Risk Assessment Overview


Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> Let's go ahead and move into domain 2, which is risk assessment. With risk assessment, we're going to have to start out by going over some concepts and some definitions, just because different frameworks and different individuals and organizations use some of these risk assessment terms a little bit differently, and we want to make sure that we're in alignment with ISACA. Then we're going to talk about the main pieces of risk assessment. We're going to look individually at risk identification, risk analysis, and then risk evaluation. After that, we're just going to look at some common frameworks. We're choosing NIST, to look at NIST 800-39, -30, and -37. Then with -37, we're going to look at NIST 800-37, which is the risk management framework. We're going to look at that in combination with the software development life cycle and talk about integrating risk into the development process. Also referenced throughout these frameworks is the concept of having various tiers of risk assessment: the organization, then the processes, then the individual technology. We'll look at those and how they relate. We'll talk about some different types of risk methodologies, some techniques. One of the big things that we talk about when determining the value of risk is that we think about two things: probability and impact. We'll talk about impact to the business. Then, last but not least, we're going to talk about risk culture and how we build a risk-aware environment.

As promised, we're going to start out just by going over a couple of definitions first. For me, one of the more frustrating things is that everybody has some input on risk management, all these different organizations, and there's not really a consistent agreement that this is how we're going to use this phrase across all the different organizations. That's why it's so important that, as an enterprise, you choose a framework on which to build, and everyone within the organization accepts that framework. I can't control what everybody in the world does, but I can at least approach or provide the lexicon for dealing with risk in my own enterprise. These are the definitions we're going to use with CRISC.

We start off with the category of risk assessment. I've been asked to write a new information security policy for the organization, so I need to assess the risks. With risk assessment as an overarching process, there are three pieces. There's risk identification. When I do risk identification, I'm looking for three pieces: I'm looking for assets, threats, and vulnerabilities. Assets: what are those things I value? Threats: what can harm my assets? And then vulnerabilities, or weaknesses that allow the threats to be successful. For the three of those, sometimes you'll see the formula asset times threat times vulnerability equals risk. Or sometimes you'll just see threat times vulnerability equals risk. That's perfectly fine. I know what folks are referencing, but really you should account for assets as well, because if you don't have something worth protecting, what's the risk? Anyway, when you're doing risk identification, you're looking at your assets, the threats, the vulnerabilities.

Now, I've identified my risks. I know what the risks are, but I haven't done anything with them yet. I don't even know what to do with them yet. What happens? I do a risk analysis. Now, with a risk analysis, I'm looking at probability times impact. How likely is it to happen, and if so, what will the severity be? You'll hear likelihood and probability used together, you'll have impact and severity, or maybe you may see some spin-offs of those words, but ultimately, that's what gives us the value for the risk. How likely is it to happen? If it happens, what's the severity? What I'm trying to do by the end of analysis is I want a value for the risk. I've got an 80 percent chance that I'm going to lose $10,000. That's an $8,000 risk. That's my risk value.

I'm not done yet though, because I have to consider the value of the risk versus the cost of the countermeasure. I have some mitigation strategy or strategies in mind; they always have costs associated with them, though that cost may not always be in dollars. There's always a cost when it comes to implementing security. I look at the potential for loss versus the cost of the countermeasure, and I try to make a decision that has more benefits than cost, where the pros outweigh the cons. When we complete our risk assessment, then we're ready to recommend a mitigating strategy. Here's my plan based on the assessment that I've done. At the end of the day, I'll have a risk assessment report that talks about my methodology, the process I've gone through to assess these risks, but we'll see these three big phases, if you will, of risk assessment: risk identification, risk analysis, risk evaluation.