May 25 2021

A leadership guide for mitigating security risks with low code platforms

Category: Risk Assessment,Security Risk AssessmentDISC @ 8:32 am
A leadership guide for mitigating security risks with low code platforms

The lingering question of application code security follows, as stories of security breaches continue to pour, and remote teams across the world adopt low code for faster application delivery. Even as Gartner predicts that 65% of applications will be built using the low-code paradigm by 2024, it is important to understand the security implications that come with it and discuss how we can mitigate possible risks.

Most low code platforms enable non-technical users to build applications quickly and offer in-built security for various aspects of the application, such as APIs, data access, web front-ends, deployment, etc. Some go deeper with functionalities purpose-built for professional developers, with abilities to customize at a platform level. That said, no platform can claim to be the silver bullet when it comes to abstracting all security risks.

Business leaders should assess both internal and external risks that arise, and make sure there are certain guard rails enforced to secure low code-built applications. Let’s discuss some of these in detail.

The Enterprise Risk Management Program (ERMP) Guide provides program-level risk management guidance that directly supports your organization’s policies and standardizes the management of cybersecurity risk and also provides access to an editable Microsoft Word document template that can be utilized for baselining your organizations risk management practices. Unfortunately, most companies lack a coherent approach to managing risks across the enterprise:When you look at getting audit ready, your policies and standards only cover the “why?” and “what?” questions of an audit. This product addresses the “how” questions for how your company manages risk.

The ERMP provides clear, concise documentation that provides a “paint by numbers” approach to how your organization manages risk.The ERMP addresses fundamental needs when it comes to what is expected in cybersecurity risk management, how risk is defined, who can accept risk, how risk is calculated by defining potential impact and likelihood, necessary steps to reduce risk.Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from an HR perspective, the ERMP does this from a cybersecurity risk management perspective.Regardless if your cybersecurity program aligns with NIST, ISO, or another framework, the Enterprise Risk Management Program (ERMP) is designed to address the strategic, operational and tactical components of IT security risk management for any organization.

Policies & standards are absolutely necessary to an organization, but they fail to describe HOW risk is actually managed. The ERMP provides this middle ground between high-level policies and the actual procedures of how risk is managed on a day-to-day basis by those individual contributors who execute risk-based controls.

May 03 2021

Risk-based vulnerability management has produced demonstrable results

Category: Risk Assessment,Security Risk AssessmentDISC @ 7:44 am
Risk-based vulnerability management has produced demonstrable results

Risk-based vulnerability management

Risk-based vulnerability management doesn’t ask “How do we fix everything?” It merely asks, “What do we actually need to fix?” A series of research reports from the Cyentia Institute have answered that question in a number of ways, finding for example, that attackers are more likely to develop exploits for some vulnerabilities than others.

Research has shown that, on average, about 5 percent of vulnerabilities actually pose a serious security risk. Common triage strategies, like patching every vulnerability with a CVSS score above 7 were, in fact, no better than chance at reducing risk.

But now we can say that companies using RBVM programs are patching a higher percentage of their high-risk vulnerabilities. That means they are doing more, and there’s less wasted effort. (Which is especially good because patch management is resource constrained.)

The time it took companies to patch half of their high-risk vulnerabilities was 158 days in 2019. This year, it was 27 days.

And then there is another measure of success. Companies start vulnerability management programs with massive backlogs of vulnerabilities, and the number of vulnerabilities only grows each year. Last year, about two-thirds of companies using a risk-based system reduced their vulnerability debt or were at least treading water. This year, that number rose to 71 percent.

When a company discloses that their networks have been breached and that their data has been stolen or encrypted for ransom, there is a steady drumbeat of critics. The company, these critics contend, is somehow at fault. Its security team didn’t do EVERYTHING it could have to prevent the breach. The proof of this doesn’t lie in knowledge of what preventative steps the security team did, but in the fact that it got breached. Victim blaming was alive and well in cybersecurity.

Thankfully, this mindset is fading away. But when cybersecurity companies with risk-based approaches began entering the market, they faced headwinds from the security nihilism crowd who thought if you can’t fix everything, then “why bother?”

We can now say that, when it comes to vulnerability management – a complex, yet fundamental cybersecurity discipline – the risk-based approach has produced clear results. The proof is in the data.

