This is Risk Management and Information Technology.
In this lesson, we will do a complete review of our previous lessons and tie them all together.
Let's start with defining risk management.
Risk management is an element of sustaining a secure environment.
It is also the process of identifying factors that cause damage to an organization or information structure, as well as the methods for implementing cost-saving solutions for reducing risk.
With that in mind, let's define risk.
Risk is the likelihood that a threat will exploit a vulnerability, which leads to the damage or theft of an asset in an organization.
Reducing threats or vulnerabilities will lower the risk.
Since assets are affected by risk, what is an asset?
An asset is anything in an organization that should be protected and has value.
It can be tangible, such as products, or intangible, such as a business process or task.
Assets in an organization must be protected from threats and vulnerabilities.
In most cases this refers to customer information and trade secrets.
So what is a vulnerability?
It is a weakness in an asset or in the protection of an asset.
It can be a weakness in the IT infrastructure or in a process.
It can be exploited, in which case loss of an asset can occur.
What is a threat?
A threat is a potential occurrence that can cause a loss or theft of an asset.
It can be an action or inaction that can cause damage or disclosure of assets.
Threats can be large or small.
They can be accidental or intentional.
Since we have threats and vulnerabilities, we also have safeguards, which reduce threats and vulnerabilities by implementing a process or control around an asset.
This is the only way to reduce risk: by implementing risk mitigation or risk removal.
So how do we implement a risk assessment?
Management requests a risk assessment by a third-party audit.
The risk assessment team determines risk by qualitative or quantitative risk assessment, or a combination of both.
That assessment is passed back to management, which reviews the report.
Upon receiving the report, management either mitigates or rejects the risk identified and works with their staff to implement safeguards into the infrastructure, process or environment.
As security auditors, we have two methods of creating a risk assessment: qualitative risk analysis or quantitative risk analysis.
We can also combine both to have a more comprehensive report.
In a qualitative risk assessment, we use different scenarios and surveys to determine risk.
We do this by interviews or surveys that utilize a scale to evaluate risks, costs and threats.
In a quantitative risk assessment, we use calculation-based risk methodologies and probability percentages to determine the risk.
Data used for this methodology comes from industry standards and calculations based on previous assessments.
To accomplish a quantitative risk assessment, first we assign a value to an asset.
Then we calculate the exposure factor, which is the potential loss if the risk is realized.
Then we calculate the single loss expectancy, which is the exact amount of loss an organization would experience if the risk is realized.
We then determine how frequently that loss can occur, which is derived from historical records and statistics from industry standards.
That is used to determine the annualized loss expectancy, which is the yearly cost of all instances of realized threats.
Annualized loss expectancy is determined by using software data modeling and tools used in the industry, and the calculation is modified by applying safeguards or countermeasures.
We then perform a cost-benefit analysis of implementing safeguards and countermeasures to determine if the risk is worth preventing against the cost of preventing a threat.
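The steps above, carried through as a worked calculation. This is an added example written for this page, not material from the course or its instructor. It uses the standard formulas behind the terms the lesson names (SLE = asset value x exposure factor; ALE = SLE x yearly frequency, usually called the annualized rate of occurrence, ARO; the cost-benefit of a safeguard = ALE before - ALE after - annual cost of the safeguard), and it also reports the residual risk that the lesson mentions later as the fraction of the original ALE that remains once a countermeasure is applied. The asset, threat, safeguard names and every number are constructed sample values, not figures from the course.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # AV: the value assigned to the asset in step 1


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost if the threat is realized (0.0 to 1.0)
    aro: float  # ARO: expected occurrences per year, from historical records / industry data


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # ACS: yearly cost of the countermeasure
    residual_ef: float  # EF once the safeguard is in place
    residual_aro: float  # ARO once the safeguard is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: the loss from one realized instance of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected yearly cost of all realized instances."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def residual_risk(ale_before: float, ale_after: float) -> float:
    """Remaining risk as a fraction of the original ALE once a control is applied."""
    if ale_before == 0:
        return 0.0  # nothing was at risk, so nothing remains
    return ale_after / ale_before


def cost_benefit(asset: Asset, threat: Threat, safeguard: Safeguard) -> dict:
    """Value of one safeguard: (ALE before) - (ALE after) - (annual cost of safeguard)."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset.value, threat.exposure_factor), threat.aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset.value, safeguard.residual_ef), safeguard.residual_aro)
    net = ale_before - ale_after - safeguard.annual_cost
    return {
        "safeguard": safeguard.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_cost": safeguard.annual_cost,
        "net_benefit": net,
        "residual_risk": residual_risk(ale_before, ale_after),
        "worth_implementing": net > 0,  # a safeguard costing more than it saves fails the analysis
    }


def rank_safeguards(asset: Asset, threat: Threat, safeguards: list) -> list:
    """Evaluate every candidate countermeasure and order them by net yearly benefit, best first."""
    return sorted((cost_benefit(asset, threat, s) for s in safeguards),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample data (hypothetical figures, not from the course).
CUSTOMER_DB = Asset("customer database", 500_000)
RANSOMWARE = Threat("ransomware", exposure_factor=0.4, aro=0.5)  # about once every two years
CANDIDATES = [
    Safeguard("offline backups + endpoint detection", annual_cost=30_000,
              residual_ef=0.1, residual_aro=0.25),
    Safeguard("full duplicate hot site", annual_cost=150_000,
              residual_ef=0.05, residual_aro=0.1),
]

if __name__ == "__main__":
    for r in rank_safeguards(CUSTOMER_DB, RANSOMWARE, CANDIDATES):
        print(f"{r['safeguard']}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"net benefit {r['net_benefit']:,.0f}/yr, residual risk {r['residual_risk']:.1%}, "
              f"{'implement' if r['worth_implementing'] else 'reject'}")
```

With the sample figures, the backups-plus-detection control reduces the ALE from 100,000 to 12,500 at a cost of 30,000 a year, a net benefit of 57,500 with 12.5% residual risk, while the hot site removes more risk but costs more than it saves and fails the cost-benefit test; this is the "cost-restrictive" trade-off the lesson describes when management chooses whether to mitigate.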
Once we have all these calculations and risk assessments completed and given to management to review, management has different responses to the risk.
Management can mitigate the risk by implementing recommended safeguards and countermeasures.
This is also cost-restrictive, since the different mitigation methods have a dollar impact on the organization.
If the risk can be avoided by removing threats and modifying processes, management can opt to apply risk avoidance.
This can restrict the growth of the organization, as it becomes impractical at scale when new procedures introduce new threats and vulnerabilities.
If the organization cannot handle the risks of threats and vulnerabilities to its assets, they can transfer them to a third party who should be more equipped or specialized to handle the risk.
This can cost significantly more in the long run.
If the organization has exhausted all options to mitigate the risk, they can accept the risk and the responsibility for any threat that is realized; a form needs to be completed to record such an agreement.
An organization can also reject the risk as invalid, in which case the risk assessment team has to calculate the residual risk, which is the remaining risk percentage once any countermeasures are implemented.
Finally, in our class review, we learned different concepts, terminologies and processes in risk management for information technology.
We are also able to provide a preliminary risk analysis report to management, by use of qualitative and quantitative risk assessment, and to work with management to determine what the next steps are in mitigating or rejecting the risk.
I hope this short session has been informative for you.
There are quizzes and a glossary provided for the course as well.
Feel free to send me an email for more information or guidance about this course.
This is your instructor, Robert Ghana.
Course Assessment - Risk Management and Information Systems Control