Welcome back to Cybrary. Of course, I'm your instructor, Brad Rhoads. Well, we're starting module three of 10.
This is domain two of ISSEP. We're gonna be talking about risk management.
Where are we in our course? Well, we're trucking along in our first level there,
looking at the domains of ISSEP. So module three is really gonna be all about risk management, enterprise operations and systems. We'll talk about each of those areas.
So our first lesson is objectives for the module itself. And we're gonna talk about a quick review of risk management. Now, if you're a CISSP, right, this is something you're well aware of, the different formulas and everything like that. We're gonna talk about those all again in pretty good depth because ISSEs do this. This is like one of the bread and butter things that an ISSE does.
So here's our learning objectives. We are going to look at our module.
We're gonna talk about risk from a definition perspective, so we level set that as we go in here. Then we're gonna talk about the risk formulas that you need to be aware of as an ISSE and as you prep for the ISSEP concentration.
So here's our module objectives. We're gonna talk about context, analysis and evaluation. Obviously we do risk analysis and assessments. That's one of the things we do.
We'll talk about findings and decisions. Obviously, if we find stuff out, discover things about risk, we have to make decisions.
We're going to talk about risk tolerance. This is incredibly important.
Everybody's view and everybody's acceptance of risk or not is very different. And it varies from organization to organization.
We're gonna talk about remediation and system changes. Obviously, if we identify risks, we're going to put in place controls, and we're going to hopefully mitigate some of that risk. But as I said previously, you're never gonna get to risk zero. That never happens, right? You're always going to have some degree of residual risk,
and then we're gonna talk, and it might seem a little out of order, we're gonna talk about risk treatment options last,
and you're gonna need to know those in good detail for the ISSEP concentration.
So what is risk? I love this picture on the left hand side. You've got this person who's jumping from one set of rocks to another set of rocks. That's a pretty big risk, because maybe that person miscalculated the distance and they fall to their doom. Probably not the best thing, but it's an example of what we're talking about here. Risk is all about:
Are we going to meet our goals? Are we gonna reach an objective? Is a requirement going to get there? But it's all based on whether or not we believe we can get there. It's that uncertainty.
Where do we find risk? Well, you remember our cost, schedule, scope triangle. Well, guess what? We find risk all throughout that. If we don't have the money to meet a requirement, guess what? There's a cost risk. If we can't deliver an objective on time, there's a schedule risk. If
the system doesn't perform as designed from a security perspective, now we have a scope or performance risk, and so we find risk in all of those, and we find risk across the board no matter what we do. And oh, by the way, risk is organic. Risk varies from organization to organization.
There's two risk formulas I want you to remember. There's probability of occurrence times the consequence of occurrence, which gives you that risk value,
but I really like the second one on this slide a little better. Risk is threat times the vulnerability, so you have to have a threat and a vulnerability. If you don't have one of those, you don't have a risk. Now notice, I didn't say you don't have risk. I said you don't have a risk. Risk is both an individual assessment of something and
a compiled assessment,
which we're going to talk about.
We then divide that threat and vulnerability by our controls, which reduces or mitigates our risk. And then we multiply, ultimately, times the consequence. And so you will see variations of these formulas in the ISSEP concentration.
So what did we talk about in this lesson? We introduced our module objectives. We defined risk as all about uncertainty across things like cost, schedule and scope. And then we looked at the two different risk formulas.
Let's get rolling. We'll see you next time.
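Here is an added example (not from the lecture or its slides) that puts both formulas from this lesson into code: a small risk register where each item is scored individually and then compiled into an aggregate. The control factor being a divisor of 1.0 or more, and the constructed sample values, are my assumptions; the point it illustrates is the instructor's: a missing threat or vulnerability gives no risk, while controls only shrink risk and never drive it to zero.

```python
from dataclasses import dataclass


@dataclass
class RiskItem:
    name: str
    probability: float    # likelihood of occurrence, 0..1
    consequence: float    # impact if it occurs (here: dollars)
    threat: float         # threat level, 0..1
    vulnerability: float  # vulnerability level, 0..1
    controls: float       # control factor, >= 1.0 (1.0 = no controls); assumed scale

    def inherent_risk(self) -> float:
        # Formula 1: risk = probability of occurrence x consequence of occurrence
        return self.probability * self.consequence

    def residual_risk(self) -> float:
        # Formula 2: risk = (threat x vulnerability / controls) x consequence
        if self.controls < 1.0:
            raise ValueError("controls factor must be >= 1.0 (controls cannot add risk)")
        return (self.threat * self.vulnerability / self.controls) * self.consequence


def compiled_risk(items: list[RiskItem]) -> float:
    # Compiled assessment: the individual residual risks rolled up into one number
    return sum(item.residual_risk() for item in items)


# Constructed sample register (values are illustrative, not from any real assessment)
REGISTER = [
    RiskItem("unpatched web server", 0.6, 100_000, 0.8, 0.9, 1.0),
    RiskItem("unpatched web server, patch management in place", 0.6, 100_000, 0.8, 0.9, 4.0),
    RiskItem("lost laptop, disk encrypted", 0.3, 50_000, 0.5, 0.0, 1.0),  # no vulnerability
]

if __name__ == "__main__":
    for item in REGISTER:
        print(f"{item.name}: inherent={item.inherent_risk():,.0f} "
              f"residual={item.residual_risk():,.0f}")
    print(f"compiled residual risk: {compiled_risk(REGISTER):,.0f}")
```

Note that the second item keeps a residual risk of 18,000 even with controls four times as effective; only the third item, with no vulnerability to exploit, scores zero.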