Risk Management and Security Basics

Video Transcription
Hi everybody. We're starting out with one of the most important topics in information security, and that's risk management. Of course, we'll look at some security basics as well. What we want to do from the very beginning is bring security into the realm of risk, because that's what allows us to make good business decisions that support the security function while also making sure that we deliver value to the business.

We're going to start off with the risk management and security overview, and then we're going to focus a bit more closely on risk and look at the four phases of the risk management life cycle: risk identification, risk assessment, risk communication, and risk monitoring. From there, we're going to see how looking at risk allows us to identify information security priorities. We'll also discuss audits, vulnerability assessments, and penetration tests.

When we talk about information security, a lot of things come to mind. But our focus here is on our need to protect organizational assets, commensurate with the value of the assets, and then threats and vulnerabilities. That last part is important: commensurate with the value of the assets and the threats and vulnerabilities. If you've ever heard the statement, "You can never have too much security," that's actually not true. You can definitely have too much security. It needs to be appropriate for the asset you are protecting and be reduced to a level that is acceptable to senior leadership. For example, you probably wouldn't have a retina scan system to protect your house. That's because it's too expensive and not commensurate with the assets that you need to protect. But if you were protecting top secret government information, a retina scan might make sense.

Assets are something we value. It could be tangible, like a big screen TV, or intangible, like a company's reputation. You always start with your assets, figure out what they are and what they're worth, then you look at what threats exist. Threats are those elements that would pose harm to your assets. Now, a threat is only going to be successful if there's a weakness, and another word for weakness is vulnerability. When we talk about risk, we think in terms of those three things coming together: asset, threat and vulnerability.

When I'm looking to implement a security control, which is something that mitigates risk, I need to think about the value of the assets I'm protecting, as well as the threats and vulnerabilities. Otherwise, I may spend too much on security or I may not spend enough. The question is, how much security is enough? The answer is just enough, based on risk management.

Now often, when you implement a control to mitigate risk, it doesn't eliminate all risk, and the amount of risk that is left over is called residual risk. As an example, let's say that I'm worried about malicious activity from outside my network impacting internal resources, so I might configure a firewall. That's going to go a long way to keep malicious actors off my internal network. But that doesn't eliminate any conceivable possibility of something affecting my internal network. What it does do is bring down the total risk to a much smaller amount, and what is left over is residual. Then I look at the residual amount and I determine whether it's acceptable or not. Sometimes the amount of risk that is left over is acceptable, so our job with risk management is to reduce the risk to a degree that is acceptable to senior management. That's what risk management and information security is all about. Then of course, you need to monitor and maintain that risk to make sure it continues to stay at that acceptable level.