Risk Mitigation


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
>> Hi everybody. By this point, we've identified our risks, and assessed our risks, and have a value for them. Now, we've got to figure out the best way to mitigate them. The most common is risk reduction. With risk reduction, we're going to lessen either the probability of the risk or the impact of the risk. For example, I can't lessen the probability of rain, but I can lessen the impact by bringing an umbrella. I can't lessen the impact of malware infestation on a system, but I can lessen the probability of getting that malware by having anti-malware software installed. With risk reduction, we're trying to lessen one of those.

Again, we're going to keep reducing risk until we get to a level that's acceptable to senior management. If we reduce all the way to zero, we've actually avoided the risk, but you can't always do that. As a general rule, we look to reduce or transfer risk, so we can still perform the activities we want to do rather than not do those things in order to avoid all risks. When we talk about putting security controls in place, we talk about doing things like implementing policies like separation of duties, or implementing physical controls like door locks and security guards; these are risk reduction controls. If we determine after research that the risk is too great, we choose to avoid it.

Another option is risk transference. Risk transference means we're going to share in the loss potential. For example, maybe I'm worried about being able to provide the availability that's necessary to satisfy my customers, so I outsource, and I have my infrastructure migrated to the Cloud, and take advantage of the uptime that's promised by Amazon. If Amazon Web Services doesn't provide the degree of resources necessary to get the high availability that I want, then there's a reimbursement based on the service level agreement, so if there's a loss, they will always share in the loss with me. In another example, what if I don't have the skills to develop a certain type of software? I outsource to a third-party software development company. If they don't meet the requirements, again, usually the contract calls for some negotiation if the parties don't perform according to the requirements. With risk transference, we're trying to share in the loss potential so that it doesn't weigh us down.

Now, risk acceptance comes when either there's nothing we can do about a risk, or we determine that it's too expensive to mitigate a risk. Sometimes the cost of mitigation is greater than the potential for loss. We had an earthquake in the DC area several years ago. I wondered how often we have earthquakes in this area, so I did my research, and found out that in the past 100 years, we've only had a handful of them, and they've only been low impact. Based on this information, we decided we couldn't justify the cost of mitigation for this risk, and we would just accept it. But we do have an emergency preparedness kit and a business continuity plan. When we choose to accept a risk, it doesn't mean we don't have some disaster recovery plan or business continuity plan to deal with it. It's important that with risk acceptance, we show our due diligence, because risk acceptance is not the same as ignoring a risk.

Now, when we talk about mitigation strategies and risk reduction, we have to remember the idea of layered defense. With layered defense, we want technical, physical, and administrative controls if possible. Technical controls include encryption, firewalls, intrusion detection, and things like that. Physical controls include things like door locks, gates, lighting, and security guards. Administrative controls include policies, procedures, standards, and guidelines. Those are the things that come down from senior leadership as directives and influence security, so all three of these types of controls make up a good layered defense.

Now, within each of those categories of controls, we also have other controls that serve specific functions. Within physical, administrative, and technical controls, we can have preventative, deterrent, corrective, and detective controls. For detective controls in the physical category, you have things like motion detectors, building alarms, and so forth. For preventative controls under the administrative category, you could have the separation of duties policy. An example of a deterrent administrative control would be an employee handbook that tells you what you can and cannot do. A corrective administrative control could be a termination procedure. Each of these major categories of controls has these additional types of controls that serve specific functions; this is all part of the layered defense. You don't want to rely too heavily on one type of control or another, because any control can be bypassed.

Quick wrap-up for risk mitigation. Primarily, responses are to reduce, transfer, or accept risk. Reducing risk is going to lessen the probability or impact. Transference is going to be using insurance or service level agreements or contracts with a third party that is going to help shoulder part of the loss. Risk acceptance comes when the cost of the countermeasure is more expensive than the potential for loss, or when you just can't mitigate the risk. When it goes back to reduction of risk, generally, we mitigate risks, and reduce risks through controls. Some controls are proactive, some controls are reactive, but we need to make sure we have technical, physical, and administrative controls in place. The proactive controls are preventative and deterrent. The reactive controls are detective and corrective.