Risk Management Process Part 2

Course
Time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
>> Hello again and welcome to the HCISPP Certification course with Cybrary, Risk Management Process part 2. I'm your instructor Schlaine Hutchins. In this video, we're going to cover life cycle and continuous monitoring, desired outcomes, and internal or external audits.

We spoke earlier in the course about the data or information life cycle. We will review this subject matter again because it's important in the context of the risk management process. Information has a life cycle which consists of creation, use, and finally destruction. Several important security activities surround the life cycle of information to protect it: ensuring it is available to only those who require access to it, and destroying it when it is no longer needed.

Information ownership means that when information is created, someone in the organization must be directly responsible for it. Most times, it is the individual or group that created, purchased, or acquired the information. The information owner is typically responsible for determining the impact the information has on the mission of the organization; understanding the replacement cost of the information; determining who, within or outside of the organization, has a need for the information and under what circumstances the information should be released; and finally, knowing when the information is inaccurate or no longer needed and should be destroyed.

As you may remember, the purpose of the classification system is to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information. Many organizations will use the terms confidential, restricted, sensitive, or protected health information (PHI) to mark the information. Categorization is the process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization. Classification and categorization systems are used to help standardize the defense baseline for information systems and the level of suitability and trust an employee may need to access information.

All information must eventually come to an end. Organizations often hoard old information, assuming it will be useful at some point, when really most information outlives its value and usefulness in a matter of years, and sometimes even months. Organizations should document retention schedules and requirements for information in their administrative policies. The schedule should mandate the destruction of information after a set date, a set period, or a non-use trigger.

The risk analysis process should be an ongoing activity. Healthcare organizations should conduct continuous risk analysis to identify when security measures need to be modified to keep up with organizational realities. Additionally, any time that there's a significant update to policies, procedures, organizations, or technologies, the security documentation should be updated to reflect the new or evolving risks.

One of the principal outcomes of risk assessment is the definition and identification of threats, vulnerabilities, and countermeasures which are either present or desired within the organization. Those countermeasures are controls. It will then be useful to reuse the data gathered during the risk assessment for other security initiatives, such as the business continuity plan, security incident response plan, or disaster recovery plan. The act of reusing data gathered during a risk assessment, when possible and appropriate, can save dollars, time, and resources, and can demonstrate to management the tangible value of return on investment in the risk management program.

Auditors provide a central role in maintaining and improving information security. They provide an independent view of the design, effectiveness, and implementation of controls. The results of audits generate findings that require a management response and corrective action plans to resolve the issue and to mitigate the risk. Auditors often request information prior to the start of an audit to facilitate the review. Some audits are performed at a high level without substantive testing, while other audits will identify test samples to determine if a control is implemented and being followed. The security office cooperates with the internal and external auditors to ensure that the control environment is adequate and functional.

Let's do a knowledge check. The information life cycle consists of creation, use, and blank of information. [MUSIC] Did you guess destruction? If so, you're correct.

True or false: reuse of data from a risk assessment can be used for other security initiatives. [MUSIC] That answer is true.

Finally, true or false: the risk assessment process should be a one-time event. [MUSIC] That answer is false. The risk assessment process should be an ongoing, continuous activity.

Today we discussed life cycle, continuous monitoring, desired outcomes, and information around internal and external audits. I'll see you in the next video.