Risk Management Process Part 1

Course
Time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:00
Hello again and welcome to the HCISPP certification course works library, Risk Management Process Part One. I'm your instructor, Shalane Hutchins.
00:12
In today's module, we're going to cover several definitions of the risk management process and the intent of a risk management process.
00:24
Now, we've been talking a great deal about risk and discussed some different frameworks and approaches to risk management, and we're now going to break down the actual risk management process,
00:35
beginning with several definitions.
00:38
Let's start with the definition of risk.
00:41
Risk is the possibility of loss as defined by the American Heritage Dictionary.
00:47
And risk management is defined as a discipline for living with the possibility that future events may cause harm,
00:54
as defined by ISC².
00:57
The Random House Dictionary defines risk management as the technique
01:02
or profession of assessing, minimizing and preventing accidental loss to a business as through the use of insurance and other safety measures.
01:15
Now, we've already discussed vulnerabilities,
01:18
and in the context of risk management, let's revisit the definition.
01:23
A vulnerability is an inherent weakness in an information system,
01:29
security procedures,
01:30
internal controls or implementation that could be exploited by a threat source.
01:38
It's common to identify vulnerabilities as they are related to people, processes, data, technology and facilities.
01:49
Moving on to threat.
01:49
A threat is defined as any circumstance or event with the potential to adversely impact operations and assets,
01:57
individuals or other organizations through an information system
02:02
via unauthorized access,
02:06
destruction,
02:07
disclosure
02:08
or modification of information, and/or denial of service.
02:14
In the most simple terms, a threat is anything that can cause harm.
02:23
Now, impact, as defined by NIST SP 800-30 Revision 1,
02:30
is the magnitude of harm that can be expected to result from the consequences of an unauthorized disclosure of information,
02:38
unauthorized modification of information,
02:42
unauthorized destruction of information,
02:46
or loss of the information or information system's availability.
02:50
Risk management, as defined by NIST,
02:53
is the process of identifying,
02:55
estimating and prioritizing information security risks.
03:05
A couple more definitions.
03:07
HIPAA defines a requirement to conduct risk assessments and stipulates that it is a required specification, as opposed to an addressable specification. Remember, there are two types of requirements with HIPAA: those that are addressable and those that are required.
03:23
Covered entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI held by the covered entity.
03:38
Remember those three security tenets, CIA: confidentiality, integrity and availability.
03:45
Now, HITECH
03:46
is not a separate requirement per se.
03:50
HITECH
03:51
defines breach notification requirements.
03:54
In my experience, I've seen security questionnaires separate the questions: Are you compliant with HIPAA? And are you compliant with HITECH?
04:03
Or do you have a HIPAA certification or a HITECH certification? And I'll say it again: there is absolutely no such thing as a HIPAA certification or HITECH certification. It can't be certified.
04:18
HITECH requires organizations to report and publish the details of breaches of protected or sensitive health information that impact more than 500 individuals. Period.
04:32
Please remember this.
04:38
Now,
04:39
risk assessment processes may vary between frameworks and industries,
04:44
but at their core, the formulas remain largely the same.
04:48
Risk is a function of threats, vulnerabilities, likelihood and impact.
04:56
Risk assessments may also be qualitative,
04:59
quantitative
05:00
or a hybrid of the two.
05:02
Qualitative risk assessments define risk in terms such as high,
05:09
medium or low,
05:11
and quantitative assessments express loss in terms of dollar figures, such as the FAIR methodology mentioned earlier.
05:20
As an organization becomes more sophisticated in its data collection and retention, and its staff become more experienced in conducting risk assessments, they may find themselves moving more toward quantitative risk assessments.
05:36
Frequency, probability, impact, countermeasure effectiveness and other aspects of risk assessments
05:44
have a discrete mathematical value in a purely quantitative analysis.
05:53
In summary, today we've covered several definitions and the intent of risk management.
05:59
Stay tuned for Risk Management Process Part Two.