Welcome to the CyberRays video series on the CompTIA Security+ SY0-501 certification exam.
This video is Part two of section 5.3 on risk management processes and concepts.
Please refer to the first video for the definitions, as well as a discussion of threat assessments.
Let's dive into Part two of risk management concepts and processes.
Risk assessments are conducted throughout business, and sometimes they're not well defined.
Within security, though, we want to make sure we define what our risks are, so that we can make conscious decisions to mitigate those risks appropriately for the benefit of the business.
This slide shows a definition of what a risk assessment is. It's the process of identifying and analyzing threats, vulnerabilities, exploits, and the impact of the loss of information, processing capabilities, or systems,
or the loss of that information itself.
It may also be known as risk analysis or risk calculation.
The process of conducting a risk assessment:
first of all, you need to identify your assets. You can't protect what you don't know about, right?
It's also the first step in the NIST Risk Management Framework.
So what are your hardware, software, and data assets? That's step number one.
Next, threats and vulnerabilities. Threat sources: who would want to harm that particular asset,
and how would that asset come to harm?
Also, vulnerabilities: the weaknesses associated with those assets.
As you walk through your risk assessment process, make sure you're documenting all of this in a risk register,
which I'll define in a moment.
Once you've determined your assets, threats, and vulnerabilities, determine the likelihood of occurrence.
What's the probability that it may occur? The probability of ransomware, malware, a network-based attack, phishing, et cetera. For a lot of this you can find actual metrics in sources such as the
Verizon Data Breach Investigations Report or the many other breach reports that are now available.
Identify and determine the impact
of an exploit or compromise. So what's the cost going to be
should there be a risk event? Monetary cost, where it's available.
Downtime: how much would it cost your organization? The cost of cleaning up ransomware, et cetera.
Prioritize your risk activities. What controls can you put into place to reduce those risks?
You want to prioritize your risk activities based on the cost, availability, and ease of implementing security controls.
What you see here is a very simplified risk assessment process.
Before, I briefly mentioned the NIST Risk Management Framework, or RMF.
This slide shows the process according to NIST, and some of the documents associated with each step.
It may not be tested on your Security+ exam, but let me tell you, this is a process I'm seeing more and more organizations leverage,
so check it out and become familiar with it. It can help you in your security career.
There are two primary ways of conducting a risk analysis.
You really want to leverage both to get the best bang for your buck and to best understand risks.
So, the qualitative approach.
It's more like estimating values using a scale of, say, 1 to 5. You see the chart on the screen
for probability and impact. Keep in mind the risk definition:
probability and impact weighed against the costs.
So rather than having exact numbers for probability, you might just be able to have a scale, say of 1 to 5,
from rare to very likely.
Same thing with impact:
from trivial, with no real cost involved, on up.
And you can use a chart like this to determine how to weigh those risks and how to manage them.
Qualitative analysis is subjective,
but quicker to perform.
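To make the 1-to-5 chart concrete, here is an added example (not code from the video or its slides) that scores a few constructed risks on a likelihood-times-impact scale and renders the chart as text. The scale labels between "rare" and "very likely", the band thresholds for low, medium and high, and the sample risks are all assumptions chosen for illustration; the video only says a 1-to-5 scale is used.

```python
"""Qualitative risk scoring on a 1-to-5 likelihood x impact scale.

Added example, not from the video. Scale labels, the low/medium/high
band thresholds and the sample risks are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed labels for the 1..5 scales; the video names only the end points.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "very likely"}
IMPACT = {1: "trivial", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass(frozen=True)
class QualitativeRisk:
    name: str
    likelihood: int  # 1..5
    impact: int      # 1..5

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: scores must be between 1 and 5")

    @property
    def score(self) -> int:
        """Likelihood x impact, giving a 1..25 cell in the chart."""
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a 1..25 score to a treatment band (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_risks(risks):
    """Return (name, score, band) tuples, highest score first."""
    ordered = sorted(risks, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, band(r.score)) for r in ordered]


def heat_map() -> str:
    """Render the 5x5 chart as text: impact across, likelihood down."""
    lines = ["L\\I " + " ".join(f"{i:>6}" for i in range(1, 6))]
    for like in range(5, 0, -1):
        cells = " ".join(f"{band(like * imp):>6}" for imp in range(1, 6))
        lines.append(f"{like:>3} " + cells)
    return "\n".join(lines)


# Constructed sample risks for the demonstration.
SAMPLE = [
    QualitativeRisk("ransomware", likelihood=4, impact=5),
    QualitativeRisk("lost laptop", likelihood=5, impact=2),
    QualitativeRisk("office flood", likelihood=1, impact=4),
    QualitativeRisk("phishing", likelihood=5, impact=3),
]

if __name__ == "__main__":
    print(heat_map())
    for name, score, level in rank_risks(SAMPLE):
        print(f"{name:<14} {LIKELIHOOD[SAMPLE[[r.name for r in SAMPLE].index(name)].likelihood]:<12} score={score:<3} {level}")
```

Because the scores are ordinal estimates, the point of the chart is the ordering and the band, not the arithmetic; two risks with the same product land in the same band regardless of which factor drove the score.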
Quantitative analysis actually uses numbers or metrics to measure your risk with real values. So rather than guessing at the likelihood or probability,
you find exact values from a source,
which could be internal or external, and use those numbers in your calculation. That's a numeric
process: quantitative risk analysis.
A couple of the terms you may see associated with quantitative risk analysis are ROI, a business term for return on investment,
and return on security investment, or ROSI. If I spend X
to protect an asset, will I get commensurate value by reducing my risk?
We'll also be talking about the equation you see at the bottom here: SLE times ARO equals ALE.
It's a way to perform quantitative risk assessments that you'll need to know for the Security+ exam.
A common risk calculation you may find is shown on the screen:
SLE times ARO equals ALE, or annual loss expectancy.
Let's define these terms and show you how you can use them to calculate risks within your organization.
ALE, as I mentioned, is a monetary measure of how much loss you could expect in a time frame of a year,
because you want to understand the frequency of occurrence associated with the risk.
SLE is single loss expectancy. So if the event were to happen once,
how much would it cost you?
It has two parts to it: asset value, the replacement cost or value of the asset, so for a laptop or server should it be compromised; and the exposure factor, the percentage of loss.
Together they comprise the SLE.
ARO is the annual rate of occurrence:
does this occur once a year, twice a year, once every ten years? All of this is used to quantify risk.
Let's walk through an example of how you can use this to perform an actual risk calculation.
A good example of a risk calculation is on the screen.
For a single loss event, say the asset value is
$1,000, so the SLE is $1,000 to replace it, and you're expecting seven occurrences a year. So, to replace laptops that are lost or stolen, you expect to lose seven laptops in a year.
The annual loss expectancy is $7,000.
As another example, say there's only a 10% chance of an event. Ransomware may not happen very often, say once every ten years.
So the ALE drops to
$100. That's 1,000 times 0.10. That's the equation.
Be ready to perform this type of equation. I've often seen these types of questions on examinations like Security+.
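As an added example (not code from the video), the following carries the two worked cases through SLE = asset value times exposure factor and ALE = SLE times ARO, and then computes the ROSI figure the video mentions. The laptop and ransomware figures are the video's; the exposure factor of 100% (full replacement), the control cost of $1,500 per year, and the reduced ARO of two losses per year after the control are constructed assumptions for the ROSI part.

```python
"""Quantitative risk calculation: SLE = AV x EF, ALE = SLE x ARO, and ROSI.

Added example, not from the video. The laptop and ransomware numbers are
the video's worked cases; the control cost and post-control ARO used for
ROSI are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    name: str
    asset_value: float       # replacement cost or value of the asset
    exposure_factor: float   # fraction of the asset lost per event, 0.0..1.0
    aro: float               # annual rate of occurrence, events per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: what one occurrence costs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE scaled by how often it happens per year."""
        return self.sle * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """An event expected once every N years has an ARO of 1/N."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def rosi(before: QuantRisk, after: QuantRisk, annual_control_cost: float) -> float:
    """Return on security investment: (ALE reduction - control cost) / control cost.

    A positive value means the control saves more per year than it costs.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    ale_reduction = before.ale - after.ale
    return (ale_reduction - annual_control_cost) / annual_control_cost


# The video's two worked cases (exposure factor of 1.0 is an assumption:
# the laptop is replaced outright, so the whole asset value is lost).
LAPTOP = QuantRisk("lost or stolen laptop", 1000.0, 1.0, 7.0)               # ALE 7,000
RANSOMWARE = QuantRisk("ransomware", 1000.0, 1.0, aro_from_interval(10))     # ALE 100

# Constructed: a control that cuts laptop losses to two per year at $1,500/year.
LAPTOP_WITH_CONTROL = QuantRisk("lost or stolen laptop, with control", 1000.0, 1.0, 2.0)
CONTROL_COST = 1500.0

if __name__ == "__main__":
    for risk in (LAPTOP, RANSOMWARE):
        print(f"{risk.name}: SLE ${risk.sle:,.2f} x ARO {risk.aro} = ALE ${risk.ale:,.2f}")
    print(f"ROSI of the laptop control: {rosi(LAPTOP, LAPTOP_WITH_CONTROL, CONTROL_COST):.2f}")
```

Keeping asset value and exposure factor separate, rather than typing the SLE in directly, is what lets you model a partial loss (a server that is recovered from backup at a fraction of its value) with the same equation the exam expects.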
What do you do with a risk once it's identified?
Well, there are four ways
to respond to risk as part of a risk response strategy. You can see them on your screen.
There's risk avoidance, transfer, mitigation, and acceptance. Let me explain them. Risk avoidance:
don't do it.
For example, driving a car. It's a great example for each of these.
You can avoid the risk of getting into a car accident by just not driving, right?
Transfer means sharing the burden. It's not just giving the burden away, but sharing the burden.
Auto insurance is a great example of risk transfer.
Mitigation is reducing the risk to a reasonable level, reducing either the likelihood or the impact.
So having airbags or anti-lock brakes is risk mitigation. Driving the speed limit is risk mitigation.
Risk acceptance: you need to get to class,
so you accept the risk. You need to do business. Business leaders accept risk.
I don't feel it's the job of a security professional to accept risk. I usually work with someone within the business to do that.
For each of these decisions and strategies, you should be working with the business to get them to own that risk.
You've worked through your risk process. You've
qualified or quantified each of the risks.
You understand what to do about each risk. Where do you document it?
Within a risk register.
It's a program, or sometimes a document or spreadsheet, to record information about an identified risk. Often you'll have a line item in a spreadsheet:
this is the risk, the risk of ransomware. Here's the likelihood. Here's the impact.
Here's the cost
to avoid it, if you will, or the cost to mitigate that risk through
antivirus software, patching, user awareness training, et cetera.
The risk owner is associated with it, and then the risk decision. All of this is documented in a risk register. It helps ensure the organization's risk tolerance and appetite are aligned.
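Here is an added example (not from the video) of the spreadsheet-style register just described: each row carries the risk, its likelihood and impact, the cost of the chosen controls, the owner and the response decision, and a small audit checks that the documented decisions line up with the stated risk appetite. The column names, the 1-to-5 scoring, the appetite threshold of 8 and the four sample rows are constructed assumptions.

```python
"""A minimal risk register with a risk-appetite alignment check.

Added example, not from the video. Column names, the 1..5 scoring, the
appetite threshold and the sample rows are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass

# The four response strategies from the video.
RESPONSES = ("avoid", "transfer", "mitigate", "accept")


@dataclass(frozen=True)
class RegisterEntry:
    risk_id: str
    description: str
    likelihood: int          # 1..5, from the qualitative scale
    impact: int              # 1..5
    mitigation_cost: float   # annual cost of the chosen controls
    owner: str               # business owner of the risk; empty if none recorded
    decision: str            # one of RESPONSES

    def __post_init__(self):
        if self.decision not in RESPONSES:
            raise ValueError(f"{self.risk_id}: unknown decision {self.decision!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: scores must be between 1 and 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def load_register(csv_text: str):
    """Parse a spreadsheet export (CSV text) into register entries."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        RegisterEntry(
            risk_id=r["risk_id"].strip(),
            description=r["description"].strip(),
            likelihood=int(r["likelihood"]),
            impact=int(r["impact"]),
            mitigation_cost=float(r["mitigation_cost"] or 0),
            owner=r["owner"].strip(),
            decision=r["decision"].strip().lower(),
        )
        for r in rows
    ]


def audit(register, appetite: int):
    """Return (risk_id, finding) pairs where the register is out of line.

    Two checks: every risk needs a named business owner, and a risk scored
    above the appetite must not simply be accepted without that being flagged.
    """
    findings = []
    for entry in register:
        if not entry.owner:
            findings.append((entry.risk_id, "no risk owner recorded"))
        if entry.decision == "accept" and entry.score > appetite:
            findings.append((entry.risk_id, f"accepted with score {entry.score} above appetite {appetite}"))
    return findings


def mitigation_budget(register) -> float:
    """Total annual spend on risks that are being mitigated or transferred."""
    return sum(e.mitigation_cost for e in register if e.decision in ("mitigate", "transfer"))


# Constructed sample register; scores are likelihood x impact on the 1..5 scale.
SAMPLE_REGISTER = """\
risk_id,description,likelihood,impact,mitigation_cost,owner,decision
R-001,Ransomware on file servers,4,5,25000,IT Director,mitigate
R-002,Lost or stolen laptops,5,2,3000,Helpdesk Manager,mitigate
R-003,Legacy FTP server exposed to the internet,3,4,0,,accept
R-004,Vendor data-center fire,1,5,12000,CFO,transfer
"""
APPETITE = 8  # assumed: the executive-approved maximum score to accept without escalation

if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    for risk_id, finding in audit(register, APPETITE):
        print(f"{risk_id}: {finding}")
    print(f"annual mitigation and transfer spend: ${mitigation_budget(register):,.2f}")
```

The audit is deliberately narrow: it does not second-guess a decision, it only surfaces an accepted risk that sits above the appetite so that the owner, usually an executive, can confirm it in writing.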
I want to highlight those terms real quick.
Risk tolerance, or appetite, is the amount of risk a business, or even an individual, is willing to accept.
It should also be documented, and it comes from a business decision maker within the organization, usually some type of executive.
Make sure you're documenting risk, no matter what it's for.
A common risk we see within almost every organization is the supply chain. Think of it as third-party risk. Who are you doing business with who has access to your assets, to your network, to your data?
That's the supply chain. Who supplies you with information, or who do you supply with information?
You should assess their risks, making sure their security posture is aligned with yours and that they have the necessary security controls in place,
to make sure your risk tolerance is at the right level with respect to that third-party vendor.
There are numerous checklists you can use as part of this, but it is a normal duty.
A common area of risk for organizations is associated with change.
A change can cause a risk,
so risk assessments should be part of your organization's change management processes,
so that you are aware of a change occurring, such as installing a patch.
Have you assessed the risk associated with that change?
What about the risk to the system afterward? Any time you change a system, you could be incurring new risks, so you may want to conduct a new risk assessment at that point.
The last part of this section I want to discuss is assessment testing.
As mentioned, after you have a change you may want to retest your environment to see where
threat vectors or vulnerabilities may reside. Have you mitigated the vulnerability, say, by applying baselines or patching?
So it's part of the risk analysis and assessment process.
It provides visibility into the different risk components, so it gives you an idea of where your risks may lie, say, after a change. It could include penetration testing or vulnerability assessment.
It may also be a type of tabletop exercise, which we'll talk about more when we discuss incident response and disaster recovery.
Just because you've mitigated a risk does not mean you're done, though. Take the time to test it.
To help you prepare for your Security+ certification exam, let's walk through a few questions you might expect to see.
Choose the best term for the risk strategy accomplished any time you take steps to reduce risk.
The answer is
risk mitigation.
Conducting a risk analysis, if you calculate the SLE to be $5,000 and it's known there will be five occurrences in a year,
then the annual loss expectancy is
A, B, C, or D.
This is where you need to know that equation.
The answer is A:
ALE equals SLE times ARO, in this case
$5,000 single loss expectancy times an annual rate of occurrence of five.
This concludes section 5.3 on explaining risk management processes and concepts.
Through these two videos, we covered threat assessments, the different types of risk assessments, qualitative and quantitative, the process for conducting a risk assessment,
as well as working the risk equations and documenting the results in a risk register.
Refer to your study materials, and I wish you the best as you move forward in studying for Security+.