HCISPP

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello again and welcome to the HCISPP Certification course: Enterprise Risk Management, Part One.
00:08
I'm your instructor, Schlaine Hutchins.
00:12
Today we're going to discuss assets, exposure, likelihood and impact, threat, vulnerability and risk.
00:24
Organizations need to identify their information assets in order to categorize them based on criticality to the business operations and to determine the threats to the confidentiality, integrity and availability of each asset.
00:38
Similar to risk analysis, information valuation methods may be descriptive or metric.
00:45
Descriptive methods include the creation and dissemination of, and data collection from, checklists and surveys, and metric or statistical measures may provide a more objective view of information valuation.
01:00
Tangible assets are generally those that have a physical presence.
01:04
These assets are typically valued based on the original cost of the assets, minus any depreciation. For risk assessment purposes, the information security professional needs to be aware of the original cost, but more importantly the replacement cost, as suppliers and vendors come into the market and leave the market, and the cost of replacing a specific appliance, server or even type of lock may change due to supply and demand.
01:33
Additionally, assets originally depreciated may gain in value if the supply is less than the demand. Certain assets may become outdated and new assets may be required to replace the functionality or utility provided.
01:49
Intangible assets are not physical, such as trademarks, copyrights, patents, business processes, brand recognition and intellectual property.
02:01
A definite intangible asset is an intangible asset with a definite expiration period, such as a patent.
02:09
Once the patent expires, it no longer has value.
02:14
Conversely, an indefinite intangible asset is one with an indefinite expiration period, like an organization's brand; the brand is expected to be maintained and preserved into the foreseeable future.
02:30
To approximate the value of an intangible asset, the following methods are generally acceptable: cost, meaning the cost to create the asset and the cost to replace it.
02:40
Capitalisation of historic profits, meaning if getting a patent, creating a brand or developing a new process directly led to increased profits, those profits can be considered part of the overall value of the asset.
02:58
Cost avoidance or savings. If acquiring the trademark of a product or service allowed an organization to avoid paying royalties, those savings can be considered part of the asset value.
03:13
Healthcare professionals should seek the aid of a financial expert when attempting to determine the intangible value of an asset.
03:23
Let's talk about exposure.
03:25
MITRE, a US non-profit organization, maintains the Common Vulnerabilities and Exposures, or CVE. It's a dictionary of names for vulnerabilities and exposures identified in the industry.
03:42
MITRE defines an exposure as a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping stone into a system or network.
04:00
NIST 800-30 Revision 1 describes likelihood as a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability.
04:16
Likelihood is generally viewed as either adversarial or non-adversarial.
04:25
When considering the adversarial view, it's necessary to consider the adversary's capabilities, intent and target.
04:33
For the non-adversarial view, it's common to consider historical data.
04:40
Once the value has been determined for likelihood, it is then associated with the impact so as to properly make a risk determination.
04:47
NIST 800-30 Revision 1 describes impact as the magnitude of harm that can be expected to result from the consequences of an unauthorized disclosure, modification or destruction of information, or loss of information or information system availability.
05:12
When a health organization considers impact, it needs to also consider other entities outside of itself.
05:18
For example, a health organization may have data that belongs to a specific patient.
05:24
Therefore, that patient needs to be considered along with any other organization or entity that may be impacted.
05:31
In addition, each organization needs to explicitly define definitions for impact, which may include anything such as loss of life, loss of money or loss of reputation within their scale.
05:46
Impact is considered in the same manner as likelihood and given a value that will be used in computing risk.
05:56
It is also important to note that within the industry, impact may be called consequences in some taxonomies.
06:08
Threats are predefined topical areas that can put an organization at risk. Most risk assessment methodologies have a threat table that is utilized to determine if a system, given its unique characteristics, would actually have exposure or be vulnerable to a threat.
06:26
For instance, a hurricane is an environmental threat, but a data center in Kansas City has little exposure.
06:33
However, a data center in New Orleans has significant exposure and is vulnerable to the adverse impacts from a hurricane.
06:43
NIST 800-30 Revision 1 describes a threat as any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or the nation.
07:00
Threat sources are not always malicious, as they may also be accidental.
07:04
Some common categories for threat sources are: human, meaning a malicious outsider or insider or just human error; natural, meaning fire, flood, tornado, hurricane, snowstorm or earthquake; technical, meaning hardware or software failure, malicious code or wireless technologies; environmental, meaning hazardous waste or a biological agent; and operational, meaning a process, whether manual or automated, that affects the confidentiality, integrity or availability of the information.
07:46
Now, a vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.
07:58
There are many software tools that could be used to scan and identify software vulnerabilities in a system, but note that vulnerabilities may exist in other areas than systems, and a few examples of vulnerabilities are: a receptionist or guard is not at the front entrance to limit access; patching and configuration of IT systems are done on an ad hoc basis and are neither documented nor up to date; or there is no quality review process for manual changes made to a fax number on a form that is faxed electronically.
08:39
Lastly, risk is determined by evaluating a number of factors and variables, along with the potential impact that might occur as a result of a risk being exercised.
08:52
ISO 27005's definition of risk is the potential that a given threat will exploit a vulnerability.
09:01
This definition is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.
09:26
In summary, we've covered assets, exposure, likelihood and impact, threat, vulnerability and risk. Next up is Risk Management, Part Two.

The HCISPP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor