Welcome back to Cybrary. I am, of course, your instructor, Brad Rhoads.
Let's talk about risk remediation and system changes.
So in this lesson, we're gonna define risk remediation. We're gonna talk about system changes and how we track those. That's a POA&M, a plan of action and milestones. As an ISSE, you're gonna do those quite frequently. And then we're gonna talk about some roles you need to know as related to the risk management framework, which has come along in the last few years as the standard
for managing risk, at least for
So, risk remediation.
Right? We add some controls
to mitigate something. It could be a vulnerability. It could be a threat.
That's what you need to remember here. That's it. That's all risk remediation is, right? We are not doing anything more than that. That's all we're doing. We're trying to reduce the risk
to an acceptable level based on organizational context, risk attitude and appetite,
and that area of tolerance that we just talked about.
System changes. So system changes are really tied back to something we talked about earlier, which is configuration management and change management, right? That's where we have to create a plan of how we're gonna do it. We want to identify what items we need to put under configuration control. We're gonna implement those controls and manage configuration changes. Now, we're gonna monitor that
because obviously a system itself is going to change over time, right? And that's because of
upgrades to software, upgrades to hardware. I worked in an organization previously where that was incredibly important because of the extreme importance of the mission of the organization itself. So we have to follow a change management process. If we don't, we're going to
cause significant problems for organizations, and we're probably gonna be doing a whole lot more remediation than we want to.
So change management is important.
We track change management in something called a POA&M, a plan of action and milestones.
Here's an example of that. Here's a template for this.
Uh, this is a great example. What is it talking about? It talks about the controls. It talks about the weaknesses or the vulnerabilities. It allows us to identify the asset, and then it allows us to plan milestones. So when you are doing change management, especially for a system that has, say, a government system that has an authority to operate, right? The
role that we're gonna talk about next, right? They're gonna be very interested in that. And they might not actually re-approve the authority to operate if there's a lot of outstanding POA&Ms that have not been completed. So as an ISSE, you need to know how to do POA&Ms and how to follow this kind of template. It's a great way to track what's going on with an organization.
You can even take the timelines and,
you know, template them out in a Gantt chart and manage it that way. So lots of ways to do POA&M work. But know that as an ISSE and in the ISSEP context, POA&Ms are something you need to understand.
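As an added illustration (not part of the lesson or any real POA&M template), here is a small POA&M register in Python built from the fields the lesson names: control, weakness, asset and milestones. The entries, dates and the open-item threshold used for the authorizing official's review are constructed assumptions, not RMF requirements.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Added example: a minimal POA&M register using the fields the lesson names
# (control, weakness, asset, milestones). All entries below are constructed.

@dataclass
class Milestone:
    description: str
    due: date
    completed: Optional[date] = None   # None means the milestone is still open

@dataclass
class PoamItem:
    poam_id: str
    control: str      # control the weakness maps to (e.g. an SP 800-53 ID)
    weakness: str     # the vulnerability or control deficiency that was found
    asset: str        # system component the weakness applies to
    milestones: List[Milestone] = field(default_factory=list)

    def is_closed(self) -> bool:
        # A POA&M item closes only when every milestone has been completed.
        return all(m.completed is not None for m in self.milestones)

    def overdue_milestones(self, as_of: date) -> List[Milestone]:
        return [m for m in self.milestones
                if m.completed is None and m.due < as_of]

def ato_review(register: List[PoamItem], as_of: date, max_open: int) -> dict:
    """Summarise what an authorizing official looks at before re-approving an
    ATO: open items, items with missed milestones, and a readiness flag.
    max_open is an assumed organizational threshold, not an RMF rule."""
    open_ids = [i.poam_id for i in register if not i.is_closed()]
    overdue_ids = [i.poam_id for i in register if i.overdue_milestones(as_of)]
    return {"open": open_ids, "overdue": overdue_ids,
            "ready": len(open_ids) <= max_open and not overdue_ids}

# Constructed sample register (hypothetical assets and findings).
REGISTER = [
    PoamItem("POAM-001", "AC-2", "Inactive accounts not disabled", "web-app-01",
             [Milestone("Disable stale accounts", date(2024, 3, 1), date(2024, 2, 20)),
              Milestone("Automate quarterly account review", date(2024, 6, 1))]),
    PoamItem("POAM-002", "SI-2", "Missing vendor patches", "db-server-02",
             [Milestone("Apply outstanding patches", date(2024, 2, 15), date(2024, 2, 10))]),
    PoamItem("POAM-003", "CM-8", "Asset inventory incomplete", "network-core",
             [Milestone("Complete hardware inventory", date(2024, 1, 31))]),
]

def sample_review(year: int, month: int, day: int, max_open: int = 3) -> dict:
    # Convenience wrapper: review the constructed register as of a given date.
    return ato_review(REGISTER, date(year, month, day), max_open)
```

Milestones that have slipped past their due date are exactly what the authorizing official will ask about, so the same register can feed a Gantt chart from the `due` and `completed` columns.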
RMF roles. These are not all the roles that you will see in the ISSEP content, but these are probably the three most important.
You have at the bottom the information owner or steward. That's the person that is responsible for that hands-on-keyboard stuff related to the system. They're gonna be the ones that collect a lot of the information about the system and are gonna be, ultimately, the ones that dispose of it when it's done with its life cycle.
A control assessor is someone in an organization that actually looks at, and audits if you will, the controls that are being used. They determine if they're effective or not. That's an important thing. And then the top-level one is the authorizing official in an organization, be it government or commercial, right?
Somebody is going to authorize the system to be put into production or go to market with a product.
Right? That person is on the hook. They're responsible and accountable for whether that system has a vulnerability or breach, and they're the ones that are gonna decide whether it gets an authority to operate or not. So you need to know these three roles when it comes to the ISSEP content.
So in this lesson we talked about risk remediation. We defined what that is: that's employing a control to mitigate something. We talked about the fact that we need to manage our system changes, and we do that through a POA&M
or a series of POA&Ms. And then we talked about risk management framework roles that you should be aware of.
We'll see you next time.