7 hours 35 minutes
Hey, guys, Welcome to another episode of the S S C P Exam Prep. Siri's I'm your host, Peter Similar. This is the second dope lesson in the third domain
So far in the third domain. We've talked about the risk management process, how to assess risk and organization faces any any given time by taking a risk assessment with the four steps off, prepared for the risk assessment, taking the risk assessment,
communicating the results
and finally maintaining the risk assessment.
Now in this lesson will be looking at how to properly handle or treat the risk that we assessed in the last last
Let's get started.
Once we have established our risk assessment and we know the risk an organization faces were gonna want Oh, we're gonna want to treat the risk. We're gonna want to do things to it so we can reduce it to an acceptable level or a level that is
reasonable for organization. If the risk is already
at an acceptable level, will look at that too.
Holdovers treatment is to reduce risk.
There are four main ways of reducing risk
on therefore risk treatment methods are one
where we implement controls to take care of the risk.
Risk transference. It's where we transfer the risk to 1/3 party.
Three. Risk avoidance where we just avoid the risk completely
or four. Risk acceptance where we accept the risk.
So let's look at these in a little bit more detail,
so risk mitigation reduces the risk by implementing some sort of controls. It brings the risk from a high level down to a low. This the whole point off implementing even having different controls,
transferring to want to transfer the risk to 1/3 party. An example of this would be transferring on some to 1/3 party vendor or an insurance company to where they assume responsibility for the risk. So if anything happens to you, they're on the hook for
another type of rest. Treatment is risk avoidance where we just completely avoid the risk.
Anything that we are trying to do, any any process or step that would bring too much risk to an organization should be cut off and completely avoided.
In the last step is risk acceptance
where we understand that we will have some sort of risk.
But the risk is low enough to where it won't necessarily hurt the organization a whole lot. Or if the risk is low enough and the reward for doing whatever we're doing is great enough to wear that having that risk is okay.
which, which was treatment should you use? Which one should you implement? Well, that's why we have this little diagram on the right hand side of the screen,
as we can see in the ER,
why access? We have high probability and low probability, and on the X axis, we have low impact and high impact.
So depending on e status or the state of your organization, it really depends
what you're trying to do
and what the results would be. So in a situation where
there is a high probability that something will happen and the impact to implementing whatever you're implementing is also very, very high, where it could be utterly destroyed, then you want to completely avoid that risk. Avoid that whole area in the first quadrant.
If you're going to have a high probability of something happening,
If even if it does happen, it won't hurt a whole lot. You might want to consider transferring the risk to 1/3 party or insurance company.
If you if there's a low probability off
risk happening or the vulnerability happening, and the impact is also very, very low than
you might wanna consider accepting the risk.
If the benefits outweigh the risk, then you definitely want to think about this and talk about this in your organization and the last quadrant. If there's a low probability off, something happened. But if it happens, it's going to be really, really bad. Then you might want to implant some
technical managerial war.
Risk visibility and importing
risk should always be recorded
and reported on it. Should there shouldn't be any surprises when it comes to risk. Risk should have very high visibility. Risk needs to be broken down and analyzed and aggregated
so it can be looked at easily.
Brisket that needs to be aggravated could be done in a risk register, which is a book or a sheet of paper or some sort of spread sheet that gives information about different aspects of risk in organization.
Great part about a risk register is that a lesson organization know their exposure at any given time, so if they just want a very brief, you know, high level overview off their exposure than they look at that. Or if they want to look at a specific risk,
they can do that too.
This is an example. Off a risk register. This is just
one line in the spreadsheet off the risk register, and these have been different categories. So you have an I. D. Number. They raised that where this risk was brought to the attention of the organization,
the description of the risk. What kind of risk is it?
What is the likelihood that this is gonna happen
if it actually happens? What is the impact? How severe is this impact?
You have an owner person who is responsible for handling this risk.
You want to keep track of any mitigating or contingent action you always want document every single action you have
just in terms off good visibility, so people can see that this risk is either being avoided or mitigated or transfer or accepted.
You definitely want to have a progress on any actions that are going on. And you wanna have a current status Where where what is the status over this risk
To have a good risk register right. There are four good steps. The four step for addressing risk management. One. Identify the risk
to evaluate the severity of any identified risks. How bad are these risks?
We want to apply any and all possible solutions to these risk. This comes in the form of transferring the risk to an insurance company or implementing some controls. And finally, we want to monitor and analyze the effectiveness of any of the subsequent steps taken instead through.
So we want to see okay, if we transfer this risk to 1/3 party vendor, does that reduce our level of exposure
or if we want to?
Implements and controls are the controls doing their job is our level of risk going down enough to an acceptable level?
In today's lecture, we discussed Rhys treatment. We looked at the four different ways of handling risk, and we looked at risk registers, which are a good way to look at the exposure of an organization at any given time.
all of these are acceptable ways of handling risk except a risk in hands.
Be risk mitigation,
see risk avoidance or D risk transference.
If you picked a, then you are correct. Risk enhances not an acceptable way off handling risk. There is no good reason why you'd want to enhance the rescue already currently facing.
Thanks for watching guys. I hope you learned a lot in this video and I'll see you next time.
ISC2 Systems Security Certified Practitioner (SSCP) Practice Assessment
The SSCP exam preparation package helps students prepare for the ISC2 SSCP certification exam. ...
(ISC)2 Certified Information Systems Security Professional 2015
(ISC)2 Certified Information Systems Security Professional 2015 is a practice exam preparing for the CISSP ...