Enterprises that use risk-based approaches to vulnerability management are getting faster and smarter at this foundational cybersecurity discipline. They are doing less work and seeing more impactful security improvements. It’s encouraging to see these year-over-year improvements and we believe this trend is likely to continue.

Risk Based Vulnerability Management 

Risk Based Vulnerability Management A Complete Guide - 2019 Edition by [Gerardus Blokdyk]

Tags: Risk-based vulnerability management

Apr 17 2021

Infection Monkey: Open source tool allows zero trust assessment of AWS environments

Category: Security Risk Assessment,Zero trustDISC @ 10:58 am
Infection Monkey: Open source tool allows zero trust assessment of AWS environments

Guardicore unveiled new zero trust assessment capabilities in Infection Monkey, its open source breach and attack simulation tool. Available immediately, security professionals will now be able to conduct zero trust assessments of AWS environments to help identify the potential gaps in an organization’s AWS security posture that can put data at risk.

zero trust AWS

Infection Monkey helps IT security teams assess their organization’s resiliency to unauthorized lateral movement both on-premises and in the cloud.

The tool enables organizations to see the network through the eyes of a knowledgeable attacker – highlighting the exploits, vulnerabilities and pathways they’re most likely to exploit in your environment.

Zero trust maturity assessment in AWS

New integrations with Scout Suite, an open source multi-cloud security auditing tool, enable Infection Monkey to run zero trust assessments of AWS environments.

Infection Monkey highlights the potential security issues and risks in cloud infrastructure, identifying the potential gaps in AWS security posture. It presents actionable recommendations and risks within the context of the zero trust framework’s key components established by Forrester.

Expanded MITRE ATT&CK techniques

Infection Monkey applies the latest MITRE ATT&CK techniques to its simulations to help organizations harden their systems against the latest threats and attack techniques. The four newest ATT&CK techniques the software can equip are:

  • Signed script proxy execution (T1216)
  • Account discovery (T1087)
  • Indicator removal on host: timestomp (T1099)
  • Clear command history: (T1146)

InfoSec Shop

Tags: AWS environments

Mar 29 2021

Understanding Cyber Risk Quantification – A Four Minute Journey Into Your Future

Category: Risk Assessment,Security Risk AssessmentDISC @ 10:56 pm

Cyber Risk Quantification (CRQ) is now viewed as a core pillar of any effective Integrated Risk Management program. This short explainer video walks you through and gives you a glimpse into your future as a top tier cyber risk management organization. 

A FAIR Approach

Tags: A FAIR Approach, cyber risk quantification

Mar 17 2021

Why is financial cyber risk quantification important?

Category: Risk Assessment,Security Risk Assessment,Vendor AssessmentDISC @ 10:13 am
Why is financial cyber risk quantification important?

In its 10th annual Risk Barometer, Allianz found that cyber incidents ranked third in a list of the most important global business risks for the upcoming year, coming in second behind risks stemming from the pandemic itself. We can expect cyber incidents to increase in frequency and sophistication as cyber criminals continue to leverage the various security lapses that accompany remote workforces.

However, something that has changed recently is how business leaders and boards of directors are viewing cyber risk. While previously seen as an issue solely for security and technology leaders to manage, executives are now pressuring security departments to financially quantify cyber risks facing their organizations.

In fact, a recent survey of 100 senior security professionals found that 70% of respondents have received pressure to produce cyber risk quantification for their business. Further, half of the respondents reported they have a lack of confidence in their ability to communicate and report the financial impacts of cyber risks, with a quarter saying they do not have a cyber risk quantification technology deployed at their company.

Why are executives pressuring CISOs to start financially quantifying cyber risk for their business? This process allows CISOs to identify and rank risk scenarios that are most critical to their enterprise, based on factors such as which attacks would have the biggest financial impact, and how equipped the company is to defend itself against any given attack.

Automated risk quantification makes this process even easier, removing the guesswork out of these decisions and streamlining the process of getting to actionable information. The potential for human error and subjectivity are removed completely from the equation.

Previously, security leaders have relied on theoretical models of risk like the Common Vulnerability Scoring System (CVSS). Even with this system, it can be difficult to prioritize the vulnerabilities that rank highest in terms of severity. This is even more challenging for leaders across the enterprise who may be unfamiliar with this system. Cyber risk quantification provides security leaders with a way to communicate the most pressing cyber threats facing a company that do not rely on a scoring system that is incomprehensible to anyone outside of the security department.

