This is the Cybrary video series on the CompTIA Security+ 501 certification and exam.
I'm your instructor, Ron Warner.
As always, please visit cybrary.it for more information on Security+ plus many other certifications.
This video will help you prepare for section 5.3, explaining risk management processes and concepts.
This is part of domain five on risk management from the Security+ certification material.
The next few minutes explain how to assess security risks for an organization, understanding different terms like threats and vulnerabilities.
Risk management is the process of identifying and reducing risk to a level that is acceptable, and then implementing controls to maintain that level.
Let's learn more about risk management concepts.
Section 5.3 on risk management concepts and processes covers the following material.
We'll talk about a threat assessment,
risk response techniques associated with change management,
and we'll spend quite a bit of time on how to conduct a risk assessment and all the different elements of it, including asset value evaluation,
determining the likelihood of occurrence of a potentially negative event causing, say, system downtime,
the impacts or costs associated with that,
qualitative versus quantitative risks (they're not the same; one is more subjective and the other is objective),
common quantitative risk terms such as SLE, ALE and ARO (not sure what those are? Stay tuned; we'll cover them in a few minutes),
how to document risks in a risk register,
supply chain assessments, which are those third-party risk assessments, making sure that anyone connected to your network has security at the right level for your organization,
and then, lastly, as part of this section, testing.
How do you test for security risks?
So let's dive deeper into risk management.
There are many common terms associated with risk management.
On screen now you see some of those common terms:
risk, threat, impact, vulnerability, exploit, risk assessment and risk management.
I recommend you refer to NIST for the actual definitions.
I have never heard of anyone getting in trouble for using NIST for their definitions. They have a great glossary.
Let me show it to you.
On your screen is the website for the NIST CSRC glossary, csrc.nist.gov/glossary.
Use this as a great resource for looking into the different terms.
Let's look at one of those terms.
For example, let's look up risk. After clicking on the letter R, you can see numerous terms defined by NIST.
One of the things that's fascinating to me is all of the different definitions of risk, even according to an authoritative source like NIST.
Let's take a look at how NIST defines risk.
You see their definition on the screen. What I find interesting is that even they have numerous definitions.
According to the U.S. federal regulation, NIST defines risk as the level of impact on organizational operations, organizational assets, devices, etcetera, data or individuals, given the potential impact of a threat source or threat agent, and given also the likelihood. So basically, you can think of the definition of risk as the probability or likelihood of a threat, weighed against the costs or impact or burden of that threat.
It's also weighed against the costs of mitigation; we'll dive into that more in a few minutes.
You could also refer to Cybrary's definition of risk, now also on your screen.
It's a little bit more broad. I prefer the NIST definition.
In the interest of time, I'm not going to go through the definitions for each of these terms.
We'll just hit some of the highlights, though.
We already defined risk.
A threat is different than a risk. The threat will always have a negative burden on the organization. So the threat of an exploit, the threat of malware, the threat of ransomware is different than the risks associated with those. So make sure you understand the definitions, because they do matter.
A vulnerability is usually associated with a weakness, so vulnerabilities are things that you can patch or mitigate through other security controls.
An exploit takes advantage of a vulnerability to cause damage; it is the exploiting of a vulnerability by a threat source.
Other terms to be familiar with: a risk assessment, which is how you identify and analyze risks. They're all part of an overall risk management framework.
Let's talk more about how to go through a risk management and risk assessment process.
One of the first steps in conducting a risk assessment is identifying and analyzing threats, or conducting a threat assessment.
NIST defines a threat as an entity or event with the potential to harm a system; systems include devices, software, hardware, or even people and processes.
It's that potential danger.
So what is a threat agent or a threat source? Those are the entities with the intent and method to target and intentionally harm the organization.
You see the further definition by NIST on your screen.
A good example of a threat agent might be that malicious hacker, or that uninformed internal employee who clicks on a link. They are threat agents.
A threat vector is the way a threat source will exploit the vulnerability or weakness, so it could be through your network (that's a threat vector) or through an application (that's a threat vector). It's the path the threat agent uses to exploit the target.
So a threat assessment is that structured process used to identify and evaluate various risks or threats.
You also see the definition for threat analysis.
As you're evaluating threats, be aware of the different types of threat assessments.
There are different types of threats. You have your environmental threats: fire, weather-related events.
There are man-made events, with human causes. Flooding could be one: if we think about flooding, say pipes burst, or someone left the water running. Some of these could fall into multiple categories; fire, if caused by a human, is not really naturally based. Accidents are man-made threats, and of course, malicious hackers.
There are also internal threats versus external threats. As you may imagine, that's internal to your company versus external sources; it's about the origin of the threat source.
Ask this question: is that threat agent within your organization? And keep in mind, employees could also include temporary workers, consultants, contractors, et cetera.
So be aware of these different threat assessment types.
This concludes part one of section 5.3 on risk management processes and concepts. Stay tuned for part two, where we further dive into how to conduct a risk assessment.
This is Ron Warner.