Objectives and Review of Risk Management
Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
>> Welcome back to Cybrary ISSP course. I'm your instructor, Brad Rhodes. Well, we're starting Module 3 of 10. This is Domain 2 of ISSP. We're going to be talking about risk management.

Where are we in our course? Well, we're trucking along in our first level there looking at the domains of discipline, so Module 3 is really going to be all about risk management, enterprise, operations, and systems. We're talking about each of those areas. Our first lesson is objectives for the module itself and we're going to talk about a quick review of risk management. Now, if you're a CISSP, this is something you're well aware of, and different formulas and everything like that. We're going to talk about those all again in pretty good depth because ISSEs do this. This is like one of the bread and butter things that an ISSE does.

Here are our learning objectives. We're going to look at our module. We're going to talk about risk from a definition perspective, so we level set that as we go in here. Then we're going to talk about the risk formulas that you need to be aware of as an ISSE and as you prep for the ISSEP concentration.

Here are our module objectives. We're going to talk about context analysis and evaluation. Obviously, we do risk analysis as ISSEs. That's one of the things we do. We're going to talk about findings and decisions. Obviously, if we find stuff out and discover things about risk, we have to make decisions. We're going to talk about risk tolerance. This is incredibly important. Everybody's view and everybody's acceptance of risk or not is very different and it varies from organization to organization. We're going to talk about remediation and system changes. Obviously, if we identify risks, we're going to put in place controls and we're going to hopefully mitigate some of that risk. But as I said previously, you're never going to get to Risk 0, that never happens. You're always going to have some degree of residual risk. Then we're going to talk, and it might seem a little out-of-order, we're going to talk about risk treatment options last, and you're going to need to know those in good detail for the ISSP concentration.

What is risk? I love this picture on the left-hand side. You've got this person who's jumping from one set of rocks to another set of rocks. That's a pretty big risk because maybe that person miscalculated the distance and they fall to their doom. Probably not the best thing, but it's an example of what we're talking about here. Risk is all about uncertainty. Are we going to meet our goals? Are we going to reach an objective? Is a requirement going to get there? It's all based on whether or not we believe we can get there. It's that uncertainty.

Where do we find risk? Well, you remember our cost, schedule, scope triangle? Well, guess what? We find risk all throughout that. If we don't have the money to meet a requirement, guess what? There's a cost risk. If we can't deliver an objective on time, there's a schedule risk. If the system doesn't perform as designed from a security perspective, now we have a scope or performance risk. We find risks in all of those and we find risk across the board no matter what we do. By the way, risk is organic. Risk varies from organization to organization.

There's two risk formulas I want you to remember. There's the probability of occurrence times the consequences of occurrence, which gives you that risk value, but I really liked the second one on this slide a little better. Risk is threat times the vulnerability, so you have to have a threat and a vulnerable or a vulnerability. If you don't have one of those, you don't have a risk. Now, notice I didn't say you don't have risk. I said you don't have a risk. Risk is both an individual assessment of something and a compiled assessment, which we're going to talk about. We divide then the threat and vulnerability by our controls, which reduces or mitigates our risk, and then we multiply it times ultimately the consequences, and so you will see variations of these formulas in the ISSP concentration.

What did we talk about in this lesson? We introduced our module objectives. We defined risk as all about uncertainty across things like cost, schedule, scope, and then we looked at the two different risk formulas. Let's get rolling. We'll see you next time.