By assigning a dollar value to potential cyber incidents, business leaders have better visibility into the most pressing – and costly – threats facing the enterprise. With this information, the business and security teams can align their efforts and prioritize the largest risks, rather than dedicating resources to lower priority risks.

Teams can focus their efforts on ensuring the business has adequate controls and processes in place to defend against the costlier risks and make additional investments accordingly. It can also make it easier for leaders and boards to justify spending more time or money to proactively defend against certain risks.

For CISOs, cyber risk quantification also provides an easier way to communicate the value of their work to leadership. Security leaders can calculate the return on investment of their tools and teams in the context of risk reduction for the enterprise. This gives leaders better visibility into the risks facing their organizations in terms that are understandable and actionable. Conversely, cyber risk quantification can help to identify any issues with an organization’s existing cybersecurity program and measure improvement over time.

Overall, shifting to this type of risk-led approach for cybersecurity will result in data-driven and actionable insights that will allow leaders across all business departments to understand and act on the most critical cyber risks facing their enterprise.

We know that attacks are going to continue, whether they’re state-sponsored or cyber criminals, and it is critical for an enterprise to have a comprehensive view into your risk landscape. Now is the time for security leaders to adopt cyber risk quantification and more easily demonstrate how cybersecurity organizations are protecting their business operations from disruption and catastrophic harm.

Why is financial cyber risk quantification important?

Cyber Risk Quantification A Complete Guide

Tags: cyber risk quantification

Mar 16 2021

Risk management in the digital world: How different is it?

Category: Risk Assessment,Security Risk AssessmentDISC @ 3:33 pm
Risk management in the digital world: How different is it?

Prioritizing and communicating risk

Last year, the number of active phishing websites increased 350% from January to March alone. Now that employees are connecting to the office from their own remote networks and not through their office’s secure network, the chance of a security breach is higher than ever. While risk managers know this already, securing company data is essential to customer trust and longevity. To prioritize risk during remote work, risk managers need to involve executives and keep them updated and educated on potential problems and solutions. Prioritizing risk now will pay dividends in the long run.

Executive teams need to buy in — simply relegating all risk-related work to risk managers isn’t enough in the end. Investing time and money to form a risk-aware culture will better educate all employees on how to avoid common scams and prepare for larger-scale problems. Without prioritization and investment in risk, companies may not make it through the next major disruption and risk major security breaches.

A risk-aware culture can’t be created overnight. Risk managers and executives must first identify the risks and find out where the company stands, aligning risk culture with the existing company culture. Then, they can implement new risk management strategies that may require drastic changes, such as new software, revised policies and educational tutorials on risk. IT teams need to be on top of their game for virtual risks, educating employees and preparing them to ask the right questions. With phishing on the rise and data at a very vulnerable point, employees must be able to assess risk on their own.

Risk management in the digital world: How different is it?

Build a Security Culture

Tags: Risk management in the digital world

Mar 12 2021

The cyber security risks of working from home

Category: cyber security,Security Risk AssessmentDISC @ 10:13 am
Luke Irwin

Organisations have had to overcome countless challenges during the pandemic, but one that has continued to cause headaches is IT security for home workers.

A remote workforce comes with myriad dangers, with employees relying on their home networks – and sometimes their own devices – and without the assurance of a member of your IT team on hand if anything goes wrong.

But unlike many COVID-19 risks, these issues won’t go away when life eventually goes back to normal. Home working will remain prominent even when employees have the choice to return to the office, with a Gartner survey finding that 47% of organizations will give employees the choice of working remotely on a full-time basis.

Meanwhile, 82% said that employees would be able to work from home at least one day a week.

As such, organisations should reconsider if they’re under the assumption that the defences they’ve implemented to protect remote workers are temporary.

Robust, permanent defences are required to tackle the array of threats they face. We explain how you can get starting, including our remote working security tips, in this blog.

Online work increases cyber security risks

Without the security protections that office systems afford us – such as firewalls and blacklisted IP addresses – and increased reliance on technology, we are far more vulnerable to cyber attacks.

The most obvious risk is that most of our tasks are conducted online. After all, if something’s on the Internet, then there’s always the possibility of a cyber criminal compromising it.

