CISM

Course
Time: 8 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 9

Video Transcription

00:01 All right, we mentioned that this next section is gonna cover the risk register, and the risk register is a really important document. Um, we need a central repository to document risks, to determine who has ownership of a risk, to document risk responses and to continue working with risk responses throughout.

00:29 Now, out of the four stages of the risk management lifecycle, again identification, assessment, mitigation and ongoing monitoring and controlling, the risk register is created in risk identification. But it's utilized in all four phases of the life cycle. Okay, so what? Our job here is to identify all known risks. Now, I hate when we say to do this, to document all. "All" is such a hard and fast term. You know, I could spend a year and not document every single risk, but ultimately, what we're going to do in the next section is we're gonna talk about qualitative analysis that's really going to kind of help us in determining the risks that we document. Right? So if I'm having a picnic, I may very well document the risk of rain. I'm probably not going to document the risk of a family of bears coming through and stealing everybody's picnic basket. Okay, so we're gonna do this within reason.

01:36 Now, this is an example of a risk register. By no means am I saying this is perfect, but it does have some elements that are very helpful. So you'll notice I've given the risk, first of all, a category, and that risk category is gonna help us determine who owns the risk. All right, we're looking at a distributed denial of service attack, and then we're going to give it a risk ID. A lot of times when you're charting or documenting, these words can kind of clutter up your diagrams and your charts. So we're just gonna give it an ID number that we can use to refer to it.

02:10 All right, then, the next piece: impact and likelihood. Again, you might hear severity and probability, however you hear this. Now, even though you're seeing numbers here, impact three, likelihood five, that's really not a true empirical data, numeric-based analysis. It's not a true quantitative analysis, 'cause what does three mean and what does five mean? Well, what's the scale? 1 to 10? 1 to 1000? Right, and then the idea of who's really said, out of everything, out of a scale of 1 to 10, it's a three. You know, usually what we're looking for when we get to quantitative analysis is dollar value of the asset times probability of loss, to really give us a number we can act on. Like this risk ranking: impact three, likelihood five gives a ranking of 15. That doesn't tell us how much money to spend on mitigation. It just, you know, it helps us prioritize, because later on I can sort by ranking and I can devote my resources to those areas with the highest risk.

03:21 Okay, triggers are gonna be an indicator that a risk is about to materialize. You can think in your mind KRI, key risk indicator. So when I start to see increased traffic directed at this particular server, I can, you know, start thinking, okay, this may be a denial of service attack. Now, one thing I don't like with this is, what is increased traffic? Increased by 1%? 20%? So what would be a better trigger would be something to the effect of processor utilization exceeds 50% for more than two minutes. Okay, so being more specific.

04:02 All right, now, how are we gonna prevent a distributed denial of service attack? And then what are we going to do if we have one? Well, to prevent, we're gonna implement a firewall, and IDS won't really prevent, it will notify. So we might think of changing that to an IPS. Um, so this is one I've taken off the internet and it's decent, but just, you know, know that nothing's gonna match exactly what we do in our organization.

04:31 All right, contingency plan. So the prevention plan is to keep it from happening, and the contingency plan is: it's happening, now what? So if we are under attack from a distributed denial of service, then can we fail over gracefully to an off-site location or to another server? And then what's the amount of risk that's left over after I mitigate? Well, when I implement these protective controls and/or if I do have to go into contingency, perhaps my performance will take a hit. You know, when you're inspecting traffic from a firewall, particularly depending on the type of firewall, you may see performance decrease. Is it decreasing to a point that it's still acceptable by senior management?

05:21 All right, now we have to train people in risk, and the risk register is really something that we're gonna use with the risk management team. That's not being distributed to the masses. But some of the concepts about understanding what our risks are, who owns those risks, what prevention we have in place, perhaps mitigating strategies for particular risks, that information will be made public. Sometimes it's just gonna go to the owner; sometimes, like I said, it's just going to stay on the team. But ultimately, understanding who risk owners are, knowing those triggers and what we're looking for, those key risk indicators, are a way that we can kind of get the jump before a materializing risk becomes a much larger problem than we want to see.

06:13 All right, and that wraps up risk identification. Next section is gonna be risk assessment.
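As an added example that is not part of the transcript or the course material, here is a small Python model of the register row the instructor walks through (category, ID, impact, likelihood, ranking as impact times likelihood, trigger, prevention, contingency, residual risk), with the ranking used to sort the register and the "processor utilization exceeds 50% for more than two minutes" trigger evaluated over a series of CPU samples. The risk IDs, the second register row, the 1-5 scale and the CPU samples are constructed assumptions, not from the lecture.

```python
from dataclasses import dataclass
@dataclass
class Risk:
    risk_id: str       # short ID used in charts instead of the wording (IDs constructed)
    category: str      # category decides who owns the risk
    description: str
    impact: int        # qualitative score; the scale (assumed 1-5 here) must be agreed
    likelihood: int    # qualitative score on the same agreed scale
    trigger: str       # the KRI that says the risk is about to materialize
    prevention: str
    contingency: str
    residual_risk: str # what is left after the controls are in place

    @property
    def ranking(self) -> int:
        return self.impact * self.likelihood  # 3 x 5 = 15: a priority, not a dollar figure

def prioritize(register):
    """Sort the register so the highest-ranked risks get resources first."""
    return sorted(register, key=lambda r: r.ranking, reverse=True)

def kri_fired(samples, threshold=50.0, duration_s=120):
    """Trigger 'CPU above threshold for more than duration_s'. samples are
    (seconds, cpu_percent) in time order; a sample at or below threshold resets
    the run, so a short spike does not fire."""
    run_start = None
    for t, cpu in samples:
        if cpu > threshold:
            if run_start is None:
                run_start = t
            elif t - run_start > duration_s:
                return True
        else:
            run_start = None
    return False
# The lecture's DDoS row plus one constructed row so there is something to sort.
REGISTER = [
    Risk("R-02", "Availability", "Distributed denial of service", 3, 5,
         "Processor utilization exceeds 50% for more than two minutes",
         "Firewall; IPS rather than IDS so the control prevents instead of notifying",
         "Fail over gracefully to an off-site location or another server",
         "Performance decrease from traffic inspection; senior management to accept"),
    Risk("R-07", "Confidentiality", "Phishing of staff credentials (constructed)", 4, 2,
         "Reported phishing emails exceed 10 per week", "Awareness training; MFA",
         "Reset affected credentials; review sign-in logs", "Account takeover still possible"),
]
# Constructed CPU samples: sustained load fires; a dip below 50% resets the run.
CPU_SUSTAINED = [(0, 55), (60, 62), (120, 70), (180, 66)]
CPU_WITH_DIP = [(0, 55), (60, 45), (120, 70), (180, 66), (240, 71)]
```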

Up Next

CISM

Cybrary's Certified Information Security Manager (CISM) course is a great fit for IT professionals looking to move up in their organization and advance their careers and/or current CISMs looking to learn about the latest trends in the IT industry.

Instructed By

Kelly Handerhan
Senior Instructor