Hi there, Cyber your friends and welcome back to the Hcs PP certification course risk management frame words. My name is Charlene Hutchins, and I will be your instructor today.
In this video, we're going to discuss the exciting subject of risk pension. It frameworks will review at a very high level in this four phase process for risk management and touch on some other frameworks.
So I want to give a little detail around in this four days model for risk management from the missed 839.
The steps and the risk management process are not inherently sequential in nature. The steps are performed in different ways, depending on the particular tear where the step is applied and on prior activities related to each of the steps.
What is consistent is the outputs or post conditions from a particular risk management step.
They directly impact one or more of the other steps in the process.
framing the risk establishes the context and provides a common perspective on how organization manages risk.
Its primary output is pretty to producer strategy that addresses how an organization intends to assess risk and respond to and monitored risk.
The risk management strategy makes the specific assumptions constraints, risk tolerances and priorities or trade offs use for making investment and operational decisions.
The strategy also included it, or includes how risks will be managed by senior leaders and executives.
The risk assessment includes threats and vulnerability, identification and risk determination.
Threat identification requires examination of threats, sources and defense,
identifying the threat capabilities, intentions and targeting information from all available sources.
Organizations with more established enterprise architectures and mature lifecycle processes have outputs that can be used to inform the risk assessment process.
For example, within an organization that has an internal audit department,
a regular review and monitoring of audit findings and the remediation activities can be an input into the risk management process.
If there's a particular area or finding that consistently has weaknesses in the control or lack of controls that can identify a potential vulnerability,
organizations can employ a variety of approaches to determine the likelihood of threats exploiting vulnerabilities.
Likelihood Determinations can be based on eager threat assumptions or actual threat information. For example, historical data on cyber attacks or specific information on adversary capabilities and targeting
risk response includes risk response, identification, evaluation of alternatives and risk response decision and risk response implementation.
In addition to the risk assessment and risk framing steps, the risk response step can receive inputs from the risk monitoring step, for example, in an organization experiences of breach or compromise to the information systems or environments of operation that require an immediate response to address the incident.
A risk response can be risk acceptance avoidance, mitigation, sharing,
transfer or a combination of the above.
and the risk process in the process of risk monitoring, which includes a risk of monitoring strategy and risk monitoring itself. A risk management strategy or risk monitoring strategy includes the purpose,
tight and frequency of monitoring activities.
Determining the purpose directly impacts the means used to conduct the monitoring activities and where monitoring occurs,
such as at risk at the risk management tear.
A strategy also determines which type of monitoring will be employed, including approaches that rely on automation or will be procedural or manual and requires human intervention.
Finally, a strategy determines the frequency that monitoring will occur.
Areas that are typically included in risk monitoring are monitoring for compliance with legal regulatory requirements, internal policies and procedures in the mission and business requirements
or monitoring for effectiveness.
This type of monitoring is used to determine if the implemented risk response measures have actually been effective in reducing the identified risk to the desired level.
Failure to achieve desired levels of effectiveness may be an indication that the risk response measures that have been implemented and correctly or not operating as intended.
Monitoring changes to information systems and environments of operations is not linked directly to previous risk response measures, but is important to detect changes that may affect the risk to the operations, assets or individuals.
Other frame words that you were here, here about and see in this study materials include those listed here.
But it's not an exhaustive list
and my personal opinion High trust is not a true framework.
Hi Trust combines various
They've done a magnificent job of mapping all other frameworks. Such a Zionist
Kobe, It co. So I till and some regulatory requirements such as HIPPA and some other state requirements, and that mapping they've broken out into various categories and that's high trust.
It is a very expensive process to perform on. While you may conduct the self assessment
after purchasing a subscription.
It can only be validated by hiring an external third party C p A or auditing firm who's been trained to convict the assessments.
It is based on a five level maturity model, and you must achieve at least the maturity level of three in most areas, with few corrective action plans for where controls for controls that require remediation
again, This is just my personal opinion and not the opinion of anyone else. That's library,
and that's all I'll say about that
now. There is a framework and not a life cycle.
Fair is a quantitative model for understanding, analyzing and quantifying cyber risk. An operational risk in Financial Terms
identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives.
They include control, environment,
information and communication and monitoring activities.
Now I till is not a framework,
but it is the I T Infrastructure library that's based on Isil 20,000.
The Isil 20,000 standard is focused on service and management.
The thought is because risk in disrupt service delivery.
There is some consideration of risk management, but not a risk management life cycle.
So in summary, we've talked about the exciting, this four face process for risk management and other risk management frameworks and approaches to risk management.
Thank you for joining me, and I'll see you in the next video.