Time
5 hours 31 minutes
Difficulty
Advanced
CEU/CPE
6

Video Description

In this video we cover the topic of risk assessment in detail. We note that risk management is an umbrella term and contains three elements which were previously mentioned in the Risk Intro video. Risk assessment is the process of identifying assets and the threats and vulnerabilities focused on them. In addition, the value of an asset must be determined prior to putting controls and safeguards in place. An asset's value is examined from several vantage points: the value to the organization as well as to customers. The loss of credit card data and PII has a cost not only to customers, but also to the business in the form of fines, legal penalties, the cost of reparations, not to mention the damage to a business' trust and reputation. We also discuss the major risk assessment methodologies of OCTAVE, FRAP, and NIST.

Video Transcription

00:04
as we talk about risk, we want to talk about risk management as a whole and what risk management is and what elements make up risk management
00:13
and risk management really kind of an umbrella term. And what that means is, if you're talking about risk, you're doing some form of risk management and their various elements of risk management. There's assessment, there's analysis, there's mitigation and then ongoing monitoring of risks.
00:30
So when we talk about risk assessment and we'll look at each of these in detail, more
00:34
risk assessments really more about identification. Identify your assets, identify your threats and your vulnerabilities. Start out by identifying Figure out what's out there. What am I protecting? What are the things that could pose harm to what I'm protecting as well as what weaknesses would exist to allow that,
00:55
Then we're gonna look at risk analysis, risk analysis. We're trying to get a value.
01:00
What is the value of the potential for harm, which that risk worth and often we start off with getting a subjective value like that's a high risk
01:11
and then we move into wanting a quantitative or a numeric assessment of the risk saying things like that has the lost potential of $8000. Ultimately, we generally do wantto wind out working towards that dollar value of the risk, because when I find out the dollar
01:30
value of risk potential or lost potential,
01:33
that will guide how much money I'll spend in order to mitigate the risk. That's the cost benefit analysis right there.
01:40
All right, so risk analysis leads us directly to risk mitigation. And after we determined those values from analysis, we figure out a risk response. How are we going to respond to the risk? And remember, we're gonna respond in such a way that we reduce residual risk toe a level that's acceptable by senior management.
02:00
We don't think of eliminating risks. We think about lowering risks to a level that's except
02:07
all right, and then we wind up or we wrap up risk with continuous monitoring because risk never dies. Risk is forever and ever, and we always have to be very cognizant of risks. Risks are frequently changing, especially in this field, so there is no rest for someone in risk management.
02:27
So let's talk about each of these areas. Let's talk about risk assessment analysis and so on So when we do talk about assessment, the most important thing in the first step of risk management and what drives all of our decisions, what are we protecting and what it's worth,
02:43
identify our assets many times our assets are gonna be the data that we protect
02:49
and how much value is associate ID by that data.
02:53
So let's just talk for a second. What drives the value of data?
02:58
You know, if you think about if I go to ensure my dad, I'm probably not gonna get much money from the insurance company if I've lost my data. But what gives it its value? And I kind of referred to this a little bit earlier. What's the value to meet? How much time did I take in creating the information?
03:14
What's the value to my customers? You know, if I hold customer personally identifiable information, if I have their credit card information, their health care information that becomes very valuable, what type of fines and my susceptible to
03:29
if the information gets compromised? So all of that goes into the value of the assets,
03:34
then we look at the threats and vulnerabilities,
03:37
and that's a risk assessment
03:39
now There are several different methodologies and approaches to accepting. I'm sorry to assessing risks. There's octave frack and the NIST 800-30 which would be my focus on for this particular Sam.
03:53
So octave is sort of a self Ah ah, self
03:59
Excuse me. Octave is really a self based assessment.
04:04
Ah, where someone internally looks the criticality in the value of the assets, the threats and the vulnerabilities frappe, facilitated risk analysis process. This is a qualitative analysis, and ultimately what it is is It's a way of prioritizing
04:23
my assets to determine which ones are worthy or my risks rather
04:27
which ones are worthy of going on to a quantitative analysis. We may decide with qualitative that this is such a low potential for loss. It's not even worth looking at the dollar value. So that's what frappe does
04:41
now, Mr 800. Dash 30 is the Risk Management guide for Information Technology systems, and it walks us through a nine step process of dealing with risk. And this isn't just risk assessment. This really goes through the full gamut of dealing with risks
04:59
where we characterize our system, and basically what that means is we look at the value of the assets.
05:04
Is this system hold top secret data or sensitive but unclassified?
05:11
Then we look ATT, threats and vulnerabilities, just like we talked about. Ah, threat is what could cause harm to the system of vulnerabilities, where the weaknesses,
05:18
then we analyze the controls that are already in place, and then we look at likelihood and impact. Sometimes you'll hear me talk about probability and impact or likelihood and severity. Those ideas were the same probability and impact. How likely is it toe happen? And if it does happen,
05:38
how big is the impact?
05:41
Then we determine the amount of risk, and that risk determination is really the analysis piece that will drive us to recommend controls.
05:48
Then ultimately, we're gonna document our decisions and be able to justify the decisions that we've made.
05:55
So all of this ties in together, whether you're following the framework from Octave or frappe or NIST, or any of the other organizations that have a say in risk management, even though everyone says it perhaps a slightly different way. The premises all the same. Identify your assets assets, evaluate them,
06:15
look at your threats and your vulnerabilities. Figure out your potential for loss, which will guide your mitigation strategy, implement your mitigation strategy tested, and then document

Up Next

ISC2 Certified Cloud Security Professional (CCSP)

This online course will guide you through the contents of the CCSP certification exam. Obtaining your CCSP certification shows that you are a competent, knowledgeable, cloud security specialist who has hands-on experience in the field.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor