or excluding controls as needed, provided they can justify these decisions.

He explains that a true risk-based approach to ISO 27001 involves understanding risk as the combination of a vulnerability, a threat to that vulnerability, and the likelihood of that threat being exploited. Organizations often focus on sensationalized, niche technical risks rather than practical issues like staff awareness training, which can be addressed easily and cost-effectively. Pattison advises focusing on risks that have a real-world impact, rather than obscure ones that are less likely to materialize.

To keep risk assessments manageable, Pattison advocates for simplicity. He favors straightforward risk matrices and encourages organizations to focus on what truly matters. According to him, risk management should answer two questions: “What do I need to worry about?” and “How do I address those worries?” Complicated risk assessments, often bogged down by mathematical models, fail to provide clear, actionable insights. The key is to maintain focus on where the real risks lie and avoid unnecessary complexity.

Pattison also believes in actively involving clients in the risk assessment process, rather than conducting it on their behalf. By guiding clients through the process, he helps them develop a deeper understanding of their own risks, linking these risks to their business objectives and justifying the necessary controls. This collaborative approach ensures that clients are better equipped to manage their risks in a meaningful and practical way, rather than relying on third parties to do the work for them.

For more information on Andrew Pattison interview, you can visit here

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

ISO 27001 Standard, Risk Assessment and Gap Assessment

Trust Me – AI Risk Management

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: iso 27001, ISO 27001 Risk Assessment, ISO27k

Comments (12)

Oct 04 2024

4 ways AI is transforming audit, risk and compliance

Category: AI,Risk Assessment,Security Compliance — disc7 @ 9:11 am

AI is revolutionizing audit, risk, and compliance by streamlining processes through automation. Tasks like data collection, control testing, and risk assessments, which were once time-consuming, are now being done faster and with more precision. This allows teams to focus on more critical strategic decisions.

In auditing, AI identifies anomalies and uncovers patterns in real-time, enhancing both the depth and accuracy of audits. AI’s ability to process large datasets also helps maintain compliance with evolving regulations like the EU’s AI Act, while mitigating human error.

Beyond audits, AI supports risk management by providing dynamic insights that adapt to changing threat landscapes. This enables continuous risk monitoring rather than periodic reviews, making organizations more responsive to emerging risks, including cybersecurity threats.

AI also plays a crucial role in bridging the gap between cybersecurity, compliance, and ESG (Environmental, Social, Governance) goals. It integrates these areas into a single strategy, allowing businesses to track and manage risks while aligning with sustainability initiatives and regulatory requirements.

For more details, visit here

AI Security risk assessment quiz

AI Management System Certification According to the ISO/IEC 42001 Standard

Responsible AI in the Enterprise: Practical AI risk management for explainable, auditable, and safe models with hyperscalers and Azure OpenAI

Previous posts on AI

Implementing BS ISO/IEC 42001 will demonstrate that you’re developing AI responsibly

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: AI audit, AI compliance, AI risk assessment, AI Risk Management

Comments (5)

Sep 25 2024

How to Address AI Security Risks With ISO 27001

Category: AI,ISO 27k,Risk Assessment — disc7 @ 10:10 am

The blog post discusses how ISO 27001 can help address AI-related security risks. AI’s rapid development raises data security concerns. Bridget Kenyon, a CISO and key figure in ISO 27001:2022, highlights the human aspects of security vulnerabilities and the importance of user education and behavioral economics in addressing AI risks. The article suggests ISO 27001 offers a framework to mitigate these challenges effectively.

The impact of AI on security | How ISO 27001 can help address such risks and concerns.

For more information, you can visit the full blog here.

Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: AI Security Risks

Comments (19)

Sep 03 2024

AI Risk Management

Category: AI,Risk Assessment — disc7 @ 8:56 am

The IBM blog on AI risk management discusses how organizations can identify, mitigate, and address potential risks associated with AI technologies. AI risk management is a subset of AI governance, focusing specifically on preventing and addressing threats to AI systems. The blog outlines various types of risks—such as data, model, operational, and ethical/legal risks—and emphasizes the importance of frameworks like the NIST AI Risk Management Framework to ensure ethical, secure, and reliable AI deployment. Effective AI risk management enhances security, decision-making, regulatory compliance, and trust in AI systems.

