Risk Remediation and System Changes


Time: 5 hours 58 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
Welcome back to the Cybrary ISSEP course. I'm your instructor, Brad Rhodes. Let's talk about risk remediation and system changes.

In this lesson, we're going to define risk remediation. We're going to talk about system changes and how we track those; that's a POAM, a plan of action and milestones. As an SE, you're going to do those quite frequently. Then we're going to talk about some roles you need to know as related to the risk management framework, and that's come along in the last few years as the standard for managing risks, at least for government systems.

Risk remediation, simple. We add some controls to mitigate something. It could be a vulnerability, it could be a threat. That's what you need to remember here, that's it. That's all risk remediation is. We're not doing anything more than that. That's all we're doing. We're trying to reduce the risk to an acceptable level based on organizational context, risk attitude and appetite, and that area of tolerance that we just talked about.

System changes. System changes are really tied back to something we talked about earlier, which is configuration management or change management. That's where we have to create a plan of how we're going to do it. We want to identify what items we need to configuration-control, we're going to implement those controls, and manage those configuration changes. Then we're going to monitor that, because obviously the system itself is going to change over time, and that's because of upgrades to software, upgrades to hardware.

I worked in an organization previously where that was incredibly important because of the extreme importance of the mission of the organization itself. We have to follow change management processes. If we don't, we're going to cause significant problems for organizations, and we're probably going to be doing a whole lot more remediation than we want to, so change management is important.

We track change management in something called a POAM, a plan of action and milestones. Here's an example of that. Here's a template from NIST. This is a great example. What is it talking about? It talks about the control. It talks about the weaknesses or the vulnerabilities, which allow us to identify the asset, and then that allows us to plan milestones.

When you are doing change management, especially for a system that is, say, a government system that has an authority to operate, the roles that we're going to talk about next are going to be very interested in that, and they might not actually re-approve an authority to operate if there's a lot of outstanding POAMs that have not been completed. As an SE, you need to know how to do POAMs and how to follow this template. It's a great way to track what's going on with an organization. You can even take the timelines and template them out in a Gantt chart and manage it that way. Lots of ways to do POAM work, but know that as an SE, and in the case of contexts, POAMs are something you need to understand.

RMF roles. These are not all the roles that you will see in the ISSEP content, but these are probably the three most important. You have at the bottom the information owner or steward; that's the person that is responsible for that hands-on-keyboard stuff related to the system. They're going to be the ones that collect a lot of the information about the system, and are going to be ultimately the ones that dispose of it when it's done with its life cycle. A control assessor is someone at an organization that actually looks at and audits, if you will, the controls that are being used; they determine if they're effective or not. That's an important thing there. And then the top-level one is the authorizing official in an organization, be it government or commercial. Somebody is going to authorize a system to be put into production or go to market with a product. That person is on the hook. They're responsible and accountable for whether that system has a vulnerability or breach. They're the ones that are going to decide whether it gets an authority to operate or not. You need to know these three roles when it comes to the ISSEP content.

In this lesson, we talked about risk remediation. We defined what that is: that's employing a control to mitigate something. We talked about the fact that we need to manage our system changes, and we do that through a POAM or a series of POAMs. Then we talked about risk management framework roles that you should be aware of. We'll see you next time.