Hello again and welcome to the HCISPP Certification course. This is Risk Management Process, Part One, and I'm your instructor, Shalane Hutchins.
In today's module, we're going to cover several definitions related to the risk management process and the intent of a risk management process.
Now, we've been talking a great deal about risk and have discussed some different frameworks and approaches to risk management. We're now going to break down the actual risk management process,
beginning with several definitions.
Let's start with the definition of risk.
Risk is the possibility of loss, as defined by the American Heritage Dictionary.
Risk management is defined as a discipline for living with the possibility that future events may cause harm,
as defined by (ISC)².
The Random House Dictionary defines risk management as the technique
or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance and other safety measures.
Now, we've already discussed vulnerabilities,
and in the context of risk management, let's revisit the definition.
A vulnerability is an inherent weakness in an information system,
internal controls, or implementation that could be exploited by a threat source.
It's common to identify vulnerabilities as they relate to people, processes, data, technology, and facilities.
Moving on to threat.
A threat is defined as any circumstance or event with the potential to adversely impact operations and assets,
individuals, or other organizations through an information system
via unauthorized access
or modification of information, and/or denial of service.
In the most simple terms, a threat is anything that can cause harm.
Now, an impact, as defined by NIST SP 800-30 Revision 1,
is the magnitude of harm that can be expected to result from the consequences of an unauthorized disclosure of information,
unauthorised modification of information,
unauthorized destruction of information
or loss of information or information system availability.
Risk management, as defined by NIST,
is the process of identifying,
estimating, and prioritizing information security risks.
A couple more definitions.
HIPAA defines a requirement to conduct risk assessments and stipulates that it is a required specification as opposed to an addressable specification. Remember, there are two types of requirements with HIPAA: those that are addressable and those that are required.
Covered entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity.
Remember those three security tenets, CIA: confidentiality, integrity, and availability.
HITECH is not a separate requirement per se;
it defines breach notification requirements.
In my experience, I've seen security questionnaires separate the questions: Are you compliant with HIPAA? And are you compliant with HITECH?
Or, do you have a HIPAA certification or a HITECH certification? And I'll say it again: there is absolutely no such thing as a HIPAA certification or a HITECH certification. It can't be certified.
HITECH requires organizations to report and publish the details of breaches of protected or sensitive health information that impact more than 500 individuals. Period.
Please remember this.
Risk assessment processes may vary between frameworks and industries,
but at their core, the formulas remain largely the same.
Risk is a function of threats, vulnerabilities, likelihood, and impact.
Risk assessments may also be qualitative, quantitative,
or a hybrid of the two.
Qualitative risk assessments define risk in descriptive terms such as "high,"
and quantitative assessments express loss in terms of dollar figures, such as the FAIR methodology mentioned earlier.
As an organization becomes more sophisticated in its data collection and retention, and as staff become more experienced in conducting risk assessments, they may find themselves moving more toward quantitative risk assessments.
In a purely quantitative analysis, frequency, probability, impact, countermeasure effectiveness, and other aspects of the risk assessment
have a discrete mathematical value.
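As an added worked example, not part of the lecture, the Python below scores a few constructed scenarios both ways: quantitatively, as expected dollars lost per year from threat frequency, probability of success, impact, and countermeasure effectiveness; and qualitatively, by banding the same inputs into Low/Medium/High and combining them in a 3x3 matrix. Every figure (the attempt rates, success probabilities, dollar impacts, MFA effectiveness) and the band thresholds are assumptions made for the illustration, not measured data or any framework's published values.

```python
"""Quantitative vs. qualitative risk scoring for constructed scenarios.

Added illustration, not material from the lecture. The frequencies, success
probabilities, dollar impacts and control effectiveness are invented, and the
band thresholds are assumptions rather than a standard.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_frequency: float             # threat events (attempts) per year
    vulnerability: float                # probability that one attempt succeeds, 0..1
    impact: float                       # loss per successful event, in dollars
    control_effectiveness: float = 0.0  # fraction of successes the countermeasure stops, 0..1


def loss_event_frequency(s: Scenario) -> float:
    """Expected successful loss events per year: frequency x vulnerability,
    reduced by whatever fraction the countermeasure stops."""
    return s.threat_frequency * s.vulnerability * (1.0 - s.control_effectiveness)


def annual_expected_loss(s: Scenario) -> float:
    """Quantitative result: expected dollars lost per year."""
    return loss_event_frequency(s) * s.impact


# Qualitative banding (assumed thresholds): a value below the limit gets that label.
LEVELS = ("Low", "Medium", "High")
LIKELIHOOD_BANDS = ((0.1, "Low"), (1.0, "Medium"), (float("inf"), "High"))    # events per year
IMPACT_BANDS = ((10_000, "Low"), (100_000, "Medium"), (float("inf"), "High"))  # dollars


def band(value: float, bands) -> str:
    for limit, label in bands:
        if value < limit:
            return label
    return bands[-1][1]


def qualitative_rating(s: Scenario) -> tuple:
    """Classic 3x3 matrix: combine the likelihood and impact levels into one rating.
    Returns (likelihood_level, impact_level, overall_rating)."""
    likelihood = band(loss_event_frequency(s), LIKELIHOOD_BANDS)
    impact = band(s.impact, IMPACT_BANDS)
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    rating = "Low" if score <= 1 else "Medium" if score == 2 else "High"
    return likelihood, impact, rating


def rank_by_expected_loss(scenarios) -> list:
    """Hybrid use: order scenarios by the dollar figure, report the qualitative label alongside."""
    return [s.name for s in sorted(scenarios, key=annual_expected_loss, reverse=True)]


# Constructed scenarios (illustrative figures only).
PHISHING = Scenario("phishing of ePHI workstation", threat_frequency=50, vulnerability=0.05, impact=40_000)
PHISHING_WITH_MFA = replace(PHISHING, name="phishing, MFA deployed", control_effectiveness=0.8)
FLOOD = Scenario("flood at the data center", threat_frequency=0.02, vulnerability=1.0, impact=2_000_000)


if __name__ == "__main__":
    for s in (PHISHING, PHISHING_WITH_MFA, FLOOD):
        like, imp, rating = qualitative_rating(s)
        print(f"{s.name:30} LEF={loss_event_frequency(s):6.2f}/yr  "
              f"AEL=${annual_expected_loss(s):>12,.0f}  qualitative={like}/{imp} -> {rating}")
    print("ranked by expected loss:", rank_by_expected_loss([PHISHING_WITH_MFA, FLOOD]))
```

Run as-is, the phishing scenario with MFA and the flood scenario both land on "Medium" in the qualitative matrix, yet the flood carries twice the expected annual loss, and the value of MFA (a reduction of $80,000 per year under these assumed figures) is only visible once the inputs are expressed as numbers. That is the gap the lecture points to when it says organizations drift toward quantitative assessment as their data and experience mature.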
In summary, today we've covered several definitions and the intent of risk management.
Stay tuned for the Risk Management Process, Part Two.