We covered the risk management process, its components and the frameworks built around it. We explained the steps taken to carry out risk management, starting with risk framing, then risk assessment, risk analysis (qualitative and quantitative), risk response and monitoring. We also worked through practical examples of quantitative risk analysis and how to determine the appropriate course of mitigation. This was part of the TryHackMe Risk Management room in the Security Engineering pathway.


Definition of risk management

Risk management is a process of identifying, assessing, and responding to risks associated with a particular situation or activity. It involves identifying potential risks, assessing their likelihood and impact, evaluating possible solutions, and implementing the chosen solutions to limit or mitigate risk. It also involves monitoring and assessing the effectiveness of the solutions put in place.

A Risk Management Policy is a set of procedures and processes designed to minimize the chances of an adverse event or outcome for an organization. It helps organizations identify, assess, and manage potential and actual risks related to their operations, financial activities, and compliance with applicable laws and regulations. The policy provides guidance on identifying and assessing risks, as well as assigning tasks and responsibilities to those involved in managing them.

Information Systems Risk Management is a system of policies, procedures, and practices that seek to protect a company’s computer systems from various internal and external threats. It includes identifying threats, assessing the probability of their occurrence, and evaluating the effectiveness of the measures that can be taken to limit the damage they could cause. The process also involves determining the resources that should be allocated to respond to potential threats, as well as monitoring and maintaining the integrity of the system.

Risk Assessment Methodologies

  • NIST SP 800-30: A risk assessment methodology developed by the National Institute of Standards and Technology (NIST). It involves identifying and evaluating risks, determining the likelihood and impact of each risk, and developing a risk response plan.
  • Facilitated Risk Analysis Process (FRAP): A risk assessment methodology that involves a group of stakeholders working together to identify and evaluate risks. It is designed to be a more collaborative and inclusive approach to risk analysis.
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): A risk assessment methodology that focuses on identifying and prioritising assets based on their criticality to the organisation’s mission and assessing the threats and vulnerabilities that could impact those assets.
  • Failure Modes and Effect Analysis (FMEA): A risk assessment methodology commonly used in engineering and manufacturing. It involves identifying potential failure modes for a system or process and then analysing the possible effects of those failures and the likelihood of their occurrence.

CVE-2023-4911 Remediation

Patching your system is the best and only way to remediate.

Room Answers

What do you call the potential for a loss or an incident that may harm the confidentiality, integrity or availability of an organisation’s information assets?

What do you call a weakness an attacker could exploit to gain unauthorised access to a system or data?

What do you consider a business laptop?

Ransomware has become a lucrative business. From the perspective of legal business, how do you classify ransomware groups?

What is the name of the risk assessment methodology developed by NIST?

Click on View Site. Decide whether each of the suggested safeguards (controls) is justified. Follow the instructions to retrieve the flag.

You want to confirm whether the new policy enforcing laptop disk encryption is helping mitigate data breach risk. What is it that you are monitoring in this case?

You are keeping an eye on new regulations and laws. What is it that you are monitoring?

Click on View Site and follow the instructions to retrieve the flag. Remember that your decision should be based on the value of the safeguard to the organisation, which is calculated as follows:

Value of Safeguard = ALE before Safeguard − ALE after Safeguard − Annual Cost of Safeguard
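As an added worked example (not code from the TryHackMe room; the control names and all figures are constructed), the formula above applied in Python to decide whether each proposed control is justified, with ALE computed as asset value × exposure factor × annualized rate of occurrence:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """A proposed control with the quantitative inputs needed to value it."""
    name: str
    asset_value: float   # AV: value of the asset the control protects
    ef_before: float     # exposure factor (0..1): share of AV lost per incident, no control
    aro_before: float    # annualized rate of occurrence without the control
    ef_after: float      # exposure factor once the control is in place
    aro_after: float     # ARO once the control is in place
    annual_cost: float   # yearly cost to buy, run and maintain the control


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: the loss from one occurrence of the risk."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE times how often it is expected per year."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(s: Safeguard) -> float:
    """Value of Safeguard = ALE before safeguard - ALE after safeguard - annual cost."""
    ale_before = ale(s.asset_value, s.ef_before, s.aro_before)
    ale_after = ale(s.asset_value, s.ef_after, s.aro_after)
    return ale_before - ale_after - s.annual_cost


def is_justified(s: Safeguard) -> bool:
    """A control is worth implementing only when it saves more than it costs."""
    return safeguard_value(s) > 0


# Constructed sample controls; names and figures are illustrative, not the room's.
CANDIDATES = [
    Safeguard("Laptop full-disk encryption", 200_000, 0.50, 0.2, 0.05, 0.2, 8_000),
    Safeguard("Round-the-clock office guards", 200_000, 0.50, 0.2, 0.45, 0.2, 60_000),
]

if __name__ == "__main__":
    for s in CANDIDATES:
        verdict = "justified" if is_justified(s) else "not justified"
        print(f"{s.name}: value of safeguard = {safeguard_value(s):,.0f} -> {verdict}")
```

With these figures disk encryption returns a positive value (justified) while the guards cost far more than the risk they remove (not justified), which is exactly the comparison the room asks you to make for each suggested control.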


About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