AI risk management can help close this gap and empower organizations to harness AI systems’ full potential without compromising AI ethics or security.

Understanding the risks associated with AI systems

Like other types of security risk, AI risk can be understood as a measure of how likely a potential AI-related threat is to affect an organization and how much damage that threat would do.

While each AI model and use case is different, the risks of AI generally fall into four buckets:

Data risks
Model risks
Operational risks
Ethical and legal risks

The NIST AI Risk Management Framework (AI RMF)

In January 2023, the National Institute of Standards and Technology (NIST) published the AI Risk Management Framework (AI RMF) to provide a structured approach to managing AI risks. The NIST AI RMF has since become a benchmark for AI risk management.

The AI RMF’s primary goal is to help organizations design, develop, deploy and use AI systems in a way that effectively manages risks and promotes trustworthy, responsible AI practices.

Developed in collaboration with the public and private sectors, the AI RMF is entirely voluntary and applicable across any company, industry or geography.

The framework is divided into two parts. Part 1 offers an overview of the risks and characteristics of trustworthy AI systems. Part 2, the AI RMF Core, outlines four functions to help organizations address AI system risks:

Govern: Creating an organizational culture of AI risk management
Map: Framing AI risks in specific business contexts
Measure: Analyzing and assessing AI risks
Manage: Addressing mapped and measured risks

For more details, visit the full article here.

Predictive analytics for cyber risks

Predictive analytics offers significant benefits in cybersecurity by allowing organizations to foresee and mitigate potential threats before they occur. Using methods such as statistical analysis, machine learning, and behavioral analysis, predictive analytics can identify future risks and vulnerabilities. While challenges like data quality, model complexity, and evolving threats exist, employing best practices and suitable tools can improve its effectiveness in detecting cyber threats and managing risks. As cyber threats evolve, predictive analytics will be vital in proactively managing risks and protecting organizational information assets.

Trust Me: ISO 42001 AI Management System is the first book about the most important global AI management system standard: ISO 42001. The ISO 42001 standard is groundbreaking. It will have more impact than ISO 9001 as autonomous AI decision making becomes more prevalent.

Why Is AI Important?

AI autonomous decision making is all around us. It is in places we take for granted such as Siri or Alexa. AI is transforming how we live and work. It becomes critical we understand and trust this prevalent technology:

“Artificial intelligence systems have become increasingly prevalent in everyday life and enterprise settings, and they’re now often being used to support human decision making. These systems have grown increasingly complex and efficient, and AI holds the promise of uncovering valuable insights across a wide range of applications. But broad adoption of AI systems will require humans to trust their output.” (Trustworthy AI, IBM website, 2024)

Trust Me – ISO 42001 AI Management System

Enhance your AI (artificial intelligence) initiatives with ISO 42001 and empower your organization to innovate while upholding governance standards.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: AI Governance, AI Risk Management, artificial intelligence, security risk management

Comments (3)

Jul 16 2024

Understanding Compliance With the NIST AI Risk Management Framework

Category: NIST Privacy,Risk Assessment — disc7 @ 10:06 am

Understanding Compliance With the NIST AI Risk Management Framework

Incorporating artificial intelligence (AI) seems like a logical step for businesses looking to maximize efficiency and productivity. But the adverse effects of AI use, such as data security risk and misinformation, could bring more harm than good.

According to the World Economic Forum’s Global Risks Report 2024, AI-generated misinformation and disinformation are among the top global risks businesses face today.

To address the security risks posed by the increasing use of AI technologies in business processes, the National Institute of Standards and Technology (NIST) release d the Artificial Intelligence Risk Management Framework (AI RMF 1.0) in January 2023.

Adhering to this framework not only puts your organization in strong position to avoid the dangers of AI-based exploits, it also adds an impressive type of compliance to your portfolio, instilling confidence in external stakeholders. Moreover, while NIST AI RMF is more of a guideline than a regulation, today there are several AI laws in the process of being enacted, so adhering to NIST’s framework helps CISOs to future-proof their AI compliance postures.

Let’s examine the four key pillars of the framework – govern, map, measure and manage – and see how you can incorporate them to better protect your organization from AI-related risks.

