7 hours 35 minutes
Hey, guys. Welcome to domain three in the s S c p exam. Crab. Siri,
I'm your host, Peter Simple.
This is first lesson in the third. Do me
So in this lesson, since we have no objectives to review, let's talk about Will Graham talk about in this lesson
in this lesson, we will look at the risk management process, which is the whole process of identifying, managing and reducing risk and the negative impact off that risk to an organization.
Let's get started.
In order to talk about the risk management process, we need to go over a few concepts and faux cap words associated with it.
The first is risking stuff. What is risk?
Well, risk is a function of the likelihood of a given threat source exercising a potential vulnerability and the resulting impact of that adverse event on the organization.
So, in a nutshell, risk is
what is the possibility that something bad is going to happen,
and how bad is it going to be?
The probability that a potential vulnerability, maybe exercise within the construct of the associated threat environment
again water the chances that a potential potential vulnerability might be exploited.
Threat source either intent and method targeted at the intentional exploitation of a vulnerability or a situation or method that may accidentally trigger of vulnerability.
Where's this coming from?
How bad will be
that kind of thing?
the potential for a threat source to exercise a specific vulnerability.
So what is the possibility the bad guys will exploit a specific part of the system that is not entirely sink
vulnerability? Ah, flaw or weakness in a system security procedures, designed implementation or internal controls
that could be exercised and result in a security breach or a violation of the system security policy
the magnitude of harm that could be caused by a threats. Exercise off a vulnerability
asset, anything of value that his own body organization?
All right, So now that we got the basic terminology at the way,
let's get down to business
risk assessment. There are four main steps in a risk assessment.
They are prepared for the assessment,
conduct the assessment,
communicate the results and maintained the assessment.
This photo here shows how the four steps off risk assessment are interlocked together.
As you can see, he start with Step one,
perform everything in step two,
and then you go back and forth from Step two and Step three. Talk about your findings,
and then you go back and forth between Step four and Step two to make sure that your risk assessment stays current.
Let's take a look at the Four Steps of Risk Assessment in a little more detail.
That one. Prepare for the assessment,
right? Can't have an assessment
well, without knowing exactly what we are assessing. So to get ready for the risk assessment, we need to set up some boundaries. What exactly are we looking for in this step? Want to identify the purpose? Why are we even performing this risk assessment?
Identify this, Scoob.
How deep is this risk assessment going to go? A new organization. What parts of the organization will it apply to
identify any assumptions?
What are we assuming going in? Are we assuming that the risk will only plot to certain parts of the organization or the entire organization?
Identify sources of information. Do we have any information on this risk assessment? Is there any inside or outside knowledge that we should know
and identify the risk model?
So this is the assessment and analysis approach to be ploy during the assessment.
How were we going to measure our results?
conduct the assessment.
So first step in step two is produced a list off risk. So this is everything that we already know could be a problem.
We want to gather any and all essential information. Anything that we might need
in terms, off
threat sources, events, valuable assets, things like that. We want to assess the impact, threw the formulas
which we will get to in a second. So we want to take a look at How bad
could the harm be to an organization
this rest or vulnerability is exploited
and after that, we want to determine the actual risk itself. What do we need to do? We will be watching out for
Impact foremost are different ways of measuring the damage that could be done to an organization. So the first impact formula is known as single loss in expectancy.
Also new. This essentially
s l E. Is the combination off the asset value
times the exposure value. So
the way this is calculated, you take the value off any asset at any time, and you multiply it
against the exposure factor. Now the exposure factor is merely a percentage that determines how likely or how much does them. This
asset could be destroyed. So 0% exposure factor means that the asset cannot be destroyed. It all
or ah 100% exposure factor means that the asset could be totally destroyed.
Multiply these two numbers together and you have single loss expected
annualized lost expectancy.
Annualized lost expectancy is simply single loss expectancy times the annual rate of current.
We already know how to calculate single loss expectancy. Just multiply that times the annualized rate of occurrence,
which is a number which represents the expected number off exploitations by a specific threat of a vulnerability to an asset in a given year.
So what this means is, how many times
will this happen to this asset? How many times will
ah threat or a vulnerability be exploited against a particular asset in a given
risk assessment tables? This is a very, very easy way to determine whether you were dealing with low risk,
or high risk. So in the columns we have low,
medium or high,
these are the likelihood is that
a threat will actually be exploited. So whoa, we label that is 0.1 or 10% moderate and about in the middle of 50%. And then hi
high means that there is a very, very good chance that your *** could be exploited.
Now across the top, we have the impact.
So we have low impact, which is only a small amount of damage. Modern impact, which is in the middle medium moderate amount of damage. And that high in the amount of damage is could be anything from utter destruction to something close to utter destruction.
So when we combined them together, multiply these numbers out, we get off risk assessment table,
which helps us determine what kind of risk we're dealing with.
So hi anything of high rescue things like high impact and high likelihood
that this is anything with a risk score off 5200.
Moderate is 10 to 50 where there's a good chance of something happening, or if something's happening, there were the result will only be a low impact.
And then we have the green. The low risk score, which is anything wrong with 1 to 10.
High risk. Is this considered to be significant risk to the organization, Front of action should be implemented ASAP.
Corrective action should be done immediately to reduce this risk as much as possible. High risk, No good
medium risk is really just in the middle of the moderate risk to any organization.
Corrective action should be implemented, but it's not immediate. You shouldn't waste time and leave these vulnerabilities lying around, but it is not an immediate pressing matter to get these corrective actions in place.
Arrest to the organization and evaluation should be performed to determine any risk should be of any action should be taken to address this risk.
and, you know you might want to choose not to do anything with rest. If the risk is low enough to wear.
Oh, the benefits outweigh the risks.
Then you might not want to take any action at all.
Step three. After a risk assessment is done, we want to talk about the results. We want to talk about what we learned from this risk assessment, and we definitely want to share information to support any and all risk management activity.
The objective of this step is to ensure that decision makers across the organization
have all the necessary risks. Related information to make informed risk decisions.
The fourth step in the risk assessment process is maintained the risk we want to stay current with the risks
at all time at any given time. We also want to incorporate risk monitoring,
which is identifying risk on an ongoing basis, and understand any changes that might occur to this risk. We also want to continue do update the components of the risk assessments reflecting any monitoring activities carried out by the organization.
Best part move. One of the most important reasons why we want to maintain this assessment is to determine the effectiveness of risk. Responses are the risk response is good enough.
We want Thio identify risk impacting changes to any organization
and up the associating risk assessments. And also we want to verify compliance if we added any corrective controls at any point. Aren't we want to know? Are they working
in today's lecture? We discuss risk concepts were ruled over some basic terminology about risk and risk security assessments where we went over the four step process.
Four. Learning about and assessing risk in any given time.
the probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
Is it a threat?
See threats, source
If you said be likelihood than you are correct, remember, likelihood is just a probability that says how, What did? What is the potential that this will happen?
Thanks for washing guys that really hope you learned a lot in this video and I'll see you next time.
ISC2 Systems Security Certified Practitioner (SSCP) Practice Assessment
The SSCP exam preparation package helps students prepare for the ISC2 SSCP certification exam. ...
(ISC)2 Certified Information Systems Security Professional 2015
(ISC)2 Certified Information Systems Security Professional 2015 is a practice exam preparing for the CISSP ...