CRISC

Course
Time: 5 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson offers an overview of risk response. Risk response is used to determine risk strategies and evaluate their effectiveness in managing risk to a level in alignment with business objectives. This lesson covers risk response strategies and risk reduction via policies and technology. Risk reduction lessens the probability and/or impact of a risk event and is sometimes called risk mitigation. The ultimate risk reduction is risk avoidance. Other ways to deal with risk are:

- Risk transference
- Risk acceptance
- Risk mitigation through policies

Video Transcription

00:04
Now, as we move on to module four. Module four is all about risk response. And it's essential that we did steps one and two first and that we did them properly. We've identified all of our risks in risk identification, and then in the last module, we got a value for them
00:22
in risk assessment. So now what? This is kind of the "so what" of the whole class, right? How can we properly respond to risk? What does it even mean to respond? And how do we know if we've responded well? We'll pry, Sacha. Essentially, the whole purpose here is to figure out what our risk strategies are gonna be.
00:40
This idea to evaluate their effectiveness
00:44
is before we implement them, as in: let's talk about these risk strategies. Let's figure out if they're gonna work, to what degree they're gonna work. And ultimately what we wanna do is make sure that the risk that's left over is gonna be in alignment with our company's approach to risk, our risk appetite,
01:03
essentially to make sure that what we're doing is in alignment with their business objectives.
01:07
All right, so when we talk about risk response strategies, we're gonna reduce, transfer, or accept the risks. So when we talk about risk reduction, there are a couple of different ways to reduce risks. And, well, basically, what we're gonna look at doing there is to lessen the probability and/or
01:27
impact of the risk
01:29
We can transfer the risk. Transferring the risk means we're going to share it with somebody else. And then also we can accept a risk, which essentially means
01:38
I know there's a potential here, but I'm not gonna do anything about it, because the probability and/or impact is so low that it's not within my realm of possibilities, because again we have limited budgets. The ways I can reduce risks: policy helps. And we'll talk about some policies that will help us.
01:56
And technology: encryption, firewalls, intrusion detection systems, all of those elements that we put in place to protect our network.
02:05
Now, another concept that's very important is: risk management doesn't always work.
02:10
There are risks we failed to identify. There are accepted risks. There are all sorts of elements that fall through the cracks. And when that happens, business continuity planning is there to save the day. So you can think of that as the safety net underneath.
02:27
Risk management always comes back to cost-benefit analysis. Always, no exception to that. What we look for is a balance between expense and benefit. Always please keep in mind: cost, though, is not always dollars.
02:44
When we add security to a network, there's a tradeoff. There's performance.
02:46
Sometimes we trade ease of use. Sometimes we trade backwards compatibility, so there's always a cost. Don't get caught up in the idea of thinking money all the time.
02:58
All right. So NIST has a Special Publication, 800-100, that talks about risk mitigation. And again, this comes down to a cost-benefit analysis: the attacker's cost versus the gain. What's our loss? When do we accept the risk? When do we mitigate the risk?
03:16
Well, when the risk amount that's left over is unacceptable,
03:20
we have to do something else.
03:22
So risk reduction, again: lessening the probability and/or impact of a risk event. This is one of the first things that we think about doing. Why do we put antivirus programs on our client computers? Does that eliminate the risk of anything malicious? No.
03:39
As a matter of fact, we'll rarely focus on risk elimination,
03:44
although there are certain risks that we can eliminate. For instance, I may find that doing business in a certain region of the world is too risky because of economic upheaval, political strife, whatever that might be. So I decide not to open an office there. That's risk elimination. But for the most part,
04:01
when you eliminate risks, you're not doing something that has a benefit to you.
04:05
So what we look to do is address those risks rather than just eliminate them altogether. So risk reduction is very frequent.
04:14
Now,
04:15
reducing risk, we're gonna have some risk left over, right? I mean, you could do everything in the world to secure your network, but you cannot say there is no conceivable way there would ever be a compromise. You're always left with a little risk left over.
04:32
That is called the residual risk.
04:34
And what we want to do is mitigate or respond to that risk so that the residual risk, the risk that's left over, is within our company's tolerance. Okay,
04:46