1.Establish AI Governance Structures

In the context of NIST AI RMF, governance is the process of establishing processes, procedures, and standards that guide responsible AI development, deployment, and use. Its main goal is to connect the technical aspect of AI system design and development with organizational goals, values, and principles.

Strong governance starts from the top, and NIST recommends establishing accountability structures with the appropriate teams responsible for AI risk management, under the framework’s “Govern” function. These teams will be responsible for putting in place structures, systems and processes, with the end goal of establishing a strong culture of responsible AI use throughout the organization.

Using automated tools is a great way to streamline the often tedious process of policy creation and governance. “We view it as our responsibility to help organizations maximize the benefits of AI while effectively mitigating the risks and ensuring compliance with best practices and good governance,” said Arik Solomon, CEO of Cypago, a SaaS platform that automates governance, risk management, and compliance (GRC) processes in line with the latest frameworks.

“These latest features ensure that Cypago supports the newest AI and cyber governance frameworks, enabling GRC and cybersecurity teams to automate GRC with the most up-to-date requirements.”

Rather than existing as a stand-alone component, governance should be incorporated into every other NIST AI RMF function, particularly those associated with assessment and compliance. This will foster a strong organizational risk culture and improve internal processes and standards.

2.Map And Categorize AI Systems

The framework’s “Map” function supports governance efforts while also providing a foundation for measuring and managing risk. It’s here that the risks associated with an AI system are put into context, which will ultimately determine the appropriateness or need for the given AI solution.

As Opice Blum data privacy expert Henrique Fabretti Moraes explained, “Mapping the tools in use – or those intended for use – is crucial for understanding and fine-tuning acceptable use policies and potential mitigation measures to decrease the risks involved in their utilization.”

But how do you actually put this mapping process into practice?

NIST recommends the following approach:

Clearly establish why you need or want to implement the AI system. What are the expectations? What are the prospective settings where the system will be deployed? You should also determine the organizational risk tolerance for operating the system.
Map all of the risks and benefits associated with using the system. Here is where you should also determine your risk tolerance, not only with monetary costs but also those stemming from AI errors or malfunctions.
Analyze the likelihood and magnitude of the impact the AI system will have on the organization, including employees, customers, and society as a whole.

3.Measure AI Performance and Risk

The “Measure” function utilizes qualitative and quantitative techniques to analyze and monitor the AI-related risks identified in the “Map” function.

AI systems should be tested before deployment and frequently thereafter. But measuring risk with AI systems can be tricky. The technology is fairly new, so there are no standardized metrics yet. This might change in the near future, as developing these metrics is a high priority for many consulting firms. For example, Ernst & Young (EY) is developing an AI Confidence Index.

“Our confidence index is founded on five criteria – privacy and security, bias and fairness, reliability, transparency and explainability, and the last is accountability,” noted Kapish Vanvaria, EY Americas Risk Market Leader. The other axis includes regulations and ethics.

“Then you can have a heat map of the different processes you’re looking at and the functions in which they’re deployed,” he says. “And you can go through each one and apply a weighted scoring method to it.”

In the NIST framework’s priorities, there are three main components of an AI system that must be measured: trustworthiness, social impact, and how humans interact with the system. The measuring process will likely consist of extensive software testing, performance assessments and benchmarks, along with reporting and documentation of results.

4.Adopt Risk Management Strategies

The “Manage” function puts everything together by allocating the necessary resources to regularly attend to uncovered risks during the previous stages. The means to do so are typically determined with governance efforts, and can be in the form of human intervention, automated tools for real-time detection and response, or other strategies.

To manage AI risks effectively, it’s crucial to maintain ongoing visibility across all organizational tools, applications, and models. AI should not be handled as a separate entity but integrated seamlessly into a comprehensive risk management framework.

Ayesha Gulley, an AI policy expert from Holistic AI, urges businesses to adopt risk management strategies early, taking into account five factors: robustness, bias, privacy, exploitability and efficacy. Holistic’s software platform includes modules for AI auditing and risk posture reporting.

“While AI risk management can be started at any point in the project development,” she said, “implementing a risk management framework sooner than later can help enterprises increase trust and scale with confidence.”

