3.2 ISO 27005 Framework

Video Transcription
So, to get started with our discussions on frameworks, it's only right that we start out with an international standard. Any time you see ISO, that's actually the abbreviation for the International Organization of Standards. When we look at NIST, we're focusing on US frameworks, but ISO is going to indicate that this is a universally accepted framework, and particularly with risk management, it's ISO 27005.

Now, the thing that's "fun" about these, and by fun I put that in air quotes, because what I really mean is the thing that's challenging, is that every framework is going to use slightly different lingo. They're doing the same things, but the lingo is going to be a little bit different from framework to framework. So the Risk IT life cycle is different from what we see here in ISO 27005.

We go through context establishment, risk identification, risk estimation, risk evaluation and risk response. There's a lot going on there. When we start with context establishment, we look at our organization and we think about how our organization as a whole deals with risk. If we are a very heavily audited organization, we're probably not going to take on a ton of risk. If we're a startup company, we might. The military, because we're dealing with human life, is going to be very conservative with risk in most instances, unless the payoff is very, very high. So we've got to think about the environment that we're in, and that's where we start.

Next, we go to a category called risk assessment, and risk assessment is going to include risk identification, risk estimation and risk evaluation. I want to stress that in ISO 27005, risk analysis includes risk identification, risk estimation and risk evaluation. When we look at other frameworks, that's going to be grouped together a little differently. So, risk identification: what are your threats and vulnerabilities? Pair a threat to a vulnerability, because that's really where you have your risks. In identification, we look at assets, we look at threats, we look at vulnerabilities. Then with estimation, what we're trying to do is figure out the probability and impact of the loss potential. I want a value for the risk. Maybe it's qualitative, maybe it's quantitative, but risk estimation gives me a value. Then risk evaluation says, let's look at it all together. We have our threat-vulnerability pairs, we have potential for loss, now let's start talking about how we can mitigate those risks in a manner where the benefit is greater than the cost. Once we're in risk assessment, what we're ultimately looking to do is get to an evaluation where we can understand what security controls would be best implemented. So identification, estimation and evaluation bring us to the point where we can make a good decision on mitigation.

When we talk about our mitigation, we can treat the risk. When we talk about risk treatment, what we're generally doing is reducing the risk, which may also be referred to as mitigating the risk. What we're doing is lessening the probability and/or impact of the risk event.

We can tolerate the risk, which means we accept the risk. Sometimes there isn't anything you can do about it. I'm out here in the middle of the lake in my canoe and it looks like rain. Well, I can't get in; I'm out in the middle of a lake. I might just accept the fact that I'm about to be saturated, that I'm about to get poured on. But also, when we talk about acceptance or tolerance of risk, sometimes it may be because the cost of the countermeasure is greater than the potential for loss. And don't forget that cost is not just money. If we have this huge, convoluted process to implement in order to mitigate a very minimal risk, when we think of things like cost, effort, employee approval and acceptance, all those things, it doesn't make sense. So when we talk about cost-benefit, it's not always just money. Risk tolerance is usually when the cost of the countermeasure is greater than the potential for loss.

Now, transference of a risk: any time you hear about insurance, any time you hear about service level agreements. What happens with risk transference is we're going to find a party to share the potential for loss with. Just like when I'm worried about fire, so I buy fire insurance. It doesn't make me any less likely to have a fire, and if I do have a fire, I'm still going to lose the same amount of my home, but the loss potential will be shared with an insurance company. And then another really important idea: you can transfer loss, but you cannot transfer responsibility. I'll say that again, let it sink in. You can transfer loss, but you cannot transfer responsibility.

Let's say that I'm a health care provider and I have a lot of patients. We have a very small office staff. We really don't have the staff or the equipment to protect patient information to a degree that's compliant with HIPAA. We just can't do it. So we've decided we're going to outsource all of our work to ABC Company, and their job is to process health care information in compliance with HIPAA. Great, they do exactly what I can't do, so I hire them. I turn over all my patient information to them, and they have a breach. Not only do they have a breach, they have a breach because they didn't follow their service level requirements and they didn't implement any of the security features they told us we'd have. Who is legally responsible under HIPAA for the loss of those records? I am. I am the medical provider. I own those records, I am the custodian of those records. The fact that I handed them off to another company and said, "Oh, you guys take care of this, I don't ever have to worry about it again," that's not how the world works. I am still legally responsible. Now what I can do is turn around and sue that service provider for failing to meet their service level contract. We can take that up in court, but it's my responsibility to protect the health care information that I've collected. Whether they did their job or not is neither here nor there in relation to HIPAA. I hope that makes sense, because that's really important. If you're responsible for something, you can't just say, "Oh, you do it, I don't have to worry about it." Outsourcing does not alleviate responsibility. It does potentially give you someone to share the loss with. But there are no guarantees in this world. If they fail to meet their requirements, you can sue them or take it up elsewhere; there will probably be legal recourse, but it's not about the liability under HIPAA.

So those were the stages of the ISO 27005 framework, and you'll find, as we look at other frameworks, we're doing the same thing, just maybe with a slightly different approach.