The Risk Life Cycle

Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
The risk life cycle. The learning objectives for this lesson are to explore risk frameworks, to identify the parts of the risk management life cycle, and to define risk tracking methods.

Let's get started. Risk frameworks are a guide that help you implement risk management in your own organization, but they come from an authoritative reference point. These are created by organizations that have a lot of experience with this and have created best practices. They're a good starting point for you to implement in your own organization.

The NIST cybersecurity framework was created by NIST and it's a very popular framework that's been adopted by the United States government. It has five core functions. These are to identify, protect, detect, respond, and recover. The risk management steps of this are to: prioritize and scope, orient, create a current profile, risk assessment, and to create a target profile, then to determine, analyze, and prioritize your gaps, and then finally to implement your action plan.

NIST also has their own risk management framework. This is a requirement for US federal agencies to use. The risk management framework steps are to prepare, categorize, select controls, implement, assess, authorize, and then monitor.

The International Organization for Standardization or ISO has their own risk management framework, and this is known as ISO 31000. It is a comprehensive framework, but it also considers risks that are outside of cyber, for example, financial and legal.

For the test, you want to make sure that you understand what each of these frameworks are. You don't necessarily need to know all the details and what all the steps mean, but just make sure that you understand the difference between the risk management framework and ISO 31000. You want to make sure that you can differentiate those for the test.

The Control Objectives for Information and Related Technologies or COBIT frames risk according to the leadership of a business organization. If you see a question on the test that is related to the leadership of an organization, you want to think COBIT. Its five components are framework, process descriptions, control objectives, management guidelines, and maturity models.

The Committee of Sponsoring Organizations of the Treadway Commission or COSO has developed their own framework. This is a group of five private sector organizations that developed the framework, and it's known as the Enterprise Risk Management Integrated Framework. It defines risk management in the approach of strategic leadership. Typically, you're going to see questions that are related just to the acronym COSO.

Let's talk about the risk management life cycle. It begins with identify. We have to know what our risks are, what our assets are, what our vulnerabilities are. We begin by identifying all of those. Then we assess. Now that we know what all of those are, how do we go about identifying the ones that are the most likely to be a threat to us, the ones that are most likely to be exploited, and what can we end up doing? From there, we implement our controls. How can we protect those? How can we mitigate the risk? How can we transfer the risk if that's a possibility? How do we go about ensuring that that risk is no longer as risky, or a risk at all, to us? Then finally we review. Whatever we put in place, we want to make sure that it's still working. Perhaps a technology that we installed was working when we installed it, but it's no longer working now. The threat has migrated into another form, and we have to make sure that the controls we have in place address that as well.

As you can see, this is a continual cycle. You're going to constantly go from identify, to assess, to control and review, and then back to identify again, because new vulnerabilities or risks or exposures are always coming up. We want to make sure that we keep going through this process because it is a never-ending process.

Let's now talk about control categories. There are three control categories. These are the people, technology, and processes, but they all work together and they're inseparable from each other. People are the most common area of concern because they're the ones most likely to bypass controls. Processes are where we need to make sure everything is documented, and when you're thinking about processes, think of it in terms of a step-by-step instruction manual on how to do things in your organization. Then technology by itself is not going to do anything for us. We need to make sure that we have processes in place that help our technology to solve the problems and to help people to work more efficiently without causing an undue burden on them. But at the same time, we want to make sure that it also limits those same people from causing problems for us. You can see how all three of these work together. We can't make any changes in one without it impacting one or the other two.

Control objectives. The five functions of the NIST cybersecurity framework core are, first, identify, protect, detect, respond, and recover. You can see that we're following a standard pattern across all of these different types of frameworks. They all follow the same basic model. We first have to identify. We have to know what we need to protect and what our risks are. Then we have to implement a protection mechanism for those. Then we have to be able to detect threats that are coming in and make sure that we're able to respond to that. Then finally, we want to be able to recover.

Risk tracking methods. When we're implementing all of these, we need to know if they're working for us. This is where these different tracking methods come in. The first one is the Key Performance Indicator or KPI. It measures the performance of a program compared to the desired goals. It will determine the effectiveness based on current measurements against the goals. With this, we're going to see where we are, see what our measurements are, and look at it as compared to where we want to be. Is this control or is this system working well for us? If not, we need to make some changes.

Key risk indicator or KRI: by analyzing our key performance indicators or KPIs, new risks may appear in the trends. These risks should be analyzed and then addressed proactively. Like I mentioned before, it's an ongoing cycle. Just because we put something in place today doesn't mean it's going to protect us from everything tomorrow; we have to keep analyzing and make sure that we're always looking out for the new risks that we are going to be exposed to.

Then we also have the risk register. This was first created in ISO 27001. It is a visualization of identified risks and their corresponding controls. It is the most recognized output of a risk management program, and it is a working document. Again, this is a constantly evolving process. You have one risk today that you have put a control in to mitigate that risk, but maybe tomorrow that's no longer a risk and something new has come along.