Evolve With AI

The NIST AI Framework is not designed to restrict the efficient use of AI technology. On the contrary, it aims to encourage adoption and innovation by providing clear guidelines and best practices for developing and using AI securely and responsibly.

Implementing the framework will not only help you reach compliance standards but also make your organization much more capable of maximizing the benefits of AI technologies without compromising on risk.

AI-RMF A Practical Guide for NIST AI Risk Management Framework

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: NIST AI Risk Management Framework

Jun 11 2024

YOUR AZURE SECURITY AT RISK? HOW HACKERS ARE EXPLOITING AZURE SERVICE TAGS (AND HOW TO STOP THEM)?

Category: Hacking,Risk Assessment — disc7 @ 8:24 am

Your Azure Security at Risk? How Hackers Are Exploiting Azure Service Tags (And How to Stop Them)?

A significant security vulnerability has been discovered by Tenable Research that affects Azure customers relying on Service Tags for their firewall rules. This vulnerability allows attackers to bypass Azure firewall rules, posing a substantial risk to organizations using these configurations. Here’s an in-depth look at the vulnerability, how it can be exploited, and crucial defensive measures to mitigate the risk.

Azure Security

INITIAL DISCOVERY IN AZURE APPLICATION INSIGHTS

Tenable Research initially uncovered the vulnerability within Azure Application Insights, a service designed to monitor and analyze web applications’ performance and availability. The Availability Tests feature of Azure Application Insights, intended to check the accessibility and performance of applications, was found to be susceptible to abuse. Users can control server-side requests in these tests, including adding custom headers and changing HTTP methods. This control can be exploited by attackers to forge requests from trusted services, mimicking a server-side request forgery (SSRF) attack.

EXPANSION TO MORE THAN 10 OTHER AZURE SERVICES

Upon further investigation, Tenable Research found that the vulnerability extends beyond Azure Application Insights to more than 10 other Azure services. These include:

Azure DevOps
Azure Machine Learning
Azure Logic Apps
Azure Container Registry
Azure Load Testing
Azure API Management
Azure Data Factory
Azure Action Group
Azure AI Video Indexer
Azure Chaos Studio

Each of these services allows users to control server-side requests and has an associated Service Tag, creating potential security risks if not properly mitigated.

HOW ATTACKERS CAN EXPLOIT THE VULNERABILITY

Attackers can exploit the vulnerability in Azure Service Tags by abusing the Availability Tests feature in Azure Application Insights. Below are detailed steps and examples to illustrate how an attacker can exploit this vulnerability:

1. Setting Up the Availability Test:

Example Scenario: An attacker identifies an internal web service within a victim’s Azure environment that is protected by a firewall rule allowing traffic only from Azure Application Insights.
Action: The attacker sets up an Availability Test in Azure Application Insights, configuring it to target the internal web service.

2. Customizing the Request:

Manipulating Headers: The attacker customizes the HTTP request headers to include authorization tokens or other headers that may be expected by the target service.
Changing HTTP Methods: The attacker can change the HTTP method (e.g., from GET to POST) to perform actions such as submitting data or invoking actions on the target service.
Example Customization: The attacker configures the test to send a POST request with a custom header “Authorization: Bearer <malicious-token>”.

3. Sending the Malicious Request:

Firewall Bypass: The crafted request is sent through the Availability Test. Since it originates from a trusted Azure service (Application Insights), it bypasses the firewall rules based on Service Tags.
Example Attack: The Availability Test sends the POST request with the custom header to the internal web service, which processes the request as if it were from a legitimate source.

4. Accessing Internal Resources:

Unauthorized Access: The attacker now has access to internal APIs, databases, or other services that were protected by the firewall.
Exfiltration and Manipulation: The attacker can exfiltrate sensitive data, manipulate internal resources, or use the access to launch further attacks.
Example Impact: The attacker retrieves confidential data from an internal API or modifies configuration settings in an internal service.

DETAILED EXAMPLE OF EXPLOIT

Scenario: An organization uses Azure Application Insights to monitor an internal financial service. The service is protected by a firewall rule that allows access only from the ApplicationInsightsAvailability Service Tag.

