Risk Management Part 2


Course
Time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:00
Hello again and welcome back to the HCISPP Certification Course, Enterprise Risk Management, Part 2.
00:09
My name is Charlene Hutchins, and I'm your instructor.
00:13
In this module, we're going to cover controls and residual risk.
00:21
Controls regarding the security and privacy of health care information are safeguards and countermeasures that are implemented to mitigate, lessen or avoid a risk.
00:33
Going forward, we're going to review the different risk categories and classes of controls.
00:40
It's important to note, when discussing risk management and controls, to identify the objective of the control, meaning the why behind the control.
00:49
What is the control supposed to do?
00:52
Why is the control in place?
00:55
Keep that in mind as we discuss the various categories,
00:58
and this will help you as we move through this module.
01:06
Risk management controls are generally grouped into different categories. Three classes are defined in the description of controls, based on definitions from FIPS 200, according to a control's function.
01:19
Management controls are controls based on the management of risk and the management of information systems security.
01:27
These are generally your policies and procedures.
01:32
Technical controls are controls that are implemented and executed through mechanisms contained in the hardware, software and firmware of the components of the system.
01:45
Operational controls are controls that are primarily implemented and executed by people, as opposed to systems.
01:56
Other security control frameworks define different classes, which may be management, technical or physical.
02:04
Another security control class grouping is organized around administrative, technical and physical, as we talked about before.
02:13
The technical class may also be characterized as logical controls, and the physical class may also be identified as an environmental class of controls.
02:24
Classes of security controls, whether they're safeguards (proactive) or countermeasures (reactive), are also categorized as follows.
02:36
Directive.
02:38
Directive controls are controls designed to specify acceptable rules of behavior within an organization
02:45
Deterrent.
02:46
Deterrent controls are controls designed to discourage people from violating security directives.
02:53
Preventive.
02:53
Preventive controls are controls implemented to prevent a security incident or information breach.
03:00
Compensating.
03:02
compensating controls are implemented to substitute for the loss of a primary control or to address a weakness or limitation of a primary control and mitigate risk to an acceptable level.
03:15
Compensating controls are frequently associated with the two terms defense in depth and layered security.
03:23
My favorite example of a compensating control is your front door, which has or may have a deadbolt lock.
03:34
And then the compensating control would be a pit bull behind that door.
03:39
Should someone be able to get through the door and the deadbolt, the dog would compensate for that failure.
03:49
Detective.
A detective control is a control designed to signal a warning when the security control has been breached, such as when someone gets through your front door and your alarm system goes off.
04:00
Corrective.
A corrective control is a control implemented to remedy circumstances, mitigate the damage or restore controls.
04:12
Recovery controls are controls implemented to restore conditions after a security incident.
04:25
So in this risk management process, we've identified threats, vulnerabilities and the impact of such.
04:32
Assessing the likelihood of this potential threat being actualized gives the total risk.
04:39
After applying a risk response strategy, such as risk mitigation, you have a new state of risk called residual risk.
04:48
Because risk is not static, the current state of risk, or residual risk, fluctuates above and below the organization's risk tolerance.
05:01
When risk is higher than the organizational risk tolerance, we refer to that as an unacceptable risk.
05:09
When the risk posture is below the organizational risk tolerance, we refer to that as acceptable risk.
05:16
Regardless, the current state is referred to as residual risk.
05:24
Findings from a risk assessment are documented in a report known as a risk assessment report, or RAR. The risk assessment report is a living document that is updated when business processes or the risk posture for a system changes.
05:44
Let's do a knowledge check.
05:46
What is the current state after applying a risk response strategy?
06:00
Residual risk? Correct.
06:03
Next,
06:06
What are safeguards and countermeasures that are implemented to mitigate, lessen or avoid risk?
06:21
Oh, you guessed it: controls.
06:29
So what we talked about today was controls and residual risk. Stay tuned for risk management frameworks.