We mentioned that this next section is going to cover the risk register, and the risk register is a really important document. We need a central repository to document risks, to determine who has ownership of a risk, to document risk responses, and to continue working with those risk responses throughout.
Now, out of the four stages of the risk management lifecycle (again: identification, assessment, mitigation, and ongoing monitoring and controlling), the risk register is created in risk identification, but it's utilized in all four phases of the lifecycle.
Okay, so what? Our job here is to identify all known risks. Now, I hate when we say to document "all" of them. "All" is such a hard and fast term; I could spend a year and not document every single risk. But ultimately, what we're going to do in the next section is talk about qualitative analysis, which is really going to help us determine which risks we document. Right? So if I'm having a picnic, I may very well document the risk of rain. I'm probably not going to document the risk of a family of bears coming through and stealing everybody's picnic basket. We're going to do this within reason.
Now, this is an example of a risk register. By no means am I saying this is perfect, but it does have some elements that are very helpful. So you'll notice I've given the risk, first of all, a category, and that risk category is going to help us determine who owns the risk. All right, we're looking at a distributed denial of service attack, and then we're going to give it a risk ID. A lot of times when you're charting or documenting, these words can clutter up your diagrams and your charts, so we just give it an ID number that we can use to refer to it.
All right, then, the next piece: impact and likelihood. Again, you might hear severity and probability, however you hear this. Now, even though you're seeing numbers here, impact 3, likelihood 5, that's really not a true empirical, numeric, data-based analysis. It's not a true quantitative analysis, because what does 3 mean and what does 5 mean? Well, what's the scale? 1 to 10? 1 to 1000? Right, and then who really said that, out of everything on a scale of 1 to 10, it's a 3? Usually what we're looking for when we get to quantitative analysis is the dollar value of the asset times the probability of loss, to really give us a number we can act on. A risk ranking like impact 3 times likelihood 5 gives a ranking of 15. That doesn't tell us how much money to spend on mitigation; it just helps us prioritize, because later on I can sort by ranking and devote my resources to those areas with the highest risk.
Triggers are going to be an indicator that a risk is about to materialize. You can think in your mind: KRI, key risk indicator. So when I start to see increased traffic directed at this particular server, I can start thinking, okay, this may be a denial of service attack. Now, one thing I don't like with this is: what is "increased traffic"? Increased by 1%? 20%? So what would be a better trigger would be something to the effect of "processor utilization exceeds 50% for more than two minutes." Okay, so being more specific.
All right. Now, how are we going to prevent a distributed denial of service attack? And then what are we going to do if we have one? Well, to prevent, we're going to implement a firewall and an IDS. An IDS won't really prevent; it will notify. So we might think of changing that to an IPS. This is one I've taken off the internet, and it's decent, but just know that nothing is going to match exactly what we do in our organization. All right, contingency plan. So the prevention plan is to keep it from happening, and the contingency plan is: it's happening, now what? So if we are under attack from a distributed denial of service, then can we fail over gracefully to an off-site location or to another server?
And then, what's the amount of risk that's left over after I mitigate? Well, when I implement these protective controls, and/or if I do have to go into contingency, perhaps my performance will take a hit. You know, when you're inspecting traffic with a firewall, particularly depending on the type of firewall, you may see performance decrease. Is it decreasing to a point that's still acceptable to senior management?
Now we have to train people in risk, and the risk register is really something that we're going to use with the risk management team; that's not being distributed to the masses. But some of the concepts, understanding what our risks are, who owns those risks, what prevention we have in place, perhaps mitigating strategies for particular risks, that information will be made public. Sometimes it's just going to go to the owner; sometimes, like I said, it's just going to stay on the team. But ultimately, understanding who the risk owners are, knowing those triggers and what we're looking for, those key risk indicators, are a way that we can get the jump before a materializing risk becomes a much larger problem than we want to see. All right, and that wraps up risk identification. The next section is going to be risk assessment.
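The register structure, the impact-times-likelihood ranking, and the "processor utilization exceeds 50% for more than two minutes" trigger from the lecture, as an added example that is not part of the lecture or of any CISM material. Everything in it is constructed for illustration: the 1-to-5 ordinal scale, the three register entries and their owners, the metric name web01.cpu_percent, and the CPU samples. The point of the second sample set is the qualifier in the trigger: short spikes above the threshold do not fire it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Sample = Tuple[int, float]  # (timestamp in seconds, metric value)

# Assumed ordinal scale for impact and likelihood. The lecture's point is that the
# scale must be stated, otherwise "3" and "5" mean nothing; so we make it explicit.
SCALE = (1, 5)


@dataclass
class Risk:
    risk_id: str
    category: str
    description: str
    owner: str
    impact: int
    likelihood: int
    prevention: str
    contingency: str
    residual_risk: str
    # Specific KRI as (metric name, threshold, minimum seconds above threshold).
    # None when the trigger exists only as prose and cannot be evaluated automatically.
    kri: Optional[Tuple[str, float, int]] = None

    def ranking(self) -> int:
        """Ordinal priority score (impact x likelihood). Good for sorting, not for budgeting."""
        return self.impact * self.likelihood


def validate(risk: Risk) -> None:
    """Reject entries whose scores fall outside the declared scale."""
    lo, hi = SCALE
    for name, value in (("impact", risk.impact), ("likelihood", risk.likelihood)):
        if not lo <= value <= hi:
            raise ValueError(f"{risk.risk_id}: {name}={value} outside scale {lo}-{hi}")


def prioritize(register: List[Risk]) -> List[Risk]:
    """Sort the register by ranking, highest first; ties broken by impact."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: (r.ranking(), r.impact), reverse=True)


def sustained_above(samples: List[Sample], threshold: float, min_seconds: int) -> bool:
    """True if the metric stays strictly above threshold for MORE than min_seconds
    without interruption. samples must be in time order."""
    run_start = None
    for ts, value in samples:
        if value > threshold:
            if run_start is None:
                run_start = ts
            if ts - run_start > min_seconds:
                return True
        else:
            run_start = None  # a single sample at or below threshold resets the run
    return False


def fired_triggers(register: List[Risk], telemetry: Dict[str, List[Sample]]) -> List[str]:
    """Return the IDs of risks whose measurable KRI has fired on the given telemetry."""
    fired = []
    for r in register:
        if r.kri is None:
            continue
        metric, threshold, seconds = r.kri
        if sustained_above(telemetry.get(metric, []), threshold, seconds):
            fired.append(r.risk_id)
    return fired


# Constructed register (hypothetical entries and owners).
REGISTER = [
    Risk("R-001", "Availability", "DDoS against public web server", "Network Ops",
         impact=3, likelihood=5,
         prevention="Firewall plus IPS in front of web01",
         contingency="Fail over to off-site location",
         residual_risk="Throughput drop while firewall inspects traffic",
         kri=("web01.cpu_percent", 50.0, 120)),
    Risk("R-002", "Integrity", "Ransomware on file servers", "Server Ops",
         impact=5, likelihood=2,
         prevention="Offline backups, EDR", contingency="Restore from backups",
         residual_risk="Data loss since last backup"),
    Risk("R-003", "Confidentiality", "Credential phishing of staff", "Security Awareness",
         impact=4, likelihood=4,
         prevention="MFA, awareness training", contingency="Force password reset",
         residual_risk="Session tokens issued before reset"),
]

# Constructed CPU telemetry for web01, one sample every 30 s.
# Attack: above 50% from t=60 onward, so the run exceeds 120 s at t=210.
CPU_ATTACK = [(0, 20.0), (30, 35.0), (60, 72.0), (90, 80.0), (120, 88.0), (150, 91.0), (180, 93.0), (210, 95.0)]
# Spikes: two short runs above 50% (30 s each), never more than two minutes.
CPU_SPIKES = [(0, 20.0), (30, 70.0), (60, 75.0), (90, 40.0), (120, 65.0), (150, 68.0), (180, 45.0)]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.risk_id} ranking={r.ranking():2d} owner={r.owner}")
    print("attack telemetry fires:", fired_triggers(REGISTER, {"web01.cpu_percent": CPU_ATTACK}))
    print("spike telemetry fires: ", fired_triggers(REGISTER, {"web01.cpu_percent": CPU_SPIKES}))
```

The trigger uses "more than" two minutes, so a run that lasts exactly 120 seconds does not fire; pick the comparison deliberately and write it into the register entry, since that is the difference between a trigger an operator can act on and "increased traffic".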