Deploying an Internal Azure App Service:
- The organization has a financial application hosted on an Azure App Service with firewall rules configured to accept traffic only from the ApplicationInsightsAvailability Service Tag.
Attempted Access by the Attacker:
- The attacker discovers the endpoint of the internal financial application and attempts to access it directly. The firewall blocks this attempt, returning a forbidden response.
Exploiting the Vulnerability:
- Setting Up the Test: The attacker sets up an Availability Test in Azure Application Insights targeting the internal financial application.
- Customizing the Request: The attacker customizes the test to send a POST request with a payload that triggers a financial transaction, adding a custom header “Authorization: Bearer <malicious-token>”.
- Sending the Request: The Availability Test sends the POST request to the internal financial application, bypassing the firewall.
Gaining Unauthorized Access:
- The financial application processes the POST request, believing it to be from a legitimate source. The attacker successfully triggers the financial transaction.
- Exfiltration: The attacker sets up another Availability Test to send GET requests with custom headers to extract financial records from the application.

ADVANCED EXPLOITATION TECHNIQUES

1. Chain Attacks:

Attackers can chain multiple vulnerabilities or services together to escalate their privileges and impact. For example, using the initial access gained from the Availability Test to find other internal services or to escalate privileges within the Azure environment.

2. Lateral Movement:

Once inside the network, attackers can move laterally to compromise other services or extract further data. They might use other Azure services like Azure DevOps or Azure Logic Apps to find additional entry points or sensitive data.

3. Persistent Access:

Attackers can set up long-term Availability Tests that periodically execute, ensuring continuous access to the internal services. They might use these persistent tests to maintain a foothold within the environment, continuously exfiltrating data or executing malicious activities.

DEFENSIVE MEASURES

To mitigate the risks associated with this vulnerability, Azure customers should implement several defensive measures:

1. Analyze and Update Network Rules:

Conduct a thorough review of network security rules.
Identify and analyze any use of Service Tags in firewall rules.
Assume services protected only by Service Tags may be vulnerable.

2. Implement Strong Authentication and Authorization:

Add robust authentication and authorization mechanisms.
Use Azure Active Directory (Azure AD) for managing access.
Enforce multi-factor authentication and least privilege principles.

3. Enhance Network Isolation:

Use network security groups (NSGs) and application security groups (ASGs) for granular isolation.
Deploy Azure Private Link to keep traffic within the Azure network.

4. Monitor and Audit Network Traffic:

Enable logging and monitoring of network traffic.
Use Azure Monitor and Azure Security Center to set up alerts for unusual activities.
Regularly review logs and audit trails.

5. Regularly Update and Patch Services:

Keep all Azure services and applications up to date with security patches.
Monitor security advisories from Microsoft and other sources.
Apply updates promptly to minimize risk.

6. Use Azure Policy to Enforce Security Configurations:

Deploy Azure Policy to enforce security best practices.
Create policies that require strong authentication and proper network configurations.
Use Azure Policy initiatives for consistent application across resources.

7. Conduct Security Assessments and Penetration Testing:

Perform regular security assessments and penetration testing.
Engage with security experts or third-party services for thorough reviews.
Use tools like Azure Security Benchmark and Azure Defender.

8. Educate and Train Staff:

Provide training on risks and best practices related to Azure Service Tags and network security.
Ensure staff understand the importance of multi-layered security.
Equip teams to implement and manage security measures effectively.

https://www.securitynewspaper.com/2024/05/16/how-to-implement-principle-of-least-privilegecloud-security-in-aws-azure-and-gcp-cloud/embed/#?secret=4TeHUyw59w#?secret=RHf1cNP2eR

The vulnerability discovered by Tenable Research highlights significant risks associated with relying solely on Azure Service Tags for firewall rules. By understanding the nature of the vulnerability and implementing the recommended defensive measures, Azure customers can better protect their environments and mitigate potential threats. Regular reviews, updates, and a multi-layered security approach are essential to maintaining a secure Azure environment.

