All right, let's go over some definitions. So Ah, again, just to make sure we're all on the same page, just gonna give some clarification. First of all, assets.
So everybody's familiar with an asset. It's something that we value. We have to be very particular in understanding that an asset is not always tangible. So when I look at an organization, certainly, you know my I t equipment. My router switch is my laptops, my monitors, my equipment.
Certainly those air all assets,
but also much larger value to an organization, things like customer confidence
cos reputations. Matter of fact, our reputation is one of our greatest assets as an organization. So we always want to consider much more than just those tangibles. Stockholders are very valuable tow us and how they perceive the value of the business. And what we deliver is crucial.
When I if I have a laptop, for instance,
maybe I paid 500 bucks for three years ago, and if you just stop and think what that might be worth today,
you know, if I paid 500 bucks for three, I think I may have said three weeks. Three years ago, I paid 500 bucks for three years ago. It's probably worth 100 150 today,
the real value of that laptop comes from the data that's on there,
you know? How long did it take me to produce this information?
Is their intellectual property?
Would there be any detriment to my organization? If I'm an I T instructor that has her laptop stolen, I think probably so are their files on there that my competitors might value. Ah, you know what sort of
ah harm would be done to the information team to the company? Do I have company secrets?
What about it? There's health care information on that laptop, and then maybe if it gets compromised, I'm, ah, susceptible to a fine from hip.
So now all of a sudden, this $150 laptop, really to me may have a $15,000 value based on the contents of what's on the drive.
It's very important that we understand that because our first step of risk management will always be identify, evaluate your assets because if I don't properly understand the value of those assets, I will make poor decisions later. I'm not gonna spend $50 to protect a $20 bill.
So if I just think that laptops worth $150 I'm not going to spend 300 bucks to keep it safe.
But once I understand the true value of the lot of the laptop
is $15,000.300 dollars doesn't look so bad after all. So we start with their assets, anything my organization values
now. Often we then take our assets and we say, Well, where is it vulnerable? What weaknesses are there? And usually they're external and our internal and external vulnerabilities that we'd look at, you know, think about software. For instance, if the code is poorly written,
that's an internal vulnerability,
right? If I've got a database that doesn't check for input if I've got code that doesn't do any sort of exception, handle Air doesn't handle exceptions. Well, those sorts of problems. I have an internal vulnerability.
We got a problem. That's a weakness. Okay, they're also external vulnerabilities, meaning that there's no external protection around them. So an organization that connects directly to the Internet without having a firewall that you know that lack of external protection
I might have poorly written code on the inside,
but a lot of times we can use external devices to mitigate those threats.
So we think about vulnerabilities both in and out. Threats. We've used that term anything that could have a negative impact,
a usually on our asset. So it's something negative. There's, ah, there's there's not a good context in which we would use the word threat. And often the threat occurs.
Ah, and exploits of vulnerability in the asset.
And when we talk the word risk, the word risk is the likelihood that that threat will exploit a vulnerability in the asset.
So my data, that's my asset.
The vulnerability is I've used weak passwords to protect it.
The fled is that an attacker could compromise those passwords and gain access to my data.
The risk is that if I don't do something about it, there's a 90% chance that will happen.
Okay, so that's how they all kind of go together.
Now, when we do talk about risks, a couple of terms that we look at, we look a probability and impact
probability. How likely is the risk event to materialize and impact if it does? How great, how much damage will happen. Okay, Few other terms, secondary risk and residual risk. So a secondary risk is when one risk response causes another risk event.
And sometimes that happens. You know, think about patching a system. You've patched a system you've closed the security vulnerability that the patch was designed for. Unfortunately, now that system doesn't interact properly on your network.
Hey, it's a secondary risk. Residual risk.
Rarely do we talk about eliminating risks.
Usually risks hang on. The best you can do is hope to minimize the residual risk. And that's what's left over after applying your risk responses.
So, for instance, I can put any virus software on these systems. It does not guarantee there's no way this system will catch a virus or have some sort of malicious activity,
but it does greatly reduce the likelihood that that would happen. So there's still a 2% chance that it could catch. You know, we could get a virus or some sort of malicious code or activity on here, but it's very minimal.
