Risk Register


Course time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Once we've identified our risk, which means we've figured out our assets, threats and vulnerabilities, because where we have an asset and a threat and a vulnerability, there's our risk. Now we need somewhere where we can document this risk, where we can keep track of them, find out what the status is, what our resolution strategies are, who the risk owners are. That's exactly what we get in the risk register.

Now, your risk register may be an Excel spreadsheet, or it might be software that facilitates data entry and reporting a little bit better. But whatever it is, we need a central location where we can consolidate our information about risks, so that we know what document to go to if we need to find out what the status of a risk is, or who the owner is, or any information about the risk. Now, it's not accessible to anybody. It's on a need-to-know basis, but for the folks that do have that need to know, it should be stored in a central location that we can get to easily.

Let's see, I've got a copy of a risk register here. This particular risk register is pretty basic. There are certainly others that you might feel contain more fields that might be more meaningful to you, but this is a good place to start. What's going to happen is, for each phase of risk management, we're going to be populating some of these columns. For instance, right now we're in risk identification. We're going to figure out the category of the risk and we're going to describe it. For instance, if I'm worried about a denial of service attack or a distributed denial of service attack, then that goes in my risk register. It's a technical attack, and by marking it as a technical attack, that helps me know who to assign the risk to. The owner in this case becomes our chief technical officer.

Now, your risk owners: these are the folks that are responsible for implementing the solution, for monitoring the solution, for ensuring that the asset maintains the risk profile that's necessary. You and I as risk practitioners are going to advise the risk owner. They are the decision-makers; they are the ones who are accountable for the risk management. As part of risk identification, those were really the fields that we figure out. We figured out category, description and owner.

Then when we move into analysis, we're going to be looking at probability and impact, or likelihood and impact, of the risk, and we're going to give a risk value. Now, that can be a qualitative value or a quantitative value. In this case, even though you might think this is quantitative because you can see impact (what is it? Three; likelihood five; ranking 15), even though we're using numbers, it looks to me like those are subjective numbers. It would be like if I come to you and I say, what's the chance it's going to rain this weekend? Give me that on a scale of one to 15, and you look out the window and go, maybe about an eight. Even though we're using numbers, that's still subjective and based on opinion and knowledge and experience. This looks to me to be a qualitative ranking.

Now, we'll talk more about qualitative and quantitative evaluation, or analysis, in the next little section, but you may also want to include a field on your risk register where you can document quantitative evaluation. There's an 80 percent chance of rain. We've spent $10,000 on this asset, and if it rains we'll lose 50 percent of the asset. Here's the dollar value for that risk event. We'll go over some of the little formulas you can use in order to determine risk value. But the idea is, this risk register is also going to help me prioritize the risk based on its risk ranking, or, like I said, if it were me, I'd probably add an additional field for the expected monetary value of a risk, or at least somewhere to indicate a more quantitative value.

Once we get a quantitative value, we've completed analysis. Now I take that value up against the cost of a countermeasure and I evaluate: does this decision make sense or not? Now, that's coming in later sections in this chapter, but that's just the idea of what we're working towards. At any point in time I can see our proactive strategy for this type of attack is: we're going to have firewalls. We're also going to have an intrusion detection system, so if the firewall doesn't work, we can still detect there's an attack. Then, what's our plan if it does happen? Then also notice I've got a field here for residual risk, because we always have to remember there's risk left over. We could also have a column here for secondary risk that we document as well. You correct one problem, you just cause another.

Now, across the next slides, what I have is just a breakdown of each element on this particular risk register. You don't have to get married to it. I'm just going to show them to you in case you wanted to do a screen capture, in case you wanted to have that. But really, I think that what's on your risk register is driven more by your organization and your projects and less written in stone. But ultimately you want your risk name, the category, risk owners, response strategy, prioritization. Those are the pieces of information that you just have to have if the risk register is really going to be a suitable tool to help you address risks. I'm just showing you the other slides if you do want to do a quick screen capture of that. That's terrific. You'll have what you need, and then the last element, again, just tries to address each area on the risk register.
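The fields and calculations the lecture walks through (identification fields, the likelihood-times-impact qualitative ranking of 3 x 5 = 15, the rain example as an expected monetary value, residual and secondary risk, and weighing expected loss against a countermeasure's cost), as an added example that is not part of the course or its spreadsheet. The 1 to 5 scales, the field names, the two sample entries and the benefit test are assumptions constructed for illustration.

```python
"""Risk register skeleton with the fields the lecture walks through.

Added example; this is not the course's spreadsheet or any product's schema.
The 1-5 scales, field names and sample entries below are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    # Identification phase: category, description, owner
    name: str
    category: str
    description: str
    owner: str
    # Analysis phase, qualitative: likelihood x impact on an assumed 1-5 scale
    likelihood: int
    impact: int
    # Analysis phase, quantitative (optional): probability of the event,
    # value of the asset, and the fraction of it lost if the event occurs
    probability: Optional[float] = None
    asset_value: Optional[float] = None
    loss_fraction: Optional[float] = None
    # Response phase
    proactive_strategy: str = ""
    reactive_plan: str = ""
    residual_risk: str = ""
    secondary_risk: str = ""

    def __post_init__(self) -> None:
        # Reject entries that could not be owned or ranked.
        if not self.owner.strip():
            raise ValueError(f"{self.name!r}: every risk needs an accountable owner")
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name!r}: {label} must be 1-5, got {value}")

    def qualitative_score(self) -> int:
        """Subjective ranking: likelihood x impact (3 x 5 = 15 in the lecture)."""
        return self.likelihood * self.impact

    def expected_monetary_value(self) -> Optional[float]:
        """Expected loss in dollars, or None if the quantitative fields are blank."""
        if None in (self.probability, self.asset_value, self.loss_fraction):
            return None
        return self.probability * self.asset_value * self.loss_fraction


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest qualitative score first; EMV breaks ties when it is known."""
    return sorted(
        register,
        key=lambda r: (r.qualitative_score(), r.expected_monetary_value() or 0.0),
        reverse=True,
    )


def countermeasure_makes_sense(emv_before: float, emv_after: float, annual_cost: float) -> bool:
    """Does the reduction in expected loss exceed what the control costs per year?"""
    return (emv_before - emv_after) > annual_cost


# Constructed sample entries (not from the course).
DDOS = Risk(
    name="DDoS against public web front end",
    category="Technical",
    description="Volumetric or application-layer denial of service",
    owner="Chief Technical Officer",
    likelihood=5,
    impact=3,
    proactive_strategy="Firewalls; IDS to detect an attack the firewall misses",
    reactive_plan="Fail over to scrubbing provider; notify customers",
    residual_risk="Low-and-slow application-layer floods may evade the IDS",
    secondary_risk="Scrubbing provider becomes a new dependency",
)

RAIN = Risk(
    name="Rain damage to outdoor equipment",
    category="Environmental",
    description="80% chance of rain; 50% of a $10,000 asset lost if it rains",
    owner="Facilities Manager",
    likelihood=4,
    impact=2,
    probability=0.80,
    asset_value=10_000.0,
    loss_fraction=0.50,
)

REGISTER = [RAIN, DDOS]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.qualitative_score():>3}  {r.expected_monetary_value()}  {r.name}  ({r.owner})")
    # A $1,500/year control that leaves $500 of expected rain loss is worth buying.
    print(countermeasure_makes_sense(RAIN.expected_monetary_value(), 500.0, 1500.0))
```

The validation in `__post_init__` enforces two points the lecture makes about the register: every entry has an accountable owner, and the qualitative numbers stay on one agreed scale so rankings are comparable across entries. The rain entry carries both a qualitative score and a quantitative expected monetary value, which is the extra field the lecturer says she would add.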