Risk Action Plan

Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9

Video Transcription
00:00
>> Now in this next section, we know that our goal is going to be to mitigate risk, to reduce risk to the degree that's acceptable, but we have to have a plan. That's exactly what the risk action plan is going to give us.

We in our roles as risk practitioners, and I just want to say that as risk practitioners, that's probably the role you can expect to be in as a CRISC. You're going to be somebody that is going to inform, that's going to assess, that's going to make recommendations, but remember the decision-making is the responsibility of the risk owner, and in the business world the risk owner usually is going to be the individual lines of business. The various department heads, those are the folks that own the asset, they own the data, therefore they're the ones that own the risk. Now again, that's just general, it's not written in stone, but that's generally how that's going to be. Our job is going to be to provide consultation, to make recommendations. Keep that in mind.

On the test I would expect to see multiple questions on who makes the decision. We make the recommendation, the risk owner makes the decision. That's exactly how we want it to be, because remember, the risk owner is tied into the business. When it comes down to it at the end of the day, it's about the business. What we're entrusting or what's entrusted within the organization is that the risk owner will make the right decision and they have that accountability to do so. Now, whether or not that happens, it's like anything else in this world, we make mistakes, we go back and correct them. Sometimes risk owners err on the side of functionality as opposed to security, but that's responsibility.

Now, when we write up this risk action plan, there are a lot of things that we have to consider. Just like back in Domain 2 we talked about framing risks. I hope you remember that. We talked about not all risks are created equal. Every organization approaches risks differently. There may be a different risk culture. If you're in the government or military, we look at risks one way. If I am in the payment card industry, I look at risks a different way. We have lots of factors that are going to be included in this action plan and those should be referenced absolutely. But the big piece, how this project impacts our current risk level. Are we taking on more risk or are we lessening our risk? Always we have to think about regulations, laws, maybe industry standards. Whatever our goal is to be compliant with, that's the consideration.

Long-term plans and projects. Budget is of course critical because we have to operate within a set budget. We've got to think about our people or resources of our staff. Public pressure is another, especially if you work in the government or if you work in any public-facing organization. There are a lot of risks associated today. Everything is in view for all the public and the public very much can swing like a pendulum back and forth. As an organization suffers some PR event, it's very likely that customers will choose to shift away from us, so we have to be aware of how we present to the public, of course. Then competitors, where are they going? How are they perceived? Can they benefit from mistakes that we make? You got to consider all of this in your risk action plan.

We've done our risk framing that came in Domain 2. We've played out risk scenarios, that came in Domain 2, and we looked at risk analysis. Now, when we analyze our risk, if risk is within the acceptable limits then we accept the risk. If it's outside of the acceptable risk then we need to respond to it. When we respond to our risk, we've got to keep in mind our options and over on the left are our options. Avoid, mitigate, transfer, accept, we'll get into those in a few minutes. Over on the right are some of the parameters or some of the considerations or constraints within which we work. We have to have a response that is effective and efficient. We can't just implement a response that is a band-aid. We want to think about long-term implementation. We want to think about is the control that we're implementing going to reduce risk to a sufficient manner. What exposure are we left over with? Do we have the capability of responding in the appropriate manner? Those are our parameters that we have to consider, and that information along with looking at the options we have is going to lead us to risk responses.

Very rarely is a single risk response something we come up with. We're going to come up with lots of different risk responses and it may take multiple responses to effectively mitigate risk to the degree that's important. We prioritize our risks and we prioritize those based on cost-benefit ratio. We're able to prioritize risks so that those high-priority risks get our first attention. We want to make sure that we understand, we don't have unlimited money, we don't have unlimited time or resources, so we have to prioritize. That prioritization is going to be made much easier by the work we did in Domain 2 where we came up with our value for the risk. Out of all of this, we're now able to write a risk action plan that essentially details our strategy in addressing risks. We have our basic strategy and methodology and the prioritization of risk. This is all information that's going to be formatted properly. It's going to be presented as an easy-to-read document to our risk owners with our recommendation.