All right. Risk management is our next topic, and operations management. And if I ruled the world, every human being on the planet would need to go through risk management training. Now, of course, in this course it's way scaled back, and we're just gonna kind of talk about it in relation to the CCSP exam. It's a starting point for working with risk management, but risk management should be the point of origin for everything we do, right? Every decision that we make should be based on risk. So just with a little introduction to risk: when we look at risk management, we're talking about identifying what risks exist.
Then we're gonna analyze, and "analyzing" and "assessing" will often be used interchangeably. Okay? So analyze and assess. What we're trying to do there is get a value. What's my potential for loss?
Well, based on my potential for loss, I'm gonna mitigate that risk, because I want to reduce that loss potential into an area that I'm comfortable with, right? I can't eliminate risk. I mean, I'm 48 years old. There's a risk just getting out of bed in the morning, right? I don't know if you can relate, but if you get out of bed and the first noise you make is "uh," and then you hear the popping and the cracking, right. So there's just a certain amount of risk with everything. I need to reduce the amount of risk to a level that's acceptable. Really, that's kind of the whole purpose of risk management.
And then I'm going to continue to monitor for risk, because the threat landscape changes. Mitigation controls, uh, lose their potency over time as the threat landscape changes, or as they get older they're out of date, and so on. So when we talk about that idea of risk management, it's that umbrella term that groups: identify risks, analyze or assess risks, mitigate risk, and then continue to monitor for them.
We've got some risk definitions, and these are important to go over, because everybody just seems to use these terms interchangeably or use them incorrectly. So I just want to hit a couple of these terms to make sure we're all solid. Again, this is not an in-depth risk class; there are a lot of other ideas we need to talk about, but these are the main ones for this class.
All right, so when we're looking at identifying risks, we have to have an asset, right? The first step in risk management is: what is valuable, and how valuable is it? So an asset is anything we value. I need to know what those are and how valuable they are. I'm not going to spend $50 to protect a $20 bill, right? So we start with the asset. The next element we think about is, okay, what are the existing vulnerabilities? What are those areas in which the asset is unprotected? Then we take that and we move to the threats. All right, what sources exist that would pose potential harm to the asset? So where you have an asset with a vulnerability and a threat, that's where you have a risk. So when we look at risk identification, that's what we're figuring out: what are our assets? What are their vulnerabilities? What threats could harm them?
A threat agent is that entity that carries out the threat. So it might be the attacker themselves; it could be the software that they use. Like, you know, any sort of malicious software could be the threat agent. And when that threat compromises the vulnerability, we have what we'll see as the next point. Now, the probability of that threat materializing, that's the risk. "There's an 80% risk of...", right? Risk is associated with probability. You would also think about impact as well, in terms of risk, but right now we're just gonna look at the probability of the threat materializing.
What do we do about risks? We control them. We put in controls, and the job of those controls is to mitigate the risk. And remember, we want a balanced approach between the physical, administrative, and technical controls that we put in place. We also want proactive, and we want reactive. So if you look at proactive controls, think about safeguards. If you look at reactive controls, think countermeasures. A firewall is proactive. An audit log is reactive. So a firewall is a safeguard, and an audit log is a countermeasure.
All right, total risk. Like we said, it's the amount of risk that exists before you do anything. As is, what's the total risk? Then you add a mitigating control. What's left? And what's left is the residual risk. So again, we're trying to get that residual risk down to a level that's acceptable to senior management.
And then the last piece. Sometimes you fix a problem just to cause another, and that's exactly what a secondary risk is. If you've ever gone in... I had a very minor plumbing issue in my home, and I took my wrench in, because every now and then I think I'm handy, and I tightened a few things up. You know, I just did a little this and that, and I thought I'd fixed the problem. Turns out I had just simply caused the leak to go to another location, and it was much more significant than the initial leak. I do not belong with a wrench, or any other tool really, for that matter, in my hand for home repair. But, you know, patching systems: sometimes a patch you install creates a bigger problem than the security vulnerability that you closed up. So we've always got to think about secondary risk. All right, so those were some good definitions of risk,
and in the next section we're gonna go through and look at each of these steps separately. But again: identify your risks, analyze to get a value, mitigate to reduce the risk, and then continue to monitor, because risks go on forever. You're never done.
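As an added illustration (not part of the lecture), here is a small risk register in Python that follows the four stages above, identify, analyze, mitigate, monitor, and computes total and residual risk, including a control that introduces secondary risk. The asset values, probabilities and control percentages are constructed, and the multiplicative reduction model is an assumption of this example, not something the lecturer specifies.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    kind: str              # "safeguard" (proactive) or "countermeasure" (reactive)
    reduction: float       # fraction of the remaining probability this control removes, 0..1
    secondary: float = 0.0 # probability of loss the control itself introduces (secondary risk)


@dataclass
class Risk:
    asset: str             # identify: what is valuable...
    asset_value: float     # ...and how valuable is it (constructed dollar figure)
    vulnerability: str     # where the asset is unprotected
    threat: str            # source that could harm it
    probability: float     # analyze: chance the threat materializes, 0..1
    controls: list = field(default_factory=list)

    def total_risk(self) -> float:
        """Exposure before any control is applied ('as is'): value times probability."""
        return self.asset_value * self.probability

    def residual_probability(self) -> float:
        p = self.probability
        for c in self.controls:
            p *= 1.0 - c.reduction   # mitigate: the control removes part of what is left
            p += c.secondary         # ...but may open a new problem (the plumbing leak)
        return min(p, 1.0)

    def residual_risk(self) -> float:
        """Exposure left after the controls: what senior management has to accept."""
        return self.asset_value * self.residual_probability()


def worth_it(risk: Risk, control_cost: float) -> bool:
    """Don't spend $50 to protect a $20 bill: exposure removed must exceed the cost."""
    return (risk.total_risk() - risk.residual_risk()) > control_cost


def needs_attention(risk: Risk, acceptable: float) -> bool:
    """Monitor: flag a risk whose residual exposure is above the accepted level."""
    return risk.residual_risk() > acceptable


def example_register() -> dict:
    """Constructed sample: one risk mitigated cleanly, one whose patch adds secondary risk."""
    web = Risk("web server", 10_000, "unfiltered inbound traffic", "network attacker", 0.8,
               [Control("firewall", "safeguard", 0.75), Control("audit log", "countermeasure", 0.5)])
    db = Risk("database", 10_000, "unpatched service", "exploit of known flaw", 0.8,
              [Control("vendor patch", "safeguard", 0.9, secondary=0.05)])
    return {"web": web, "db": db}
```

Re-running `needs_attention` over the register on a schedule is the "monitor" step: when the threat landscape changes, raise the probabilities and see which residual risks cross the accepted level again.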