If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of risk management processes and concepts. This includes risk assessment methods used by organizations to mitigate risks using different types of security controls.
For example, can you answer this question?
Q. Martin is performing a risk assessment on an e-commerce web server. While doing so, he created a document showing all the known risks to this server, along with the risk score for each risk. What is the name of this document?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Residual risk
D. Risk register
More important, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Risk management is the practice of identifying, monitoring, and limiting risks to a manageable level. It doesn’t eliminate risks, but instead identifies methods to limit or mitigate them. The amount of risk that remains after managing risk is residual risk.
Risk Assessment
A risk assessment, or risk analysis, is an important task in risk management. It quantifies or qualifies risks based on different values or judgments. A risk assessment starts by first identifying assets and asset values.
An asset includes any product, system, resource, or process that an organization values. The asset value identifies the worth of the asset to the organization. It can be a specific monetary value or subjective value, such as Low, Medium, and High. The asset value helps an organization focus on the high-value assets and avoid wasting time on low-value assets.
After identifying asset values, the risk assessment identifies threats and vulnerabilities and estimates the likelihood that a threat will exploit a vulnerability. It then identifies the potential impact, or harm, of each threat and prioritizes risks based on their likelihood of occurrence and impact. Last, a risk assessment includes recommendations on which controls to implement to mitigate the prioritized risks.
A risk assessment is a point-in-time assessment, or a snapshot. In other words, it assesses the risks based on current conditions, such as current threats, vulnerabilities, and existing controls. For example, consider a library computer that has up-to-date antivirus protection and cannot access the Internet. Based on these conditions, the risks are low. However, if administrators connect the system to the Internet, or fail to keep the antivirus software up to date, the risk increases.
It’s common to perform risk assessments on new systems or applications. For example, if an organization is considering adding a new service or application that can increase revenue, it will often perform a risk assessment. This helps it determine if the potential risks may offset the potential gains.
Risk assessments use quantitative measurements or qualitative measurements. Quantitative measurements use numbers, such as a monetary figure representing cost and asset values. Qualitative measurements use judgments. Both methods have the same core goal of helping management make educated decisions based on priorities.
Risk Registers
Some risk assessments use a risk register. There are different definitions for a risk register, depending on which standard you’re following. For example, ISO Guide 73:2009 defines it as a “record of information about identified risks.” Projects IN Controlled Environments (PRINCE2), a detailed project management method, defines a risk register as a “repository for all risks identified and includes additional information about each risk.”
An easy way to create a risk register is in a table format. As an example, imagine you are evaluating risks related to a new e-commerce web site that accesses a back-end database. Your risk register might include the following columns:
• Category. Risk categories could include downtime due to hardware failures, outages from an attack, downtime due to database server failure, data breaches, and more.
• Specific risk. One of the risks related to hardware failures could be hard drive failure. Of course, there are other potential hardware failures, but the remaining columns for this risk will focus on hard drive failure. For this example, imagine that one drive holds the operating system and applications. A second drive holds data.
• Likelihood of occurrence. Medium. This assumes that the installed hard drives are not currently using a redundant array of inexpensive disks (RAID) disk subsystem.
• Impact. High. If a hard drive fails, it will probably disable the entire web site.
• Risk score. 50 (out of 100). This assumes a score of Medium has a value of 5 and a score of High has a value of 10 (5 × 10 = 50). Note that organizations can assign any desired values to the likelihood of occurrence and impact. The values used here are simply an example.
• Security controls or mitigation steps. Implement a RAID-1 to protect the hard drive hosting the operating system. Implement a RAID-6 to protect the data.
• Contingencies. Ensure backups exist and are kept up to date.
• Risk score with security controls. 10 (out of 100). With the RAID-1 and RAID-6 in place, the likelihood of occurrence is now Low, but the impact remains High. The new score assumes a score of Low has a value of 1 and a score of High has a value of 10 (1 × 10 = 10).
• Action assigned to. A risk register may document who has responsibility for implementing the security control.
• Action deadline. The deadline identifies when the security control should be implemented.
Organizations might use columns such as these or modify them as they see fit. The key is that the risk register documents relevant risks based on the needs of the organization.
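The register above is easy to keep in a spreadsheet, but the scoring rule it relies on (likelihood value multiplied by impact value, recomputed after controls) is simple enough to encode so that entries can be validated, prioritized, and checked against a risk tolerance automatically. The following is an added example, not code from the post or the study guide: it models the same columns as a small Python data structure, uses the post's example scale (Low = 1, Medium = 5, High = 10), and fills the register with constructed entries for the e-commerce site. The extra risks, owners, deadlines, and the tolerance threshold are assumptions made for illustration.

```python
"""Minimal risk register with likelihood x impact scoring (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Ordinal scale values from the post's example. An organization may substitute
# its own values; the scoring functions below do not care what they are.
SCALE = {"Low": 1, "Medium": 5, "High": 10}
MAX_SCORE = max(SCALE.values()) ** 2  # 100 with the values above


@dataclass
class RiskEntry:
    category: str
    risk: str
    likelihood: str                           # inherent likelihood (Low/Medium/High)
    impact: str                               # inherent impact
    controls: str = ""                        # recommended security controls
    contingency: str = ""
    residual_likelihood: Optional[str] = None  # after controls; None means unchanged
    residual_impact: Optional[str] = None
    owner: str = ""                           # "action assigned to" column
    deadline: str = ""                        # "action deadline" column

    def __post_init__(self):
        # Reject typos such as "Med" or "high" before they silently score as KeyError later.
        for value in (self.likelihood, self.impact,
                      self.residual_likelihood, self.residual_impact):
            if value is not None and value not in SCALE:
                raise ValueError(f"unknown scale value {value!r}; expected one of {sorted(SCALE)}")

    def score(self) -> int:
        """Inherent risk score: likelihood value x impact value."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_score(self) -> int:
        """Score with the listed controls in place, i.e. the residual risk."""
        lik = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return SCALE[lik] * SCALE[imp]


def build_register() -> List[RiskEntry]:
    """Constructed sample register for the e-commerce web site (assumed entries)."""
    return [
        RiskEntry("Hardware failure", "Hard drive failure", "Medium", "High",
                  controls="RAID-1 for the OS drive, RAID-6 for the data drive",
                  contingency="Keep backups current",
                  residual_likelihood="Low", owner="Ops lead", deadline="2024-Q3"),
        RiskEntry("Attack", "DDoS against the web front end", "High", "Medium",
                  controls="Upstream traffic scrubbing service",
                  residual_likelihood="Medium", residual_impact="Low"),
        RiskEntry("Data breach", "SQL injection reaching the customer table", "Medium", "High",
                  controls="Parameterized queries, WAF rule set",
                  residual_likelihood="Low"),
        RiskEntry("Database outage", "Database server crash", "Low", "High",
                  controls="Hot standby replica", residual_impact="Medium"),
    ]


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest inherent score first; ties broken by impact so the larger blast radius wins."""
    return sorted(register, key=lambda e: (e.score(), SCALE[e.impact]), reverse=True)


def above_tolerance(register: List[RiskEntry], tolerance: int) -> List[RiskEntry]:
    """Entries whose residual score still exceeds the organization's risk tolerance.

    These are the risks that need further treatment (or explicit acceptance)
    even after the recommended controls are applied.
    """
    return [e for e in register if e.residual_score() > tolerance]


def render(register: List[RiskEntry]) -> str:
    """Plain-text table in priority order, using the post's column names."""
    header = f"{'Specific risk':<44}{'L':>7}{'I':>7}{'Score':>7}{'Residual':>10}"
    rows = [header, "-" * len(header)]
    for e in prioritize(register):
        rows.append(f"{e.risk:<44}{e.likelihood:>7}{e.impact:>7}"
                    f"{e.score():>7}{e.residual_score():>10}")
    return "\n".join(rows)


if __name__ == "__main__":
    reg = build_register()
    print(render(reg))
    print("\nStill above tolerance (5):",
          [e.risk for e in above_tolerance(reg, tolerance=5)])
```

Two things the table alone does not make obvious fall out of the code: the scale must be validated on input, because a mistyped "Med" in a spreadsheet scores as nothing and drops a risk out of the ranking, and several risks can share the same product (three entries score 50 here), so the register needs an explicit tie-breaker rather than leaving priority to row order.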
Remember this
A risk register is a comprehensive document listing known information about risks. It typically includes risk scores along with recommended security controls to reduce the risk scores.
Q. Martin is performing a risk assessment on an e-commerce web server. While doing so, he created a document showing all the known risks to this server, along with the risk score for each risk. What is the name of this document?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Residual risk
D. Risk register
Answer is D. A risk register lists all known risks for an asset, such as a web server, and it typically includes a risk score (the combination of the likelihood of occurrence and the impact of the risk).
Risk assessments (including quantitative and qualitative risk assessments) might use a risk register, but they aren’t risk registers.
Residual risk refers to the remaining risk after applying security controls to mitigate a risk.
See Chapter 8 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on risk management tools.