Hello and welcome to CRISC with Cybrary. My name is Kelly Handerhan and I am your subject matter expert. In today's material we're gonna be talking about Certified in Risk and Information Systems Control. Of course, this is a certification put out by the organization ISACA, for those of you that focus on risk,
governance, risk management
and information security or governance within the workplace. So we've got a couple of objectives with our material. First and foremost, this is very much focused on what you need to know to pass the CRISC exam. As you may, or probably, know, CRISC is offered three times a year currently, in June, September and December,
and the material per ISACA that's gonna be covered on the exam is what will be covered on this slide.
But hopefully this will be much more than just an exam prep video for you. What we want to do, really,
is to make this meaningful. I want it to be something that you can take back and you can implement in the workforce. And the reason these certifications are important, and I know there are a lot of people that have differing opinions on certification, and that's all fine, but one of the purposes of getting certified and maintaining certification and even requiring certification in the workplace
is because we want to use a common lexicon.
One of the things that I've found, and I've been in this business for about 20 years, is that every organization kind of does their own thing. We have a proprietary way. We have our own lingo, so that when I say risk management, you might think I mean risk governance. When I say risk mitigation, you might think I mean reduction.
You know, a lot of these terms are very, very similar, and we throw them around,
and a lot of times they're used improperly or at best inconsistently. A lot of times our processes are inconsistent, or they may be very consistent within one organization but not so consistent within another. So the benefit of applying a common framework is that we're all on the same page.
So when I ask you to show me a risk management plan, I know what I'm expecting.
You know what to provide for me, so hopefully we'll get some of that. We're going to get a deeper understanding of the world of IT risk. It's a risky place out there, so we want to look at the different areas of risk. We want to look at our general approach as well. Let's get into some specifics.
This is very much a class of best practices, and please know that I understand also that best practices don't fit every situation. So when we're teaching this class, I want you to think about the best practice in the best environment, and those are the solutions we're gonna be providing.
I do understand, because I've been in the IT field for going on about 20 years, focusing on information assurance for the last
11, 12, something like that, and I've done IT project management. I've got a wide background. I understand that when you teach a certification class, nobody works in a one-size-fits-all environment. But what we're gonna focus on are the best practices, which is exactly what the exam focuses on,
and it's a good foundation on which we can build our knowledge. All right, now,
the CRISC agenda. We have five separate areas; four of these are the specific domains of the CRISC exam. I wanted to bring us back a little bit further rather than just jumping straight into risk identification. I wanted to give us an introduction chapter where we can talk a little bit about the material,
and just kind of set some groundwork before we jump in and start using maybe some risk terms that aren't as clearly defined,
but the four domains of the exam are risk identification, risk assessment, risk response, and then, of course, risk never dies. So once we've responded to our risks, we have to continue monitoring and making sure that we're ready to respond to future risks, or also making sure the risk responses that we've put in place work.
So those are the domains that we're gonna cover.
I'll start right off with an introduction because I want to give you a little bit of an overview about the exam itself. So when we talk about the exam, again, the four domains broken down: risk identification, assessment, response, and monitoring and controlling. So really the first two, identification and assessment,
That's the weight of the exam.
But honestly, it's not really even that big a difference between the bottom two. So really, it would be pretty appropriate to spend your time fairly equally across the domains. Now, there are 150 questions.
Passing score is a 450 on a sliding scale of 200 to 800. I'm not really sure what the logic behind that exact grading scheme is. What I tell most people that speak actual,
normal math, as I would call it, is shoot for about 65 to 70% when you're doing the practice questions. If you're getting about 75% right, I'm sorry, 70% right on the practice questions, you're gonna be ready for this exam. There's a good portion of just common sense
and foundational questions on the exam.
So when you're going through and you're doing some practice exercises, if you're doing about 70%, you're ready. If you're not, it's not a big deal. Go back and study until you are getting 70% right. And one other thing: you know, we have some links with Cybrary of some recommended sites.
There's a book that ISACA puts out that's full of CRISC questions. There are various
places that you could go as a source to get questions.
Don't look at the questions as a way to assess whether or not you're ready to take the exam.
When you get review questions, look at them as a way of expanding your knowledge.
So the reason I try to stress that
is, let's say I get a brand new set of questions and I go through, and let's say I got a 50%. I'm disappointed. But look at all I learned doing those review questions, looking at the answers, trying to figure out why I was wrong and why B is a better answer than what I chose, C. So
you know, people always come to me and say, what should I be getting on the questions that I'm doing the first time around? You should be getting smarter.
That's your goal. You should be getting smarter with the review questions that you do. Look at it that way. It's just a way to enhance your study. So the whole point of that being: the slides, the lecture that I give you, will be a good portion of what will get you ready for the exam. Find some self-assessment questions and use that to expand your learning.
