Time
33 hours 23 minutes
Difficulty
Beginner
CEU/CPE
33

Video Transcription

00:00
Hello and welcome to side Berries. 2019. Cop Tia Security Plus Certification Profession Course. We continue our discussion on marginal of five, which in fact, is domain five, and the subject would be risk management.
00:15
Surprising enough. We have a brand new learning objective where we have to explain risk management processes and concepts.
00:22
The first item, Arjuna, is a pre assessment quiz, and it reads as follows.
00:27
You prepare to perform a risk assessment for customer.
00:31
The customer has issued the following requirements for the assessment number one assessment must be objected.
00:38
Secondly, the assessment must report on the financial costs and or implication of each risk.
00:44
Which risk assessment approach shoot you use?
00:48
Is it a
00:50
be
00:51
C or D?
00:55
In this case, if you select that D, you're absolutely correct, because in this scenario, you need an objective. In other words, instead of subjective analysis,
01:03
the quantitative approach is objective. Looking at numbers and costs,
01:10
then we have our qualitative approach is a subjective, less precise and open to judgment.
01:17
The other two Adam Single loss expectancy or S l E and A l E, or Aniela suspects are not risk assessment approaches, so those both answers are definitely incorrect.
01:29
As mentioned earlier, We have a brand new loon object, which is 5.3 where we had explained Richmond Processes and concept. Here again are the topics which encompasses this particular learning objective.
01:42
Let's not turn outage toward discussed risk mansion In terms of an overview,
01:46
the first thing I want to point out here is that risk is a lightning hood that a loss will in fact, occur.
01:52
The loss occur when a threat exposes
01:55
a vulnerability.
01:56
Owners age of all sizes face risks. Some risks are so severe that it can cause a business to fail.
02:02
Other risks are minor and can be accepted without another thought.
02:07
Companies use risk management techniques to identify and different eight severe risk from minor risks. When this is done properly, administrators and managers can intelligently decide what to do about any type of risk. The Amazon decision to avoid, transfer, mitigate or accept the risk.
02:25
The common thing of these definitions are a threat.
02:30
Vona 1,000,000,000 laws, even though the common body of knowledge doesn't specifically mention loss as it implies. But remember, a risk could be defined as a combination or probability or likelihood of an event and the consequences.
02:45
We also learned that a threat refers to a source that isn't finance any circumstance or event with the potential to cause harm to an I T system. And last, their vulnerability refers to an era, a weakness in the system,
02:57
the worst of security system itself
03:01
now forced threat assessment. And when you think about the various threats, they often fall within the following categories. They could be external or internal.
03:10
External threats are outside of the boundaries of the organization. They can also be thought of as rested are outside the control of an organization.
03:17
They can also be natural or man made, their often related to whether hurricanes and so forth.
03:23
We also have intentional, accidental.
03:27
Any deliberate attempts to compromise company out integrity or availability is obviously intentional.
03:34
They also could be environmental. Other words. Mother Nature threats are tornadoes, hurricanes, earthquakes and so forth.
03:45
This brings us to again continuing the discussion of this brand new learning objective. We're gonna turn out teacher tore, discussion of risk assessment, single loss expectancy, annual loss expectancy all way down to arrest registry.
03:59
So that begs the question. What is the risk assessment
04:00
It's a key step in your risk management processes involved. The termination of the quantitative ah qualitative value risk is conducted for concrete situations and recognize threats
04:12
is used to help identify which safeguards to implement.
04:15
It's a quiet for valuing your risk or contro and often conducted at the implementation of a control.
04:21
Here again on the steps of your risk assessment. First of all, identification. You wanna isolate the potential risk to the organization and involves our risk analysis, where you analyze the types of risk to the organization.
04:33
Then you go about the process called risk privatisation. Other words. You place the risk in the order of hierarchy.
04:41
The first terminal highlights, called single loss expectancy, is the monetary value expected from the occurrence of a risk on I set. It's related to risk manager and risk assessment. Single or suspected is mathematically expressed as where the
04:55
exposure factors represented in the impact of the risk over the asset or the percentage of the asset loss
05:00
when you look at a single loss expects it is the expected monetary loss. Every time it rests, occurs the single all suspects. In other words, when you look at you like the asset value and exposure factor are related by former other words. Single loss expected equal again are a V, which is our accent value, and then we also look at exposure factor.
05:23
Then we have our annual loss expectancy, which is a product of the annual rate of occurrence and a single loss expectancy are other worse. U S l E. It is a mathematical expressed supposed that an asset
05:35
we had was valued at 100,000 and exposure fact before the asset was 25%.
05:42