Azure Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Azure Security

Measuring and Managing Information Risk: A FAIR Approach

Apr 12 2024

An Adoption Guide
For FAIR

Category: Risk Assessment,Security Risk Assessment — disc7 @ 8:44 am

Via RiskLens

Factor Analysis of Information Risk (FAIR), a powerful methodology for assessing and quantifying information risks. Here’s a comprehensive overview:

1. What Is FAIR?
a. FAIR, short for Factor Analysis of Information Risk, is a quantitative risk quantification methodology designed to help businesses evaluate information risks.
b. It stands out as the only international standard quantitative model framework that addresses both operational risk and information security.
c. Mature organizations that utilize Integrated Risk Management (IRM) solutions significantly benefit from FAIR.

2. Objective of FAIR:
a. The primary goal of FAIR is to support existing frameworks and enhance risk management strategies within organizations.
b. Unlike cybersecurity frameworks (such as NIST CSF), FAIR is not a standalone framework. Instead, it complements other industry-standard frameworks like NIST, ISO 2700x, and more.
c. As organizations shift from a compliance-based approach to a risk-based approach, they need a quantitative risk methodology to support this transition.

3. How FAIR Differs from Legacy Risk Quantification Methods:
a. FAIR is not a black-box approach like traditional penetration testing. Instead, it operates as a “glass-box” method.
b. Legacy methods focus on penetration testing without internal knowledge of the target system. While they identify vulnerabilities, they cannot provide the financial impact of risks.
c. In contrast, FAIR translates an organization’s loss exposure into financial terms, enabling better communication between technical teams and non-technical leaders.
d. FAIR provides insights into how metrics were derived, allowing Chief Information Security Officers (CISOs) to present detailed information to board members and executives.

4. Benefits of FAIR:
a. Financial Context: FAIR expresses risks in dollars and cents, making it easier for decision-makers to understand.
b. Risk Gap Identification: FAIR helps organizations efficiently allocate resources to address risk gaps.
c. Threat Level Scaling: Unlike other frameworks, FAIR scales threat levels effectively.
d. Board Engagement: FAIR fosters interest in cybersecurity among board members and non-technical leaders.

5. Drawbacks of FAIR:
a. Complexity: FAIR lacks specific, well-defined documentation of its methods.
b. Complementary Methodology: FAIR is not an independent risk assessment tool; it complements other frameworks.
c. Probability-Based: While FAIR’s probabilities are not baseless, they may not be entirely accurate due to the unique nature of cyber-attacks and their impact.

In summary, FAIR revolutionizes risk analysis by providing a quantitative, financially oriented perspective on information risk. It bridges the gap between technical and non-technical stakeholders, enabling better risk management decisions.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: A FAIR Approach

RISK ASSESSMENT: AN INDEPTH GUIDE TO PRINCIPLES, METHODS, BEST PRACTISE, AND INTERVIEW QUESTIONS AND ANSWERS

Sep 20 2023

Balancing budget and system security: Approaches to risk tolerance

Category: Risk Assessment,Security Risk Assessment — disc7 @ 10:56 am

Balancing budget and system security: Approaches to risk tolerance

Recently, it was revealed that Nickelodeon, an American TV channel and brand, has been the victim of a data leak. According to sources, the breach occurred at the beginning of 2023, but much of the data involved was “related to production files only, not long-form content or employee or user data, and (appeared) to be decades old.” The implication of this ambiguous statement: because the data is old and not related to individuals’ personally identifiable information (PII) or any proprietary information that hasn’t already been publicly released, this is a non-incident.

Let’s say Nickelodeon didn’t suffer any material harm because of this incident — great! It’s probable, though, that there are facts we don’t know. Any time proprietary data ends up where it shouldn’t, warning bells should go off in security professionals’ heads. What would be the outcome if the “decades old” files did contain PII? Some of the data would be irrelevant, but some could be crucial. What if the files contained other protected or private data? What if they compromised the integrity of the brand? All organizations need to think through the “what ifs” and apply the worst and base case scenarios to their current security practices.

The Nickelodeon case raises the question of whether keeping “decades old” data is necessary. While holding onto historical data can, in some cases, benefit the organization, every piece of kept data increases the company’s attack surface and increases risk. Why did Nickelodeon keep the old files in a location where it could be easily accessed? If the files were in a separate location, the security team likely did not apply adequate controls to accessing the files. Given that the cost of securing technology and all its inherent complexity is already astronomically high, CISOs need to prioritize budgetary and workforce allocation for all security projects and processes, including those for all past, present, and future data protection.

