Risk Findings and Decisions

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
>> Welcome back to Cybrary's [inaudible] course. I'm your instructor, Brad Rhodes. Let's talk about risk findings and decisions. In this video, we're going to look at a risk model, we're going to talk about risk assessments in general, and then we're going to review and talk about risk-based decisions at the different management tiers.

This is the risk model as shown to us from the National Institute of Standards and Technology. I really like this chart. I'm going to highlight some important stuff on it. One, this is based on different systems, so this could be a systems-level approach, this could be a requirements-level approach. We start with a threat source, and we're looking at intent. So if there's intent, that's obviously a threat. We're going to look at a threat event. That could be something that happens. As you can see, a threat source has to initiate the threat event, and then they have to exploit something here; they have to exploit a vulnerability. Vulnerability is tied to severity, to some predisposing conditions, and then to what the controls are and how effective they are.

I want to stick on this middle chart here for just a second. Predisposing conditions. If you deploy Windows XP as your primary operating system, you know that it comes with a large chunk of vulnerabilities out of the gate, so you have predisposing conditions, so your security controls hopefully are pretty darn good. But again, we know that there are some security controls that can't actually be implemented in that case because the operating system is so old, and so it's important to understand the vulnerabilities of your systems as you use them. Then, obviously, the threat source event and a vulnerability that's been exploited cause some adverse impact, and that's what produces risk for our organizations. Each one of these factors or areas can have a direct linkage or impact on how risk is viewed or how risk is assessed in an organization.

When we talk about risk assessments, there are four steps. We're going to prepare. We're going to look at the organizational risk frame. So that's the attitude and appetite. We are then going to conduct a risk assessment. So using our model, we're going to look at sources and events, we're going to identify those vulnerabilities, and we're going to determine a likelihood of occurrence and the magnitude of impact, and this really, a lot of the time, especially in the commercial space, comes down to dollars. Then we're going to determine what our risk is. An important step here is communicating the results. As an [inaudible], when you're working on risk assessments, if you come across a severe risk, a high-risk item, don't sit on it. You need to communicate those results so that we can make decisions faster and better at the leadership level. Then of course, step 4, just like everything else we've talked about with risk, it's a continuous process: you maintain that assessment. If a system changes significantly because of, say, a technology stack swap-out, you have to go back and redo that risk assessment based on new vulnerabilities, new predisposing conditions, and new likelihoods and magnitudes. This is really meant to demonstrate that risk assessments are a continuous process like everything else we do in risk management.

Let's talk about risk-based decisions or responses. That's done in the frame of our three-tier model. We're going to start at the bottom. Tier 3 is our system owner. So our folks that are hands-on keyboard. They don't make decisions or do things with their systems unless they have guidance from above, from tier 2 and tier 1. Tier 2 is obviously our mission or business process owners, that's our departments, and then tier 1 is our executives or our organization enterprise frame. Well, at the tier 2 level, that's where we're looking at those functions. What are the assumptions, constraints, priorities, trade-offs that have been directed to tier 2 from tier 1? Tier 1 are executives, think our C-suite, and this is a lot of times where [inaudible] spend their time: discussing the decisions that need to be made about risk is with the executive level. Well, the executive levels, remember, do that strategic frame. They define what an organization's mission and vision are and where they're going to go, and ultimately, that drives the risk attitude and appetite in the context of the organization. You can see all of these are listed, and you can see we do assessments, we respond, and we monitor. This is a continuous cycle across the triangle of our organizational risk areas of tier 1 organization, tier 2 mission business process, tier 3 information systems. We've touched on this triangle multiple times. So it's probably a clue to you that you should keep track of that and value that that's important in the context of the [inaudible] content.

What did we cover in this lesson? We looked at a risk model. It's a great model. You need to know that model for the [inaudible] content. Risk assessments: continuous. Key thing in risk assessments: communication early of high-risk items, and then of course, risk-based decisions, which vary depending on where you're at in the triangle. If you're an executive, you make a different set of decisions from mission and business, than from our system owners. These areas are going to be driven based on organizational contexts, and those risk-based decisions are going to have a direct impact on how an organization works through issues when it comes to vulnerabilities. We'll see you next time.