The annual loss expensive is expected. Monitor laws that can be expected for an asset do the risk over one year period. It's the finest access again. Your annual loss expects the equal your single, all suspected
05:56
multiplied by your annual. What we call your annual rate of occurrence
06:00
you're single loss expected is a single loss expectancy and your annual
06:05
Danny. We have what we call an annualized rate of occurrence, an important feature of the annual on suspects. It is that it can be used directly in a cost benefit analysis. If a threat arrest has a annual loss, expects up 5000 then it may not be worth spending $10,000 per year on the security manager, which
06:25
which would eliminate that particular situation.
06:28
Now. One thing remember when you knew that I was an annual loss expected value is that when the annualized rate of occurrence is the order of one loss per year, that can be considerable variance in the actual loss. For example, suppose you had your a r O is 00.0 point five and you're single. Suspect is 10,000.
06:47
In this case, the angles in your loss expects is then 5000 a fever we may may be comfortable with using again the position distribution. We can calculate the probability of a specific number of losses current in a given year,
07:04
continuing our discussion, any laws expectancy we can see from this table that the probability of a loss is 20,000 is 2000 is 0.0, 758 and that's the probability of a loss bad 30,000 orm or if a partly
07:23
if it's approx it somewhere around 0.1 44
07:26
now that depends upon our tolerance to risk and our organization ability to withstand the higher lost values we may consider that a security measure which caused $10,000 per year to implement, is worthwhile, even though it's more than expected loss due to that particular threat.
07:46
So, again we mentioned before is the annual rate of occurrence is a property. That risk will occur in a particular year.
07:53
For example, if insurance data suggests that the serious they satisfied likely occur once in 25 years, then you annualized rate of occurrences
08:01
basically equates to 0.4
08:05
We look at the asset value is the value assigned to an asset that could be specific and encompasses tangible costs as well as that intangible we talk about. Tangible is something you can touch entitlements, something that perhaps that we cannot touch.
08:22
We look at a risk treasury. It is a basic, a scatter plot used as a risk manager tool to fulfill regulatory compliance. It acts as a repository for all the risks, have been identified and includes additional information about each breast. In other words, the nature of the risk.
08:39
The ref isn't owner and also mitigation methods.
08:43
In essence, in short, a risk Treasurys called a wrist law. It's a master document that is maintained by the organization doing risk assessment to track issues and address problems as they arise.
08:54
Continual discussion of this particular objective. 5.3. Where we had explained the wrist bands of processes in concepts we're going. Take a look at the risk assessment terms on Continuation, the likelihood of a current supply chain assessment impact
09:09
quantitative and we'll ask Qualitative.
09:11
We look at the likelihood of occurrence is sometimes referred to as a probability in risk match terminology. Although these terms are often used interchangeably, there are distinctions to take into consideration.
09:26
Forces Applied Chain assessment and Organization performs a supply chain in assessment for the purpose of reducing your vulnerability and insurance business. Continuity
09:37
for the impact. The impact of risk is the consequences if it occurs in other words, the cost of a risk.
09:45
So it encompassed the impact of a tolerable uncertainty of the consequences. If it occurs.
09:52
We look at quantitative and qualitative risk assessment. Quantitative risk assessment involves calculating absolute financial value losses and cause, while qualitative with assessment, calculates relative value losses and calls
10:09
continue on a discussion. Taking a look again, we're gonna look at take a look at the terms call penetrates and tested authorization
10:16
vulnerably tested an authorization. Again. These topics sub topic encompasses again
10:22
the learner gently 5.3
10:26
Now test and basically involved. The process you might choose involved what we call a risk based testing. To evaluate a system you can use risk based test of A with system quality and to reduce the likelihood of system defects as well.
10:43
Now for spitting, trace and testing authorization.
10:46
Do proper security organization information technology assets the size of came cybersecurity Team must be granted permission and authorisation to conduct penetration testing. Before that team can perform Assimilate attack of an organization network system, they must obtain permission from the organization. The authors that might include the scope of the testing,
11:07
the library in order,
11:09
physical acts that excess as well.
11:11
Now, when you look at vulnerably testing authorization
11:16
to probably secure an organization embracing technology assets, the infamous security must be granted authorisation to conduct what we call a vulnerably test.
11:26
Now this involved basically looking for assessing vulnerabilities within your picture organization. This involves scanning your organization, but it's less intrusive than what we call a penetration testing.
11:39
Continue our discussion. We'll take a look at the risk of spineless technique in terms of except transfer, avoid as well as mitigate