In a slow economy, balancing system security and budget requires skill and savvy. Even in boom times, though, throwing more money at the problem doesn’t always help. There is no evidence that an increase in security spending proportionately improves an organization’s security posture. In fact, some studies suggest that an overabundance of security tools leads to more confusion and complexity. CISOs should therefore focus on business risk tolerance and reduction.

Approaches to cyber risk management

Because no two organizations are alike, every CISO must find a cyber risk management approach that aligns with the goals, culture, and risk tolerance of the organization. Budget plays an important role here, too, but securing more budget will be an easier task if the security goals align with those of the business. After taking stock of these considerations, CISOs may find that their organizations fall into one or more core approaches to risk management.

Risk tolerance-based approach

Every company– and even every department within a company– has a tolerance for the amount and type of risk they’re willing to take. Security-specific tolerance levels must be based on desired business outcomes; cyber security risk cannot be determined or calculated based on cybersecurity efforts alone, rather how those efforts support the larger business.

To align cybersecurity with business risk, security teams must address business resilience by considering the following questions:

How would the business be impacted if a cybersecurity event were to occur?
What are the productivity, operational, and financial implications of a cyber event or data breach?
How well equipped is the business to handle an event internally?
What external resources would be needed to support internal capabilities?

With answers to these types of questions and metrics to support them, cyber risk levels can be appropriately set.

Maturity-based approach

Many companies today estimate their cyber risk tolerance based on how mature they perceive their cybersecurity team and controls to be. For instance, companies with an internal security operations center (SOC) that supports a full complement of experienced staff might be better equipped to handle continuous monitoring and vulnerability triage than a company just getting its security team up and running. Mature security teams are good at prioritizing and remediating critical vulnerabilities and closing the gaps on imminent threats, which generally gives them a higher security risk tolerance.

That said, many SOC teams are too overwhelmed with data, alerts, and technology maintenance to focus on risk reduction. The first thing a company must do if it decides to take on a maturity-based approach is to honestly assess its own level of security maturity, capabilities, and efficacy. A truly mature cybersecurity organization isbetter equipped to manage risk, but self-awareness is vital for security teams regardless of maturity level.

Budget-based approach

Budget constraints are prevalent in all aspects of business today, and running a fully staffed, fully equipped cybersecurity program is no bargain in terms of cost. However, organizations with an abundance of staff and technology don’t necessarily perform better security- or risk-wise. It’s all about being budget savvy for what will be a true compliment to existing systems.

Invest in tools that move the organization toward a zero trust-based architecture, focusing on security foundation and good hygiene first. By laying the right foundations, and having competent staff to manage them, cybersecurity teams will be better off than having the latest and greatest tools implemented without mastering the top CIS Controls: Inventory and control of enterprise and software assets, basic data protection, secure configuration management, hardened access management, log management, and more.

Threat-based approach

An important aspect of a threat-based approach to risk management is understanding that vulnerabilities and threats are not the same thing. Open vulnerabilities can lead to threats (and should therefore be a standard part of every organization’s security process and program). “Threats,” however, refer to a person/persons or event in which a vulnerability has the potential to be exploited. Threats also rely on context and availability of a system or a resource.

For instance, the Log4Shell exploit took advantage of a Log4j vulnerability. The vulnerability resulted in a threat to organizations with an unpatched version of the utility running. Organizations that were not running unpatched versions — no threat.

It is therefore imperative for organizations to know concretely:

All assets and entities present in their IT estates
The security hygiene of those assets (point in time and historical)
Context of the assets (non-critical, business-critical; exposed to the internet or air-gapped; etc.)
Implemented and operational controls to secure those assets

With this information and context, security teams can start to build threat models appropriate for the organization and its risk tolerance. The threat models used will, in turn, allow teams to prioritize and manage threats and more effectively reduce risk.

People, process and technology-based approach

People, process, and technology (PPT) are often considered the “three pillars” of technology. Some security pros consider PPT to be a framework. Through whatever lens PPT is viewed, it is the most comprehensive approach to risk management.

