Risk Identification


Course time: 8 hours 25 minutes. Difficulty: Advanced. CEU/CPE: 9.
Video Transcription

>> So we've talked about risk assessment involving three pieces: risk identification, risk analysis, and then risk evaluation. Let's start off with risk identification. We are trying to identify risks, but there's more to identifying risks than just thinking of bad stuff that can happen, right? We want to take a look at our assets. Usually we start with our assets. We figure out what's valuable to us. How valuable is it? What are our assets? What are they worth? From there we try to figure out what things could threaten those assets, and we also want to figure out any vulnerabilities that would exist that would allow that asset to be compromised. We can think of all the bad things in the world that could ever happen. But that's not risk identification. Remember, you only have a risk where an asset meets a threat, meets a vulnerability. So we have to look at all of those. Of course, we're going to start with our assets. But then we've got to figure out what threats there are.

One of the ways that we can come up with threats or brainstorm threats is we can do some threat modeling, where we examine maybe processes or assets and we go through a methodical process to determine what risks exist, what threats exist. For certain industries or certain disciplines, there are certain threat models that you use, like for instance, software development or systems engineering. But we follow those through in a methodical approach. We can also use risk scenarios as tools that help us examine, again, looking at our asset and thinking about what could threaten it: how, who, what, when, where, why, almost through a risk scenario.

Then the other piece that we're going to do: we're going to identify assets, identify threats, identify vulnerabilities, and then the other piece to this is, once we have this information or even before that, we're going to develop a document called a risk register. That risk register is an important document because this is where we're going to store our information about risk. It's not public. It's available on a need-to-know basis because we don't want to publish every risk and every vulnerability that we have. However, for folks on the risk team or for senior leaders or, again, those with a need to know, this is a place to have central access to the information on risk: what the risks are, what their priorities are, mitigation strategies, status updates, all those pieces of information. We need a central location, and that's the risk register. We're going to be creating it in this phase of risk assessment as well.

Now with our first piece, identifying assets: anything of value to you and your organization. So certain things come to mind immediately. We think about our data. Data isn't tangible. You can't really hold that. Certainly not your digital data, your digital assets. Certainly those are assets very valuable to us, but how valuable? The difficulty can really be, identifying assets, fine, easy enough, but figuring out what they're worth, especially when you have intangibles. What is my data really worth? Well, what type of data? What's the impact if the information is compromised? We can think about it in terms of impact. Think of impact to the business specifically. Does it impact the day-to-day operations? Are we able to accomplish our goals and objectives without it, or does it bring us to a screeching halt? So we have to prioritize our data and, based on that, determine what its value is.

Now at this point, a classification scheme is really helpful, or strategy, or classification program, however you want to look at this. But the goal of classification is to help me categorize my assets based on pre-defined criteria. So basically, identify assets, figure out their value. Then we're going to assign them a label based on their value, called the classification label. Now in the government, military, we think of things like top secret, secret, and confidential. But the private sector also uses labels as well to classify data. So they might have "for internal use only" or "confidential". In the private sector, generally that's their most sensitive information. But every organization can have their own classification scheme. But the bottom line is, after we've identified those assets, we figure out their value. Then we classify them based on predetermined criteria, and then based on that predetermined criteria, we can then add security controls. So you can think of classification as three Cs: cost, classify, control. We figure out what they're worth. That's the cost piece. Classify them according to pre-defined criteria, and implement controls to protect them properly. That goes hand in hand with risk management. What we're concerned with right here at the identify assets piece is just identifying the assets and figuring out their value. But when we get into risk mitigation, that's where we talk about adding controls in order to lessen the risk, in order to protect the assets.

Assets, their value comes from lots of different directions. So it's not always just dollar value. When we're thinking about things like reputation, it's really hard to put a dollar value on an organization's reputation. Customer confidence, brand recognition. Those things are difficult. It's very hard to get a quantitative dollar value for some of your assets. But we need to try. The other thing is that when we come to things like, what's another impact on assets, maybe it might be some partial loss for specific risks and threats. We'll have to calculate values for threats and vulnerabilities a little bit later, and probability and impact. A lot of work in risk management is difficult to quantify. That's why we can use qualitative analysis, which we'll talk about in the next section, or a couple of sections down the line. We do the best we can. What are our assets? What are they worth? That information is going to lead us down the line to figure out how to protect them.