Get on the schedule for this exam. Register for it early, because slots close up. And when they close off all the slots, there is no getting in. You have to wait months before you can test again. So those would be my recommendations. Now we're going to just go ahead and jump right into the material.
And like I said, I've got an introductory chapter where I just want to lay down some groundwork
for some of the material that we're gonna be covering and that we're gonna be talking about later.
The world of risk. You know, risk comes into play in everyone's environment. There is no environment, there's no business, there's no category of work that's immune from risk. Risk is everywhere, and because risk is
so much a part of our day-to-day lives, and so many people are talking about risk and addressing risk,
we have a real variance in the terminology that we use and how we use it. So right off the bat, let's talk about two terms. Let's talk about risk governance and let's talk about risk management, and you can see how those terms could be used interchangeably. And I totally understand that,
and honestly, out in the real world, I'm very slow to correct somebody when that comes up.
But certainly as far as the language that I use and the language we'll need to use on the exam, you want to be very clear as to the distinction between risk governance and risk management. So up on the slide, when we talk about risk governance,
risk governance comes from executive management and the board of directors. So this is very, very high, the highest entities within the organization, and in risk governance the job is to align our risk strategy with the objectives of the organization.
Okay, that's a phrase you're gonna get really tired of hearing me saying, because this is the heart and soul of everything that we do in risk management. We want to make sure that we operate within a level of risk that is in conjunction with the risk appetite of the organization,
that is in line with the business objectives. The only reason we're here is to support the business. So risk governance says executive management, the board of directors,
determine what our appetite for risk is, and there are a couple of terms that we'll use. I've said risk appetite twice. Let me just define that. Risk appetite goes with tolerance, I'm sorry, with governance. Risk appetite is a broad idea of the amount of risk that we as an organization are willing
to subject ourselves to.
Okay, and that's a very broad category. As a general rule, we're risk averse,
or we're very risk tolerant, or we're risk aggressive. You know, think about some of the smaller companies. Some of the startups might be very risk aggressive,
because the more you risk, the more potential for gain.
Other organizations, especially organizations that are under federal regulations, for instance, may be very risk averse. We do things very particularly,
so when we talk about risk appetite, that comes from the board, comes from executive management, and it's an overall kind of philosophy towards risk. We like it, we don't, we're neutral,
and the goal is to make sure that if we are risk averse, that really does meet the strategic objectives of the organization as a whole. All right, now the next piece: risk management.
So it's up to the managers, once we understand the risk appetite of the organization, to make sure we have the processes and procedures in place so that we can operate within those limits and those confines that senior management has set for us. Okay,
so if senior management says, or executive management says, our risk tolerance is
that we're risk averse, then I as a manager, an IT manager, for instance, better make sure that we have systems in place so that we're not putting ourselves out on the forefront as a target, making sure that we're locked down and hardened from a security perspective, making sure that we're choosing the most cost-effective
solution, even though that might not have the highest potential for gain.
So if you take a look:
governance, are we doing the right things? Yeah, you know, I've actually heard governance, and I kind of like this, I've actually heard them describe governance as "are we doing the right things?" and management as "are we doing things right?"
As in, governance says this shall happen,
and management figures out how to make it happen in the most efficient and effective way,
so that's probably a good way to think about it. You know, these are some questions we have to ask, talking about management and governance. But I would really look at governance as "are we doing the right things?"
We gotta stay in compliance with HIPAA or SOX or Sarbanes-Oxley or whatever, and then management figuring out how we're going to do it,
and management making sure that we operate within the constraints that the organization's senior and executive management set. One other term I want to mention to you: risk tolerance. So risk tolerance and risk appetite get thrown around a lot also. Risk appetite, we've already said: we're risk averse, we're risk
aggressive, we're risk neutral, or anywhere in between.
So, let's say, as an organization, we're risk averse.
Even if we're risk averse,
risks happen, right? We've got the potential for loss. So what risk tolerance says is, let's take this broad idea of being risk averse and let's quantify it.
And when we talk about quantification, we'll talk about quantitative analysis and so on. Give me a dollar amount, or give me a percentage, or give me hard, fast numbers. Give me something tangible.
So let's put it like this. Governance gives us the risk appetite: we're risk averse. Senior management says, okay, so what that might look like is we will not go into any ventures where there is the potential loss of 2% or greater of
our primary cardholders'
customer satisfaction. That's just something off the top of my head, but hopefully you can get the idea. So we're gonna take this broad idea of not liking risk,
and we're gonna quantify that and say we're willing to lose no more than 2% of our top customers.
Okay, so they're all closely related. Yes, yes, yes: risk governance, risk appetite, risk management, risk tolerance. But we want to make sure that we use those words well, and certainly that we use them per ISACA