Risk Identification

Time: 14 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
If risk management is our first step of the risk management life cycle, let's go ahead and talk about that. Let's compare and contrast some of the other steps. When we start with risk management, like I just mentioned, we've got four stages of the lifecycle and this is the very first. When we look at risk management, what this is all about is identifying. I want to identify assets, threats, and then ultimately find out where my weaknesses are.

What I've learned in risk identification is going to feed into risk assessment, so figure out what my assets are and what they're worth. I look at things that would pose harm to the assets. Now, identify what controls are in place, because rarely are you going to just walk into an organization and they have nothing, no security program, no controls. Something's in place. I'm going to identify what's in place and determine how much residual risk is left over. When we talk about identifying vulnerabilities, what that means is, in addition to controls that are there, we almost assuredly have some weaknesses still left over. Well, if we've got those weaknesses, what would the damage be if those weaknesses were compromised? Then, of course, that's going to lead into risk assessment. Really, these five bullet points are what we're looking for with identify risks.

Now, there are a million ways to identify risk within your organization. Look around. But senior management is responsible for due care and due diligence, and due diligence says we've got to go out and educate ourselves. We've got to look for industry standards and understand what those are. We need to understand laws and regulations that are applicable to us. What drivers are there within the industry? What do our stakeholders expect? What do our customers expect? We can look at audit logs and honeypot logs, intrusion detection system logs. We can watch the media, because it seems like to me every week there's an organization that's being compromised. I almost wonder each Monday when I wake up, well, who's it going to be this week? We've seen Facebook, and Yahoo, and LinkedIn, and Home Depot, and on, and on, and on, Target, and all these others. Really, part of just staying knowledgeable and aware of the environment is looking at what's going on currently.

With risk culture and communication, the idea is that it's not enough for senior management to understand what the threat landscape is or what our overview philosophy is. We've got to communicate that to our employees. We've got to raise awareness. We've got to talk in clear and honest terms. We've got to have them understand what our risk context is, what's at stake, and make sure that our employees understand that, because many times we have employees that are a little bit lax with policies, and I know that's everywhere. If we can help them understand what's at stake, ideally, they will have greater buy-in.

Now, risks, of course, are relevant to us only as they support the business. When we're determining where to prioritize, and how to prioritize, which risks get the most money for us to address, the idea is those areas with the least amount of tolerance. That's what we've got to spend our money on. We have to know from senior management; they've got to really prioritize. When senior management prioritizes our risk, there's a much greater likelihood we're going to be in alignment with business goals and objectives. Like we've said throughout, IT people want to prioritize and they want bigger, better, louder, faster controls in technology and equipment devices. But senior management has to say, listen, you guys are here just to support the business unit, and here's the degree of security the business unit needs, and this is our top priority, then this unit, and then this unit. Again, senior management really has to be in there. Otherwise, you're going to have an IT department prioritizing risks based on the technology that may not wind up meeting the goals of the organization.

Now, an organization should have three levels of defense. There should be the business units themselves. The business units are involved in overseeing that risk management is implemented, risk management controls are implemented, that there's a risk process in place. They want to make sure that the controls are applied properly. Then we back up and that second line, we look for senior management to put the policies and procedures in place. They're the ones who ultimately guarantee us compliance with laws and regulations. Then that third step is going to be audit, where audit goes through with read-only. There's never a point in time when an auditor will make a change. An auditor documents and reports. What they're looking for is, are we following policy as laid out by senior management? Those are the three lines of defense, and you'll notice down the bottom, a RACI chart is mentioned.

RACI stands for Responsible, Accountable, Consult, and Informed. Really, the accountable is the buck stops here. It's their ultimate requirement that they provide these elements. It's their ultimate requirement that they protect the assets of the organization. If they don't, it really is on their shoulders. Now, responsible means that we're the worker bees. We're the ones who do. Senior management dictates what's happening and then responsible people go through and implement the strategy. Consult means I'm going to get together and work with someone before decisions are made. Then inform means I'm going to tell you it happened. RACI: Responsible, Accountable, Consult, and Informed.

Now, risk controls, proactive and reactive, need to come from a lot of different categories: segregation of duties, job rotation, mandatory vacations, and within control, secure state, principle of least privilege, need to know, acceptable use policy, and data and system ownership. We're going to go through each of these terms in the next segment.