so, risk reduction. And if you do reduce a risk all the way to zero, then that is risk avoidance, or risk elimination, if you will, for a particular threat. But to avoid risks as an organization as a whole, you just can't do it.
05:02
I saw a product the other day while I was out shopping, and it was a product on the shelves, a little home firewall system, and it said, "Eliminate all risks associated with the Internet," and I just laughed at that. You know, that's marketing. Risk transference: risk transference is to share the potential for loss with another entity, whether I have insurance,
05:23
service level agreements are also risk transference,
05:26
maybe I modify a contract. Maybe I have a vendor that's been late every time I've dealt with him. So we modify our contract so that for every day he's late, he refunds us 1% of the contract.
05:38
Keep in mind, risk transference does not lessen the probability or impact of a risk event.
05:45
I can have fire insurance, but I'm still just as likely to have a fire, and the damage to my home will be the same, whether I have fire insurance or not.
05:54
But it's my portion of the costs associated with it. So sometimes people say, "Oh, that lessens the impact." Now, it lessens the impact to me, but not the impact in general, so risk transference is different. Risk acceptance, again: risk acceptance is when, and this is important, I have done my due diligence.
06:13
Risk acceptance is not a head in the sand, "Oh, I really hope this doesn't happen to us."
06:18
That's actually called risk rejection. I don't have a slide for that because that's not an acceptable risk response. But what risk acceptance does is it says, listen, based on the likelihood, and even if this event happens, the probability
06:33
is low. And even if it happens, the impact is so low I can't justify the expense
06:40
of mitigating. And that does happen in business. You know, we talk about qualitative analysis, allowing us to prioritize risks. Then we talk about quantitative analysis. There will be elements that have such a low potential value based on probability times impact that we can't justify putting more money out.
06:59
So what do we do?
07:00
We accept the risk. But make no mistake, acceptance is not a callous approach, and we better have a paper trail, and we better be able to justify to our board why we made that decision. Because if that is a poor decision and our organization suffers a tremendous loss,
07:17
you can bet I can be found liable for failing to protect my company's assets.
07:23
So it's important that we do our due diligence, we leave a paper trail, and we're not callous about potential risks just because we don't think they're gonna happen. Policies. Let me tell you, policies are a tremendous help in mitigating risks,
07:39
putting the proper policies in place and enforcing those policies.
07:44
And I think I've already mentioned in this class: if you're not gonna enforce a policy, don't write it.
07:48
It's worthless. A policy is only as good as its enforcement. So you implement these policies, you enforce them, you audit the policies to make sure they're being followed, to make sure that they're working properly. And this is a tremendous step towards securing the organization.
08:05
All right, separation of duties. We've mentioned this before. Separation of duties makes sure that no one individual is all-powerful. Everybody gets a distinct role within the organization, and they're given the rights and privileges associated with that role.
08:20
Dual control is sort of a subset of separation of duties; we've talked about that. Mandatory vacations we've also talked about. It's a way, it's a detective mechanism, to see how an organization runs without a single employee.
08:35
Job rotation. We've mentioned principle of least privilege and need to know. As a matter of fact, one of the things on this slide that we have not talked about: strong configuration management and change control processes.
08:48
Respect the process.
08:52
If you've ever worked for a company where you feel like you're just running around putting out one fire after another after another, and I'm guessing many of us have worked for an organization like that,
09:03
that's a company that's very short-sighted. They're not looking towards the future and how you can grow the business. That's a company that's just trying to keep its head above water. What we want is an organization that's focused on the strategic direction and how we can get to where we want to be in five years. Very few of us want to be stagnant:
09:22
"I want to be exactly where I am five years from now."
09:26
I don't know many people that feel that way. I want to be better off, with a little more money in my pocket. I want a few more options. I want these things. So a company has to think that way. And if all we're doing is running around fixing problems, we'll never get there. What we have to do is look at our process.
09:43
And if there's any one process I find lacking in a lot of organizations,
09:48
it's strong configuration management.
09:52
And what is configuration management? It's kind of an umbrella term, and configuration management includes change management.
10:00
So configuration management says for my
10:03
production environment,
10:05
I have strong documentation of the elements that are in production,
