Risk Remediation and System Changes


Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
Welcome back to Cybrary's ISSEP course. I'm your instructor, Brad Roads.
00:04
Let's talk about risk remediation and system changes.
00:08
So in this lesson, we're gonna define risk remediation. We're gonna talk about system changes and how we track those. That's a POA&M, a plan of action and milestones. As an ISSE, you're gonna do those quite frequently. And then we're gonna talk about some roles you need to know as related to the risk management framework, and that's come along in the last few years as the standard
00:27
for managing risk, at least for
00:29
government systems.
00:32
So, risk remediation.
00:34
Simple,
00:35
right? We add some controls
00:37
to mitigate something. It could be a vulnerability. It could be a threat.
00:41
That's what you need to remember here. That's it. That's all risk remediation is, right? We are not doing anything more than that. That's all we're doing. We're trying to reduce the risk
00:50
to an acceptable level based on organizational context, risk attitude and appetite
00:58
and that area of tolerance that we just talked about.
01:02
System changes. So system changes are really tied back to something we talked about earlier, which is configuration management and change management, right? That's where we have to create a plan of how we're gonna do it. We want to identify what items we need to configuration control. We're gonna implement those controls and manage configuration changes. Then we're gonna monitor that
01:21
because obviously a system itself is going to change over time, right? And that's because of
01:26
upgrades to software, upgrades to hardware. I worked in an organization previously where that was incredibly important because of the extreme importance of the mission of the organization itself. So we have to follow a change management process; if we don't, we're going to
01:44
cause significant problems for organizations, and we're probably gonna be doing a whole lot more remediation than we want to.
01:49
So change management is important.
01:51
We track change management in something called a POA&M, a plan of actions and milestones.
01:57
Here's an example of that. Here's a template for this.
02:00
Uh, this is a great example. What is it talking about? It talks about the controls. It talks about the weaknesses or the vulnerabilities. It allows us to identify the asset, and then it allows us to plan milestones. So when you are doing change management, especially for a system that, say, a government system that has an authority to operate, right? The
02:17
role that we're gonna talk about next, right? They're gonna be very interested in that. And they might not actually re-approve the authority to operate if there's a lot of outstanding POA&Ms that have not been completed. So as an ISSE, you need to know how to do POA&Ms and how to follow this kind of template. It's a great way to track what's going on with an organization.
02:37
You can even take the timelines and,
02:38
you know, template them out in a Gantt chart and manage it that way. So lots of ways to do POA&M work. But know that as an ISSE and in the ISSEP context, POA&Ms are something you need to understand.
02:51
RMF roles. These are not all the roles that you will see in the ISSEP content, but these are probably the three most important.
02:58
You have at the bottom the information owner or steward. That's the person that is responsible for that hands-on-keyboard stuff related to the system. They're gonna be the ones that collect a lot of the information about the system and are gonna be ultimately the ones that dispose of it when it's done with its life cycle.
03:14
A control assessor is someone in an organization that actually looks at and audits, if you will, the controls that are being used. They determine if they're effective or not. That's an important thing. And then the top-level one is that authorizing official in an organization, be it government or commercial, right?
03:30
Somebody is going to authorize the system to be put into production or go to market with a product.
03:35
Right? That person is on the hook. They're responsible and accountable for whether that system has a vulnerability or breach, and they're the ones that are gonna decide whether it gets an authority to operate or not. So you need to know these three roles when it comes to the ISSEP content.
03:51
So in this lesson we talked about risk remediation. We defined what that is: that's employing a control to mitigate something. We talked about the fact that we need to manage our system changes, and we do that through a POA&M
04:01
or a series of POA&Ms. And then we talked about risk management framework roles that you should be aware of.
04:06
We'll see you next time.
Information Systems Security Engineering Professional (ISSEP)

This ISSEP course provides students with the foundational knowledge of the concentration area of the CISSP certification that includes a focus on the processes used to develop secure systems. Students will learn key concepts and skills of the five ISSEP domains.