A PPT approach has the goal of allowing security teams to holistically manage risk while incorporating an organization’s maturity, budget, threat profile, human resources, skill sets, and the entirety of the organization’s tech stack, as well as its operations and procedures, risk appetite, and more. A well-balanced PPT program is a multi-layered plan that relies evenly on all three pillars; any weakness in one of the areas tips the scales and makes it harder for security teams to achieve success — and manage risk.

The wrap up

Every organization should carefully evaluate its individual capabilities, business goals, and available resources to determine the best risk management strategy for them. Whichever path is chosen, it is imperative for security teams to align with the business and involve organizational stakeholders to ensure ongoing support.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: risk tolerance

In what situations would a vCISO Service be appropriate?

Mar 12 2023

Security Risk Assessment Services

Category: Risk Assessment,Security Risk Assessment — DISC @ 11:16 pm

Security risk assessment services are crucial in the cybersecurity industry as they help organizations identify, analyze, and mitigate potential security risks to their systems, networks, and data. Here are some opportunities for providing security risk assessment services within the industry:

Conducting Vulnerability Assessments: As a security risk assessment service provider, DISC can conduct vulnerability assessments to identify potential vulnerabilities in an organization’s systems, networks, and applications. You can then provide recommendations to mitigate these vulnerabilities and enhance the organization’s overall security posture.
Performing Penetration Testing: Penetration testing involves simulating a real-world attack on an organization’s systems and networks to identify weaknesses and vulnerabilities. As a security risk assessment service provider, DISC can perform penetration testing to identify potential security gaps and provide recommendations to improve security.
Risk Management: DISC can help organizations identify and manage risks associated with their information technology systems, data, and operations. This includes assessing potential threats, analyzing the impact of these threats, and developing plans to mitigate them.
Compliance Assessment: DISC can help organizations comply with regulatory requirements by assessing their compliance with industry standards such as ISO 27001, HIPAA, or NIST-CSF. DISC can then provide recommendations to ensure that the organization remains compliant with these standards.
Cloud Security Assessments: As more organizations move their operations to the cloud, there is a growing need for security risk assessment services to assess the security risks associated with cloud-based systems and applications. As a service provider, DISC can assess cloud security risks and provide recommendations to ensure the security of the organization’s cloud-based operations.
Security Audit Services: DISC can provide security audit services to assess the overall security posture of an organization’s systems, networks, and applications. This includes reviewing security policies, processes, and procedures and providing recommendations to improve security.

By providing these services, DISC can help organizations identify potential security risks and develop plans to mitigate them, thereby enhancing their overall security posture.

Transition plan from ISO 27001 2013 to ISO 27001 2022

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form

Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Security Risk Assessment

Feb 27 2023

Understanding Cyber Risk Quantification: The Buyer’s Guide” by Jack Jones

Category: Risk Assessment,Security Risk Assessment — DISC @ 11:42 am

Version 2 Updated for Release – February 2023.

From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn’t), its value proposition and limitations, and facts regarding the misperceptions that are commonplace.

If you’re considering or are actively shopping for an analysis solution that treats cyber risk in financially-based business terms, Jack’s extensive, jargon-free guide — including an evaluation checklist — will give you the objective and practical advice you need.

And just in time. There’s never been more interest or, frankly, confusion in the marketplace over what exactly is cyber risk quantification. As you’ll read in this buyer guide, many solutions may count vulnerabilities, provide ordinal values, or deliver numeric “maturity” scores but don’t measure risk, let alone put a financial value on it to help make business decisions.

This paper answers questions such as:

What does CRQ provide that I’m not already getting from other cyber risk-related measurements?
What makes CRQ reliable? Why should I believe the numbers?
Do I have enough data to run an analysis?

Jack also provides red flags to look out for in CRQ solutions, such as:

Mis-identification of risks.
Mis-use of control frameworks as risk measurement tools.
Over-simplification that can result in poorly-informed decisions, especially when performed at scale.

The ‘Understanding Cyber Risk Quantification’ guide is designed to be of use to security and risk executives, industry analysts, consultants, auditors, investors, and regulators–essentially anyone who has a stake in how well cyber risk is managed.

Download Below

DOWNLOAD NOW

Tags: CRQ, cyber risk quantification