Risk Management Process Part 1


Course: 5 hours 25 minutes | Difficulty: Intermediate | CEU/CPE: 6
Video Transcription

>> Hello again and welcome to the HCISPP Certification course with Cybrary, Risk Management Process, Part 1. I'm your instructor, Schlaine Hutchins. In today's module, we're going to cover several definitions of the risk management process and the intent of the risk management process. We've been talking a great deal about risks and discussed some different frameworks and approaches to risk management, and we're now going to break down the actual risk management process, beginning with several definitions.

Let's start with the definition of risk. Risk is the possibility of loss, as defined by the American Heritage Dictionary. Risk management is defined as a discipline for living with the possibility that future events may cause harm, as defined by (ISC)². The Random House Dictionary defines risk management as the technique or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance and other safety measures.

Now, we've already discussed vulnerabilities. In the context of risk management, let's revisit the definition. A vulnerability is an inherent weakness in an information system, security procedures, internal controls, or implementation that can be exploited by a threat source. It's common to identify vulnerabilities as they relate to people, processes, data, technology, and facilities.

Moving on to a threat. A threat is defined as any circumstance or event with the potential to adversely impact operations, assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. In the most simple terms, a threat is anything that could cause harm.

Now, an impact, as defined by NIST SP 800-30 Revision 1, is the magnitude of harm that can be expected to result from the consequences of an unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. Risk management, as defined by NIST, is the process of identifying, estimating, and prioritizing information security risks.

A couple more definitions. HIPAA defines the requirement to conduct risk assessments and stipulates that it is a required specification, as opposed to an addressable specification. Remember, there are two types of requirements with HIPAA: those that are addressable and those that are required. Covered entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity. Remember those three security terms, CIA: confidentiality, integrity, and availability.

Now, HITECH is not a separate requirement per se. HITECH defines breach notification requirements. In my experience, I've seen security questionnaires separate the questions: are you compliant with HIPAA, and are you compliant with HITECH? Or, do you have a HIPAA certification or a HITECH certification? I'll say it again: there's absolutely no such thing as the HIPAA certification or HITECH certification; it can't be certified. HITECH requires organizations to report and publish the details of breaches of protected or sensitive health information that impact more than 500 individuals, period. Please remember this.

Now, risk assessment processes may vary between frameworks and industries, but at their core, the formulas remain largely the same. Risk is a function of threats, vulnerabilities, likelihood, and impact. Risk assessments may also be qualitative, quantitative, or a hybrid of the two. Qualitative risk assessments define risk in terms such as high, medium, or low. Quantitative assessments express loss in terms of dollar figures, such as the FAIR methodology mentioned earlier. As an organization becomes more sophisticated in its data collection and retention, and staff become more experienced in conducting risk assessments, they may find themselves moving more toward quantitative risk assessments. Frequency, probability, impact, countermeasure effectiveness, and other aspects of risk assessments have a discrete mathematical value in a purely quantitative analysis.

In summary, today we've covered several definitions and the intent of risk management. Stay tuned for Risk Management Process, Part 2.