They might attempt to do this by cracking your password. This could be easier than ever if you’re reusing login credentials for the various online apps you need to stay in touch with your team.

Meanwhile, according to CISO’s Benchmark Report 2020, organizations are struggling to manage remote workers’ use of phones and other mobile devices. It found that 52% of respondents said that mobile devices are now challenging to protect from cyber threats.

You can find more tips on how to work from home safely and securely by taking a look at our new infographic.

This guide explains five of the most significant risks you and your organisation face during the coronavirus crisis.

Top 5 remote working cyber security risk

Alternatively, attackers could send phishing emails intended to trick you into either handing over your details or downloading a malicious attachment containing a keylogger.

The dangers of phishing should already be a top concern, but things are especially perilous during the coronavirus crisis.

A recent report found that there has been a 600% increase in reported phishing emails since the end of February, with many of them cashing in on the uncertainty surrounding the pandemic.

Organisations should also be concerned about remote employees using their own devices.

This might have been unavoidable given how quickly the pandemic spiralled and the suddenness of the government’s decision to implement lockdown measures.

Still, where possible, all work should be done on a corporate laptop subject to remote access security controls. This should include, at the very least, 2FA (two-factor authentication), which will mitigate the risk of a crook gaining access to an employee’s account.

This ensures that the necessary tools are in place to defend against potential risks, such as anti-malware software and up-to-date applications.

It also gives your IT team oversight of the organisation’s IT infrastructure and allows it to monitor any malicious activity, such as malware and unauthorised logins.

Control the risk

Any organisation with employees working from home must create a remote working policy to manage the risks.

If you don’t know what this should contain, our Remote Working Policy Template provides everything you need to know.

It includes guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.

Organisations should also explain the technical solutions they’ve implemented to protect sensitive data and how employees can comply. For example, we recommend applying two-factor authentication to any third-party service that you use.

Although it shouldn’t be a concern during the lockdown, your remote working policy should also address the risks that come with employees handling sensitive information in public places.

For example, when business goes back to normal, staff may well use company devices in places such as trains and cafés, where opportunistic cyber criminals can lurk without drawing attention to themselves.

Security incidents are just as likely to occur even if there isn’t a malicious actor. Consider how often you hear about employees losing their laptop, USB stick or paperwork.

Coronavirus: your biggest challenge yet

Disruption caused by COVID-19 is inevitable, and you have enough to worry about without contending with things like cyber security and compliance issues.

Unfortunately, cyber criminals have sensed an opportunity amid the pandemic, launching a spate of attacks that exploit people’s fear and uncertainty.

Therefore, it’s more important than ever to make sure your organisation is capable of fending off attacks and preventing data breaches.

To help you meet these challenges, we’ve put together a series of packaged solutions. Meanwhile, most of our products and services are available remotely, so we don’t need to be on-site to carry out things like security testing.

One virus is enough to worry about. Take action now to protect your business. Implement cyber security measures that help you respond to cyber attacks.

Tags: working from home

Mar 10 2021

Boards: 5 Things about Cyber Risk Your CISO Isn’t Telling You

Category: CISO,Security Risk Assessment,vCISODISC @ 5:33 pm
Let's Fix Startup Board Meetings: 5 Sections To Flow | by Dan Martell | Medium
Boards: 5 Things about Cyber Risk Your CISO Isn’t Telling You

As Jack Jones, co-founder of RiskLens, tells the story, he started down the road to creating the FAIR™ model for cyber risk quantification because of “two questions and two lame answers.” As CISO at Nationwide insurance, he presented his pitch for cybersecurity investment and was asked:

“How much risk do we have?”

“How much less risk will we have if we spend the millions of dollars you’re asking for?”

To which Jack could only answer “Lots” and “Less.”

“If he had asked me to talk more about the ‘vulnerabilities’ we had or the threats we faced, I could have talked all day,” he recalled in the FAIR book, Measuring and Managing Information Risk.

In that moment, Jack saw the need for a way that cybersecurity teams could communicate risk to senior executives and boards of directors in the language of business, dollars and cents.

Some CISOs are still in the position of Jack pre-quantification – talking all day and delivering lame answers, from the board’s point of view.  Here’s a short guide to what they’re not saying – and how RiskLens, the analytics platform built on FAIR, can provide the right answers.

