Risk Management Part 2


Course time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
Hello again and welcome back to the HCISPP certification course with Cybrary, Enterprise Risk Management Part 2. My name is Shalane Hutchins and I'm your instructor. In this module, we're going to cover controls and residual risk.

Controls regarding the security and privacy of healthcare information are safeguards and countermeasures that are implemented to mitigate, lessen, or avoid risks. Going forward, we're going to review the different risk categories and classes of controls. It's important to note, when discussing risk management and controls, to identify the objective of the control, meaning the why behind the control. What is the control supposed to do? Why is the control in place? Keep that in mind as we discuss the various categories. This will help you as you move through this module of risk management.

Controls are generally grouped into different categories, and this defines three classes in their description of controls, based on definitions from FIPS 200, that are based on a control's function. Management controls are controls based on the management of risk and the management of information systems security. These are generally your policies and procedures. Technical controls are controls that are implemented and executed through mechanisms contained in the hardware, software, and firmware of the components of the system. Operational controls are controls that are primarily implemented and executed by people as opposed to systems.

Other security control frameworks define different classes, which may be management, technical, or physical. Another security control class grouping is organized around administrative, technical, and physical, as we talked about before. The technical class may also be characterized as logical controls, and the physical class may also be identified as an environmental class of controls.

Classes of security controls, whether they are safeguards (proactive) or countermeasures (reactive), are also categorized as follows. Directive controls are controls designed to specify acceptable rules of behavior within an organization. Deterrent controls are controls designed to discourage people from violating security directives. Preventive controls are controls implemented to prevent a security incident or information breach. Compensating controls are implemented to substitute for the loss of a primary control, or to address a weakness or limitation of a primary control, and mitigate risk to an acceptable level. Compensating controls are frequently associated with the two terms defense in depth and layered security. My favorite example of a compensating control is your front door, which has or may have a deadbolt lock. Then the compensating control would be a pit bull behind that door. Should someone be able to get through the door and the deadbolt, the dog would compensate for that failure of control. A detective control is a control designed to signal a warning when the security control has been breached, such as when someone gets through your front door and your alarm system goes off. A corrective control is a control that is implemented to remedy circumstances, mitigate the damage, or restore controls. Recovery controls are controls implemented to restore conditions after a security incident.

In this risk management process, we've identified threats, vulnerabilities, and the impact of such. Assessing the likelihood of this potential threat being actualized is the total risk. After applying a risk response strategy, such as risk mitigation, you have a new state of risk called residual risk. Because risk is not static, the current state of risk, or residual risk, fluctuates between above and below the organization's risk tolerance. When risk is higher than the organizational risk tolerance, we refer to that as an unacceptable risk. When the risk posture is below the organizational risk tolerance, we refer to that as acceptable risk. Regardless, the current state is referred to as residual risk.

Findings from a risk assessment are documented in a report known as a Risk Assessment Report, or RAR. The risk assessment report is a living document that is updated when business processes or the risk posture for a system changes.

Now let's do a knowledge check. What is the current state after applying a risk response strategy? [MUSIC] Residual risk, correct. Next, what are safeguards and countermeasures that are implemented to mitigate, lessen, or avoid risk? [MUSIC] You guessed it, controls.

What we talked about today was controls and residual risk. Stay tuned for risk management frameworks.