All right, here we go into the second stage of the risk management lifecycle: risk assessment.

And when you look at this, following risk identification, we've done our risk scenarios, we've developed the risk register, and as we move on we'll continue to build on that risk register all the way throughout all the phases. And now it's time to get a value for these risks. So just right off the bat, the difference between identification and assessment: in identification, you are looking to define assets, their threats and vulnerabilities. Once you have that, through risk assessment you look at probability and impact and try to determine a value for the risk event. In identification we're just listing. But now, with assessment, we want value.

Now, I can have a qualitative value or a quantitative value, which we'll talk about in just a little bit. But ultimately, these values are gonna dictate for us what type of response we have.
All right, so risk and control analysis, once again: we're gonna have existing controls in place, and what we want to figure out is, do they meet our goals? Are we where... So just like we talked about before, we're talking gap analysis. Here's what I need, here is where I am. How do I close that gap? And we've mentioned maturity models as a way to examine the effectiveness of the controls, which is what we're getting at.

And remember, we don't answer "Are the controls effective?" by saying "if it ain't broke, don't fix it," or "well, nobody's gonna get on board with this change," right? What we do is we conduct a risk assessment. And for ourselves, we start with identifying assets, threats and vulnerabilities, now determine the value for those, we look at how that is mitigated by the current controls, and then we have to determine: is the residual risk within what's acceptable? Because if it's not, we're gonna have to further mitigate, which is gonna be in the next phase of the lifecycle, risk mitigation and response.
All right, now, when we're analyzing this information, you know, the very nature of a risk is that it's unknown, so we may not have all the data. You know, it's very difficult to determine the probability and impact of, you know, a fire. How likely are you to have a fire? Even when we're doing quantitative analysis, there's still that element in some instances where we really are just kind of using subjective information, right? Maybe I'm gonna, you know, based on what I see out there, what insurance companies tell me, um, maybe I'll have a fire once every seven years. But that's not, you know, that's not hard and fast, right? That's just my best prediction.

So what's the quality of the data? How much is available? Can I guarantee it, or what's my confidence in the data? Is the data that I've been able to pull together relevant in relation to the business? Right? So we've got to think about this.
Now, as I mentioned before, there are several types of assessment, and by the way, you'll hear the terms assessment and analysis. They may be used interchangeably, and that's fine; assessment and analysis are both about values.

All right, so the two main methods are qualitative and quantitative. Um, qualitative analysis is always first. You can't have a purely quantitative analysis. The quantitative is really what I like. That's what I'm working towards. You can't always get it, but I'd like it. Qualitative is based on my opinions, based on my experience, based on what I know. Quantitative is based on cold, hard facts, empirical data. Show me the numbers.

So they both have value. And like I said, we start with qualitative analysis. Qualitative analysis gives us things like: this is a high probability, a medium impact. We can't really figure out exactly what that means. But if I were to ask you, what if there's damage to your company's reputation, how would that impact your organization as a whole? Most people would say, yeah, it'd have a big impact. But what does that mean? Right? That's qualitative. And some things are harder to quantify than others. I can tell you how much money you'd lose if you lose 15 laptops without information on them. That's really easy. But to figure out what a company's reputation, or really their data or all those other elements, are worth is very tricky.
By the way, a testable fact: when you are evaluating your assets and determining a value for them, you determine the value of the assets based on their replacement cost, not on their current cost. Put that down as a Kelly special test tip, because the idea is, yeah, this may only be worth $300. This laptop may only be worth $300 based on the fact that it's five years old. But to get another system that will do what I need, I have to spend $1000. So I can't just say that asset's worth 300 bucks, because I can't replace it for 300, if you want to think about it that way. So the cost of assets is based on replacement value. And, of course, we need the value of the asset when we're doing our risk assessment.
All right, so qualitative and quantitative. And then there's a combination called semi-quantitative. Honestly, I tend to think of things as qualitative or quantitative. Semi-quantitative brings in numbers, but they're still subjective: on a scale of one to 10, how likely is it to rain? All right, if it rains, how big a problem would that be for your fishing trip? So that has a risk value of 30. Well, you're using numbers, but they're really not hard and fast. They're still subjective. And what those numbers do is they allow me to rank my risks, which is really what qualitative analysis is all about. So ISACA is gonna break out and say, okay, you've got this semi-quantitative. I'm fine with that, but I tend to still put that up under qualitative.

Now, we're using that to prioritize risk. Um, we use words like high, medium, low, moderate. Often we'll look at something called the probability and impact matrix, that kind of compares those high probabilities with high impacts and again is trying to come up with sort of a risk score that I can use to prioritize risks. Quantitative risk analysis or assessment, though, like we said: empirical data, show me the numbers. And when I get a good quantitative analysis or assessment, that's going to be the justification I use to recommend immediate...
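The scoring ideas in this lecture (a qualitative probability-and-impact matrix, a semi-quantitative 1-to-10 product such as the rain-and-fishing-trip score of 30, replacement cost as asset value, and a quantitative yearly loss from an "about once every seven years" event rate) as a small risk-register helper. This is an added example, not code from the lecture or from ISACA or CyberVista: the matrix bands, the `RiskEntry` fields and the sample register entries are constructed assumptions chosen to match the lecture's own examples.

```python
"""Risk register scoring helpers (added example; all sample data is constructed)."""
from dataclasses import dataclass

# Probability-and-impact matrix (constructed assumption): the band a
# (probability, impact) pair maps to. "moderate" is treated as "medium".
PI_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def _normalise(level: str) -> str:
    level = level.strip().lower()
    return "medium" if level == "moderate" else level


def qualitative_band(probability: str, impact: str) -> str:
    """Qualitative assessment: look the pair up in the matrix and return a band."""
    key = (_normalise(probability), _normalise(impact))
    if key not in PI_MATRIX:
        raise ValueError(f"unknown probability/impact pair: {key}")
    return PI_MATRIX[key]


def semi_quantitative_score(probability: int, impact: int) -> int:
    """Semi-quantitative assessment: two 1-to-10 ratings multiplied into a score.

    The numbers are still subjective, but they let entries be ranked.
    """
    for name, value in (("probability", probability), ("impact", impact)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be on a 1-to-10 scale, got {value}")
    return probability * impact


def asset_value(current_worth: float, replacement_cost: float) -> float:
    """Asset value for the assessment is replacement cost, not current worth."""
    if replacement_cost < 0 or current_worth < 0:
        raise ValueError("values must be non-negative")
    return replacement_cost


def annualized_loss(loss_per_event: float, years_between_events: float) -> float:
    """Quantitative assessment: expected loss per year for an event that
    recurs roughly once every `years_between_events` years."""
    if years_between_events <= 0:
        raise ValueError("years_between_events must be positive")
    return loss_per_event / years_between_events


@dataclass
class RiskEntry:
    """One row of a risk register (constructed shape for this example)."""
    risk_id: str
    description: str
    probability: int  # 1-to-10
    impact: int       # 1-to-10

    @property
    def score(self) -> int:
        return semi_quantitative_score(self.probability, self.impact)


def rank_register(entries: list) -> list:
    """Prioritise the register: highest score first (stable for ties)."""
    return sorted(entries, key=lambda e: e.score, reverse=True)


# Constructed sample register echoing the lecture's examples.
SAMPLE_REGISTER = [
    RiskEntry("R1", "Rain during the fishing trip", 3, 10),   # 30, as in the lecture
    RiskEntry("R2", "Building fire", 2, 9),                   # 18
    RiskEntry("R3", "15 laptops lost, no data on them", 7, 5),  # 35
    RiskEntry("R4", "Reputational damage", 4, 8),             # 32
]


def ranked_ids(entries: list = SAMPLE_REGISTER) -> list:
    """Risk ids in priority order; used by the test below."""
    return [e.risk_id for e in rank_register(entries)]


if __name__ == "__main__":
    for entry in rank_register(SAMPLE_REGISTER):
        print(f"{entry.risk_id} score={entry.score:3d}  {entry.description}")
    print("laptop value for assessment:", asset_value(300, 1000))
    print("yearly fire loss at one fire per 7 years on a $1000 asset:",
          round(annualized_loss(1000, 7), 2))
```

The quantitative figure is only as good as the inputs, which is the lecture's point about data quality: swapping the seven-year estimate for an insurer's measured rate changes the output without changing the code.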