SY0-601 Incident Response vs Risk Assessment
During my preparation for SY0-601, I tend to mix the two processes up. This blog post focuses on making sure I remember the key differences between them. Incident Response is the set of actions security staff perform in response to a triggering event. Risk Assessment aims to determine the risks that exist for the entity's valuable assets.
Here is the Incident Response Process:
Continuing with the COVID-19 analogy, we then use the testing kit to identify whether the symptoms are in fact the feared virus. In cybersecurity, it is good practice to investigate and identify the root cause of the issue, because that is what lets us build an eradication plan.
Now that we've confirmed that we have COVID-19, we isolate so that the virus cannot spread. It's the same idea with malware: it could be a worm that travels across the networks in our environment, so we isolate the affected systems!
Now that we're isolated, we do everything we can to stop COVID-19 from getting worse in our system. In security terms, we now work out how to remove the problem. We don't move on to the next step until there are reasonable grounds to believe it has been completely removed.
Once the test kit returns a negative, we focus on recovery so that we can be as productive as we were before the symptoms. The idea is the same for the systems we administer after eradicating the issues found: we now focus on safely bringing systems and services back online so that daily operations can resume.
Documentation! We need to learn from all of this and write down anything that could help us avoid facing the issue again, or handle the situation more efficiently next time.
Here is the Risk Assessment Process:
1. Identify Assets Potentially at Risk
To protect a system, we need to know what assets are actually in it. Effectively identifying every asset at risk gives us a clear picture of the amount of responsibility at hand, which in turn shapes how well we can secure each valuable resource.
2. Conduct a Threat Assessment for each Asset
Now that we've established the scope of the assets, we assess the threats to each resource so that we have the awareness needed to mitigate them. Organisations can also use penetration tests to do this adequately.
3. Analyse Business Impact
To explain BIA (Business Impact Analysis) effectively, I think it's important to tackle these two ideas: RPO (Recovery Point Objective) and RTO (Recovery Time Objective). RTO describes the target time for recovery after an incident; it is usually part of a Business Continuity or Disaster Recovery Plan. RPO describes the time window of data loss that has been agreed to be acceptable.
4. Determine the Likelihood of a given Threat doing Damage
Typically performed annually, this can be measured through quantitative or qualitative risk assessments. Qualitative assessments rely on experienced judgement, while quantitative assessments are more tangible and use metrics to measure the damage, such as Annual Loss Expectancy (ALE) or Annualised Rate of Occurrence (ARO).
5. Prioritise Risks by weighing the Likelihood vs Potential Impact of each Threat
Investigating these thoroughly matters because of the resources and cost required to do this productively. There are also likely to be a huge number of assets, and it simply wouldn't be practical to give each risk equal attention. Prioritising the right risks maximises security and gives the best 'bang for your buck' in terms of time.
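As an added worked example for steps 4 and 5 (my own code, not part of the exam material or any tool), here is a small risk register that computes SLE and ALE for a few constructed assets, ranks them by expected annual loss, and offers a qualitative likelihood x impact band as the alternative. The asset values, exposure factors, occurrence rates and the 1-5 band thresholds are all assumed sample figures.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One threat against one asset. Figures below are constructed sample data."""
    asset: str
    threat: str
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: Annualised Rate of Occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Step 5: order risks so the largest expected annual loss is handled first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def qualitative_band(likelihood: int, impact: int) -> str:
    """Qualitative alternative: 1-5 ratings for likelihood and impact.
    The product and the band thresholds are an assumed scale, not an exam standard."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be between 1 and 5")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


# Constructed sample register: three threats against three assets.
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", 500_000, 0.6, 0.5),
    Risk("public web server", "DDoS outage", 200_000, 0.1, 4.0),
    Risk("laptop fleet", "device theft", 50_000, 0.05, 12.0),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.asset:20} {r.threat:14} SLE={r.sle():>10,.0f} ALE={r.ale():>10,.0f}")
```

Note how the laptop fleet has by far the highest ARO yet the lowest ALE: ranking by likelihood alone would put the wrong risk first.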
6. Create a Risk Mitigation Strategy
A strategy is important both to meet legal requirements and, of course, to minimise the risks found. The strategy should ensure that good communication is in place to aid team coordination, while leaving flexibility for the strategy to evolve as the risks change.