Okay, now that we've talked about risk in general, we want to go through some basics specific to IT: information technology and information security risk management.
So, business risk versus IT risk. For a long time that's how we thought of things: there was business risk, there was IT risk, and never the two shall meet. We know now that's not realistic. That's not really true. IT risk is business risk.
And we care about IT as it supports the business.
So we have to understand how IT and IT risk impact the business, and we have to make sure that our IT risk management strategy is in alignment with it.
So in order to do that, we have to look at the organization's culture. What's the company culture? What's the culture of the environment in which we operate?
How do we look at risks outside of IT, and really look at risks in relation to how the business is impacted?
What is necessary from IT to support the business? The whole purpose of technology is to help the business. So how do we look at risks in that context, not forgetting that we have to have elements like business continuity to keep the organization going no matter what?
That has to happen to make sure we have the right systems in place. And then we've got to think about information security controls, and also the work we ultimately do through projects, and how changes, whether in projects or in the organization as a whole, can impact our business.
All right, so when we look at information security, all information security is is risk management: identify your assets, look at the threats and vulnerabilities, and then determine the appropriate response, or the appropriate control to put in place.
So we have different types of risk. Control risk: we put controls in place to mitigate risk, but what if that control isn't working properly, or is configured wrong, using default settings? That's going to give us a false sense of security, and it may open up a doorway into our network that wouldn't otherwise have been there.
So a certain amount of risk comes with controls, which means that when we implement controls, we have expectations for their performance, and we monitor against those expectations.
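As an added example (not from the lecture) of what "monitoring a control against expectations" can look like in practice, the Python below keeps a small risk register in which each control carries the baseline it is expected to run with and the settings actually observed on the deployment. A control that has drifted from its baseline (here, a firewall still on its default admin password with management exposed) is given no credit at all, so the residual risk score falls back to the inherent score instead of quietly looking mitigated. All names, settings and scores are hypothetical, and the sample register is constructed data.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal scale for likelihood and impact; a risk score is likelihood x impact.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Control:
    """A control plus the performance we expect from it (hypothetical model)."""
    name: str
    expected: Dict[str, object]   # baseline the control must run with
    observed: Dict[str, object]   # settings actually found on the deployment
    likelihood_reduction: int     # likelihood levels removed when effective

    def findings(self) -> List[str]:
        """Every deviation of the deployed control from its expected baseline."""
        out = []
        for key, want in self.expected.items():
            if key not in self.observed:
                out.append(f"{self.name}: '{key}' is not set (expected {want!r})")
            elif self.observed[key] != want:
                out.append(f"{self.name}: '{key}' is {self.observed[key]!r}, expected {want!r}")
        return out

    def is_effective(self) -> bool:
        # A control that drifted from its baseline gets no credit: a
        # misconfigured control is exactly the false sense of security
        # the lecture warns about.
        return not self.findings()


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_score(self) -> int:
        """Score after crediting only the controls that actually work."""
        lik = LEVELS[self.likelihood]
        for c in self.controls:
            if c.is_effective():
                lik = max(1, lik - c.likelihood_reduction)
        return lik * LEVELS[self.impact]

    def control_findings(self) -> List[str]:
        return [f for c in self.controls for f in c.findings()]


def build_register() -> List[Risk]:
    """Constructed sample data, not taken from any real environment."""
    # Perimeter firewall still running with its factory admin account and its
    # management interface reachable from the Internet: a control on paper only.
    firewall = Control(
        name="perimeter-firewall",
        expected={"default_admin_password": False, "mgmt_from_internet": False,
                  "logging": "enabled"},
        observed={"default_admin_password": True, "mgmt_from_internet": True,
                  "logging": "enabled"},
        likelihood_reduction=2,
    )
    # Storage array with RAID healthy: the if/then control holds as expected.
    raid = Control(
        name="raid6-array",
        expected={"degraded": False, "hot_spare": True},
        observed={"degraded": False, "hot_spare": True},
        likelihood_reduction=2,
    )
    return [
        Risk("customer-db-host", "external intrusion via management plane",
             likelihood="high", impact="high", controls=[firewall]),
        Risk("customer-db-volume", "single disk failure",
             likelihood="high", impact="moderate", controls=[raid]),
    ]


def report(register: List[Risk]) -> Dict[str, dict]:
    """Per-asset view a risk owner would review each monitoring cycle."""
    return {
        r.asset: {
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "control_findings": r.control_findings(),
        }
        for r in register
    }


if __name__ == "__main__":
    for asset, row in report(build_register()).items():
        print(asset, row)
```

The design choice worth noting is the all-or-nothing credit in `is_effective`: a partially working control is scored as absent, which is pessimistic on purpose, because the alternative (crediting a drifted control) is what turns a misconfiguration into an unnoticed doorway. In a real program the `observed` values would come from a configuration scanner or the control's own telemetry rather than from literals.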
There are project risks. When we take on an IT endeavor, usually that's managed as a project. Well, projects fail. They have scope creep. They come in over budget, outside of the schedule.
We may fail to produce a quality product. There are risks associated with projects.
And then changes. We have a change control system to prevent changes from being made without going through a process. Well, what if our process is too cumbersome and changes don't get made in time? Or what if our process isn't implemented properly and changes fall through the cracks?
So again, these often are just risks that happen as part of the day-to-day life of an organization, but they can come to us from IT. So business risks and IT risks really need to be seen on the same page, not as different entities.
All right, and then business continuity versus risk management. A lot of times you can think of risk management as being for the known unknowns. We talked about black swan events, right? Well, there are some things you know enough about to have on your radar, and then there are things you don't.
So, for instance, if I'm planning a picnic, a known unknown might be bad weather.
It's also technically true that a family of bears could come through and steal everybody's picnic basket, get a little Yogi Bear thing going on. But anyway,
risk management is for known unknowns. It tends to be if-then: if there's a power failure, then we have a backup generator. If a hard drive fails, then we have RAID.
But business continuity tends to be for those unknown unknowns that have moderate to high impact, those things with low probability that, if they materialize, have a very big impact.
So when we look at the context, what is the environment or the context in which we evaluate risks? Well, that depends on our organization. We've got to look at our organizational context, which is why, on this exam, always, always, always, you will begin with
understanding the organization,
understanding the business, learning from other senior executives. What is the overall strategy? What is the philosophy of this organization? What's our direction? What are we looking for? Because that's the context in which the organization operates, and that impacts risk.
Right? So if we're in the context of protecting national security items, we face an entirely different capability from attackers than you would see with script kiddies trying to launch an attack against a low-end company.
Right? We're looking at state-sponsored attackers that have lots of funds and lots of skills. Well, based on the context of the information that we manage,
that's the impact, right? That's how it reveals itself: through the skill of our attackers, how dedicated they are, how much more likely an advanced persistent threat is to be directed at us when we have high-value assets.
If we have very low-value assets, well, that changes things.
We may not be as willing to spend tons of money to protect those assets, because if the threat just isn't there, or the value of the assets isn't there, then it makes no sense to spend all of that money.
But what you can see, and I'm not going to read all of these: are we in an area of natural disasters? Are we affected by the political climate? When I worked at the State Department, and I worked there for several years, we were very, very affected by the political climate.
And specifically, I was at the Department of Foreign Affairs.
Not just major elections where the Secretary of State changed, but even elections that didn't technically involve a change of administration. Still, the winds of politics would kind of impact what we did.
So all of that, understanding where we are in the grand scheme of things, what's important to us, what those things are that are likely to impact us, that's all part of the context in which we manage risk.