Intro to Information Security Risk Management


Time: 7 hours 52 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:00
Moving on to module four.
00:05
Module four pertains to clause six,
00:08
Planning.
00:12
Lesson 4.1:
00:14
An introduction to information security risk management.
00:21
In this lesson,
00:22
we will cover basic information security risk terms,
00:26
and we'll go over a simple example of what risk is.
00:33
Information security risk basically comes down to the following.
00:38
If you've had experience with or exposure to information security, then I'm sure you will have some level of understanding of the information security risk management process.
00:47
But because this is the underpinning element of the entire ISO 27001 standard
00:53
and the way the ISMS is meant to be run and continually improved,
00:58
we're going to spend some time going through the elements of information security risk management in this course.
01:04
Information security risk management is a bit different from normal IT risk management,
01:10
and it goes into a lot more detail.
01:14
So,
01:15
what actually presents a risk?
01:19
Why do we have information security at all in the first place?
01:23
Well,
01:23
we have information assets, some of which are extremely valuable to the organization that we want to protect.
01:32
There are a variety of threats to these assets and the risk management process helps us to understand these threats
01:38
and identify which ones are the most likely to be a real danger to us.
01:44
A threat, of course, presents no real danger unless there is some vulnerability present that could be exploited,
01:49
and vice versa.
01:52
A vulnerability is simply a missing control or a control that is not operating as intended.
01:57
This makes it easy for a threat to exploit and gain access to the asset,
02:02
whether it is to steal the asset, alter the asset or destroy the asset.
02:09
We will get into the impact and all of that in the coming sections.
02:13
But when we are assessing information security risks, especially for our ISMS,
02:17
it is important to keep in mind the CIA triad of confidentiality,
02:23
integrity and availability.
02:27
Let's take a look at a simple example.
02:30
You want to protect your secret recipe for your company's best selling donuts.
02:36
That secret recipe is your information asset.
02:38
It's quite a valuable asset to your organization as your sales and profits are directly linked to this recipe.
02:46
You also have some goodwill and brand value attached to this asset,
02:51
so let's just say it's a very valuable asset.
02:53
Now,
02:54
we want to make sure that this asset is protected,
02:58
so we need to identify what the possible risks around this asset could be.
03:04
The next step, once we know what we are protecting,
03:07
is to look at the threats to the assets.
03:09
We'll get into threats in more detail in the next sections.
03:14
But for now, let's say the biggest threat
03:15
is our top competitor.
03:17
They really want to get our recipe for themselves and steal our customer base.
03:23
Once we know who or what is trying to get our asset,
03:27
we need to assess the ways in which this asset could be obtained.
03:31
Is the recipe stored in hard copy?
03:34
Is it kept in a safe?
03:36
Is the safe kept locked?
03:38
Who has access to the safe?
03:40
One of your trusted employees has access to the safe and has recently fallen into difficult times.
03:47
A risk here is that your competitor learns this information,
03:51
approaches the employee
03:53
and offers them a substantial amount of money to give them the recipe.
03:58
We now have a threat
04:00
as well as a vulnerability existing together,
04:02
so there is a risk that needs to be addressed.
04:05
We'll talk about addressing risks in more detail in the coming sections.
04:12
Let's go over these points again.
04:14
What are we protecting? Ultimately, we are protecting information assets.
04:19
These information assets can exist across a variety of other assets, including hardware, software, networks and even people.
04:29
What are we ultimately protecting these against?
04:32
Threats.
04:33
Threats could be people,
04:35
natural in nature or environmental,
04:39
and we'll get into that in the coming sections.
04:42
What could allow threats to get access to the assets? Vulnerabilities.
04:47
When the threat and vulnerability exist together, a risk is present.
04:53
The risk likelihood and impact need to be determined,
04:57
and once that has been determined, the risk needs to be appropriately treated.
05:06
To summarize
05:08
In lesson 4.1 we covered
05:10
that understanding what you are protecting is the fundamental component of information security risk management.
05:16
We also covered who you are protecting your asset from
05:20
being the next step in information security risk management,
05:25
in other words, your threat identification.
05:29
We covered that understanding vulnerabilities and threats together gives rise to risk scenarios,
05:35
and that risks ultimately need to be treated.