The goal of risk management is to ensure that the residual risk
tolerance as set out by management.
Okay, I won't say that again. That's an important piece. Our goal in risk management is to make sure the residual risk
is within the levels of risk tolerance as set about by management.
So what is that saying? We reduced risk to an acceptable level. Acceptable By who? Management.
Why? Because management will take that and make sure that their tolerance is aligned with the overall business objectives
so that ultimately we're supporting the business. And that's our goal. So I t risk all sorts of directions that risk can come from risking come from software and hardware vendors, third party vendors, databases, operating systems. We could go on and on and on infrastructure RISC architecture a risk,
but also think about things like project risk. A lot of what we do as a project as a kn I T manager involves overseeing various projects. You know this project we're gonna roll out new software we're gonna upgrade. The existing infrastructure
projects are very risky undertaking, so we gotta think about risks within projects,
risks within the environment and how change can affect those risks. Change can be very, very difficult. Most people are resistant to change, and they're resistant for a reason, and often that reason is because change in the past maybe wasn't handled well. So I've gotta look att risk From that perspective, we also have to realize that every control
that we implement has a risk associated with
It may not work properly, may not be configured properly. It may give us a false sense of security.
So again, risk is everywhere. All right, So within risk management, what we're gonna do is take that overall strategy divined by governance, and we're going to try to put it into action. And we're gonna go through setting up the actual processes for risk identification, assessment, mitigation and ongoing monitor.
I t risks come from a 1,000,000 different directions. These air just a few. But the's air, certainly some huge concerns within our organization.
Don't just get caught up in thinking we're protecting from the bad guys outside. Often the bad guys air within our organization. So when we start thinking about firewalls and intrusion detection systems and all of these technical elements, um, a lot of times an insider convey, I passed some of the controls we put in place.
So we're thinking of internal fraud
as well as attacks from the outside. Hardware failures, resource failures, nothing malicious there. But this affects the security of our organization. If the door locks on our front door fail, we're vulnerable. So keep that in consideration.
I have outsourced and activity, therefore I am absolved of all risk associated with that activity. Would that be correct?
I can hear many of you moaning no through the camera. And I agree with you 100% as a matter fact. Sometimes we increase our risk when we have the outsource. Because now we have an entity
pretty much operating within their their own confines, and we don't have a lot of control. And as a matter of fact, my contractor may outsource a portion of their work to a contractor who may outsource and outsource and outsource. So, yeah, we don't eliminate risk by outsourcing. We have to keep an eye on things, and we just
essentially have a new way of addressing risk.
We'll talk about third parties.
I don't know of any other field in which the environment changes so frequently as I t and especially I T security.
You know, if you're planning for what's going on today and you're getting caught up on today's attack so you can get ready for your behind schedule,
right, there's a very fluid environment
and again many, many others. So if we're able to manage our risks better,
we can better protect our assets. And that's really what it's all about. Right again. The Onley reason I'm here, the only reason you're where you are is somehow we support the organization, and somebody in that organization thinks we can help that company, that business get closer to their goals.
So if we have better capabilities of risk management skills, we can protect our company's assets better and help the organization as a whole.
We want to minimize loss. We also want to be very vigilant, ever vigilant, looking out for the new threats, making sure we're aware of our vulnerabilities, keeping our eye on the horizon. We want to be able to prioritize risk responses. Never sadly, have I worked for the company that has given me a blank check and said,
Just make everything better
right. We have a limited amount of funds. I need to be able to truly understand where we suffer the greatest potential for loss because the budget has to go there first. We want to direct our efforts to the areas that control a rate loss, the least
another big one. We've got staying compliance.
Ah, hip, Sarbanes Oxley, Grand Leach Bliley payment card industries, data security standards on and on and on different requirements, uh, that different organizations have to meet.
And just because I'm not, you know, one of those isn't necessarily pertinent to me. I have obligations to protect personally identifiable information of my of my employees of my customers. So we all have some legal and financial and regulatory responsibility.