1.  I don’t really know what our top risks are 

I can ask a group of subject matter experts in the company to vote on a top risks list based on their opinions, but that’s as close as I can get. 

Top Risks is the first report that many new RiskLens users run, and it only takes minutes, using the Rapid Risk Assessment capability of the RiskLens platform. The platform guides you through properly defining a set of risks (say, from your risk register) for quantitative analysis according to the FAIR standard. To speed the process, the platform draws on data from pre-populated loss tables. The resulting analysis quickly stack-ranks the risks for probable size of loss in dollar terms, across several parameters.

2.   I can’t give you an ROI on the money you give me to invest in cybersecurity 

You see, cybersecurity is different from other programs you’re asked to invest in – it’s constantly changing and never-ending. You never really hit a point of success; you just chip away at the problem.  

With Top Risks in hand, RiskLens clients can dig deeper on individual scenarios and run a Detailed Analysis to expose the drivers of risk to see, for instance,  what types of threat actors account for the highest frequency of attacks or what classes of assets account for the highest probable losses. Then they can run the Risk Treatment Analysis capability of the platform to evaluate controls for their ROI in risk reduction.

3.  I can’t really tell you if things are getting better on cyber risk.

 I can show you our progress with compliance checklists and maturity scales, and I hope you’ll assume that’s reducing risk. 

While compliance with NIST CSF, CIS Controls, etc. is good and useful, these frameworks don’t measure performance outcomes in reducing risk – that takes a quantitative approach.  The RiskLens platform can aggregate risk scenarios to generate risk assessment reports showing risk across the enterprise or by business unit, in dollar terms – and to show risk exposure over time. It’s easy to update and re-run risk assessments, thanks to the platform’s Data Helpers that store risk data for re-use. Update a Data Helper, and all the related risk scenarios update at the same time – and so do the aggregated risk assessments.

4.  I can’t help you set a risk appetite. 

I don’t really know how much risk we have and am pretty much operating on the principle that no risk is acceptable.  

Boards should have a strong sense of their appetite for risk in cyber as in all fields, but qualitative (high-medium-low) cyber risk analysis only supports vague appetite statements that are difficult to follow in practice. On the RiskLens platform, a CISO can input a dollar figure for “risk threshold” as a hypothetical, and run the analyses to rank how the various risk scenarios stack up against that limit, making a risk appetite a practical target.

5. I don’t know how to align cyber risk management with the other forms of risk management we do.

Enterprise risk, operational risk, market risk, financial risk—I’ve heard their board presentations in quantitative terms. But cyber is just different.   

Quantification is the answer – reporting on cyber risk in the same financial terms that the rest of enterprise risk management programs employ finally gives the board what it wants to hear on cyber risk management. ISACA, the National Association of Corporate Directors and the COSO ERM framework have all recommended FAIR for board reporting. As an ISACA white paper said,

The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk…FAIR can enable the economic representation of cybersecurity risk that is sorely missing in the boardroom, but can illuminate cybersecurity exposure.

CISO’s latest titles

Tags: Board Meeting

Feb 25 2021

How FAIR & ISO 27001 Work Together

Category: ISO 27k,Security Risk AssessmentDISC @ 11:43 am
How FAIR & ISO 27001 Work Together

We often are asked if FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.

The answer is yes — by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.

The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.

Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.

Source: How FAIR & ISO 27001 Work Together

Measuring and Managing Information Risk: A FAIR Approach

Tags: FAIR, Quantitative Cyber Risk Management

Feb 25 2021

Proven Use Cases to Start Quantitative Cyber Risk Management

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:05 am
Proven Use Cases to Start Quantitative Cyber Risk Management

With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management –  but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be…

…a slow, evolutionary process.

Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms.  And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.

Proven Use Cases to Start Quantitative Cyber Risk Management

Tags: Quantitative Cyber Risk Management

Aug 18 2020

Advice for senior management on their responsibilities towards information risk

Category: Risk Assessment,Security Risk AssessmentDISC @ 5:55 pm

IAAC Directors’ Guides

Source:Succinct advice for senior management on their responsibilities towards information risk, courtesy of the IAAC.




