Okay, let's talk about risk assessment, Domain 13 from our class on Special Publication 800-171, and we're getting there. We've got 14 requirements and we're moving right along. This is Requirement 11.
So our first, and our only basic, security requirement here is that we're periodically going to assess the risk to our assets and our organizational operations.
And keep in mind that assets aren't always tangible. Yes, there's our software, our hardware, the risks that are presented to our data,
but also things like the company's reputation,
our credit rating, our functions, customer opinion of our organization. So there are a lot of things that can affect us that aren't necessarily linked to the loss of a product or hardware or software. So we've got to think about those organizational operations,
we think about our company-wide assets, we think about people, certainly one of our bigger assets,
and ultimately the risks that stem from compromise or loss of our controlled unclassified information. So ultimately, we talk about risk assessment as being a continual process; you know, every decision that we make comes down to risk assessment. Really, risk management as a whole, in fact,
when we talk about IT security, all of that is risk management.
You look at your assets and figure out what they're worth.
Then you look at the threats and vulnerabilities to your assets. When we talk about threats, those are things that can cause harm, whereas your vulnerabilities are weaknesses. You really only have a threat where you have both a weakness and a potential for harm, so
you only have a risk if you have a threat and a vulnerability; that's ultimately what I'm saying there.
So we look at our threats and our vulnerabilities. Then we look at probability and impact of exposure. How likely is it to happen? And if it does happen, how large an event is it? Okay, what we're trying to come up with there really is a value for the risk. Now keep in mind,
all of risk is about uncertainty.
So for me to say there's a 30% chance we'll have a fire, and if a fire does happen, we'll lose 25% of our building, that's going to be very difficult, or even more difficult, what percentage of my
reputation would I lose, or how will that translate to dollars? So risk assessment can be very, very complex and difficult. But it's something that we absolutely have to have. Because once I get that value for a risk, what we're going to do is look at our loss potential, match that up against the cost of countermeasures and controls,
and do a cost-benefit analysis.
You know, I'm not going to spend $50 to protect a $20 bill, right? So we're going to base all decisions on the controls that we implement on that cost-benefit analysis. And even once we've made our selections, you know, we have to reassess these risks because, as we've already talked about, the threat landscape is ever changing.
All right, so our derived security requirements are: we've got to scan for vulnerabilities, right? We've got to look for our weaknesses in the system. So we do our vulnerability scans, perhaps our pen tests, and we do this periodically so that we can keep track of any vulnerabilities
as new threats are identified, new systems are brought into the environment,
the infrastructure changes. Ultimately, we scan for vulnerabilities on a periodic basis, but also as risk changes, and risk would mandate how often we scan, all right. And then the second derived requirement is fix what you found, right? Remediate these vulnerabilities
in accordance with the assessments of risk.
I do want to stress that remediating the vulnerabilities does not bypass change control and configuration management. Right? We find a weakness, we report on that weakness, then it's up to senior management to dictate how we're going to respond. And ultimately, those proposed changes will go through change control, just like we'd expect.
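As an added example, not part of the lecture, here is the quantitative form of the cost-benefit reasoning above in Python: each risk is valued as SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence, a control is accepted only when the loss it avoids per year exceeds what it costs per year (the "$50 to protect a $20 bill" test), the decision is re-run at the low and high ends of the probability estimate because risk is about uncertainty, and findings are ranked by ALE so remediation order follows the risk assessment. All names, dollar figures and rates (FIRE, SPRINKLERS, RANSOMWARE and so on) are constructed for illustration and are assumptions, not figures from the course.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against one asset, valued in dollars.

    asset_value may be an estimate for an intangible asset (reputation, credit
    rating); exposure_factor is the fraction of that value lost per event and
    aro is the annualized rate of occurrence (expected events per year).
    """
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        """Single loss expectancy: the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: the risk value fed into cost-benefit."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure: its yearly cost and the fraction of the
    risk's ALE it is expected to remove (0.0 = no effect, 1.0 = eliminates it)."""
    name: str
    annual_cost: float
    risk_reduction: float


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is in place."""
    return risk.ale() * (1.0 - control.risk_reduction)


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return (risk.ale() - residual_ale(risk, control)) - control.annual_cost


def worth_implementing(risk: Risk, control: Control) -> bool:
    """Only spend on a control if it avoids more loss than it costs."""
    return net_benefit(risk, control) > 0


def decision_is_robust(risk: Risk, control: Control,
                       aro_low: float, aro_high: float) -> bool:
    """Re-run the decision at both ends of the ARO estimate; True only if
    the control still pays off whether the low or the high guess is right."""
    lo = Risk(risk.name, risk.asset_value, risk.exposure_factor, aro_low)
    hi = Risk(risk.name, risk.asset_value, risk.exposure_factor, aro_high)
    return worth_implementing(lo, control) and worth_implementing(hi, control)


def rank_by_ale(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Highest ALE first: the order in which findings should be remediated."""
    return sorted(((r.name, r.ale()) for r in risks),
                  key=lambda t: t[1], reverse=True)


# Constructed sample figures (assumptions for illustration, not from the course).
FIRE = Risk("building fire", asset_value=2_000_000, exposure_factor=0.25, aro=0.3)
SPRINKLERS = Control("sprinkler system", annual_cost=20_000, risk_reduction=0.8)

TWENTY_DOLLAR_BILL = Risk("cash in the drawer", asset_value=20, exposure_factor=1.0, aro=1.0)
FIFTY_DOLLAR_SAFE = Control("safe", annual_cost=50, risk_reduction=1.0)

RANSOMWARE = Risk("ransomware on file server", asset_value=400_000,
                  exposure_factor=0.5, aro=0.2)


if __name__ == "__main__":
    for risk, control in ((FIRE, SPRINKLERS), (TWENTY_DOLLAR_BILL, FIFTY_DOLLAR_SAFE)):
        verdict = "implement" if worth_implementing(risk, control) else "reject"
        print(f"{risk.name}: ALE ${risk.ale():,.0f}; {control.name} net benefit "
              f"${net_benefit(risk, control):,.0f} -> {verdict}")
    print("robust to ARO 0.1..0.5:", decision_is_robust(FIRE, SPRINKLERS, 0.1, 0.5))
    print("remediation order:", rank_by_ale([TWENTY_DOLLAR_BILL, RANSOMWARE, FIRE]))
```

With these numbers the sprinkler system avoids $120,000 of expected loss a year for $20,000, so it is accepted even if the fire probability was guessed three times too high; the $50 safe for the $20 bill is rejected with a net benefit of -$30. The ranking puts the fire ahead of the ransomware scenario, which is the order remediation should follow when, as the second derived requirement says, vulnerabilities are fixed in accordance with the assessment of risk.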