Risk Optimization

Video Transcription
Hello, Cybrarians, and welcome back to our CGEIT certification course, Certified in the Governance of Enterprise IT. We've been talking about the main focus, which is to deliver value and to be able to demonstrate that we deliver value on behalf of the IT department. That's what Chapter 3 was all about: value delivery. Now we're moving on in this chapter to risk optimization. But I want to do a quick review of what we talked about last week.

Excuse me. I get so choked up over CGEIT information.

So we talked about the importance of a business case, and we said the business case really makes the argument for the IT endeavors that we undertake, because that business case has to sell the project: this is why we're doing what we're doing, here is a problem, here's how we're going to fix it, here are the costs, here are the benefits, and ideally showing that that particular endeavor brings value. We talked about managing our portfolio so that we have an overall picture of value that we can demonstrate. And then we talked about Val IT, and how the whole focus and purpose of Val IT is to make sure that we're demonstrating value, right? It's all about the value. What are we doing for the business?

So when we left off, we were at the end of Chapter 3, and we did a few review questions about return on investment and costs and so on. That brought us up to our section on risk. So we're in Chapter 4, with just two more modules to go. We're moving right along through the material.

This particular chapter is all about risk optimization: how do we make the most of risks as they present themselves? How do we mitigate the risks that need to be mitigated? How do we optimize the ones that need to be optimized? Ideally, we're going to focus on the various stages of risk management, and we'll be looking at those throughout the chapter. Now, ISACA has an IT risk management lifecycle. Because this comes to us from ISACA, and ISACA is the same organization that puts out CGEIT, we know we're going to see this particular model on the exam, and we're going to see more than just the focus that we might see in the CRISC course or something like that. But ultimately, I can assure you that the big focus is going to be on the IT risk management framework and then the IT risk management lifecycle.

All right, so if we start looking at this, we really could even begin with defining some terms in relation to risk. We could go through and talk about risks themselves and different definitions, and I will certainly do that. But right off the bat, I just want to stress to you: when we look at risk management, we are looking at risk identification as the first step. Identify your risks, and that's going to involve looking at assets, looking at threats, and then looking at vulnerabilities. Then we're going to assess our risks, which means we're going to determine the value of the risks, and then we're going to figure out how to mitigate the risks based on their value. And then ultimately we're going to move into risk control: we're going to monitor the controls we put in place.
All right, so let's get some of these definitions out of the way. One of the things that I find is that different organizations may use these terms differently. We want to make sure that we're using them as they were designed to be used, as ISACA uses them.

So first, right off the bat, we're going to talk about risk as the combination of the probability of an event and its consequence. Now, usually when we talk about risks, we're talking about an adverse event, right? I don't say there's a risk I could win a million dollars. Positive risks we often refer to as opportunities; negative risks we refer to as threats. If all we do is look at risks as negatives when we're planning and when we're budgeting, we're going to have a very skewed approach to budgeting, because we're allowing for all of these negative events that might happen, but we're not also addressing the fact that positive risks, or opportunities, could transpire as well. So to really get that balanced perception of risk management, you really have to look at both the positives and the negatives, just like everything in life. You can't just look at positives; you can't just look at negatives.

All right, so some things that we have to think about when we're evaluating risks: we have to think about the mission of the organization. What is the organization about? What are we doing? The mission of the organization plays into the idea of risk context, the line of business I'm in. I'm an instructor that teaches certification courses. The risks that I have to address are very, very different from the risks the military may face, right? Well, that's part of the risk context. Why? Because the value of what I'm protecting is much lower than the value of what the military is protecting. So ultimately, the value of our assets and the mission of our organization are going to drive the degree of risk to which we're subjected. So when you're looking at protecting national secrets, you're going to see cyber threats from all over. You're going to see espionage. You're going to see political actors. You're going to see just standard theft, currency, organized crime. So the value of what you're protecting and the mission of your organization have a huge impact on what we call risk context.

OK, now, other things that we have to think about with risk: threats, vulnerability, likelihood, and impact. All right, so when we talk about threats, a threat is really any entity that could pose harm to your assets. It could be active, like an attacker. It could be passive, like a natural disaster, or any combination. So anything that would harm your assets, that's a threat. Now, a threat only matters if you have a vulnerability that could be compromised or exploited, and that vulnerability is a weakness. I can't really control the threats that are out there, but I can very much limit the vulnerabilities. And that's certainly my job in enterprise governance and risk management, information security management. Certainly my job to do.

Now, when we look to determine the value of a risk, so maybe I'm looking to determine the potential for gain with an opportunity or the potential for loss with a threat, we generally look at probability versus impact, or likelihood. You could hear "impact," you could hear "severity," you could hear "probability" or "likelihood." The bottom line is: how likely is this to happen, and if it does happen, how severe? What is the impact to the organization? And remember, we only care about impact as it impacts the organization, right? We're not focused on IT; we're thinking about the organization as a whole.

And when we're conducting risk management, or when we're overseeing risk management, as we would be doing as part of enterprise governance, because governance just sets the vision, right, the strategy, the big picture, and usually risk management happens below that, where our managers figure out how to address risks. But it's part of governance: we oversee the risk management process, and ultimately the role of governance is to determine the philosophy on risk, the risk appetite, as well as levels of acceptable risk. Because you really can't eliminate all risks, right? You can't eliminate all risks, so there's got to be a point where we say, well, we've reduced it as far as is reasonable, or as far as the cost of the countermeasure merits. I'm not going to spend $50 to mitigate the loss of a $20 bill. So we're constantly thinking of cost-benefit, but we have a level of acceptable risk we'll tolerate.
I was out shopping at Best Buy, it's been a year or two ago, but I was looking at software and I saw this box for a software firewall that said "eliminate all risks associated with the Internet." I was like, wow, that's pretty impressive. I don't think that word means what they think it means, right? You don't eliminate all risks associated with the Internet. We mitigate the risks that warrant mitigating until ultimately our risks are reduced to a level that's acceptable by senior management. We're in governance; we are governance. It's our responsibility. We're the ones that determine it. Now, how do we determine what's acceptable? We look at the business objectives. We look at the cost-benefit. We'll talk about risk capacity. So ultimately what we're going to have to do is weigh the pros and the cons and determine what's the best decision moving forward. But before we do that, let's get through some other definitions.

We've already talked about assets, vulnerabilities, threats. The threat agent is the entity that carries out the attack, so that could be software, it could be an attacker, whatever. All right, now, risk. A couple of key pieces about risk. A risk is the combination of probability and its consequence. So there's probability and impact, or likelihood and severity. Risks are often seen as adverse events, but down below you'll see that ISO 31000 specifies that risks are the effect of uncertainty on objectives, both positive and negative.

All right, so in this course we really have to address the element of risk that's most significant: a risk is unknown. And with a risk being unknown, the very nature of risk management is that we're unsure if it will happen. We're unsure if our strategies will work. We're unsure of what the residual risk would really be. So we're estimating right now. When we talk about a risk event that's materialized, that's now an incident. So once a risk event happens, it's no longer uncertain; it has happened, so it becomes an incident.

All right, a few more definitions.
Good coffee. Good coffee.

All right, inherent risk. There's just inherent risk with any endeavor, right? And there's an inherent risk in not following through with an endeavor. I mean, there's risk everywhere. So when we talk about total risk, or we talk about inherent risk, what we're considering is the amount of risk that exists if we don't do anything. So right now, where are we in relation to risk for a particular event? OK, I don't have any fire suppression mechanisms in place. I've built a new warehouse that has nothing to prevent fire. Well, I'm looking at a huge inherent risk, right? Loss of life, loss of property, lawsuits, all these things. OK, well, what do I do? My goal is to bring that inherent or total risk down to the level that's acceptable by senior management. So the idea is you mitigate. Maybe I create good fire safety policies. Well, that brings down the potential for loss just a little. Then we make sure we don't store flammable elements near ignition sources. We put fire extinguishers around. Well, let's just say we go ahead and purchase a sprinkler system. Well, that brings us way down, but we still have too much risk. So then maybe I'm going to have fire insurance. And then what's left over after I've done the things that are reasonable, and I continue to mitigate until what's left over is acceptable. What's left over is called residual risk, and you always want to associate the goal as being to reduce residual risk to the level that's acceptable by senior management. That's us. So what is acceptable? We'll get there.

All right, secondary risk. This is a real problem, because many times we look to solve problems by checking off a checklist as opposed to truly getting to the root of problems and implementing real solutions. It's called security theater, and it's that idea of "look busy, someone's watching." So one of the most tragic instances of secondary risk I've seen was that after the events of 9/11, the cockpit doors were fortified so that no one could get in, because the hijackers during that time compromised those doors. So we fortified the cockpit doors, but unfortunately, if the cockpit doors can't be penetrated by the bad guys, they can't be penetrated by the good guys either. So we wound up, this was in France, with a situation where a co-pilot was having profound mental health issues, to say the least. And essentially he waited until the captain left the cockpit, barricaded the door, locked it, and then drove the plane into the side of a mountain in the Alps. It was a really tragic situation, and it was especially tragic because something we implemented to save lives wound up costing lives. Well, hindsight's always 20/20, right? You can look back and say, well, did it not occur to anybody that if the bad guys couldn't get in, the good guys couldn't get in? Well, that's the nature of risk. That was something that hadn't happened. And I'm sure it did occur to folks. So what was evaluated then was the likelihood of that happening, and then the loss potential if it did. And it's sad to say, sometimes decisions are made by placing dollar values on human life, and how much would it cost to implement this new strategy versus what would be the loss potential. Now what we do is we say two people must be in the cockpit at all times, as a mitigation strategy for what happened in France. Well, what about a six-foot-five pilot and a four-foot-eleven flight attendant, or a four-foot-eleven pilot and a six-foot-five flight attendant, right? I mean, there's such an inequity there that it seems like maybe that's not the best mitigating strategy, that we're still not playing these risks through far enough. A lot of times security theater says, appease the public, show them we're doing something. And we, as executive officers of an organization, ethically owe it to our customers, owe it to our organization, to resolve problems in fact and indeed, not just in what appears, but to really get to the root of these risks and find an appropriate solution.
OK, so that's secondary risk. Now, I've already talked a little bit about risk appetite. It's senior management's job to determine what our philosophy is within the organization: risk seeking, risk neutral, risk averse, or anywhere along that spectrum. And a lot of times that's driven by the value of the assets. So if we're in the military and human lives are at stake, we'll be very, very cautious. If you look at a company like Tesla, they're pretty risk seeking. I mean, any sort of company that's trying to launch a new automobile on a rocket into outer space, they're taking some risks there, right?

So often it's the amount of risk capacity, and capacity is the amount of loss that a company can absorb before their viability is threatened. And you'd be amazed how much organizations have, as far as how much they can lose. Look at the credit card industry and look at how much money they lose per year in credit card theft and fraud: over a billion dollars. That's a lot of money. A billion, with a B, not with an M. Surely they could do better. Of course they could do better. But if the cost of mitigation is greater than the potential for loss, then they choose to accept the risk, which means they don't change. And that's fine. However, the loss that they suffer they may not deem important enough. But what about customers? When are the credit card companies going to start responding and making things more secure? When customers demand it, either through regulation of the credit card company (right now they're self-regulated, so if they were regulated by the government, they'd likely change) or if customers stopped using credit cards and found other ways to pay that were more secure. You can bet the credit card industry would make a very quick switch, because the loss would be greater to them. So many times we can do better than we are. We just don't deem it worth it. So risk capacity: how much loss can we sustain without threatening our viability?

And it's always amazing to me. I mentioned the credit card companies; you look at other organizations and you think, oh, this is going to be the end of them. Equifax is still around. I mean, Equifax deals with credit, and when information about your credit history, your Social Security number, all that information is compromised by a company that oversees and documents credit reports, that's a huge compromise. I wouldn't have been surprised if they'd been out of business two months following, but they're not. They're still here. They're laying a little low, and I don't blame them. Target had 100 million credit card numbers compromised. They made some changes. They fired their CIO. They had him replaced. They went back and reinvented the architecture of their organization. But they sustained that risk. So often an organization has a very large risk capacity, if we're talking about these major industries.

Oh, I skipped over risk tolerance. So within my risk appetite, I may very much be a risk seeking organization, but for very particular instances I may have no tolerance for loss. I mentioned Tesla. Well, Tesla, all in all, is a risk seeking company, but because of the issues they've had with their self-driving vehicles, they have little tolerance for issues with their self-driving cars, because of the loss of human life. So they have a very small risk tolerance. So risk tolerance is the amount of variance from the risk appetite.

All right, I'll also just mention risk utility. And that's not here; it might be on the next slide. Nope, it's not. So let me just mention risk utility here. Risk utility: that's the reason we take risks at all. That's the good. That's the payoff of a risk. I love it when you see the lottery hit these astronomical figures, like $700 million, and all of a sudden everybody goes out and buys a lottery ticket, like they couldn't be bothered when it was only 25 million. "I'm waiting, because I only care about the 700 million; 25 million's chump change." And I mean, come on, folks, the more tickets there are, the less opportunity you've got to win. But anyway, we keep buying those tickets. Why? Because the risk utility is so high: the chance for payoff. With governance, we're expected to balance the risk utility with the potential for loss in specific risk events, specific situations, but also to set the overall risk appetite for the company, and to understand what our risk threshold is. What is that particular point that we will not cross? If you go to Vegas, you take out 100 bucks and you leave your wallet in your car, you're saying, "I will not exceed losing 100 bucks." I like to gamble, and it's so funny, because everybody's like, "I'll go and occasionally lose a little more than I planned," and everybody says, "Hey, leave your wallet in your car." I know where I parked. I'm not too proud to walk out to my car. But anyway, it's that risk utility, right? It's that potential for payoff. The risk threshold is the point I will not cross over. Risk capacity is, overall, how much I can stand to lose. Risk tolerance: for instance, I may have a very small tolerance for losing money on slot machines. I don't like slot machines; they're very, very poor odds. I do like some roulette, though, right? Much better odds. So I have a little tolerance: I may spend 10 bucks on the slots and just be done, whereas my overall tolerance may be much larger.

All right, controls. So we talk about risks. What do we do about them? Well, we implement controls, and controls are mechanisms we put in place to mitigate risk, and controls can be proactive or reactive, and we need both. Proactive controls are often referred to as safeguards. We safeguard our assets by putting something proactive in place. And when we talk about proactive, we're looking at preventive or deterrent. When we talk about reactive controls, we're looking at corrective or detective.
All right, so risk governance. Coming back to us, what's our job in relation to risk? First of all, to establish and maintain a common risk view. Now, this is going to come through research, due diligence, alignment with the business objectives, determining what our risk context is, what the value of our assets is, what the threats and vulnerabilities are. What's our philosophy? What drives our organization? Where do we want to be in five years? There's a lot of research that goes into this. All right, so as governing entities, it's up to us to determine what our risk view is, and along with that, what our risk appetite is. What's your philosophy on risk?

Now, the next piece is that it needs to be communicated throughout the organization, and we need an enterprise-wide strategy for addressing risks. Often a way to go about that is to take on compliance with a risk management framework. Specifically, there's NIST 800-34, or 37. There is OCTAVE, which is a risk management framework. There are other NIST documents, ISO 31000. But ultimately, when you incorporate a framework within your organization and design your methodology to meet the goals of that framework, you can't help but have it permeate throughout your organization, and we want to make sure that we're all building on the same framework. I don't want the IT department to have a different risk framework than production, and so on. I want that common risk view that's integrated all the way throughout.

Ideally, what that leads us to is having the capacity to make risk-aware business decisions. No more business decisions based on "well, if it ain't broke, don't fix it." That's one that I hear all the time, and I understand what they're getting at with that thought. What that's really saying, though, is let's just wait until it's broken before we decide to do something about it, right? That's very passive. Also, traditionally, with IT decisions specifically, folks have made decisions that weren't really balanced. So we look at our assets and we look at all the threats that are out there. And that was one approach: focus on assets and threats. We have all these wonderful resources, and look at what a big, scary world it is. So we pile on, pile on, pile on security mechanisms, and we haven't also looked at the fact that those threats are only valid if we have vulnerabilities. So sometimes, if we're too threat focused, we don't take a good look at where we are: what mechanisms we already have in place and the degree of security that we already have, our risk profile, what amount of risk exposure we're already exposed to. So ultimately, we want to make good, risk-aware business decisions. What am I protecting? What's it worth? What are the threats? What are the vulnerabilities? What is the potential for loss? What's the cost of a countermeasure? And ultimately, that's information security, and any other form of risk management essentially works the same way, the same concepts. All right, so making risk-aware business decisions is going to mandate that we put security controls in place to protect our assets.

OK, so once again, talking about the risk context, one of the first things for someone responsible for the governance of enterprise IT is understanding IT and its alignment within the business, within the organization: understanding how the technology supports the organization, understanding how technology helps us meet the goals or hinders us from meeting our goals. What are we protecting? What are the vulnerabilities? What are the threats? What would the potential for loss be? How many different elements outside of our control could impact our performance? Changes in the market, changes in policy, changes in billing from Medicare. I did insurance for health care for a long time. So ultimately, all of these elements contribute to the risk context, the environment in which we exist. And this risk context is then going to dictate our risk appetite. Are we risk seeking or are we risk averse, right? We've got to think about risk capacity. A lot of due diligence goes into making these decisions.

All right, so there is ISACA's risk management lifecycle: risk identification, assessment, mitigation, and response. So with risk identification, what we're focusing on is, again, a risk is made up of an asset, a threat, and a vulnerability. So we start with identifying assets. We look at threats, but then we look at existing controls that are already in place. And we want to look at the residual risk after those controls are in place. Do we still have vulnerabilities? Because if our existing controls are preventing the compromise, then we're good, right? We can't just say, look at all these threats. Look at what controls are already in place and how well they're protecting the assets. Then we look at the severity of the risk, and ultimately that will take us to risk assessment.
Risk culture. And I'm not going to necessarily go through each one of these slides, picking them all apart. Many of these slides are from ISACA's study in risk and information systems controls, so the CRISC certification. So some of these I'll spend more time on, and some of them I'll spend a little less time on.

Risk culture and communication. The way you affect culture is from the top. You cannot impact company culture from the bottom. It has to be from the top. So we need that top-down buy-in. We need to make sure senior management's on board, senior management gets it. And if the current senior management doesn't get it, then we have to do everything that we can to convince and to educate, right? Sometimes security awareness and commitment can spread, can be contagious. So as the director of IT, as the CIO, if I can bring in a focus within our organization on IT risks, that's to my benefit. The way I do that is I adhere to a risk management framework. We talk about risks. We communicate risks. It's brought into everything that we do. We have a risk management team. We have a common risk view. All those things that we've talked about.

The first piece, always, always, always: make sure the risk strategy, risk management goals, and risk management objectives are in alignment with the business. The first step is always to understand the business. So there might be a question where you're new to an organization and have been tasked with addressing risks within the organization. What's the first thing you should do? Understand the business. Learn about the business goals and objectives.

Now, when we look at risks, particularly information risks, we should have three lines of defense. So the first line: these are business units. Now, our business units are the folks that are closest to the technology. They're the ones dealing with the data and the information. These are our end users; the business units are on the front line. So on a day-to-day basis, they should be following processes that are designed to mitigate risks. They should have processes to report risks that have materialized. They should be risk aware. Ultimately, they're following the rules to mitigate risk. Now the second line: usually we have management, we have policies and procedures, and we have governance here too, where ultimately we oversee the risk management strategy of the organization. We set the goals, the objectives. And then our third line of defense is audit, right? Audit records information; audit's job is to review what happens on the first and second lines of defense, and their job is to provide independent assessment of the processes and whether or not they're being followed. Assurance, ultimately. So, three lines of defense. And sometimes, when we're talking about responsibilities within an organization, we might use what's called a RACI: responsible, accountable, consult, and inform. That's what RACI stands for.
All right, now, administrative controls. These are the result of policy. So again, governance is especially important in the development of strategy and policy. Separation of duties could be called segregation of duties, separation of roles. You don't get married to the specific term, but the idea of separation of duties is critical. The idea here is we want to make sure that no individual can commit fraud on their own. So the same person that signs paychecks isn't the same person that prints paychecks, right? Sometimes it's called forcing collusion, because in order to commit fraud, those two entities would have to collude. Now, of course, we don't want collusion to happen. But if someone is to commit fraud, they would have to collude with someone else.

Job rotation is good for cross-training. It's good to provide redundancy of staff. It's also a good detective mechanism. After six months you switch roles, so that someone can step in behind you, and they would be able to detect any sort of fraudulent activities; that would be the goal. Mandatory vacations are policies that are implemented a lot in the financial industry. So every employee might be forced to take seven consecutive days off in which they do not access their work email or remote into the office. They don't show up. They don't contact, they don't phone. And they're truly out of the office for seven consecutive days, and that's mandatory every year. And that's another detective means, so that we can get an understanding of what happens in the enterprise without individuals there.

Dual control and M of N control: these are controls that we put in place to prevent abuse of power. So for something particularly harmful or risky on a network, with dual control we might require that two administrators sign off on it, right? Like if you're going to cash a huge check, two bank managers have to sign. M of N control just means, however many administrators there are, a certain number have to sign off. So three of six, two of five, eight of twelve; it doesn't matter what the numbers are, they're just variables. Other things, like secure state: making sure that things fail in a secure manner.

All right, the principle of least privilege. No one gets more rights than they should have. Need to know: no one has access to more data than they should have. So least privilege is about rights and permissions; need to know is about action. Also, with senior management, we configure acceptable use policies. We determine the proper usage of company resources. We also will create policy to indicate who owns data, because that's different from field to field, and then also system ownership; there are just roles that should be documented.
All right, assets. We know what assets are. We know all the things that can be of value to our company, our data, our reputation. Now greatest asset. That's her people.
But second to our people, there are a few things that can harm an organization as much as a hit to reputation. Right. It's hard to recover from a reputation head. Okay, Mubasher house. The risk assessed. You know which controls are best for the situation. Well, that's exactly it
is. We don't just look at the potential for loss
versus the cost of the control. We have to look at the potential for loss
without the control than with the control,
because that will give us an idea of how effective the control is. I don't live that I said that really well. But ultimately it's the efficiency of the control and its effectiveness. That's really going to help us select which control is in place based on its cost benefit analysis.
So you're right, it's not enough to figure out what the probability and impact of a risk is. You've got an 80% chance of losing $10,000; that's an $8,000 risk. That doesn't mean I want to spend $7,500 to mitigate it, right? So I can look at various controls, examine how effective they are at mitigating that total risk, and then try to find one that mitigates the risk to a point that's acceptable, right?
The purpose of risk management is not to eliminate risks but to reduce them to the degree that's acceptable to senior management. You're exactly right: efficiency and effectiveness, perfect. One of the things that's often hard for us in information security is the idea of "just enough." When I say reduce to the level that's acceptable to senior management, there's always that point of diminishing returns. Maybe I can reduce further and further and further, but I'm not getting as high a return on investment. So it's all about that return on investment versus the cost and the potential for loss.
All right, again, with assets, when we're determining their value, there are a lot of things that make up the value of assets. It's easy to put a dollar value on hardware, but when it comes down to assessing assets like data, people, intellectual property, customer reputation, brand recognition, all those things are very, very difficult to do. So you can't always quantify your assets.
Okay, we look at threats. Threats come from all sorts of directions. People are the weakest link. Vulnerabilities, again, our vulnerabilities are people, but vulnerabilities also come from the software we use: poorly written code, poor implementation, policies that aren't there or, more likely, policies that aren't followed. And let me tell you, there is no due care if you have a policy that isn't enforced. Due care requires action. You put a policy in place, you have to monitor or audit, and you have to hold folks accountable, through retraining or whatever that may be, to enforce your policies. A policy is really only as good as its enforcement.
Oh, I think that's a great point, Lance. Absolutely. My internal processes are very much an asset, because you're right, that's what separates my organization from all the other organizations out there that produce the same product that I do. So, yeah, that's a great point: internal processes. And that could also fall under intellectual property. We may have patents, we may have trade secrets that are incorporated in that. That absolutely includes our processes.
All right, I think that's a splendid spot to take a quick break. We're going to come back and talk about risk ownership. It is 3:45; let's be back at 3:52, and we will pick up and continue talking about risks. We'll wrap up Chapter four today with risk ownership and risk optimization.
All right, welcome back. Welcome back to CGEIT, Certified in the Governance of Enterprise IT. We're talking about probably one of the most important elements of enterprise IT and of governance: appropriately managing, and overseeing the management of, risks, because risk is what it's about, right? Every organization faces risks. Some are predictable, some are not. But our ability to address them and to continue moving forward, that's what separates us. So we talked about risk identification, and we're now up to the piece where we want to talk about risk ownership.
Risk ownership. Your risks should be assigned to an individual high enough in the organization that they can actually make a change and be responsible for implementing mitigation. You know, sometimes we make the folks closest to the risk the owners of that risk, but the problem is that they really can't impart change. So what we need is a way to ensure that the appropriate parties, the ones who can appropriately address the risk, implement mitigation, and fund risk response, are the folks who get the ownership. So it could be in the business; it could be the head of a department; it could be a senior manager, just depending.
All right, now one of the essential documents that will really help us in managing risk is a document called the risk register. Now, I've given you a risk register template. You're not going to get a quiz on what the third field on the risk register is, but I wanted you to see one, just to give you an idea of some of the elements that would be on a risk register.
So this document is an important piece of risk management, as its job is to provide a central repository for information about risks. So what is the risk? What category is the risk? Sometimes technical, sometimes administrative, sometimes HR-related, software-related, whatever. So we categorize the risk, and by categorizing the risk, often that'll help us figure out who the risk owner should be. You see it's a technical risk; the owner is the chief technical officer, so that makes sense. We give a risk ID just so that we can reference it. Probability and impact, or impact and likelihood, are addressed. Impact times likelihood gives a risk ranking; we can then sort based on the ranking so that we can put risk management strategies in place in the areas that have the greatest risk.
We have a prevention plan and a contingency plan. So your prevention plan: ideally, we want to keep that risk from happening at all. But if it does happen, then what's our plan? So preventive stops it from happening, in theory, and then contingency: if it does happen, now what? Okay, and then residual risk. What's that? The leftover amount of risk that we're left with.
All right, now risk scenarios, conducting risk scenarios. I've got a lot of slides here; I'm not going to go through every single one. But conducting risk scenarios, these are your what-ifs. Okay, so when we think about the risks related to IT, and they differ, we have to play these through, because everything we might be implementing for good can be used for evil out in the world. We've seen this time and time again. So when we're looking at business-related risks or risk scenarios, we think about the different categories of risk.
So there are some risks that just come with being in business, right? So risk scenarios will play through all the various elements. What if our product isn't well received? What if our product is well received, and we don't have the staff to produce more product? What if we don't have the trained staff? Project-related risks: what if scope creep happens? What if we can't keep our staff motivated? What if we fail to meet the requirements of the contracts we've signed? So the idea is risks come from all over. Risk scenarios: I just had business risks and project risks there; there are technology risks, there's legacy equipment risk, there are control risks, right? There are risks from across the board.
But with risk identification, my job in risk identification is strictly to identify the assets and look at threats and vulnerabilities. Risk scenarios can help with that, as you play the what-if and you look at your assets and think, what are the things that could threaten them?
Okay, now our next step. Once we've identified our risks, what we want to do is find a value for those risks, a loss potential, and that's where risk assessment comes in. So with IT risk assessment, here's the difference: identification just names assets, threats, vulnerabilities; risk assessment, which can also be called analysis or evaluation, gives me a value.
Oh, excuse me. That wasn't in all your ears. Hang on. All right, I've got a frog in my throat, and it literally feels like a frog. So, all right, risk assessment is all about value. I think I'm out of honey and tea, and I'm going to need to get some more, but that's okay. Wait a few minutes. It cracks me up sometimes; I literally do just get choked up.
Anyway, so risk and control analysis: current state versus desired state. That's one of the things that we're responsible for with our policies and with oversight of risk management, and really technology management. Are we where we want to be? How do I know? Well, figure out where you want to be, look at where you are, see how far apart they are, and then you've got to figure out how to close the gap.
So some of the tools that we might use: we might use capability maturity models, and you'll keep hearing the term "maturity models." Ultimately, it's looking at the maturity of your process. The more mature the process, the better the product; that's kind of the philosophy here. So organizations that have been in project management, or have very solid processes in place and have for years, may get a very high level of rating from the capability maturity model. Now that's beneficial to me, because the higher my rating, the more customers will buy my product, right? Just like any kind of evaluation. And there are restrictions at certain government agencies: they can't even do business with you unless you're at a Level 3 or greater. So maturity models are one of the things that we use for gap analysis. We can look at certifications that we're wanting to get; you know, we want to get ISO 27001 certified. ISO 9000 was really big. So we look at what we want and where we are, and our goal is going to be to close the gap.
How do we close the gap? We change our policies, procedures, and guidelines; we implement security controls, or controls to better mitigate risk.
Now, when we are trying to get a value for risks, two types of value are helpful: qualitative and quantitative. So when we talk about qualitative analysis, we're using terms like "there's a very low likelihood," "there's a medium or moderate likelihood," "high," "very high." These are very subjective words. They're good to give a quick idea of the potential for the risk. Yeah, it's highly likely it's going to snow today. Uh, it's snowing today, so... I didn't check my barometer. I'm not a meteorologist. I simply said, based on what it looks like outside, the fact that it feels cold and it's cloudy, we'll probably get some snow. Okay, that's a qualitative assessment. So what did I do about that? Well, I didn't know how much money, or how big a deal, or how much snow, but it did allow me to act. I went and got my son from school a little bit early. That wasn't based on any fact. I didn't make a profound business decision based on it. I just said, well, probability is high, impact on the roads is high here in Maryland, so let's go ahead and make a decision.
What I'd rather have owned, by the way. Excuse me.
This is a probability and impact matrix, and this comes from the risk register we just saw a few minutes ago, where we looked at probability and impact, where you see impact and likelihood multiplied together to give a risk ranking. Usually that's illustrated to our team or to stakeholders on a probability and impact matrix, so you can see where you multiply them together: high probability, high impact, those are situations where you need a very active risk response. You can't be passive, right? Get an active risk response. In the orange areas, we want to be pretty active too; yellow, a little bit less; and in the green areas we're much more tempted to accept a risk.
Now I will mention, in the event that you accept a risk and that risk materializes and has a large amount of impact, you should still have your disaster recovery plan and business continuity to keep you going. That doesn't mean that we want to fall to that degree, but ultimately, disaster recovery and business continuity should be that safety net underneath.
All right, so qualitative assessment says, yeah, this is a high priority, this is less. But quantitative analysis gives us empirical data that we can act on. Okay, I want to find out, for instance, that 80% of the time, a network that has no anti-malware... that organization is compromised, right? And the average loss is three days. Well, three days' worth of our company's data is $6,000 a day, so that's an $18,000 loss. I want numbers. I want empirical data, because when I get that, it will help me justify my risk response. Do I spend $200? Do I spend $2,000? Do I spend $200,000? It depends on the potential for loss, the value of the asset, and the cost of the control.
So we have to evaluate those, and the more quantitative results I get, the better. You know, if I have a loss potential of $20,000, I may be able to just about justify spending $15,000 to protect it, right? But I don't know that if we're just using words like high, medium, low. So quantitative gives me a better understanding of the data I'm working with, and it's much better for cost-benefit.
And then also, you can't forget disaster recovery and business continuity; that falls under the oversight of governance. Ensuring that we have a disaster recovery plan and a business continuity plan that is sufficient for our organization: we're responsible for ensuring that plan is tested, that the results of the tests are reviewed, and that improvements are made as necessary. Liability for these issues always comes back on senior management.
All right, now the disaster recovery plan and business continuity plan. Sometimes those terms are used interchangeably, and they're really not. Business continuity is about the overall impact on the business as a whole and being able to keep the business going no matter what; we keep moving forward. We have to think about all the business processes, and we need to make sure that we have redundancy in place as necessary and that operations continue. Business-focused. Now, disaster recovery tends to be more IT-focused. Business continuity is about the business, but disaster recovery is about restoring IT operations as quickly as possible, based on the criticality of those resources. And when we say criticality, we're talking about: what are those elements, what are those processes, those systems, that cause the greatest loss the longer they're down? Okay.
All right. Now there have to be specific metrics included in our disaster recovery plans and business continuity plans so that we know what is an acceptable time frame. So recovery time objective is going to indicate the amount of time that's necessary to restore a resource to full operations: how quickly we can restore a resource to its full capability. Acceptable interruption window is how quickly we can get back up and running. And often that may be with a skeleton crew, that may be with duct tape and chewing gum, but we're running, right? We're not fully restored, but our critical services are back online. So it's along the lines of recovery time objective, but RTO is full recovery; AIW is a portion where we can continue operations. And then RPO, recovery point objective, that's our tolerance for data loss.
And when we talk about data loss, you know, how current must our information be? Are we okay with losing a day's worth of data? I doubt it. Well, if we're just doing nightly backups, we're saying we're okay losing a day's worth of data. So we may decide to do off-site electronic vaulting or remote journaling or some other way of mirroring data, but something else. So recovery point objective is how current our data must be. These terms are almost always defined in a document called the business impact analysis, the BIA.
Okay, when we have policies, there will be exceptions, but we don't change policy to meet exceptions. Policy is policy, and exceptions are, you guessed it, exceptions: documented exceptions, but they don't have an impact on policy.
All right, we talked about risk ownership. Our next section: so we've identified risks, we've figured out the value, and the purpose of quantitative analysis is to justify our mitigation strategy. Well, when we look at mitigation, we really have four appropriate responses: risk acceptance, risk mitigation, risk avoidance, and risk transference. So risk acceptance: sometimes you just have to accept a risk. Sometimes the cost of the countermeasure for a risk is just too high, and you can't justify spending the cost of the countermeasure, so you accept the risk. Or sometimes there literally is no choice: it looks like we're going to be behind schedule, but there's nothing we can do about it; you just have to accept.
Okay, so we want to make sure that we understand risk acceptance is absolutely a valid response. But I will tell you, if you go back and you look at this probability and impact matrix, risk acceptance is probably only going to be viable in these areas that are green, right? You don't want to accept risks with very high impact and very high probability. So, you know, your risk management strategy may include: okay, risk areas in green will be accepted; risk areas in red will be actively mitigated until the remainder, the residual risk, is in the green area. So that's part of your documentation or plan.
All right, so risk acceptance is a viable option. It's frequently when the cost of the countermeasure is greater than the potential for loss. It is a decision that involves due diligence. It isn't one of those "la la la, I don't want to think about it"; that's risk rejection, and risk rejection does not show due diligence. Sometimes called risk
All right. Now, just some examples again: when you're in a situation where you have no choice but to accept the risk, or when the cost of the countermeasure is more than the potential for loss. Now, with risk mitigation, what we're looking to do here is lessen the probability and/or impact of the risk. Okay, so we're lessening probability and/or impact. I can't lessen the probability of snow, but I can take an umbrella and snow boots with me when I go out. I can't lessen the probability of a virus hitting my network, but I can have anti-virus software that'll mitigate, lessen the loss. Okay, so risk mitigation. And often we implement multiple layers of mitigation, right? Like with fire safety: I have fire policy in place, I choose where I store my information, I train my team members, I have fire extinguishers, I have sprinkler systems, right? And we continue to mitigate, and what's left over we might transfer through insurance, or we might just accept.
Even though we don't eliminate risks, there are specific risks we can avoid. With risk avoidance, we're going to lessen the probability and/or impact all the way down to zero. It's the ultimate risk mitigation, and we're going to choose to avoid risks when the potential for loss is so great, particularly matters involving human life or anything that would have a catastrophic result for the organization. So, for instance, I'm looking at opening a branch office in an area of political unrest. It's too risky; I'll just not do it. That's risk avoidance. You can't avoid all your risks, but specific risks you can avoid.
And then risk sharing and transference: we're going to share the potential for loss with someone else. Insurance is a good example. Service level agreements are good examples. Remember, though: you can transfer risk, you cannot transfer liability. I can transfer risk; I cannot transfer liability. So I'm a health care provider, and I've determined that I just cannot store my information locally in a manner that's compliant with HIPAA. So I find a cloud service provider specializing in HIPAA compliance; I store my data in the cloud. The cloud service provider has a compromise and the data is leaked. Who's responsible for the leakage of data? I am. I'm the owner of the data. It is my responsibility; legally, under HIPAA, I'm responsible. Now, I get my fine under HIPAA. Can I turn around and sue the cloud service provider for not meeting their SLA? Sure, but that's not liability, right? That's not liability under HIPAA. So I've got recourse by sharing the risk, but I do not have the ability to transfer liability.
And ultimately, what we want to make sure that we're doing is mitigating in the manner that brings the highest return on investment. There we come right back around to talking about value, value, value, right? We mitigate to the degree that risk is acceptable to senior management, at the lowest cost, with the highest return on investment.
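The register arithmetic from this part of the session (impact times likelihood for ranking, loss potential without versus with a control, acceptance in the green zone, mitigation until residual risk is acceptable, otherwise transfer or avoid), worked through as an added example. This is not course material; the register entries, controls, matrix colouring and the $2,500 acceptable-loss figure are all constructed.

```python
"""Risk register arithmetic: impact x likelihood ranking, matrix zones, and
choosing a control by comparing loss potential without and with it.
Added example, not course material; all figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    effectiveness: float  # share of the loss potential the control removes (0..1)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str
    owner: str
    likelihood: int          # qualitative score, 1 (very low) .. 5 (very high)
    impact: int              # qualitative score, 1 (very low) .. 5 (very high)
    probability: float       # quantitative annual probability, 0..1
    loss_if_realized: float  # quantitative loss in dollars if the event occurs

    def ranking(self) -> int:
        """Impact times likelihood: the sort key for the register."""
        return self.impact * self.likelihood

    def zone(self) -> str:
        """Constructed colouring of a 5x5 probability/impact matrix."""
        r = self.ranking()
        if r >= 15:
            return "red"      # active response required
        if r >= 10:
            return "orange"
        if r >= 5:
            return "yellow"
        return "green"        # acceptance is normally viable here

    def loss_potential(self) -> float:
        """Probability times loss: an 80% chance of losing $10,000 is an $8,000 risk."""
        return self.probability * self.loss_if_realized


def evaluate_control(risk: Risk, control: Control) -> dict:
    """Loss potential without the control versus with it."""
    before = risk.loss_potential()
    after = before * (1.0 - control.effectiveness)  # residual risk
    reduction = before - after
    return {
        "control": control.name,
        "residual": round(after, 2),
        "net_benefit": round(reduction - control.annual_cost, 2),
        "roi": round(reduction / control.annual_cost, 2),
    }


def select_response(risk: Risk, controls: list, acceptable_loss: float) -> dict:
    """Accept in the green zone; otherwise mitigate with the control that
    brings residual risk within the acceptable level at the best net benefit;
    if no control does that and pays for itself, escalate to the risk owner
    to transfer (insurance, SLA) or avoid."""
    if risk.zone() == "green":
        return {"response": "accept", "residual": round(risk.loss_potential(), 2)}
    evaluations = [evaluate_control(risk, c) for c in controls]
    viable = [e for e in evaluations
              if e["residual"] <= acceptable_loss and e["net_benefit"] > 0]
    if viable:
        best = max(viable, key=lambda e: (e["net_benefit"], e["roi"]))
        return {"response": "mitigate", **best}
    return {"response": "transfer_or_avoid", "owner": risk.owner,
            "residual": round(risk.loss_potential(), 2)}


def sorted_register(risks: list) -> list:
    """Risk IDs ordered by ranking, highest first, so effort goes where risk is greatest."""
    return [r.risk_id for r in sorted(risks, key=lambda r: r.ranking(), reverse=True)]


# Constructed register entries and candidate controls (illustrative figures only).
REGISTER = [
    Risk("R-001", "technical", "CTO", 4, 4, 0.80, 10_000),
    Risk("R-002", "technical", "CTO", 4, 5, 0.80, 18_000),  # no anti-malware: 3 days at $6,000
    Risk("R-003", "administrative", "HR director", 1, 2, 0.05, 4_000),
    Risk("R-004", "business", "COO", 3, 5, 0.50, 100_000),
]
CONTROLS = {
    "R-001": [Control("Patch and harden", 7_500, 0.95), Control("Network segmentation", 1_500, 0.75)],
    "R-002": [Control("Anti-malware", 3_000, 0.90)],
    "R-003": [Control("Extra approval step", 500, 0.50)],
    "R-004": [Control("Hot site", 60_000, 0.90)],
}
ACCEPTABLE_LOSS = 2_500.0  # constructed risk appetite set by senior management


if __name__ == "__main__":
    for rid in sorted_register(REGISTER):
        risk = next(r for r in REGISTER if r.risk_id == rid)
        print(rid, risk.zone(), round(risk.loss_potential(), 2),
              select_response(risk, CONTROLS[rid], ACCEPTABLE_LOSS))
```

Note how R-001's $7,500 control pays for itself only barely (net benefit $100) while the cheaper control clears the acceptable level with a far better return, which is the "just enough" point the session makes.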
And then, of course, after that... I'll just mention: so we design and implement our controls. I just want to get to the fact that after we implement those controls and put them in place, the final step is monitoring and controlling. When we implement controls, we have expectations and well-documented objectives. Once the mitigation strategies are implemented and the controls are in place, we then monitor to determine if the controls are meeting their objectives. Some controls become less effective over time. The threat landscape changes; new threats are emerging all the time. Vulnerabilities that were previously undetected are now being detected, so we have to continue to monitor the control elements that we put in place, and ultimately, again, the purpose here is to verify that the control is effectively addressing the risk.
The risk owner should ensure that the risk is being addressed; they should oversee the monitoring and controlling, and they are ultimately responsible for the mitigation of the risk, whatever the asset is. If they're the owner, they have the accountability, and that's why risks have to be assigned up the food chain.
Okay, so when you're looking to monitor controls, the first step is: who's the owner? Communicate with your stakeholders, right? If I'm a risk practitioner... you know, we want to make sure that the risk practitioner is communicating with us and helping us determine what the best mitigating strategy is. My job is to make sure that risk control is in alignment with the business and is implemented in such a way that we see a return on investment. Again, return on investment is not always dollars; value does not always translate to money, right? We could improve efficiency, we can prevent loss, we have all of these different ways: improve the goodwill of the community, lots of things that aren't necessarily dollar-driven. But we monitor the controls and make sure that they're mitigating the risk as we have determined.
And then ultimately, our control assessment is provided through a report where we document, and we need to do this in a timely fashion, right? We need that report to indicate how the risk control is mitigating the risk. We need skilled analysts. We have to use the best data that we can. Sometimes data isn't available; sometimes data isn't complete. You know, we could put a mitigation strategy in place, and that risk never materializes, so we don't know if that mitigation strategy had any impact on the risk. So we may not have all the information, but we document what we have.
Now, some tools that are very helpful for use in monitoring risks: something called a KRI, and a KRI is a key risk indicator. You can think about this as a trigger. It's an indication that a risk is about to materialize, and this should be documented on the risk register. So, for instance, I'm worried about a denial of service attack on my web server. So a key risk indicator might be processor utilization on that server exceeding 50%. Whoa, something's going on there. That's a warning sign that a risk event may be materializing, and that's what a KRI is. It's designed to give us early warning and ultimately help us collect information so that we can better manage risks.
Okay, some good KRIs. You know, again, I'm not going to read all these, but like I said: performance on particular servers, rogue devices on the network or unaccounted-for devices, things like how long it takes to patch systems, are there service level agreements that aren't being met. They're all types of key risk indicators. Those should be documented on the risk register, and they should be monitored.
All right. And again, just some elements that help us optimize our risk indicators. You know, again, we want to make sure that we have risk indicators that give us enough time to mitigate the risk. Like, we don't want an indication of "Yep, CPU is at 99% utilization. Probably a problem." Yeah, you can't do anything at that point, right? We want to make sure that it's sensitive enough to detect critical errors without having too many false positives. We want to determine how frequently we want to monitor: early and often, but how early? How often? And then we also want that contingency plan, or our corrective actions, should we see the KRIs. Again, it doesn't guarantee the risk is going to happen, but it's an indication that it's coming.
Monitor logs, monitor logs, monitor logs. Now again, that's not the responsibility of governance, but governance is responsible for making sure this happens. Logs: we need a policy on how often to evaluate logs, on how we filter through logs so that we can limit the information that really isn't relevant, how we can pull the log information together in a timely manner, the way logs should be monitored.
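The KRI tuning points from this part of the session (a warning level that fires while there is still time to act, enough sensitivity without too many false positives, and a documented link back to the register entry) as an added example, run over a constructed series of CPU samples for the web server in the denial of service scenario. This is not course material; the persistence rule, the 99% "too late" level and the sample values are assumptions.

```python
"""Key risk indicator (KRI) evaluation: a warning threshold that fires while
there is still time to act, with a persistence rule so a one-off spike does
not raise a false positive. Added example, not course material; the metric
samples and thresholds are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    risk_id: str       # register entry the indicator is documented against
    threshold: float   # warning level, e.g. 50 (% CPU)
    critical: float    # level at which it is too late to act, e.g. 99
    persistence: int   # consecutive samples at/over threshold before warning


def evaluate_kri(kri: KRI, samples: list) -> dict:
    """Walk (timestamp, value) samples in order and report when the KRI warned,
    when the metric went critical, and how many samples of lead time that gave."""
    run = 0
    warning = None
    critical = None
    ignored_spikes = 0
    for idx, (ts, value) in enumerate(samples):
        if value >= kri.threshold:
            run += 1
            if run == kri.persistence and warning is None:
                warning = (idx, ts)
        else:
            if 0 < run < kri.persistence:
                ignored_spikes += 1  # short blip below the persistence rule, not reported
            run = 0
        if value >= kri.critical and critical is None:
            critical = (idx, ts)
    lead = None
    if warning is not None and critical is not None:
        lead = critical[0] - warning[0]
    return {
        "kri": kri.name,
        "risk_id": kri.risk_id,
        "warning_at": None if warning is None else warning[1],
        "critical_at": None if critical is None else critical[1],
        "lead_samples": lead,
        "ignored_spikes": ignored_spikes,
    }


def gives_enough_lead(result: dict, min_lead_samples: int) -> bool:
    """The KRI is useful only if it warned before the metric went critical
    and left at least the agreed number of samples to respond."""
    if result["warning_at"] is None:
        return False
    if result["critical_at"] is None:
        return True  # warned, and the situation never became critical
    return result["lead_samples"] >= min_lead_samples


# Constructed 10-minute CPU samples (%) for the web server in the DoS scenario.
CPU_SAMPLES = [
    ("09:00", 12.0), ("09:10", 18.0), ("09:20", 65.0),  # one-off spike
    ("09:30", 20.0), ("09:40", 22.0), ("09:50", 55.0),
    ("10:00", 60.0), ("10:10", 72.0), ("10:20", 85.0), ("10:30", 99.0),
]

# Constructed KRI tied to the register entry for the web server DoS risk.
WEB_CPU_KRI = KRI("web server CPU utilisation", "R-002",
                  threshold=50.0, critical=99.0, persistence=2)


if __name__ == "__main__":
    result = evaluate_kri(WEB_CPU_KRI, CPU_SAMPLES)
    print(result)
    print("enough lead for a 30-minute response:", gives_enough_lead(result, 3))
```

With persistence set to 2 the 09:20 spike is ignored and the warning fires at 10:00, three samples before the 99% level; setting persistence to 1 warns at the spike instead, which is the false-positive trade-off the session describes.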
We can also look to external sources of information for risk. You know, it's difficult keeping up with all the risks related to technology today. There are a million different risks from a million different directions: from hardware, from software, from firmware, device drivers, the operating system kernel, you know, malicious attacks, so on and so forth. So due diligence says we keep ourselves knowledgeable. We look to external sources like MITRE and CERT. We could look at OWASP, which would help give us information about web applications. But the bottom line is, part of due diligence is to stay knowledgeable.
All right, so that brings us to the end of risk optimization. You really want to make sure that you understand ISACA's Risk IT lifecycle. Start with identifying your risks, assess them to get a value, mitigate accordingly, and then continue to monitor. All right, we look at identification by examining assets, threats, and vulnerabilities. Assessment could be either qualitative or quantitative. Qualitative is subjective; quantitative is objective, and it uses empirical data, so that's very helpful. The empirical data from quantitative analysis is then used to help us determine which mitigation strategies are the best for us in that particular situation. And then we continue to monitor and control risks throughout the lifespan of the control, because the threat landscape changes.
All right, we're pretty close to running out of time, and I've already had that happen once today. So that's the end of risk optimization, and we're going to go ahead and wrap things up and call it a day. I do like to close with finding out if anybody has any questions, or anything that I can explain a little better or elaborate on, before we wrap up.
Mm, Lance. Good. Good point there.
So, Red, what a maturity model looks at is the maturity of the process, and it provides assurance. So when we're talking about assurance, we're looking at a tried-and-true process. Now, that assurance is going to include things like testing for compliance, testing for, you know, change control, a certification process. So, ultimately, the maturity model should validate that those processes that test effectiveness, like penetration testing and vulnerability assessments, are completed. So it doesn't tell you how to assess vulnerabilities, but it verifies that those processes are in place. Does that help a little bit? So one of the processes that gets verified would be the testing elements that are part of your project management.
Anybody else? Great. I'm glad.
All right, folks. It is 4:27, so we're going to wrap things up this afternoon. Listen, thanks for spending your afternoon with me today, and I look forward to seeing you on Thursday. We'll be close to wrapping things up. So, you know, just to give you an idea, Chapters five and six are pretty short, so it's possible we'll be able to do that. So I hope you have a great afternoon. I look forward to seeing you in future classes. Take care.
Certified in the Governance of Enterprise IT (CGEIT)

This course is designed to be a supplementary resource to the preparation for the CGEIT certification exam. CGEIT certification consists of professional knowledge and application of enterprise IT governance principles and practices.
