So if risk management is our first step of the risk management lifecycle, let's go ahead and talk about that.
And let's compare and contrast it to some of the other steps.
Okay, So when we start with risk management, like I just mentioned, we've got four stages of the life cycle and this is the very first.
So when we look at risk management, what this is all about is identified.
I want to identify assets, threats and then ultimately find out where my weaknesses are.
What I've learned in risk identification is gonna feed into risk assessment.
All right, so figure out what my assets are in what they were,
and I look at things that would propose harm to the asset.
Now, identify what controls are in place because rarely are you going to just walk into an organization and they have nothing, right? No security program, no controls. So something's in place. I'm gonna identify what's in place and determine how much residual risk is left over.
So when we talk about identifying vulnerabilities,
in addition to control center their way almost assuredly have some weaknesses still left over.
Well, if we've got those weaknesses. What would the damage be if those weaknesses were compromised?
And then, of course, that's gonna lead into risk assessment. So really, these five kind of bullet points or what we're looking for with identify risk
now there are a 1,000,000 ways to identify risk within your organization. I mean, look around, right. But senior management's responsible for due care and due diligence and due diligence says We've got to go out and educate ourselves.
We've gotta look for industry standards and understand what those are. We need to understand laws and regulations that are applicable to us. What drivers are there within industry? What do our stakeholders expect? What do our customers expect?
We can look at audit logs and honeypot logs, intrusion to *** detection system logs.
We can watch the media because it seems like to me
every week there's an organization that's being compromised, and I almost wonder each Monday when I wake up Well, who's it gonna be this week?
You know, we've seen Facebook and Yahoo and linked in and Home Depot and on and on and on Target and all these others,
so really part of just staying knowledgeable and aware of the environment is looking, what's going on currently
all right, with risk, culture and communication. So the idea is that it's not enough for senior management toe. Understand what the threat landscape is or you know what our overview
that philosophy is. We've got to communicate that to our employees. We've gotta raise awareness. We've got to talk in clear and honest terms. We've gotta have them understand what our risk context is, what's at stake
and making sure that our employees understand that. Because many times we have employees that are a little bit lax with policies, and I know that's every, well where. But if we can help them understand
Ideally, they will have greater buyin
all right now. Risks, of course, are relevant to us
on Leah's. They support the business.
So when we're determining where to prioritize and how to prioritize which risks get the most money for us to address, the idea is those areas with the least amount of tolerance.
That's what we've got to spend our money on, right, so we have to know from senior management. They've got a really prioritize, and when senior management prioritizes our risk. There's a much greater likelihood we're gonna be in alignment with business goals and object.
Like we've said throughout I t people wanna prioritize and they want bigger, better, louder, faster controls and technology and equipment devices.
But senior management has to say, Listen,
you guys were here just to support the business unit and here's the degree of security, the business unit
and this is our top priority than this unit and then this unit.
So again, senior management really has to be in there. Otherwise, you're gonna have an I T department prioritizing risks based on the technology that may not sign. That may not wind up meeting the goals of the organization.
Now an organization should have three levels of defense.
Okay, there should be the business units themselves. The business units are involved in overseeing that risk. Management is implemented. Risk management controls are implemented that there's a risk process in place.
They want to make sure that the controls are applied properly,
all right, and then we back up and that second line we look for senior management to put the policies and procedures in place.
They're the ones who ultimately guarantee its compliance with walls and regulation.
And then that third step is gonna be audit
where audit goes through
with read only. There's never a point in time when an auditor will make a change right in autumn on auditor documents and report.
And what they're looking for is,
are we following policy as laid out by senior man?
Okay, so those are the three lines of defense and you'll notice down the bottom. A racy chart is mentioned
and racy stands for responsible, accountable
And so really, the accountable is kind of the buck stops here. It's their their ultimate requirement
provide these elements. It's their ultimate requirement that they protect the assets of the organization. And if they don't, it really is on their shoulder.
Now responsible means that we're the worker. Bees were the ones who do
you know, senior management dictates what's happening, and then responsible people go through and implement the strategy.
Consult means I'm gonna get together and work with someone before the decisions made, and then inform means I'm gonna tell you happen,
right? So racy, responsible, accountable consult. And in four
risk controls proactive and reactive needs to come from a lot of different categories.
Segregation of Judy's, job response, a rotation,
mandatory vacations, M of in control, secure state principle of LISE privilege need to know, acceptable use policy and data and system ownership.
We're going to go through each of these terms