Information Security Risk Management


Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:01
We are now upon the section of information security risk management. We've talked a lot up to this point about how important it is to be able to make good risk-aware business decisions. We're going to examine that a little bit more in depth. In this next section, we're just going to lay the groundwork for what we're going to do. I'm just going to talk about information security risk management in broad terms. Then we're going to cover some definitions. One of the things I find is people use these risk terms sometimes interchangeably when that's not necessarily appropriate.
Information security risk management. Many times in organizations you will hear that called ISRM. You could also hear ERM, enterprise risk management, with the idea that it's really essential to incorporate our risk management strategy throughout the company as a whole, that it shouldn't just be one department or another, but as an organization we cultivate an understanding and a proactive stance on managing risks, but then also being able to respond to risks as they occur as well.
Let's get these definitions out of the way, make sure we're all on the same page. If we start out with risk management, always begin with your assets. Our assets are those things that I value. What do we value as an organization? As an organization, I value data, I value hardware, I value furniture, I value all tangibles, but also my intangibles. Company reputation is huge. That's a tremendous asset. As a matter of fact, that's usually the most valuable asset a company has. We value our brand, we value goodwill in the community. We have all these intangible assets, but we always start by identifying them and then trying to get the value, understanding the value of those assets to our organization.
Once I know what my assets are, I then look at threats and vulnerabilities. The vulnerabilities are those areas of weakness. A lot of times, areas where my asset is not protected, the absence of a safeguard, can be considered a vulnerability. That's the weakness. Then the threat is what could pose harm to the asset: a threat exploiting a vulnerability to damage the asset. The threat agent is usually what carries out that attack. It could be the attacker themselves, it could be specific pieces of malware or tools that are used. We consider those threat agents. Like I said, the exploit is when this happens, when there's the compromise of a vulnerability by a threat to damage the asset.
Now the risk is the probability of that threat materializing. We often talk about that in terms of total risk or inherent risk, meaning, if I don't do anything, what is the probability of that threat materializing? Then usually we don't just talk about probability, but I'll also mention just briefly here, we think about impact as well: the end impact of a threat exploiting a vulnerability.
Now, the way we mitigate those risks is through the implementation of controls. We mentioned in an earlier section our controls being physical, administrative, and technical protections that mitigate the risk or the potential for loss. We can differentiate between the types of controls based on whether they're proactive or reactive. The category of controls that are proactive we would call safeguards. For our safeguards, we have deterrent or preventive means. Now for reactive controls, we have our countermeasures, things that help us detect, or correct, or recover loss.
Residual risk. When I have total risk and I decide, wait a minute, this total risk is way too high, I can't accept this amount of total risk, then we implement controls. Controls usually lessen the risk. Well, how far do we need to reduce our risks before we can be done? Well, we reduce our risks to a degree that's acceptable to senior management. Rarely do we eliminate risks. Risk elimination is just, I mean, it's virtually impossible. There might be certain risks we avoid, but to eliminate risks can't be done. We reduce risks to the degree that's acceptable to senior management, and what's left over is referred to as residual risk. I have a certain amount of risk, I apply a control, and that brings the risk amount down. If that's acceptable, good; if it's not acceptable, we apply another control. Then we look at the residual risk. You can really say the ultimate purpose of risk management is to reduce residual risk to a degree that's acceptable to senior management. That's really what we're trying to do.
Now, another issue with risk is sometimes one risk response causes another risk event. For instance, if there's a security vulnerability and I apply a patch to mitigate that risk, that patch may cause another piece of software on my system not to work. That would be a secondary risk. When we're doing risk management, we always have to follow our risk responses through and make sure that we're considering what we refer to as a control risk. You implement a control, there are risks associated with the control. You implement a firewall, and there's the risk that it may block legitimate traffic. We have to consider those ideas of secondary risk.
Now, another thing to mention about risks. Risks are always unknown. They're in the future. We don't know if it's going to happen or not. We're really just doing our best planning. Once the risk event materializes, then we refer to it as an incident. An incident is a risk that has happened, that's transpired. But as long as it's in the future, it's still a risk.
In this section we just laid the groundwork for what we're going to do with the rest of the section on risk. We have talked about just management of risks as a whole, and most importantly we've laid out some of these definitions. Make sure that you're solid on the definitions because sometimes people will use terms like vulnerability and threat interchangeably, and that's just not correct. We've covered the definitions and now we're ready to move into the next section where we'll look at the risk management lifecycle.