as we talk about risk, we want to talk about risk management as a whole and what risk management is and what elements make up risk management
and risk management really kind of an umbrella term. And what that means is, if you're talking about risk, you're doing some form of risk management and their various elements of risk management. There's assessment, there's analysis, there's mitigation and then ongoing monitoring of risks.
So when we talk about risk assessment and we'll look at each of these in detail, more
risk assessments really more about identification. Identify your assets, identify your threats and your vulnerabilities. Start out by identifying Figure out what's out there. What am I protecting? What are the things that could pose harm to what I'm protecting as well as what weaknesses would exist to allow that,
Then we're gonna look at risk analysis, risk analysis. We're trying to get a value.
What is the value of the potential for harm, which that risk worth and often we start off with getting a subjective value like that's a high risk
and then we move into wanting a quantitative or a numeric assessment of the risk saying things like that has the lost potential of $8000. Ultimately, we generally do wantto wind out working towards that dollar value of the risk, because when I find out the dollar
value of risk potential or lost potential,
that will guide how much money I'll spend in order to mitigate the risk. That's the cost benefit analysis right there.
All right, so risk analysis leads us directly to risk mitigation. And after we determined those values from analysis, we figure out a risk response. How are we going to respond to the risk? And remember, we're gonna respond in such a way that we reduce residual risk toe a level that's acceptable by senior management.
We don't think of eliminating risks. We think about lowering risks to a level that's except
all right, and then we wind up or we wrap up risk with continuous monitoring because risk never dies. Risk is forever and ever, and we always have to be very cognizant of risks. Risks are frequently changing, especially in this field, so there is no rest for someone in risk management.
So let's talk about each of these areas. Let's talk about risk assessment analysis and so on So when we do talk about assessment, the most important thing in the first step of risk management and what drives all of our decisions, what are we protecting and what it's worth,
identify our assets many times our assets are gonna be the data that we protect
and how much value is associate ID by that data.
So let's just talk for a second. What drives the value of data?
You know, if you think about if I go to ensure my dad, I'm probably not gonna get much money from the insurance company if I've lost my data. But what gives it its value? And I kind of referred to this a little bit earlier. What's the value to meet? How much time did I take in creating the information?
What's the value to my customers? You know, if I hold customer personally identifiable information, if I have their credit card information, their health care information that becomes very valuable, what type of fines and my susceptible to
if the information gets compromised? So all of that goes into the value of the assets,
then we look at the threats and vulnerabilities,
and that's a risk assessment
now There are several different methodologies and approaches to accepting. I'm sorry to assessing risks. There's octave frack and the NIST 800-30 which would be my focus on for this particular Sam.
So octave is sort of a self Ah ah, self
Excuse me. Octave is really a self based assessment.
Ah, where someone internally looks the criticality in the value of the assets, the threats and the vulnerabilities frappe, facilitated risk analysis process. This is a qualitative analysis, and ultimately what it is is It's a way of prioritizing
my assets to determine which ones are worthy or my risks rather
which ones are worthy of going on to a quantitative analysis. We may decide with qualitative that this is such a low potential for loss. It's not even worth looking at the dollar value. So that's what frappe does
now, Mr 800. Dash 30 is the Risk Management guide for Information Technology systems, and it walks us through a nine step process of dealing with risk. And this isn't just risk assessment. This really goes through the full gamut of dealing with risks
where we characterize our system, and basically what that means is we look at the value of the assets.
Is this system hold top secret data or sensitive but unclassified?
Then we look ATT, threats and vulnerabilities, just like we talked about. Ah, threat is what could cause harm to the system of vulnerabilities, where the weaknesses,
then we analyze the controls that are already in place, and then we look at likelihood and impact. Sometimes you'll hear me talk about probability and impact or likelihood and severity. Those ideas were the same probability and impact. How likely is it toe happen? And if it does happen,
how big is the impact?
Then we determine the amount of risk, and that risk determination is really the analysis piece that will drive us to recommend controls.
Then ultimately, we're gonna document our decisions and be able to justify the decisions that we've made.
So all of this ties in together, whether you're following the framework from Octave or frappe or NIST, or any of the other organizations that have a say in risk management, even though everyone says it perhaps a slightly different way. The premises all the same. Identify your assets assets, evaluate them,
look at your threats and your vulnerabilities. Figure out your potential for loss, which will guide your mitigation strategy, implement your mitigation strategy tested, and then document