Risk Mitigation

00:01

This is risk management information technology. In our previous lessons, we discuss risk assessment processes.

00:08

Now we'll be discussing different risks responses. Management can use address the risk.

00:14

This lesson is about risk mitigation.

00:16

We will be discussing different risk mitigation scenarios and different examples on how this is done, depending on the risk level.

00:24

Risk mitigation is the most common way of handling risk.

00:27

Management decides on what to implement as safeguards or countermeasures to handle the threat.

00:32

It is also the most cost restrictive solution,

00:35

meaning that the cost of the solution will determine whether management will apply the countermeasure or safeguard or not.

00:43

With that in mind, let's talk about scenarios on how risk mitigation can be done in a small risk environment, a medium risk environment or an enterprise setting.

00:53

The risk is determined as low if there is no significant loss when the trenches realized

00:59

a medium sized risk is where there is substantial loss. What the threat is realized.

01:03

Enterprise level risk is geared towards large sized businesses with 50 employees or more.

01:11

Let's start by talking about this scenario. Our businesses hiring temporary contractors for development.

01:17

We hired a company to requested their team of developers logging on to the network as part of the contract and will be assigned user access to the database and servers.

01:26

The developers are requesting direct administrator access to the surface and databases.

01:30

The developers were coming and out of the office and use their own laptops.

01:37

In our environment. There is no formal password enforcement.

01:40

Active directory is available, but only for centralized server logins. For most servers.

01:45

A lot of the service are still off the domain, mostly development and test service for ease of development.

01:51

Database access is accessible to all users and have no restrictions.

01:56

Laptops used by developers are not monitored scanned and potentially used at home.

02:00

Pastors between servers do not follow any policy

02:05

for this scenario. Using low mitigation solutions, we identified mitigating controls for risk involved

02:10

for laptop insecurity. We can request that the developers install anti fires and malware detection software as well as probiotic updates

02:21

for universal database access. We can restrict the database to do the only appropriate users and enforce the use of of managed database account for production access.

02:30

We can improve password security by enforcing complex passwords and create an 80 group with rights restricted to the service acquiring access.

02:40

In immediate risk scenario,

02:43

we had a few more controls, such as preventing use of external laptops and providing in house devices with domain membership, batch management,

02:51

antivirus and malware detection

02:54

to mitigate database concerns, we had test database instances with test data restrict access to production database for only authorized users and user managed database account for production access.

03:07

We can also enforce documentation for development and co delivery

03:10

and forcing a more stricter password policies also recommended.

03:15

And of course the same restrictions to service

03:17

To the members of the 80 group

03:20

for Enterprise risk mitigation.

03:22

We take the media risk controls and elevate them further.

03:25

We can restrict installation for unauthorized software from regular users and infrastructure controls for installation and laptop management.

03:32

We can create two other different database synthesis with test data and force used to manage database account for production access.

03:40

We can also enforce the control where debates are the only ones who have access to implement production changes, along with change management control and track changes in the center repository.

03:52

We can also include back out the rollback plans. If the deployment fails,

03:57

Passenger rules can be improved by adding a 45 day password expiration and enforce its all users in the network

04:03

for the server admin access, we can enforce a separate elevated account instead of allowing the same accounts that users use on their workstations,

04:12

as you can see as you add more controls for risk mitigation. So does the cost of implementation

04:17

adding? Devious become expensive as we add more instances and databases

04:23

Managing the axis of machines and rights of users become exponentially expensive as we manage a 10,000 employee enterprise with adding or removing hundreds of users a day,

04:32

providing laptops and workstations and servers

04:35

and managing the security and patches on these devices and servers will require full time staff.

04:41

Let's do a quick quiz.

04:43

Which of the following is natural about risk mitigation.

04:46

Is it a it's the most common way of handling risk

04:49

be? It involves implementation of safeguards and countermeasures.

04:54

See it is the most cost restrictive solution

04:58

or D A transfers risk to a third party

05:02

and the answer is d

05:04

Risk mitigation does not transfer risk to a 3rd party.

05:12

In summary,

05:13

we talked about risk mitigation,

05:15

they talked about being a cost restrictive solution, and we discussed different risk mitigations. In our examples,