Risk Response and Reporting Overview


Course: 8 hours 25 minutes, Difficulty: Advanced, CEU/CPE: 9
Video Transcription
In the previous chapter we talked about risk assessment, and when we talk about risk assessment, ultimately, what we're looking to be able to do is to make a good decision on how we're going to mitigate risks. Domain 3 is going to look at what the various mitigation techniques are, and then of course, reporting, that piece is going to be making sure that we communicate well to all those parties involved in the decision.

What are we going to talk about? Here's what we're going to talk about, we're going to give an overview of risk response, we're also going to talk about the tool, a risk action plan, and of course, that risk action plan is exactly what it sounds like it's going to be. We have this risk, what's our plan? Well, our plan is going to come from four basic strategies in dealing with risk: risk acceptance, risk mitigation, risk avoidance, and risk transfer. Those are the choices and we'll talk about some of the ways that those could be implemented.

Now, everything comes down to cost-benefit analysis, and that's what we got in the assessment piece. But we're going to talk about that just a little bit more because it's critical that we get a higher benefit than the cost. I know that sounds like really common sense, but so many times risk management decisions are based on things other than just cost-benefit. Also, remember, cost is not just dollars, cost can be performance, user acceptance, it can be ease of use, backwards compatibility. We really have to look at all the trade-offs for security and choose the correct amount. What is the correct amount going to do? It's going to give us a return on our investment. We put so much out, we expect something in return. Now, return on investment generally does tend to be just focused on financial, and ideally, we'd like a financial gain. But again, remember, if the benefits outweigh the costs, even if we don't see that dollar value when we think about it in things like customer confidence, and stakeholder satisfaction, and that thing. Really, cost-benefit analysis is going to trump return on investment in most instances. We'll talk about that a little bit more.

Now, secondary risks we're going to mention because we respond to a risk, but every way you respond to a risk is going to include additional risk. Don't if you do, don't if you don't. I don't know if any of you've ever fixed one problem just to cause another, that's what secondary risk is. If we don't interpret the secondary risk, if we don't play that all the way through when we implement controls, then we may wind up with a bigger problem than we started with. Another name for secondary risk is control risk.

Now, the control design and implementation. Security controls are designed to reduce the amount of risk. Ideally, we're going to reduce the amount of risk to the degree that is acceptable by senior management. Most of your controls we're going to talk about are certainly your technical controls, which we're going to talk about in the next chapter or the next domain. But we'll talk just at a high level about the various controls we have here, and then the various groups of controls and their methods. Let's get started.

Just an overview for risk response. This is going to shock you, but we're going to go back and say, your risk response should be in alignment with business objectives. By Domain 3, we've probably heard this once or twice. Just want to stress again, it's not a matter of so much security. Let's just say it's not a matter of the mindset that you can't have enough security, it's a matter of applying the appropriate amount of security. What is the appropriate amount of security? Well, it falls within the tolerance and acceptance levels that have been set out before us. We want to apply enough security, and by that again, I'm not saying get away with the least amount of security you can, do the absolute minimum. Of course, we're not saying that, but what we are saying is we keep our focus on the priorities of the business. At the point where the amount of security that we implement costs business functionality, that's too much. We think about risk in terms of the organization. We think about IT risk, we think about project risks, and we want to have a consistent approach throughout the enterprise.

Now in talking about the alignment of risk management strategy with the organizational objectives, I just wanted to add a couple of things here, so the first bullet point is that risk management should be enterprise-wide, absolutely. We want to promote a holistic, enterprise-wide, integrated risk management strategy throughout the organization. Rather than treating each individual department like a separate island unto itself, we want to look at them as pieces of a whole, and so when we talk about a holistic approach, that approach permeates throughout all the departments and we don't have everybody doing their own thing.

We also want to make sure that we have risk owners assigned and that that is part of someone's job description, it is a responsibility associated with that role. Then on individual projects, we can use something called a RACI chart, and that RACI chart can indicate the level of responsibility, accountability, whether or not someone needs to be informed or consulted. So that's RACI: R is responsible, A is accountable, C is consult, I is inform. Responsible means I'm the one who does it, I carry out the work. Accountable, that's usually a senior manager or the head of a department. You should only ever have a single individual that is accountable, although you can have many parties responsible. Accountable is where the buck stops. Consult means I let you know or I ask you about a decision before I make it, and then inform, I'll come to you and tell you I made a decision. I think you could see RACI charts perhaps come up because it's such an important piece for folks to understand what their degree of responsibility is, particularly in relation to risk and particularly on projects that might be outside of their native environment.

Now the other thing I wanted to mention is that when we're implementing our risk mitigation strategies, we want to make sure that we're aware of and/or understand the need for three lines of defense. When we talk about these three lines of defense, we first start off with the individual lines of business. Then we have the governing entity and then we have internal audit or the assurance team. When we talk about the lines of business, we're talking about the individual departments. Now remember, these individual department heads are usually the data owner. They're usually the asset owner, they're the decision maker. These are the folks that implement the solutions, that monitor the solutions. Now they may have consultation from other entities, but when it comes down to it, it's the risk owner that makes the choices, implements the choices, monitors the choices to make sure that the controls are working as they should. Now behind that though, we had to have a risk management strategy in place, that enterprise risk management strategy, we had to have assurance that our organization looks at risk to be in compliance with laws and regulations, maybe industry standards or best practices. But ultimately, governance we know is responsible for ensuring that our risk management strategy is in alignment with the needs of the organization, so that's governance.

Then of course, audit is going to make sure that the policies that have been set out by governance, procedures, frameworks, making sure that they're being followed, and that those frameworks or policies, procedures are also being effective, that we've made the right choices. We have these three lines of defense, and then on the next slide, I just have a little chart here that shows you the individual responsibilities along those lines. Just like we said, your first line of defense, they are the ones who identify the risk and management. They are the ones with their hands on. Governance, high level policy and strategy, and then audit, providing assurance that the risk management strategy is working and that it's being followed.