CISM

Course
Time
12 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
All right, here we go into the second stage of the risk management lifecycle: risk assessment.
00:06
And when you look at this,
00:09
following risk identification, we've gone through and done our risk scenarios and developed the risk register,
00:15
and as we move on we'll continue to build on that risk register all the way throughout all the phases.
00:22
And now it's time to get a value for these risks. So just right off the bat, the difference between identification and assessment:
00:30
identification, you are looking to define
00:33
assets, their threats and vulnerabilities.
00:36
Once you have that, through risk assessment you look at probability and impact and try to determine a value for the risk event.
00:45
Identification, we're just listing. But now, with assessment, we want value.
00:50
Now I can have a qualitative value or a quantitative value, which we'll talk about in just a little bit.
00:57
But ultimately, these values are gonna dictate for us what type of response we have.
01:03
All right, so risk and control analysis once again:
01:07
we're gonna have existing controls in place, and what we want to figure out is, do they meet our goals? Are we where we want to be?
01:15
So just like we talked about before,
01:18
we're talking gap analysis. Here's what I need; here's where I am. How do I close that gap? And we've mentioned maturity models as a way to examine,
01:27
okay, the effectiveness of the controls is what we're getting at.
01:32
And remember, we don't answer
01:34
"are the controls effective?" by saying,
01:37
"if it ain't broke, don't fix it,"
01:40
or, "well, nobody's gonna get on board with this change," right? What we do is we conduct a risk assessment,
01:47
and for ourselves, we start with identifying assets, threats and vulnerabilities, then determine the value for those. We look at how that is mitigated by the current controls, and then we have to determine: is the residual risk within what's acceptable?
02:04
Because if it's not,
02:05
we're gonna have to further mitigate, which is gonna be in the next phase of the life cycle: risk mitigation and response.
02:12
All right, now, when we're analyzing this information,
02:17
you know, the very nature of a risk is that it's unknown,
02:21
so we may not have all the data. You know, it's very difficult to determine
02:27
probability and impact of, you know, a fire. How likely are you to have a fire?
02:32
Even when we're doing quantitative analysis,
02:36
there's still that element,
02:38
in some instances where we really are just kind of using subjective information,
02:44
right? Maybe, you know, based on what I see out there, insurance companies tell me,
02:51
maybe I'll have a fire once every seven years.
02:54
But that's not,
02:55
you know, that's not hard and fast, right? That's just my best prediction.
03:00
So what's the quality of the data?
03:02
How much is available? Can I guarantee it, or what's my confidence, maybe, in the data?
03:08
And
03:10
the data that I've been able to pull together,
03:14
is it relevant in relation to the business? Right? So we've got to think about this.
03:20
Now, as I mentioned before, there are several types of assessment. And by the way, you'll hear the terms assessment and analysis; they may be used interchangeably, and that's fine. Assessment and analysis are both about values.
03:34
All right, so the two main methods are qualitative and quantitative.
03:39
Qualitative analysis
03:43
is always first. You can't have a purely quantitative analysis.
03:47
The quantitative is really what I like. That's what I'm working towards. You can't always get it, but I'd like to.
03:53
So, qualitative:
03:55
it's based on my opinions, based on my experience,
04:00
based on what I know.
04:01
Quantitative is based on cold, hard facts, empirical data. Show me the numbers,
04:08
right?
04:09
So they both have value. And like I said, we start with qualitative analysis. Qualitative analysis gives us things like, this is a high probability and medium
04:19
impact. We can't really figure out exactly what that means.
04:23
But if I were to ask you what if there's damage to your company's reputation,
04:28
how would that impact your organization as a whole?
04:30
Most people would say, yeah, it'd have a big impact.
04:33
But what does that mean? Right? That's qualitative. And some things are harder to quantify than others.
04:40
I can tell you how much money
04:42
you lose if you lose 15 laptops without information on them. That's really easy.
04:46
But to figure out what a company's reputation, or really their data, or all those other elements are worth is very tricky.
04:55
By the way, a testable fact:
04:58
when you are evaluating your assets and determining a value for them,
05:02
you determine the value of the assets based on their replacement cost,
05:09
not on their current cost.
05:11
Okay,
05:12
put that down as a Kelly special test tip.
05:16
Yeah,
05:17
because the idea is, yeah, this laptop may only be worth $300 based on the fact that it's five years old.
05:28
But to get another system that will do what I need, I have to spend $1000.
05:32
So I can't just say that asset's worth 300 bucks, because I can't replace it for 300,
05:38
if you want to think about it that way. So the cost of assets is based on replacement
05:43
value. And, of course, we need the value of the asset when we're doing our risk assessment.
05:48
All right, so qualitative and quantitative.
05:50
And then there's a combination called a semi quantitative.
05:55
Honestly, I tend to think of things as qualitative or quantitative. Semi-quantitative brings in numbers, but they're still subjective:
06:03
on a scale of one to 10, how likely is it to rain?
06:08
Six.
06:10
All right, if it rains, how big a problem would that be for your fishing trip?
06:15
Five.
06:15
So that has a risk value of 30.
06:18
Well, you're using numbers, but they're really not hard and fast. They're still subjective.
06:25
And what those numbers do is they allow me to rank my risks, which is really what qualitative analysis is all about.
06:31
So ISACA is gonna break it out and say, okay, you've got this semi-quantitative. I'm fine with that,
06:38
but I tend to still put that up under qualitative.
06:44
So, qualitative,
06:46
we're using that to prioritize risk.
06:48
We use words like high, medium, low, moderate.
06:54
Often we'll look at something called the probability and impact matrix, that kind of compares those high probabilities with high impacts and again is trying to come up with sort of a risk score
07:08
that I can use to prioritize risks,
07:11
Quantitative risk analysis or assessment, though, like we said: empirical data, show me the numbers. And when I get a good quantitative analysis or assessment,
07:23
that's going to be the justification I use to recommend immediate

CISM

Cybrary's Certified Information Security Manager (CISM) course is a great fit for IT professionals looking to move up in their organization and advance their careers and/or current CISMs looking to learn about the latest trends in the IT industry.

Instructed By

Kelly Handerhan
Senior Instructor