Risk Management Frameworks
Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Transcription
00:00
>> Hi there Cybrary friends and welcome back to
00:00
the HCISPP Certification course
00:00
, Risk Management Frameworks.
00:00
My name is Schlaine Hutchins,
00:00
and I'll be your instructor today.
00:00
In this video, we're going to
00:00
discuss the exciting subject
00:00
of risk management frameworks.
00:00
We'll review at a very high level
00:00
the NIST Four-Phase Process for
00:00
risk management and touch on some other frameworks.
00:00
I want to give a little detail
00:00
around the NIST Four-Phase model
00:00
for risk management from the NIST 839.
00:00
The steps in the risk management process are
00:00
not inherently sequential in nature.
00:00
The steps are performed in different ways,
00:00
depending on the particular tier where the step is
00:00
applied and on prior activities
00:00
related to each of the steps.
00:00
What is consistent is the outputs or
00:00
post-conditions from a particular risk management step.
00:00
They directly impact one or
00:00
more of the other steps in the process.
00:00
[NOISE] Framing the risk
00:00
establishes the context and provides
00:00
a common perspective on
00:00
how an organization manages risks.
00:00
Its primary output is to
00:00
produce a strategy that addresses how
00:00
an organization intends to assess
00:00
risk and respond to and monitor risk.
00:00
The risk management strategy makes
00:00
the specific assumptions, constraints,
00:00
risk tolerances, and priorities or
00:00
trade-offs used for making
00:00
investment and operational decisions.
00:00
The strategy also includes
00:00
how risks will be managed
00:00
by senior leaders and executives.
00:00
The risk assessment includes threats and
00:00
vulnerability identification and risk determination.
00:00
Threat identification requires examination
00:00
of threats sources and events.
00:00
Identifying the threat capabilities,
00:00
intentions, and targeting information
00:00
from all available sources.
00:00
Organizations with
00:00
more established enterprise architectures
00:00
and mature life cycle processes,
00:00
have outputs that can be used to
00:00
inform the risk assessment process.
00:00
For example, within an organization
00:00
that has an internal audit department,
00:00
a regular review and monitoring of
00:00
audit findings and the remediation activities,
00:00
can be an input into the risk management process.
00:00
If there's a particular area or finding that consistently
00:00
has weaknesses in the control or lack of controls,
00:00
that can identify a potential vulnerability.
00:00
Organizations can employ a variety of
00:00
approaches to determine the likelihood
00:00
of threats exploiting vulnerabilities.
00:00
Likelihood determinations can be based on
00:00
either threat assumptions or actual threat information.
00:00
For example, historical data on cyber attacks,
00:00
or specific information on
00:00
adversary capabilities in targeting.
00:00
Risk response includes risk response identification,
00:00
evaluation of alternatives, and
00:00
risk response decision and risk response implementation.
00:00
In addition to the risk assessment
00:00
and risk framing steps,
00:00
the risk response step can receive
00:00
inputs from the risk monitoring step.
00:00
For example, when an organization experiences a breach or
00:00
compromise to their information systems
00:00
or environments of operation,
00:00
that require an immediate response
00:00
to address the incident.
00:00
A risk response can be risk acceptance, avoidance,
00:00
mitigation, sharing,
00:00
transfer, or a combination of the above.
00:00
Lastly, in the process of risk monitoring,
00:00
which includes a risk of monitoring
00:00
strategy and risk monitoring itself.
00:00
A risk management strategy,
00:00
or risk monitoring strategy,
00:00
includes the purpose, type,
00:00
and frequency of monitoring activities.
00:00
Determining the purpose directly impacts
00:00
the means used to conduct the monitoring activities,
00:00
and where monitoring occurs,
00:00
such as at the risk management tier.
00:00
A strategy also determines
00:00
which type of monitoring will be employed,
00:00
including approaches that rely on automation or will be
00:00
procedural or manual and requires human intervention.
00:00
Finally, a strategy determines
00:00
the frequency that monitoring will occur.
00:00
Areas that are typically included in risk monitoring,
00:00
are monitoring for compliance
00:00
with legal and regulatory requirements,
00:00
internal policies and procedures
00:00
in the mission and business requirements,
00:00
or monitoring for effectiveness.
00:00
This type of monitoring is used to
00:00
determine if the implemented risk response measures
00:00
have actually been effective in reducing
00:00
the identified risk to the desired level.
00:00
Failure to achieve desired levels of
00:00
effectiveness may be an indication that
00:00
the risk response measures that have been implemented
00:00
incorrectly or are not operating as intended.
00:00
Monitoring changes to information systems
00:00
and environments of operations,
00:00
is not linked directly to
00:00
previous risk response measures,
00:00
but is important to detect changes
00:00
that may affect the risk to the operations,
00:00
assets, or individuals.
00:00
Other frameworks that you will hear
00:00
about and see in the study materials,
00:00
include those listed here,
00:00
but it's not an exhaustive list.
00:00
In my personal opinion,
00:00
HITRUST is not a true framework.
00:00
HITRUST combines various other frameworks.
00:00
They've done a magnificent job of mapping
00:00
all other frameworks such as NIST, COVEY,
00:00
COSO, ITIL, and
00:00
some regulatory requirements such as
00:00
HIPAA and some other state requirements.
00:00
In that mapping, they've broken out
00:00
into various categories, and that's HITRUST.
00:00
It is a very expensive process
00:00
to perform and while you may
00:00
conduct the self-assessment
00:00
after purchasing a subscription,
00:00
it can only be validated by hiring
00:00
an external third-party CPA or auditing firm,
00:00
who's been trained to conduct the assessments.
00:00
It is based on the five-level maturity model,
00:00
and you must achieve
00:00
at least the maturity level of three in most areas with
00:00
few corrective action plans for
00:00
controls that require remediation.
00:00
Again, this is just my personal opinion and
00:00
not the opinion of anyone else at Cybrary,
00:00
and that's all I'll say about that.
00:00
Now FAIR, is a framework and not a life cycle.
00:00
FAIR is a quantitative model for
00:00
understanding, analyzing,
00:00
and quantifying cyber risk and
00:00
operational risk in financial terms.
00:00
COSO identifies five areas of
00:00
internal control necessary to meet
00:00
the financial reporting and disclosure objectives.
00:00
They include control environment, risk assessment,
00:00
control activities,
00:00
information and communication, and monitoring activities.
00:00
Now, ITIL is not a framework,
00:00
but it is the IT infrastructure library
00:00
that's based on ISO 20000.
00:00
The ISO 20000 standard is focused on service management.
00:00
The thought is because risk
00:00
can disrupt service delivery,
00:00
there is some consideration of risk management,
00:00
but not a risk management life cycle.
00:00
In summary, we've talked about
00:00
the exciting NIST Four-Phase Process for
00:00
Risk Management and other risk management frameworks
00:00
and approaches to risk management.
00:00
Thank you for joining me,
00:00
and I'll see you in the next video.
Up Next