Jul 08 2020

Google open-sources Tsunami vulnerability scanner

Category: Security Risk Assessment,Security vulnerabilitiesDISC @ 10:03 pm

Google says Tsunami is an extensible network scanner for detecting high-severity vulnerabilities with as little false-positives as possible.

Source: Google open-sources Tsunami vulnerability scanner | ZDNet

The scanner has been used internally at Google and has been made available on GitHub

Google Tsunami Security Scanner – Quick install an example run
httpv://www.youtube.com/watch?v=Xims19547gs

InfoSec Threats, Books and Training Courses

Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles




Tags: vulnerability scanner

Jun 06 2020

5 principles for effective cybersecurity leadership in a post-COVID world

Category: cyber security,Security Risk AssessmentDISC @ 6:32 pm

 

As more people work from home due to COVID-19, cybersecurity operations are facing tremendous challenges. These five principles can help Chief Information Security Officers (CISOs) and cybersecurity leaders ensure effective business continuity in the “new normal.”

Source: 5 principles for effective cybersecurity leadership in a post-COVID world

7 Security Risks and Hacking Stories for Web Developers
httpv://www.youtube.com/watch?v=4YOpILi9Oxs

Download a Security Risk Assessment steps paper!

Download a vCISO template

Subscribe to DISC InfoSec blog by Email




Tags: COVID-19, worrisome risks

Oct 06 2019

A CISO’s Guide to Bolstering Cybersecurity Posture

Category: Information Privacy,Risk Assessment,Security Risk AssessmentDISC @ 8:24 pm

iso27032

When It Come Down To It, Cybersecurity Is All About Understanding Risk

Risk Management Framework for Information Systems

How to choose the right cybersecurity framework

Improve Cybersecurity posture by using ISO/IEC 27032
httpv://www.youtube.com/watch?v=NX5RMGOcyBM

Cybersecurity Summit 2018: David Petraeus and Lisa Monaco on America’s cybersecurity posture
httpv://www.youtube.com/watch?v=C8WGPZwlfj8

CSET Cyber Security Evaluation Tool – ICS/OT
httpv://www.youtube.com/watch?v=KzuraQXDqMY


Subscribe to DISC InfoSec blog by Email




Tags: cybersecurity posture, security risk management

Jul 21 2019

When It Come Down To It, Cybersecurity Is All About Understanding Risk

Category: Risk Assessment,Security Risk AssessmentDISC @ 12:11 am

Get two risk management experts in a room, one financial and the other IT, and they will NOT be able to discuss risk.

Source: When It Come Down To It, Cybersecurity Is All About Understanding Risk

An Overview of Risk Assessment According to
ISO 27001 and ISO 27005





Enter your email address:

Delivered by FeedBurner




Mar 17 2019

Risk Management Framework for Information Systems

Category: Risk Assessment,Security Compliance,Security Risk AssessmentDISC @ 9:32 pm

Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy
NIST 800-37r2












Subscribe to DISC InfoSec blog by Email




Tags: Risk Management Framework

Mar 07 2019

How to choose the right cybersecurity framework

Category: Policies & Controls,Risk Assessment,Security Compliance,Security Risk AssessmentDISC @ 10:05 am

Does your organization need NIST, CSC, ISO, or FAIR frameworks? Here’s how to start making sense of security frameworks.

Source: How to choose the right cybersecurity framework





Apr 21 2017

vsRisk™ risk assessment

Category: ISO 27k,Security Risk AssessmentDISC @ 8:42 am

vsRisk Standalone 3.0 – Brand new vsRisk™ risk assessment software available now

vsRisk is fully aligned with ISO 27001:2013 and helps you conduct an information security risk assessment quickly and easily. The upgrade includes three key changes to functionality: custom acceptance criteria, a risk assessment wizard and control set synchronization. This major release also enables users to export the asset database in order to populate an asset management system/register.

Price: $745.00

Buy now




Tags: Risk Assessment

Jun 29 2016

5 Must Read Books to Jumpstart Your Career in Risk Management

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:30 am

FAIR Institute blog by Isaiah McGowan

Read Books to Jumpstart Your Career in Risk Management

What are the must have resources for people new to operational and cyber risk? This list outlines what books I would recommend to new analyst or manager.

