7 hours 52 minutes
lesson full point line using simple risk to track risks.
In this video, we're going to go over a demo off the simple risk tool,
which is a tool that I've mentioned in one of the previous lessons.
So we're just going to switch over here Thio these simple risk website
they provide a You are all for the demo.
So we're gonna follow that link.
The log in credentials are pretty simple for the demo websites.
once you logged into the simple risk website specifically the demo website,
this is the default screen that you will see.
This is the reporting tab.
So I'm gonna
leave this screen for now. And we're gonna go firstly to the risk management have show you what's going on there and they will come in close on the reporting tab.
The risk management tab lets you add risks and assess risks.
Basically, log all the information you need Thio about your risks.
So this is the default screen. Thio add a new risk
so we can
call it whatever you want. Um,
for this demo, let's call it a cyber risk. Dimmer
You can choose what they associate ID
would be for this risk,
Let us choose lost, damaged or stolen assets.
so let's say a last laptop would be the subject. The risk
It's so sensitive. Data management
site or location.
Let's go for Washington, D. C.
All of these parameters that you see in the drop down box is, by the way, are configurable for your own instance off the tool
so you can make it really customizable to your own organization.
Simple risk is also a free to use tool
for the basic functionality
the files are available to download and install on your own
systems and Web service So you can host your own Internet version off this website. There is also a cloud based offering
with the company. Simple risk hosts it on your behalf.
The creator was a well known oh wasp contributor. At one stage and security professional. You can go and read up about him on the's Simple Risk website
External Reference ID.
Here, you can put in whatever identify helps you identify the risk outside of the system.
So, for example, if you wanted want to link it to your statement off applique ability.
You can put the necessary identifies in there
You can choose your different control
sits that are applicable to this risk.
The demo looks a little bit overloaded with everyone's inputs in here,
but for this example, let's go with ISO 27,001.
You will choose the control number that it pertains to
off the top of my head. I can't actually remember which control, but it would probably be somewhere 11 point something.
Select an acid or a group. Here, you can select your affected assets
The demo has been a bit bogged down with information,
but we could basically say all workstations
would be affected by this particular
the technology that is associated to it.
Let's just choose Marble,
the team that is associate ID. To manage this risk,
we will say it will be the information security team,
additional stakeholders, anyone that needs to have a look and keep abreast of this risk.
We need to select the risk owner.
We'll just say the director would be the risk owner, or let's actually say the manager
and the owners manager would be the director.
Where did we identify the source from
or what would rather be the cause of this risk.
So if your laptops are being lost or stolen, people would be the most likely risk.
If you remember back to one of the earlier lessons when we went through the risk scoring methods,
these were all of the examples that we covered.
So let us go to the contributing risk, and I'll show you that one.
We scored using the contributing risk.
Here we can see what the overall contributing risk school would be. Likelihood,
We'll say this is a credible lackey hood of happening.
Here it is divided between safety, service level, agreement, impact, financial or reputational,
and awaiting has been applied thio each.
These factors are customizable, so you could turn this into your CIA impact or whatever is most appropriate for your organization.
For each of these, you can select what the impact would be.
It would have a minor safety effect. It might have a
moderate impact on your service level agreement,
probably a major impact on financial
Then you submit those factors
and it will give you a school. For your risk. We'll see what that is just now
the risk assessment here. You just type in the scenario
for the risk.
You describe what type of scenario would happen
and any additional notes
to consider around the risk.
You can also choose a supporting document,
and we can submit the risk.
Once the risk has been submitted.
We can see what the inherent risk is
and what the residual risk is.
The residual risk is the same as the inherent risk because no mitigating controls have been put in place,
let's say, for example, your company
would only accept risks off level three and lower.
That means risk. Acceptance is not a treatment option here,
and we would need to mitigate the risk.
Once you have answered the risk, you have the option to mitigated.
Then we go to a dad mitigation.
You enter a planned mitigation date
that is the date by which you plan to have your mitigation finished.
Here you choose what your treatment is
except mitigate research, transfer or watch.
Watch is basically
you're just going to leave it as is. It's on your radar.
This is something that's not an actual accepted risk treatment or well known risk treatment.
This is something that has been added into the specific demo. Like I say, pretty much everything in here is customizable, so you can add your own levels and whatever works for your organization.
So we will choose the mitigate if it
the effort that is required for mitigation. This is your estimate off. How much time if it resource is whatever is required to mitigate this risk.
So we'll say it's a considerable.
How much is this going to cost?
Probably under $100,000.
Who owns the mitigation? It's the manager. Generally, your risk owner would own your mitigation strategy.
Who is the team?
You can come back and update what the percentage of mitigation is
here. You would select the controls that you're going to use
the identified risk.
Let's just choose any
there. For now. We will implement what the current solution is. This is just the right up off
the current snore of
laptops taken home
security requirements. This is what the designed
solution would be
and security recommendations.
As you can see, there is a mitigation control listed below. You can select multiple mitigation controls,
and you would save mitigation. You can come back to this and update the mitigation as it progresses.
And that's using the simple risk tool in a natural
list a risk.
Once the risk has been listed, you can go and view the dynamic risk report,
and every single risk that has been entered will be available on the system.
This is just a very brief demonstration as to what the tool's capabilities are.
I would recommend you go and have a full on
play in the tool yourself. Since the demo version is out there and briefly to use, you can go and have a look at what it contains.
Just one quick note on before we leave the dimmer
Well, you're mitigating controls.
The tool comes built in with the most popular control frameworks that you can select controls from,
but you can also enter your own controls
into the tool for your mitigating control. So if you have custom controls in your statement of applicability,
you can enter that here and select those custom controls for specific risks
so you can go through the entire controls base here, see what's available
and edit controls
to suit your organization.
So to summarize
in this lesson. We went through some of these simple risk features
and how to use this tool for managing your risks. It is also a great tool to document all of your risks.
It makes it a lot easier than managing Excel spreadsheets.
Go and check it. Art at the you are all provided.