Risk Management Overview


Time: 44 minutes
Difficulty: Intermediate
CEU/CPE: 1
Video Transcription
00:00
Hello, everyone. This is instructor Gerry Roberts, and this is risk policies and security controls.
00:06
First of all, what is risk management?
00:08
Well, first, a risk is the likelihood that a threat will take advantage of a vulnerability.
00:14
So that could be, I didn't patch my server,
00:18
and because I didn't patch my server, maybe a specific port is open and they can go in and take advantage of it. But how likely is that going to be?
00:27
A high-risk situation would be that it's extremely likely, and a low risk would mean that it might happen.
00:35
Now risk management is the process of working towards minimizing and eliminating those risks.
00:42
One thing to note.
00:43
You can't get rid of all risk, but you can make it better by minimizing them, and some risks you can actually eliminate.
00:52
Risk management involves many different people and departments,
00:56
and it includes physical and technical controls.
01:00
The process of risk management can be a long one.
01:04
First, we have risk identification.
01:08
What happens usually is you monitor for risks and you do some pen testing and other testing to locate those risks and identify them.
01:17
I want to have them identified.
01:19
You then do an assessment.
01:22
Use that information you gathered in the risk identification phase,
01:26
and then you
01:29
see what it's going to impact, what kind of potential impact,
01:33
and what kind of tasks you're gonna need to do, such as deploying a firewall to mitigate that risk.
01:41
Action.
01:42
Once the assessment is done, then you take the action that's been agreed upon during the assessment. So say, for example, we said, "Let's deploy some firewall rules."
01:51
Well, in the action phase, we would go ahead and put those rules in place.
01:56
Then we would do continuous monitoring and testing
02:00
to ensure that the risk is mitigated. We should monitor
02:05
and pen test again to see if we find any new risks or if the risk is still there.
02:10
Sometimes we also do what's called regression testing
02:15
to make sure that the action we took, such as the firewall rules,
02:19
was implemented properly and it's working.
02:23
Assigning risk management tasks.
02:25
So one of the issues with risk management is assigning tasks.
02:31
Now, if it requires a specific task to be completed, as far as the action that we agree upon during assessment,
02:39
so say the firewall,
02:42
we have to assign someone the task.
02:46
This ensures it is completed
02:49
because someone is responsible.
02:52
If the task is not assigned, it is very likely the action's not gonna be taken.
02:58
Now, this responsibility is so important
03:01
because if something does happen,
03:05
the task was not completed,
03:07
and there's an issue as a result, we can go back to a specific person
03:12
or group of people
03:14
and find out what happened.
03:16
So in my example here, this is actually something that happened in a company I worked at.
03:22
The firewall rule was not implemented and a breach happened.
03:27
The person responsible was tracked down and we talked to that person
03:30
and they said, "Yeah, I tried to put the firewall, you know, in and put those rules in.
03:37
But then this application we have to have, which is, you know, critical for business, stopped functioning because it uses one of those ports to function.
03:46
So I asked my manager and he said, 'Go ahead, take the firewall rule out.'"
03:52
So the action was not completed because the action would have
03:57
changed accessibility. And if we remember, with CIA, accessibility is important.
04:03
So at that point,
04:06
what we should have done
04:09
is we should have gone back to identification and identified that it was still a risk, but the action of putting the firewall rule in was not going to work,
04:17
and then gone through and seen if there was a workaround for
04:24
Methodology for dealing with risk.
04:27
Now you're not always going to be able to take an action for a risk.
04:30
Sometimes you do different things.
04:33
But there are four main ways of dealing with risk.
04:38
Elimination and avoidance.
04:42
You can eliminate the risk or avoid the risk completely by resolving the vulnerability.
04:47
This, obviously, is the action we really want to take, because that means it goes away; we don't have to deal with it.
04:55
But the next thing is mitigation.
04:59
You mitigate the likelihood of the risk, so you try to minimize the chance that the risk is gonna happen,
05:04
and you also mitigate any damage if the risk were to happen.
05:10
That could be things like network isolation, where one part of the network is not connected to the other part of the network, so if one part's affected, the other part is not.
05:19
This is usually where we kind of live when it comes to risk management.
05:27
Transferring.
05:30
Transferred, so we transfer the risk to someone else. For example, we might have an insurance policy that would cover the cost of data recovery,
05:39
new equipment, that kind of thing, in the case of a disaster.
05:43
Ah, here in Florida, we get a lot of hurricanes. So some places have those special insurance policies that cover hurricanes, which also have to cover flooding, because we are in a floodplain and insurance requires additional coverage for flooding.
06:00
So they might purchase an insurance plan for the hurricane. And then, when the hurricane comes through,
06:05
knocks down the data center, there's really nothing we can do other than maybe building a better building. And in some cases that doesn't even work.
06:14
So once that happens, they can then call the insurance company, and the cost and the
06:20
risk are now put on the insurance company, because the insurance company now is liable for that equipment and for that building.
06:30
Acceptance. Now, we rarely like to accept a risk, but acceptance means that we accept the risk and deal with it when it happens.
06:38
Again, this is not something we generally like to do,
06:41
mainly because, again, we wanna live up in at least mitigation if we can.
06:46
Some things we can't, and that's why we transfer. Other things we just can't do anything about, and we kind of have to accept the risk and maybe, you know, have a plan for dealing with the damage when it happens.
07:00
All right, we're near the end. So it is once again time for a post assessment question.
07:04
An example of a risk mitigation might be:
07:09
Mark gets a UPS, or uninterruptible power supply, so that servers can be gracefully shut down in a power outage.
07:17
Just buys an insurance plan that covers flooding for the Orlando, Florida, location.
07:24
A shod patches the server so the new zero day exploit vulnerability is taken care of.
07:30
Tia realizes that there's a fire risk in the Australian location; however, she does not buy insurance or fire controls for the company.
07:39
Which one of these is an example of risk mitigation?
07:43
As always, I'll give you a few moments to figure that out. You can also pause if you would like, and then we will come back to the answer.
07:53
Our answer is: Mark gets a UPS so the servers can be gracefully shut down. Now, the UPS isn't gonna prevent the outage, but it will prevent the servers from shutting off during operation.
08:05
Now, if you know anything about servers, you know, if they shut off during operation, it is possible to have data corruption and other damages to those servers.
08:15
So he's mitigating that possibility by making sure he can shut them down gracefully.
08:20
Now, the other options:
08:22
Just buys an insurance plan. An insurance plan is gonna be transference.
08:26
A shod patches a server.
08:30
He's eliminating the risk there, because it says it took care of it.
08:35
The last one. She's ignoring it, so she's just accepting the risk and allowing it to happen.