Okay, folks, we've completed domain one, which was all about security governance.
And so ultimately, of course, what that said is security has to come from the top, has to come from senior management, boards of directors, steering committees.
Those are the folks that can really impact that culture of an organization. They can approve security strategy, sign off on the security program. They can budget and fund. So that's essential.
But now, okay, so we've got the approval from senior management. Now we've got to think about what we're gonna do, right? Senior management says go, and let's close the gap between where we wanna be and where we are. But how?
And the answer to that is you've gotta look at risk management, because there's a million ways that we could implement security,
right? But our goal is to be cost effective, to truly support the organization, to be in alignment with business goals, and that ultimately comes down to managing risks to such a degree
that we support the organization that senior management approves. All right, so in this particular chapter, we're gonna start off with just an introduction. We'll talk about some risk terms, because different people will define risk a little bit differently,
and we have to make sure that we're in alignment with ISACA's definitions of the words. As a matter of fact, I would certainly recommend going through a glossary
in relation offices. Um, I don't know if any of you have been to quisling dot com,
but they have an online glossary, and if you just type out CISM, and I'll give you that address in just a second, but quisling dot com will allow you to go through and make sure that you're using the lexicon, the terminology, in the way that ISACA would have you. Okay, so we're gonna go over some of those key terms that you need to have.
Then we'll move into talking about the risk
management life cycle.
We will talk about that risk management life cycle that again comes to us from ISACA as having four distinct steps:
risk identification, risk assessment,
risk response and mitigation, and then risk control and monitoring, because we're never done managing risks. All right, so let's go ahead and let's get in and we'll talk about an introduction to risk management.
So, first of all, we should probably define risk and risk is defined as the probability of an event and its consequence.
And so what we're looking at is probability and likelihood of an event happening,
because that's really what's significant: how likely is it to happen? And if it does,
what's the damage?
All right. And so, yes, we will be talking about risk as a negative event.
That is unknown, right? So it's, um,
in some organizations and some documents, risk may, you know, they may say risk is both positive and negative.
Positive risk is an opportunity. A negative risk is a threat.
You know what? I've never heard anybody in my life go, "Oh, there's a big risk I could win the lottery,"
right? So we will focus on it as a negative.
Okay, so when I'm looking at risk, the first thing I have to think about is what's the mission of my organization. And, of course, what are our assets? What's the purpose of what we do?
and whether I'm in the government, the private sector, the military, we're gonna all have a different context for the risk in which we operate. So we need to understand that right off the bat.
All right, then we have threats, those things that would pose harm to our assets.
Vulnerabilities are our weaknesses. You have to have both a threat and a vulnerability in order to have a risk.
If I don't have one or the other, there's no risk,
all right, and then we talk about likelihood and impact:
likelihood, again, probability; impact, severity or consequence.
And ultimately, what we want to do with risk management is to reduce residual risks to a level that's acceptable. By whom? Who do you think?
The ultimate decision makers.
All right, so some of our definitions we've already said: assets, something we value; a threat poses harm; and a vulnerability is a weakness.
The threat agent is the entity that carries out the attack,
the exploit is when it happens. And then we said the risk is the probability and likelihood of that happening. So my asset may be my data,
the vulnerability is that I have weak passwords protecting my data,
the threat is an attacker could come along, compromise the passwords and access my data.
The threat agent would be the attacker, but also would be the software that they use, like L0phtCrack and Cain and Abel and some of those others.
Uh, and should that happen, that would indicate an exploit
and the risk.
If I do nothing, I would say the risk is pretty high that that would have
Okay, so that's how all these terms come together, and there are a few more terms that we have to look at as well.
First of all, we have to talk about inherent risk,
and there's a certain amount of risk that just goes with most things. There is inherent risk in just getting out of bed in the morning, right?
After you apply risk treatment, what's left,
because rarely can you totally eliminate or totally avoid a risk. I mean, you can totally avoid a risk, but that's not as common, right? Usually, we just think to mitigate, transfer. So what's left? That's residual.
Secondary risk: sometimes you fix a problem, and it just causes another.
Risk appetite: that's what the organization
feels about, that's how the organization feels about risk, and that's determined by senior management. Are we risk aggressive, or are we risk neutral, or are we risk seeking?
So what's our general philosophy on risk?
Now, within that general philosophy of risk, we may deviate from that standard with risk tolerance.
So I may be a very risk seeking organization because we're a young startup company. Nothing ventured, nothing gained.
But in matters concerning human life, I have a very small tolerance for loss.
So that's risk appetite. That's risk seeking. But risk tolerance being looked
All right, risk capacity: how much total risk can we absorb before suffering a loss
that we can't handle, before it really threatens the viability of the business?
Our risk threshold is that point that we won't cross
so often at the top of risk tolerance, that risk threshold. We won't cross it.
And then we implement controls, either proactive controls like fences and encryption,
or reactive controls that essentially we think of as auditing and reviewing logs.
So we put controls in place to mitigate risks.
All right, now,
consider risk governance. It really is just a subset of corporate governance. So those same questions we have to ask:
are we managing a common risk view throughout the organization? Do we truly understand the nature of risk and what our organization's approach
is? Is risk management embedded into the enterprise?
Do we in the enterprise use risk management for decisions?
Which means we're not making decisions on things like, "Well, if it ain't broke, don't fix it."
We're not making
decisions based on, "Oh, they'll never give us buy-in," or, "It can't be funded."
What we have to look at is the potential for loss versus the cost of the countermeasure. And that's
integrating risk management into business decisions.
All right, risk-aware business decisions, exactly that. Each one just ties into the one before,
and then make sure that the controls are implemented properly,
which means we're gonna have to test, right? Sometimes you implement a control and you wind up more vulnerable:
default passwords, default settings, poorly configured firewalls and so on and so forth can wind up causing more damage than good.
All right, so the context of risk management, I just mentioned this a minute ago. But the idea is, what is our environment like?
Because every organization has a slightly different context for risk.
A lot of that's driven just first of all by the industry and laws and regulations, but also each
senior management team has a unique perspective
and unique goals in relation to risk
so we have to look at our context. So what that means is again, we've gotta know the business.
What is it about our environment?
What type of assets are we protecting? What are the vulnerabilities? Are those vulnerabilities likely to change as time goes by or the threats?
Is there, um, the potential that new regulations could send us off in a different direction, right? So all these ideas are part of the context of risk, and that's what we've got to base our decisions off.
So as I mentioned before, what we're going to use in order to address risk is the risk management life cycle,
and you can see
response and mitigation and risk monitoring and control. And that's what we're going to go through in the next handful of slides. And, uh
and that's what we're gonna use to describe risks within our organization.