They’re not ranked by which book is best. Instead, I list them in the recommended reading order. Let’s take a look at the list.

hubbard_failure_of_risk_management_cover.jpg#1 – The Failure of Risk Management: Why It’s Broken and How to Fix It (Douglas Hubbard)

In The Failure of Risk Management, Hubbard highlights flaws in the common approaches to risk management. His solutions are as simple as they are elegant. (Spoiler alert: the answer is quantitative risk analysis). The Failure of Risk Management shows up as #1 because it sets the tone for the others in the list. First, understand the problems. With the common problems in mind you can identify them on a regular basis. The next book provides approaches to modeling the problem.

fair-book-cover.jpg#2 – Measuring and Managing Information Risk: A FAIR Approach (Jack Jones & Jack Freund)
In Measuring and Managing Information Risk, the authors communicate a high volume of foundational knowledge. The authors outline the FAIR-based approach to measuring and managing risk. They tackle critical concepts often overlooked or taken for granted by risk practitioners.

With that foundation in place, they move on to the FAIR approach to risk analysis. Finally, they lay out foundational concepts for risk management.

This book is not an advanced perspective on analyzing or managing risk. Instead, it provides a systemic solution to our problems.

Books #1 and #2 lay the foundation to understand the common risk management and analysis problems. They also provide approaches for solving those problems. The next two books are critical to improving the execution of these approaches.

Superforecasting_cover.jpg#3 – Superforecasting: The Art and Science of Prediction (Phillip Tetlock & Dan Gardner)

We require Superforecasting. Risk analysis is always about forecasting future loss (frequency and magnitude). As practitioners, it is critical to learn the problems with forecasting. Knowing is half the battle. Superforecasting takes the audience through the battlefield by offering a process for improvement.

If there is one book you could read out of order, it is Superforecasting. Yet, it shows up at #3 because it will hammer home forecasting as a skill once the other books open your eyes.

Tetlock_expert_judgement_cover.jpg#4 – Expert Political Judgment: How Good Is It? How Can We Know? (Phillip Tetlock)

Yes, another book by Tetlock appears in our list. Published first, tackled second. His work in understanding forecasting is tremendously valuable. Superforecasting builds on the research that resulted in publishing Expert Political Judgment.

Tetlock seeks to improve the reader’s ability to identify and understand errors of judgment. If we improve this skill, we will improve our ability to evaluate expert inputs in risk management.

Thinking_fast_and_slow_cover.jpg#5 – Thinking, Fast and Slow (Daniel Kahneman)

Rounding out the list is Thinking, Fast and Slow. Improving your understanding of thinking in general is the next best step. Take the time to read this book. Peel out nuggets of wisdom before tackling more advanced risk management and analysis concepts.

There it is…

This is my go-to list of 5. I recite it to anyone who has made or will make the leap into risk management and analysis. These books will set the foundation for thinking about risk. They will also push you down a path towards improving your skills beyond your peers.
What books would you have in your top 5? How does your mileage vary?

 





Tags: information security risk program, risk assessment program, risk management process, Security Risk Assessment

Apr 21 2016

Fundamentals of Information Risk Management Auditing

Category: Security Risk AssessmentDISC @ 2:01 pm

FIRMA

An introductory guide to information risk management auditing, giving an interesting and useful insight into the risks and controls/mitigations that you may encounter when performing or managing an audit of information risk. Case studies and chapter summaries impart expert guidance to provide the best grounding in information risk available for risk managers and non-specialists alike.

For any modern business to thrive, it must assess, control, and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterprise’s risk management strategy, not in isolation. They must be identified, documented, assessed, and managed, and assigned to risk owners so that they can be mitigated and audited.

Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists.

 Book overview

Fundamentals of Information Risk Management Auditing – An Introduction for Managers and Auditors has four main parts:

  • What is risk and why is it important? An introduction to general risk management and information risk.
  • Introduction to general IS and management risks An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity, and availability of information.
  • Introduction to application controls An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely.
  • Life as an information risk management specialist/auditor A guide for those considering, or undergoing, a career in information risk management.

 

Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls.

Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses.

The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to.

Topics covered

Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defense; change management; service management; disaster planning; frameworks and approaches, including Agile, COBIT®5, CRAMM, PRINCE2®, ITIL®, and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301, and ISO 38500; the UK Government’s Cyber Essentials scheme; IT security controls; and application controls.

Download your copy of Fundamentals of Information Risk Management Auditing






« Previous PageNext Page »