CISM

Course
Time
8 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:01
All right, we move from risk identification to risk assessment,
00:05
and now we're gonna look at risk response and mitigation.
00:08
So this is the third step of the life cycle, and this is where we actually try to address risk.
00:15
And you can say that the key purpose of this function is to reduce residual risk to a degree that's acceptable by senior management. Okay, so when we say, like we always do, alignment with business objectives: senior management has a risk appetite, and they have levels of
00:35
tolerance with individual risks
00:37
So what we want to do is we want to examine the existing risk
00:41
versus what management's acceptable level is. And we want to respond with a series of mitigating controls that will lessen the risk until it falls within the realm of what's acceptable.
00:54
So when we do that, we have four primary solutions or four primary choices. We have risk mitigation.
01:03
We have risk avoidance, risk transference and risk acceptance. So when we look into these options, let's take a look first at risk mitigation.
01:14
Now, risk mitigation is sometimes referred to as risk reduction, and the whole purpose of risk mitigation is to lessen the probability and/or impact of a risk. This first bullet point says the frequency; frequency and probability meaning the same thing, right?
01:34
So we're taking... I can't lessen the probability of rain.
01:38
But if I take an umbrella, I can lessen its impact, right? So in that case, I'm mitigating a risk. Or maybe I can't lessen the impact that malware would have on a system. But I can lessen the frequency with which that system is impacted by having anti-malware software.
01:56
So both of those are strategies for risk mitigation,
02:00
so we can mitigate through
02:04
a variety of controls. They could be technical controls. We'll talk later about a balanced response, but you know, we can mitigate risk through processes and procedures. We can mitigate risk through encryption and firewalls. We can mitigate risk through locking our doors and having a security guard.
02:23
So there are lots of different ways that we can approach lessening the amount of risk to which we're exposed.
02:30
Don't make the mistake of going into this again with just that high-end sort of technical thought process.
02:38
A good administrative policy, like onboarding procedures, can solve or can prevent a ton of risks, and it's much cheaper to prevent than correct. So don't underestimate the importance of administrative controls and physical controls in addition to technical
02:59
controls as well.
03:00
Now, the thing about risk mitigation,
03:02
so we're gonna lessen either probability, frequency or impact.
03:07
Well, if I can lessen either one of those or both, all the way down to zero, what I've really done is I've avoided the risk,
03:15
right?
03:15
You know, if I could bring the probability of a risk down to zero, well, there's no risk any longer. Or if I can lessen the impact
03:24
to zero.
03:27
So with risk avoidance, that's what we're doing now. We don't talk in terms of eliminating risks, right? We can't eliminate risks, but there are particular risks that we can avoid.
03:39
Right? Um,
03:43
honestly, I don't feel like we can secure a guest wireless network to a degree
03:50
that I feel comfortable having one or offering that service. So we just don't. We have avoided the risk, right? I'm just not gonna offer that as a service.
04:00
I'm concerned with opening up a location in an area of political upheaval.
04:05
Well, I do some research, and I say it's just not worth it.
04:09
And usually when you get to risk avoidance, that's kind of what you're doing: you're choosing another option because the risks associated with one solution are just so high.
04:19
So with risk reduction, we're lessening probability and/or impact,
04:25
and if we're able to lessen either of those all the way down to zero, then we've avoided the risk.


Instructed By

Kelly Handerhan
Senior Instructor