Risk Management Part 1
Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Transcription
00:00
>> Hello again, and welcome to
00:00
the HCISPP Certification course with Cybrary,
00:00
Enterprise Risk Management Part 1.
00:00
I'm your instructor, Schlaine Hutchins.
00:00
Today, we're going to discuss assets, exposure,
00:00
likelihood, and impact, threat,
00:00
vulnerability, and risk.
00:00
Organizations need to identify
00:00
their information assets in order to
00:00
categorize them based on criticality,
00:00
the business operations, and to
00:00
determine the threats to the confidentiality,
00:00
integrity, and availability of each asset.
00:00
Similar to risk analysis,
00:00
information valuation methods may
00:00
be descriptive or metric.
00:00
Descriptive methods include the creation,
00:00
and dissemination, and
00:00
data collection from checklists and surveys.
00:00
A metric or statistical measures may provide
00:00
a more objective view of information valuation.
00:00
Tangible assets are generally
00:00
those that have a physical presence.
00:00
These assets are typically valued based on
00:00
the original cost of the assets minus any depreciation.
00:00
For a risk assessment purpose,
00:00
the information security professional needs
00:00
to be aware of the original cost,
00:00
but more importantly, the replacement cost.
00:00
As suppliers and vendors come
00:00
into the market and leave the market,
00:00
the cost of replacing a specific appliance, server,
00:00
or even type of lock may change due to supply and demand.
00:00
Additionally, assets originally depreciated
00:00
making the value,
00:00
if the supply is less than the demand.
00:00
Certain assets may become outdated and new assets may be
00:00
required to replace
00:00
the functionality or utility provided.
00:00
Intangible assets are not physical, such as trademarks,
00:00
copyrights, patents, business processes,
00:00
brand recognition, and intellectual property.
00:00
A definite intangible asset is
00:00
an intangible asset with
00:00
a definite expiration period, such as a patent.
00:00
Once the patent expires,
00:00
it no longer has value.
00:00
Conversely, an indefinite intangible asset is with
00:00
an indefinite expiration period
00:00
like an organization's brand.
00:00
The brand is expected to be maintained and
00:00
preserved into the foreseeable future.
00:00
To approximate the value of an intangible asset,
00:00
the following methods are generally acceptable.
00:00
Cost. The cost to create
00:00
the asset and the cost to replace it.
00:00
Capitalization of historic profits.
00:00
Meaning, if getting a patent,
00:00
creating a brand,
00:00
or developing a new process
00:00
directly led to increased profits,
00:00
those profits can be
00:00
considered part of the overall value of the asset.
00:00
Cost avoidance or savings.
00:00
If acquiring the trademark of a product or
00:00
service allowed an organization
00:00
to avoid paying royalties,
00:00
those savings can be considered part of the asset value.
00:00
Health care professionals should seek the aid of
00:00
a financial expert when attempting to
00:00
determine the intangible value of an asset.
00:00
Let's talk about exposure.
00:00
Mitre, a US non-profit organization that
00:00
maintains the common vulnerabilities
00:00
and exposures or CVEs.
00:00
It's a dictionary of names for vulnerabilities
00:00
and exposures identified in the industry.
00:00
Mitre defines an exposure as
00:00
an information security exposure to
00:00
a system configuration issue or a mistake in
00:00
software that allows access to
00:00
information or capabilities that can be
00:00
used by a hacker as
00:00
a stepping stone into a system or network.
00:00
NIST 800-30 Revision 1 describes likelihood as
00:00
a weighted risk factor on analysis of
00:00
the probability that a given threat is
00:00
capable of exploiting a given vulnerability.
00:00
Likelihood is generally viewed as
00:00
an adversarial and non-adversarial.
00:00
When considering the adversarial view,
00:00
it's necessary to consider
00:00
the adversaries capabilities, intent, and target.
00:00
For the non-adversarial view,
00:00
it's common to consider historical data.
00:00
Once the value has been determined for likelihood,
00:00
it is then associated with
00:00
the impact so as to properly make a risk determination.
00:00
NIST 800-30 Revision 1
00:00
describes impact as the magnitude of
00:00
harm that can be expected to result from
00:00
the consequences of an unauthorized disclosure,
00:00
modification, or destruction of information,
00:00
or loss of information,
00:00
or information systems availability.
00:00
When a health organization considers impact,
00:00
it needs to also consider
00:00
other entities outside of itself.
00:00
For example, a health organization
00:00
may have data that belongs to a specific patient.
00:00
Therefore, that patient needs to be considered along
00:00
with any other organizational entity
00:00
that may be impacted.
00:00
In addition, each organization needs to explicitly define
00:00
definitions for impact that may
00:00
include anything such as loss of life,
00:00
loss of money, or loss of reputation within their scale.
00:00
Impact is considered in the same manner as likelihood and
00:00
given a value that will be used in computing risk.
00:00
It is also important to note that within the industry,
00:00
impact may be called consequences in some taxonomies.
00:00
Threats are predefined topical areas
00:00
that can put an organization at risk.
00:00
Most risk assessment methodologies have
00:00
a threat table that is utilized to determine
00:00
if a system given unique characteristics would
00:00
actually have exposure or is vulnerable to a threat.
00:00
For instance, a hurricane is an environmental threat,
00:00
but a data center in Kansas City has a little exposure.
00:00
However, data center in New Orleans has
00:00
significant exposure and is vulnerable
00:00
to the adverse impacts from a hurricane.
00:00
NIST 800-30 Revision 1
00:00
describes a threat as any circumstance or
00:00
event with the potential to adversely
00:00
impact organizational operations and assets,
00:00
individuals and other organizations, or the nation.
00:00
Threat sources are not always malicious,
00:00
as they may also be accidental.
00:00
Some common categories for threat sources are human,
00:00
a malicious outsider or insider,
00:00
or just human error.
00:00
Natural, fire, flood,
00:00
tornado, hurricane, snowstorm, or earthquake.
00:00
Technical, hardware or software failure,
00:00
malicious code or wireless technologies.
00:00
Environmental,
00:00
meaning hazardous waste or biological agent.
00:00
Operational, a process whether manual
00:00
or automated that affects the confidentiality,
00:00
integrity, or availability of the information.
00:00
Now, a vulnerability is
00:00
a weakness in an information system,
00:00
system security procedures, internal controls,
00:00
or implementation that could
00:00
be exploited by a threat source.
00:00
There are many software tools that can be used to
00:00
scan and identify software vulnerabilities in a system.
00:00
But know that vulnerabilities may
00:00
exist in other areas than
00:00
systems and a few examples of vulnerabilities are,
00:00
a receptionist or guard who's not at
00:00
the front interests to limit access.
00:00
Patching and configuration of IT systems are done on
00:00
an ad hoc basis and neither documented or up-to-date,
00:00
or no quality review process for
00:00
manual changes made to a fax number
00:00
on a form that is faxed electronically.
00:00
Lastly, risk is determined
00:00
by evaluating a number of factors and
00:00
variables along with the potential impact that
00:00
might occur as a result of a risk being exercised.
00:00
ISO 27005, definition of risk
00:00
is the potential that
00:00
a given threat will exploit a vulnerability.
00:00
NIST definition is a measure of
00:00
the extent to which an entity is threatened by
00:00
a potential circumstance or event that
00:00
is typically a function of the adverse impacts
00:00
that would arise if the circumstance or event
00:00
occurs and the likelihood of occurrence.
00:00
In summary, we've covered assets, exposure,
00:00
likelihood, and impact, threat, vulnerability, and risk.
00:00
Next step is Risk Management Part 2.
Up Next