10:09
and I have a strong change control process when there are modifications, and we audit that process and we review it on a regular basis. Document, document, document,
10:22
control, control, control. I don't want users making a modification unless it's been approved. I don't want software added to my systems. I don't want the BIOS upgraded. I don't want this, that, or the other, because it makes my network unstable.
10:39
I don't just patch a system
10:41
in production, ever.
10:43
That patch gets downloaded in a test environment; it gets run through a series of tests well before it's rolled out. Even for a critical security patch, you don't just throw those things out there, right? And I know many of you that have worked with patches, you get that. You would never dream of throwing a patch out there. But sometimes we make other changes without going through the same process,
11:03
and certainly without documentation.
11:05
People hate to document, and I don't know why. It is so critical for what we do, for me to be able to go back and say, "Hey, this person made this change on this date. This is the only system that's acting strange on the network. Maybe it's that change that was made."
11:20
So that's my soapbox for configuration management, change control. Other privileges: we've talked about least privilege and need to know. Other policies: acceptable use policy is very important in an organization. We want to leave nothing up to discussion. We want to make it very clear what our expectations are.
11:41
So you know, I'll ask a classroom of students sometimes, and I'll say,
11:46
"Is it okay to browse social media at work?"
11:48
Not on a break, not at lunch, but on company hours, on a company computer, on the company-provided Internet, can I go browse Facebook?
11:58
And the answer is maybe.
11:58
Maybe. I've worked for many companies that don't care, so long as you get your work done. I've worked for other companies that take a very hard-line stance on browsing the Internet or social media or whatever. So there are two main points to that question. First of all, the point is it should be defined in an acceptable use policy,
12:18
right? "It's unacceptable to use company-provided Internet for personal purposes.
12:22
These computers are for work only. No personal usage is allowed."
12:28
The other thing to keep in mind, and this is kind of from a test-taking perspective:
12:33
when I throw out "browsing social media," immediately many of us go, in our mind, to goofing off on Facebook. Social media has a very real and valid place in the workforce today, and that continues to grow. So watch those knee-jerk reactions that say, "No, that's not allowed."
12:50
Just like, if I ask you,
12:52
"Is it okay for company employees to store MP3 files on your file server?"
12:58
Yeah, that just kind of makes me twitch a little bit, but the answer's maybe, according to policy.
13:03
You know, I work for a training company. We have a ton of MP3 files on the file server. They're very useful to the training process. So watch those knee-jerk reactions of "This is wrong." Remember, the only reason we're here is to add value to the company.
13:18
So we create our security policies based on how we can best add value.
13:24
Data classification policies,
13:26
guiding the classification of materials, making sure that people know how data should be classified and what the baseline security controls are that match up. We shouldn't be doing any of this on the fly. I should have very clear-cut guidelines about a certain value of data and what classification that would logically fall into.
13:46
And then, based on the classification, there should be a set of baseline controls.
13:50
There may be exceptions to that. There may be modifications there, but
13:54
that should be detailed.
13:56
Data privacy.
13:58
How do we protect our sensitive information? Another thing down here, related: data ownership.
14:05
Who owns the data? So I'm a medical provider and I have information about my patients. Do I own that data? Can I do anything that I want to with it? Or does my patient own the data, because it's about them? That is not always so clear-cut out in the world. I upload information to Facebook's server; who owns that data?
14:24
Facebook does.
14:26
But it's about me. Doesn't matter. I put it on their server. Therefore, they own it. Very different data ownership policies here in the U.S. than you would see in the European Union and perhaps other countries.
14:39
Computer ownership, or we could say device ownership. Many times, maybe my sales team, we give them cell phones. Do they own that phone? Can they trade it in? Can they upgrade? Can they store personal data on it? And again, the answer is maybe.
14:54
I give you a laptop when you come on board. Is it yours? Maybe. Don't assume users know the answer to that question. It needs to be written out. And with things like that, I want a waiver signed. I want to make it very clear what my expectations are. So mitigating
15:09
through policies. Mitigating risk through policies is an essential way that we enforce
15:16
and that we bring our company in alignment with our organization's risk appetite.

CRISC

Archived Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor