Risk Identification

Time: 9 hours 49 minutes
Difficulty: Beginner
CEU/CPE: 10
Video Transcription
00:01
>> The first step of the risk management life cycle is risk identification. This is our first step. What we're doing here is just that. All we are trying to do is to identify risk. We're not talking about value, we're not talking about responding. What we want to do is take a step-by-step process where we can figure out what risks exist.

Usually we do this based on our assets. We often start with our assets, then we look at the things that would threaten the assets and what vulnerabilities exist. But in this first piece, those are the three elements we're exploring. We're just looking at assets. Things that would harm the assets are threats, and weaknesses, or vulnerabilities, that allow that threat to exist or to damage an asset.

We're going to document this information through something called a risk register. A risk register can be provided to us through risk-related software. We can design our own risk register. We can bring one in through Excel or create it. But ultimately that risk register is going to be a central repository for information on risk.

Now, here's an example of a risk register. Like I have here, asset value times threat times vulnerability is your risk. Now, this isn't something that you're going to plug values into. This is just a conceptual formula that tells you, you only have a risk where you have a valuable asset, there's a threat that could cause harm to the asset, and there's a weakness that allows the threat to materialize.

We are just listing here. As a matter of fact, I'll tell you this risk register is fine, but you'll see other risk registers, maybe that you'll like better, or one that you customize. But usually on the risk register, you can see the first category to identify risks. Each phase of the risk management life cycle usually has associated entries on the risk register. For instance, in risk identification, really all we're figuring out is the first and maybe the category, where we're just filling in that first column of the risk register.

Now for me, I might also include a column on the owner of the risk, because that's really how you get accountability. That's how you get additional assurance that the risk is going to be managed properly: you assign it to an individual. Somebody has to have a little skin in the game in order to properly ensure the risk is mitigated. If I find out that this is a technology risk, for instance, then I may assign it to the Chief Technology Officer, and they may be the owner of that risk. The risk owner does need to be somebody high enough within the organization so that they can authorize changes, authorize risk response, and so that they can monitor to ensure the control appropriately manages risks.

But again, all we're doing here at the risk identification piece is focusing on the assets, threats, and vulnerabilities. With our risk register, we're not really going to list out our assets. Those should be done earlier on a separate document based on asset management. But we're going to list out our risks, which are made up of where a threat meets a vulnerability. Then we're going to assign a risk owner to that risk, and all of this information is going to be captured and documented on the risk register.

Remember, risk identification stops here. The next section is where we're going to figure out the probability and impact of the risk and get our risk value.