Risk Assessment Consistency Part 1
Video Transcription
>> Hello again, and welcome to the HCISPP certification course with Cybrary, Risk Assessment Consistency, Part 1. I am Schlaine Hutchins, your instructor. In this module, we will cover roles and responsibilities that are consistent with the risk assessment process within an organization.

Many different individuals within an organization contribute to successful information protection. Many will have a role to play in the risk assessment process. Security is everyone's responsibility within an organization. All end-users are responsible for understanding the policies and procedures that are applicable to his or her job function. Users must have knowledge of their responsibilities and be trained to a level that is adequate to reduce the risk of loss to an acceptable level. Although the titles and scope of responsibility of the individuals may vary from organization to organization, the following roles support the implementation of security controls.

Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know. They must be aware of the risks that they are accepting for the organization. Executive management is responsible for providing security leadership and governance for the organization.

The information security officers maintain a subset of responsibilities of the CISO. Specifically, the ISO is responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines. This individual is often uniquely situated within the organization to be able to highlight and identify security risks during the assessment process. In smaller organizations, such as a startup in the healthcare industry, this role becomes increasingly important and challenging as the company grows. Partnering with risk leaders is so important to ensure security is appropriately designed. It can also be pretty cool. When working in an environment with smart people, a security officer can leverage technologies to help design and implement the appropriate security measures. In my experience, it's about getting those technologists to understand the why behind what you're asking them to do. Once they understand that, you can find more creative ways to achieve your goals.

The privacy officer will have knowledge of information systems, information security, privacy, and legal requirements, and be able to identify and manage the associated risk and business impact of system changes, interconnections, and sharing practices. The privacy officer is responsible for reviewing organization practices and procedures to ensure compliance with the relevant privacy laws and policies. Additionally, the privacy officer will be able to make risk management recommendations to prevent incidents of compromise and misuse of health or personal information.

Drafting of security policies, standards, and supporting guidelines, procedures, and baselines is coordinated through the information security professional. Guidance is provided for technical security issues and emerging threats that are considered for the adoption of new policies. This individual possesses technical knowledge and is able to inform the risk assessment process for the organization.

A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to the information assets. They ensure that the business information is protected with appropriate controls. The owners or their delegates may be required to approve access to the information. Owners or their delegates are responsible for understanding the risks that exist with regards to the information they control.

A data custodian is an individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end-users, and is backed up to enable recovery in the event of a data loss or corruption. This group administers access rights to the information assets. Individuals in this role will have important business and operations knowledge to share, to inform the risk management process.

IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, and other requirements. The auditors provide independent assurance to management on the appropriateness of security controls and provide an independent view of the controls and their effectiveness.

Business continuity planners develop contingency plans to prepare for any occurrence that could have the ability to impact the company's objectives negatively. We've reviewed the various threat vectors that could affect an organization, including earthquakes, tornadoes, blackouts, fires, etc. The business continuity planner informs the risk assessment process and ensures that business processes can continue through the disaster, and coordinates those activities with the business unit areas and IT professionals responsible for this recovery.

IT professionals are responsible for designing security controls into information systems, testing the controls, and implementing the system in production environments. They work with the business owners to ensure the design solution provides security controls commensurate with the criticality, sensitivity, and availability requirements of the application. They provide vital data around systems vulnerabilities and controls that feed directly into the risk assessment process.

A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application, system, or data owners. These individuals have elevated privileges and create and delete accounts and access permissions. This professional will feed relevant systems and security information into the risk assessment process.

A network or systems administrator configures network and server hardware, and the operating systems, to ensure that the information can be available and accessible. They maintain the infrastructure by installing patches and updates to systems. The administrator tests and implements system upgrades to ensure the continued reliability of servers and network devices. This professional will feed relevant system and security information into the risk assessment process.

The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the FBI, to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operations of surveillance systems, alarm systems, and card reader access control systems. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated.

Now, it's time for a knowledge check. Who assigns appropriate classification to information assets? Executive management. That is correct. Who provides independent assurance to management on the appropriate controls? The Information Systems Auditor. Did you get that one right? Who directs, coordinates, plans, and organizes security activities? The security officer. Very good.

Today we talked about roles and responsibilities as they apply to the risk assessment process for consistency. Stay tuned for Part 2.