Risk Avoidance

Video Transcription
00:00
This is Risk Management in Information Technology.
00:03
In our previous lesson, we discussed risk mitigation as part of risk management.
00:09
This lesson is about risk avoidance.
00:12
We will be discussing different risk avoidance scenarios and different examples of how this is done depending on the risk level.
00:20
Risk avoidance is a practical but business-restrictive solution.
00:25
This is because avoiding the risk at scale can be impractical.
00:29
This is also a form of risk mitigation: removing the threat itself by eliminating processes, procedures and resources so that the threat is removed.
00:38
With that in mind, let's talk about scenarios for how risk avoidance can be done in a small-risk environment, a medium-risk environment or an enterprise setting.
00:47
The risk is determined as low if there is no significant loss when the threat is realized.
00:53
A medium-sized risk is where there is substantial loss when the threat is realized.
00:58
Enterprise level risks are geared towards large size businesses with 50 employees or more.
01:04
Here is one risk avoidance scenario.
01:07
Our CEO read that FTP is insecure at a webinar he attended.
01:11
He requests the team to remove FTP access and usage across the company and any third party vendors.
01:19
The problem is that a lot of these scripts have already been developed over the years and are reliable.
01:25
And moving toward another solution will take
01:26
retraining and new servers.
01:30
With low risk avoidance, we can remove FTP from unnecessary machines, centralize FTP to a few servers and restrict access to the service by AD group or some other mechanism.
01:41
Another control that can be used is to upgrade
01:44
the built-in FTP server to a vendor-based FTP solution. This may require a purchase. We also schedule regular patches on the server and the FTP software.
01:53
With medium risk avoidance, we can remove FTP from unnecessary machines,
01:57
centralize SFTP to a few servers and restrict access to the service by AD group.
02:02
Another control can be to upgrade scripts from FTP to SCP,
02:06
which is encrypted and more secure.
02:08
We could schedule regular patches on the server and SCP software as well.
02:14
With enterprise risk avoidance, we can prevent the use of FTP via firewalls or network filtering.
02:20
We can then centralize the use of SCP or FTPS to a few servers,
02:25
then restrict access to the servers by AD group and allow only service account access to the SCP or FTPS servers.
02:35
Another control that can be used is to upgrade the scripts to use a properly secured and configured file transfer service.
02:43
This can be an online service like Tumbleweed, Box, Dropbox or S3.
02:49
We can schedule regular patches on the server and SCP software.
02:53
Another layer of control can be restricting access and separating shares for dev, test and production.
03:01
Here's another risk avoidance scenario. Our lead developer decided that Java is no longer a viable solution.
03:07
She contends that the upgrade process has become too cumbersome and the patches have been harder to manage.
03:14
She then requested the team to move forward to a relatively
03:16
more supported programming language such as C#, which is Microsoft's .NET solution and is Java compatible.
03:24
With low risk avoidance, we can migrate the code and recompile using C#, which is a Java-like language, or any newer programming language such as Python or Go.
03:36
We can deploy and test the code or software before migrating this to production.
03:43
Under medium risk avoidance, we can migrate the code and recompile using C# or any newer programming language.
03:51
We can deploy and test the code or software.
03:53
We can also conduct a peer review, which is having another pair of eyes take a look at the logic before migrating this code to production.
04:02
Under enterprise risk avoidance,
04:05
we can migrate the code and recompile using C# or a newer programming language.
04:11
We can deploy and test the code in a QA environment with production-like data.
04:15
We can then perform a code review
04:17
and check the code into the repository.
04:20
With enterprises, change requests are required for coordinating changes that are approved by the change committee, which ensures no change affects another change going on in the environment.
04:31
Change controls are also required
04:35
to have a specific date and time to deploy, as well as rollback procedures if the deployment has issues.
04:45
Time for a quick quiz.
04:47
True or false:
04:48
Risk avoidance is a form of risk mitigation.
04:54
True or false?
04:57
And the answer is true.
04:58
Risk avoidance is indeed a form of risk mitigation.
05:02
An example scenario: the FTP migration to SSH is a part of
05:08
A, low risk avoidance,
05:10
B, medium risk avoidance, or C, enterprise risk avoidance?
05:15
And the answer is B:
05:17
the FTP migration to SSH is a part of medium risk avoidance.
05:25
An example scenario: change requests are part of
05:29
A, low risk avoidance,
05:30
B,
05:31
medium risk avoidance, or C, enterprise risk avoidance?
05:36
And the answer is C: change requests are part of enterprise risk avoidance.
05:44
In summary,
05:46
we discussed risk avoidance,
05:46
which is a practical but business-restricting solution,
05:50
as well as different risk avoidance example scenarios and solutions.
05:57
This is instructor Robert Ghana.