This is an example of a risk register. We have a website being hacked as a risk. The threat would be a hacktivist, and the impact would be high because it would take our corporate website offline. The likelihood is medium. Maybe that's because of some of the controls we already have in place for it. Then we have a plan in place if that were to become a real event for us, what we would do, and then what our risk level is. As you can see, you can put all of the risks that you've identified here and then the level of threat, the level of impact, likelihood, and then make a plan for it. This helps you to visualize everything on one document. But keep in mind again, like I said, this is an ever-evolving document. It's always going to be moving forward based on the new risks that your organization is exposed to.

Risk appetite and risk tolerance. Risk appetite, this is often guided by regulations that an organization is subjected to. This is defined as what an organization will do to address risk. How necessary is it to address a given risk? Many organizations will have a low risk tolerance because of the regulations that they're under; they can't allow for anything to happen. Whereas new organizations such as startup companies may have a high risk appetite because they don't necessarily have the resources in place to put all of the controls in place. Every organization's risk appetite is a little different. You need to make sure that you understand what your organization's risk appetite is before you go about making plans for implementing controls. Then risk tolerance is the thresholds that separate the different levels of risk for an organization. It may be defined by money, impact, scope, compliance, privacy, or time. It is the level of risk that is acceptable to achieve a certain goal.

Risk caused by people. People will always be the hardest part to manage in any cybersecurity program. People are unpredictable. People will make mistakes because of stress, or maybe they were tricked, for example, by a phishing email. But sometimes they even have malicious intent. Because of all of this, people are going to be our biggest concern. Technology isn't the only solution to help us with this unique problem. We're going to discuss some of those other ways that we can do things that don't necessarily relate to technology specifically.

We can use employment policies, for example, a separation of duties. This is a checks and balance. If someone is supposed to do a type of work, they should not be the ones to audit or monitor it. In addition, all key roles are not given to one person in case they are compromised. For example, the person who is writing the checks is not also the one that is balancing the checkbook. We want to make sure that it's very easy to discover fraud when you have separation of duties. If one person is doing everything, then it's very easy for that person to cover up anything that they might be doing.

We also want to use job rotation. No one should stay in the same role for long periods of time. This helps to ensure that the organization can't be controlled by a single individual, but it also helps prevent abuse of power. Another way of looking at this in a positive way is that you have cross training, so that you have multiple people that can fulfill the same role. If someone went on vacation or someone was out sick for an extended period of time, you have that to help you. But for our purposes with risk, we want to make sure that we don't have one person that holds all the keys to the kingdom.

We can also use mandatory vacations. This is forcing an employee to take their vacation time, and during that time another employee will handle their role. This would allow for discrepancies to be found. If someone were doctoring the books or some other type of fraudulent transaction was occurring, and it stopped while they were on vacation, that would help us to be able to more quickly identify that to be an issue.

Least privilege is making sure that we're only granting the necessary level of access to perform a given job role. We don't want to have authorization creep, where additional levels of authorization were given to someone and that over time expanded more and more, and we never went back and removed those after a particular task was completed. They no longer need that level of access. This is really hard to manage. You have to make sure that you're auditing your users and what levels of privilege they have on a regular basis, so that if they needed it and they no longer do, it gets removed. This is critical to help ensure that people aren't getting into areas that they're not supposed to be in.

We also need to make sure we have employment and termination procedures, onboarding and termination procedures that will outline all of the steps that are necessary for each stage to be completed. When someone new comes on, there should be a checklist that you follow to say, these are the things that need to be performed. We need to issue a key to the building. We need to give them an alarm code. We need to give them a key access card. We need to create a user account and give them these privileges, that type of thing. Then the opposite is true when they're terminated. We need to make sure that we collect the key, change the alarm code, whatever needs to be done. But so many of those things fall through the cracks. A really common one is when a user is terminated and no one turned off their VPN access. That is very common. You can see that a lot with angry employees or former employees that had been fired, but their VPN access was still on and they were able to get into the system and either wreak havoc or steal data.

We can use awareness training. This is helping employees to understand security risks. Employees aren't thinking about security like cybersecurity professionals are. We need to help them to understand what their responsibilities and their roles are. But the key point here is that training needs to be tailored to the audiences, because, for example, management doesn't need to receive the same type of training as technical staff. When you create your awareness training system, make sure that you're targeting it towards the right content, towards the right group.

We also have auditing requirements. Auditing is a necessary part of any security program. It's time-consuming and it's not a lot of fun. But we need to make sure that we're auditing account activities such as the creation, deletion, and modification of user accounts, access rights, as I mentioned before, and account usage. The frequency of audits will be determined by policies, but also by trends. The key is that auditing is looking for abnormal behavior or activity.

Let's summarize. We discussed risk frameworks and we went over the risk management life cycle. We went over control categories and risk tracking methods, and then we discussed the risk that is caused by people.

Let's do some example questions.

Question 1. This would be used to force an employee to take a leave of absence, during which time another person will handle their work roles. This can spot activity that the employee was hiding. Mandatory vacation.

Question 2. This tool outlines the risks an organization may face, where the threat could come from, the risk level, and the actions to be taken if it occurs. Risk register.

Question 3. This framework is required for US federal agencies to manage cybersecurity risks. It has seven steps. NIST risk management framework.

Finally, Question 4. This would be used to combat authorization creep. Least privilege.

I hope this lesson was helpful for you, and I'll see you in the next one.