Pedronel Cyber Security Handbook
The aim of this document is to deliver a Cyber Security Handbook for the PEDRONEL system.
ACTIVITY 1: ESTABLISHING THE ENVIRONMENT
The risk assessment process is initiated by establishing objectives, strategies, scope and parameters of the activities of the entity, or those parts of the entity where the risk management process is being applied. Further, criteria for assessing risks should be established in line with the entity’s objectives, available resources, and the magnitude of impact that could result from the compromise of confidentiality, integrity and/or availability of information assets. Topics such as authenticity and non-repudiation could also be considered based on the entity context.
The data for this stage are gathered here.
ACTIVITY 2: RISK IDENTIFICATION
The entity should identify sources of risk, areas of impacts, events and their causes, and the potential consequences. The aim of this step is to generate a comprehensive list of risks based on the identified information security requirements. Because a risk that is not identified at this stage will not be included in further analysis, comprehensive identification is critical.
ACTIVITY 3: RISK ESTIMATION
Risk estimation involves consideration of the causes and sources of risk in the form of threats and vulnerabilities, their impacts in terms of the consequences of a loss of confidentiality, integrity and/or availability of information, and the likelihood that those impacts will occur. The estimate should also take into account the effectiveness and efficiency of existing controls in addressing the current level of risk.
ACTIVITY 4: RISK EVALUATION
Risk evaluation involves comparing the level of risk found during the risk estimation activity with risk criteria established at the beginning of the process as part of establishing the context (Activity 1). The objective is to determine which risks are outside acceptable parameters and therefore require treatment.
ACTIVITY 5: RISK TREATMENT
For each risk identified in the risk assessment, one or more treatment options can be applied, either individually or in combination. The options usually considered for treating risks include:
- Risk Reduction – Reducing the risk by applying security controls. The selection of security controls should follow a risk-based approach, applying first the set of security controls that treat the highest risks identified during the Risk Evaluation (See 3.4 Prioritization of Controls).
- Risk Retention – Accepting the risk based on the entity’s risk acceptance criteria.
- Risk Avoidance – Avoiding the activity or condition causing the risk.
- Risk Transfer – Transferring the risk to another party.
ACTIVITY 6: RISK ACCEPTANCE
Risk acceptance is the decision by the entity’s management to accept the residual risk. Based on the acceptance criteria, management should review and approve the treatment plan and the residual risk.