I had mentioned projects being successful. I believe the record is 60% of all projects that begin are considered to be failures.
So when you take that only 40% of projects are truly successful,
that's not necessarily what you'd expect. You kind of expect most of the projects we undertake to be successful. I certainly would want that to be the case while it comes down to not managing risks, not having the foresight to identify them properly.
Maybe not evaluating my assets and realizing that maybe more money needs to be spent protecting these assets, making poor decisions.
Customer confidence is huge. You will spend your money with a customer. I'm sorry with a ah store and organization of business that you have faith in If I'm constantly on the news. Yeah, we lost another 100 million. Credit card numbers are yet another super another security breach this week.
You have no confidence in me. You're not gonna do business with me there. Too many competitors.
Very few of us work in a company that does something truly unique today. Those days air kind of gone. Maybe we do things a little better than somebody else or slightly differently. But the bottom line is, whatever your organization, their competitors, somebody can do what you do better if you're not careful.
Also, even from an I T department. So I'm an internal department of I t within an organization. We're good. They're not gonna get rid of i t. Yeah, they might. Outsourcing I t service is has become a way of life for many organizations. So within i t, we have to think about ourselves as a business. If we want to stay in business
And that's going to mean that we have to operate in a more streamlined and efficient manner manner, and we have to deliver value for the organization, and that should be our top priority and focus.
All right, Better response to incident management because a well written risk management plan identifies the threats that could materialize but also gives us an appropriate response as well as what to do if appropriate, response. A doesn't work,
so risk management helps us within incident management,
which all of these pieces ultimately come together to align with the overall goals of the organization. Let's help me their business objectives.
Okay, just a couple more ideas here before we conclude the introduction. So we've talked a little bit about risk governments. We've talked a little bit about risk management. I also just want to throw a little bit of a precursor to what we'll talk about later with business continuity, because
when we look at risks, what we do is we identify those things that we can. There's things that we think reasonably will happen.
We're gonna prioritize those risks, and then we're gonna put a risk response in place.
sometimes the unheard of happens. Sometimes something comes in from left field,
Um, or even if it's not unheard of. Like, for instance, I live in the D C area and we had a great earthquake back in 2013. And by great earthquake, I pretty much mean that the house shook for about six seconds, and that was pretty much the gist of it. So it was fairly in consequence of inconsequential to me.
Um, however, the Washington Monument was under repair for almost eight months, I believe.
So. What's inconsequential to you may be very consequential, depending on a different area of your organization, maybe perhaps a different branch office. The whole point I want to meet make is even though I now know,
all right, we can have an earthquake in D. C.
I still don't have a really active mitigation strategy for that. For instance, I looked at the cost of moving my business downtown into a steel reinforced building designed to withstand unearth quake up to seven on the Richter scale. Too expensive. Can't do it. Too expensive.
The risk of a hurricane,
the probability not hurricane, earthquake. The probability that an earthquake would happen, First of all, very unlikely in Washington, D. C. But even when it does for my business, it has such a small impact I can't justify.
Okay, so I don't have a really active mitigation strategy. So what saves my organization if we do have an earthquake that is of a large scale? And let's say my primary facility is damaged,
that's where business continuity comes in.
So, yes, this is about risk management. But risk management would be incomplete without also talking about business continuity. Because business continuity is the safety net under risk management. So we'll certainly talk about that.
Um, I would focus risk management on those things that are likely to happen. Those things with medium to high probability
business continuity is for those things that we just don't think you're gonna happen. But if they do would have high impact.
Just a couple of other ideas. Audit. We will talk about audit within the confines of the class because when we look at risk management, part of risk management, putting our proper processes and procedures in place, how do we know that people are following them? How do we know that they're working.
That's where the audit comes in, where we go in and we examine the policies.
And then if we find that we're not where we want to be, what we do is we do a Gap analysis, Gap analysis says. Here's where we are. Here is where we want to be. How do we close that gap between the two and again? This just these air just in terms I want to throw out because we'll be using them through throughout the day.