11:50
now at the risk have been identified. You need to decide what you want to do about them. Risk Manager could be thought of as Helen Risk. It's important to realize that risk manager not risk elimination a minute. Doesn't take any risk. It doesn't stay. It doesn't take any breast. It doesn't day in Venice. Obviously, their costs and limit all rest will consume all your profits.
12:09
So one of things that we can actually look at we could either border risk
12:15
remain. In other words, moving overseas out of the foot zone is a good example.
12:18
We can also go involve the prices of mitigation
12:22
basic to institute measures to eliminate or reduce the Barnum Bailey says that we can prioritise, evaluate and implement appropriate what we call risk reducing type controls.
12:33
We can also engage what we call cost benefit analysis that what we compared the impact of a realize risk to the costs associated with its mitigation. A cost benefit analysis will include an elimination would like to have occurrence and the impact of losses. For example, if your own is this is located on a mountaintop.
12:52
It is cost effective approaches
12:54
brought insurance. If it's not located on top of a mountain, or if it's fact motive I don't want you might want to consider purchase some type of insurance.
13:03
We can also transfer the risk
13:05
example by using other options, such as purchasing insurance is a good option or
13:11
an opt option you can employ,
13:13
by other words, person insurance or perhaps ah higher third party to perform that service.
13:18
We can also accept the risk, basically what that does to accept the risk. You cannot control the weather causing a power outage, and you only this is temporary disabled because you can't control it. So getting there are some risks that you meant except as was doing business. Now, despite all your best effort, that's still gonna be so rest. We have a term called residual risk. Despite all your best effort,
13:39
risk remained that have been identified and have been mitigated. So again.
13:43
A good example. Department determines that the calls for installing maintaining Adeline security software for its standalone person computer that stores this sensitive files it's not justifiable, but that administrative and physical chose should be implemented to make the physical access to the PC much more difficult. We can also involve a press accorded term
14:03
in this case, an organization. Might
14:05
the turret risk by implement, determines do the violators off security policies, for example? Oh, there's my infant auditing security cameras in or school with indication
14:15
you can also choose to ignore it was just my ignore or reject the risk. Denying that the risk exists in this scenario, the organization hopes that the risk would never really realized this should be considered an unacceptable risk response technique.
14:31
Another process called we call change management.
14:33
It's the systematic approach to dealing with the transition or transformation of an organization, goals, processes and or technology.
14:41
At this point in time, we have a post assessment question a heated determine whether, in fact, this question either a true or a false statement, and it reads as follows an older. They should perform a supply chain assessment for the purpose of reducing vulnerabilities and ensuring business continuity. That true or false?
15:03
If you said it true, you're absolutely correct. Let's not take a look at the key takeaways from this particular presentation learned that an owner's. They should perform a supply chain
15:11
assessment for the purpose of reducing vulnerably and insurance business continuity.
15:16
We also learned that change mentions used by organizations to ensure that no change leads to reduce our compromise security.
15:24
We also discussed that before a cyber security team can scan the system and a network of our organization identified security vulnerabilities, they must first all attain permission from that particular organization.
15:37
We learned that a quant quantitative risk analysis prioritized identified project risk using what we call it pre defined ridden scale. The risk will be score based on their probably or lightly over current and the impact on the project objectives they should they occur,
15:54
continue on. We learned of the impact of risk is the consequence, if occurs, other words, the cost of risk.
16:00
We also learned that the lightning was something sometimes referred to as a probability and risk manager technology. Although these terms are often used interchangeably,
16:08
there are distinctions to take into consideration,
16:12
we learned also London at Risk Bridge, also called a wrist Long, is a master document that is maintained
16:19
by an organization doing risk assessment to track issues and address problems,
16:25
particularly as they arrive
16:26
arises. In other words,
16:30
in our welcoming video will be taking a look at a brand new objective, which is 5.4 and which will be given a scenario. We're gonna follow the incident response procedures. And again, I look forward to seeing you in a very next video.

Up Next

CompTIA Security+

Interested in the cybersecurity industry? The CompTIA Security+ is the gold standard for those looking to enter the cybersecurity industry. Join thousands of professionals who have gained this certification through this course and launched their careers in information security.

Instructed By

Instructor Profile Image
Jim Hollis
Independent Contractor
Instructor