Security+: risk management processes and concepts [updated 2021]
The risk management process is a way of achieving a structured approach to the management of risk in IT corporations. Consistently implemented, it allows risks to be identified, analyzed, evaluated and managed in a uniform, efficient and focused manner. Risk management processes are addressed in the CompTIA Security+ certification, which is a standard for recognizing competence in the IT security landscape.
Understanding the context of risk management
Risk assessment and a mitigation strategy are part of the process of managing risks in many organizations worldwide. This type of approach represents a critical piece of work within the security horizon, as it includes the identification and evaluation of potential risk and its impact. The risk process includes brainstorming sessions where the team is asked to create a list of everything that could go wrong.
Three concepts are important to consider when risk assessment is established:
- The external context: the environment in which the entity operates (the type of companies, such as cultural, financial and political) and the potential impact that risk can produce.
- The internal context: includes factors within the entity that is relevant to the risk assessment such as objectives, strategy, organizational capabilities, culture and more.
- The risk management context: the goals and objectives of the risk management activity. For example, determining who is responsible for each component and what is in scope.
Risk management concepts
Throughout this section, some of the most well-known concepts in risk management are described. These concepts are adopted by IT companies, and by information security specialists.
Figure 1: General workflow of the risk management process.
The main goal of risk identification is to recognize all the possible risks, and not to eliminate risks from analysis nor to develop solutions for mitigating risks (because those functions are carried out during the risk treatment and mitigation steps). A disciplined process typically involves the use of checklists of potential risks and evaluating the likelihood that those events might happen. For example, some companies develop risk checklists based on experience from past incidents and projects.
The following activities can conduct risk identification:
- Identification of assets: anything that has value to the organization and which therefore requires protection (software or hardware) — network, website, organization’s infrastructure, business processes, web servers, computers, mobile devices and more.
- Identification of threats: theft of media or documents, tampering with hardware and software, eavesdropping, software malfunction etc.
- Identification of existing controls: work costs, infrastructure security plan — in general, it’s an opportunity to make a check to ensure that the controls are working correctly (such as information obtained from previous audits).
- Identification of vulnerabilities: via pentesting audits, code review, management routines etc.
- Identification of consequences: damage or consequences to the organization that could be caused by an incident scenario should be identified.
A risk analysis quantifies the statistical likelihood of an impact of a particular risk and its frequency of occurrence afterward, using the combination of these two factors one can determine the severity of the risk, which may be either positive or negative. Although there are many ways of calculating risk, there is a generic form based on a matrix called risk heat map, illustrated below.
Table 1: Example of a risk heat map matrix.
This table is a vital piece of work that provides for all organizations the capacity to map the risk of its ecosystem and get an overview of security risk, its internal processes and strategy.
Risk evaluation allows determining the tolerability of each risk. It should be noted that tolerability is different from severity. Tolerability allows determining which risks need treatment and the relative priority. This can be achieved by comparing the risk severity established in the risk analysis step with the risk criteria generally found in the consequence criteria already defined in the table above.
Risk treatment and risk reduction
Once the particular risk has been identified, a risk mitigation plan should be developed. This is a plan to minimize and contain the impact of an unexpected event.
Risk can be grouped into different categories:
- Risk avoidance: involves the development of alternative strategies that have a higher probability of success, but a higher cost associated.
- Risk partnering: involves working with others to mitigate risk.
- Risk mitigation: it is an investment of funds to reduce the identified risks.
- Risk transfer: this is a risk reduction method that shifts the risk to another party.
Communication and consultation
Risk communication is a process that interacts bidirectionally with all other processes of risk management. Communication and consultation is an essential attribute of good risk management. Risk management cannot be controlled and managed in an isolated environment — it’s fundamentally communicative and consultative.
Good risk communication:
- Encourages stakeholder engagement and accountability
- Should be used fully
- Meets the requirements of all internal and stakeholders that are involved in the process
- Allows for expert opinion to be brought in
- allows informing other entity processes such as corporate planning and resource allocation
Monitoring and review
This represents an ongoing process where security controls are monitored on an ongoing basis. Business requirements, vulnerabilities and threats can change all the time. Monitoring and review can be both periodic and based on trigger events or changing circumstances.
In this sense, the key objectives of risk monitoring and review can include:
- Changes in the cyberthreat landscape
- Capacity to identify new types and kinds of cyberattacks and threats
- Maintaining a proactive stance of the cyber risk environment
- Analyzing and learning lessons from events, including near-misses, successes and failures
It is important to note that any updates, revisions or modifications made to the risk management process should be documented, and a version history kept as well.
Risk management processes are critical for the business security horizon. The Security+ exam helps you identify, analyze, evaluate and manage risk. For more on the Security+ certification, view our Security+ certification hub.
Risk management, Wikipedia
Understanding the risk management process, Internal Auditor
Risk management process, Pressbooks