Using SimpleRisk to Track and Manage Your Risks


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson: using SimpleRisk to track risks.
00:08
In this video, we're going to go over a demo of the SimpleRisk tool,
00:12
which is a tool that I've mentioned in one of the previous lessons.
00:17
So we're just going to switch over here to the SimpleRisk website.
00:24
They provide a URL for the demo,
00:27
so we're gonna follow that link.
00:32
The login credentials are pretty simple for the demo website.
00:46
Okay,
00:47
once you've logged into the SimpleRisk website, specifically the demo website,
00:54
this is the default screen that you will see.
00:57
This is the reporting tab.
00:59
So I'm gonna
01:00
leave this screen for now. We're gonna go firstly to the risk management tab, show you what's going on there, and then we'll come back and close on the reporting tab.
01:15
The risk management tab lets you add risks and assess risks.
01:21
Basically, log all the information you need to about your risks.
01:27
So this is the default screen to add a new risk,
01:36
so we can
01:38
call it whatever you want. Um,
01:41
for this demo, let's call it a cyber risk: demo
01:45
risk mapping.
01:49
You can choose what the associated
01:53
consequences
01:56
would be for this risk.
02:00
Let us choose lost, damaged or stolen assets.
02:07
Um,
02:09
so let's say a lost laptop would be the subject of the risk.
02:14
Category
02:15
would be,
02:16
let's say, sensitive data management.
02:20
Site or location:
02:23
let's go for Washington, D.C.
02:28
All of these parameters that you see in the drop-down boxes are, by the way, configurable for your own instance of the tool,
02:36
so you can make it really customizable to your own organization.
02:40
SimpleRisk is also a free-to-use tool
02:45
for the basic functionality.
02:46
The files are available to download and install on your own,
02:52
um,
02:53
company's information
02:57
systems and web server, so you can host your own intranet version of this website. There is also a cloud-based offering
03:05
where the company, SimpleRisk, hosts it on your behalf.
03:09
The creator was a well-known OWASP contributor at one stage and security professional. You can go and read up about him on the SimpleRisk website.
03:23
External reference ID:
03:25
here, you can put in whatever identifier helps you identify the risk outside of the system.
03:31
So, for example, if you want to link it to your statement of applicability,
03:37
you can put the necessary identifiers in there.
03:42
Control regulation:
03:45
you can choose your different control
03:50
sets that are applicable to this risk.
03:53
The demo looks a little bit overloaded with everyone's inputs in here,
03:58
but for this example, let's go with ISO 27001.
04:01
You will choose the control number that it pertains to.
04:06
Off the top of my head, I can't actually remember which control, but it would probably be somewhere around 11 point something.
04:14
Select an asset or a group: here, you can select your affected assets.
04:19
Again,
04:20
the demo has been a bit bogged down with information,
04:25
but we could basically say all workstations
04:29
would be affected by this particular
04:31
group,
04:33
the technology that is associated to it.
04:39
Let's just choose Mobile.
04:41
The team that is associated to manage this risk:
04:45
we will say it will be the information security team.
04:48
Additional stakeholders: anyone that needs to have a look and keep abreast of this risk.
04:54
We need to select the risk owner.
04:58
We'll just say the director would be the risk owner, or let's actually say the manager,
05:02
and the owner's manager would be the director.
05:06
Where did we identify the source from,
05:15
or what would rather be the cause of this risk?
05:18
So if your laptops are being lost or stolen, people would be the most likely risk.
05:25
If you remember back to one of the earlier lessons when we went through the risk scoring methods,
05:30
these were all of the examples that we covered.
05:33
So let us go to the contributing risk, and I'll show you that one.
05:39
We scored using the contributing risk.
05:45
Here we can see what the overall contributing risk score would be. Likelihood:
05:50
we'll say this is a credible likelihood of happening.
05:55
The contributing
05:57
impact:
05:59
here it is divided between safety, service level agreement impact, financial or reputational,
06:05
and a weighting has been applied to each.
06:10
These factors are customizable, so you could turn this into your CIA impact or whatever is most appropriate for your organization.
06:18
For each of these, you can select what the impact would be.
06:21
It would have a minor safety effect. It might have a
06:26
moderate impact on your service level agreement,
06:29
probably a major impact on financial,
06:31
and reputation,
06:33
possibly moderate.
06:36
Then you submit those factors
06:40
and it will give you a score for your risk. We'll see what that is just now.
06:48
The risk assessment: here you just type in the scenario
06:55
for the risk.
06:56
You describe what type of scenario would happen
06:59
and any additional notes
07:00
to consider around the risk.
07:05
You can also choose a supporting document,
07:13
and we can submit the risk.
07:17
Once the risk has been submitted,
07:19
we can see what the inherent risk is
07:23
and what the residual risk is.
07:25
The residual risk is the same as the inherent risk because no mitigating controls have been put in place.
07:30
Let's say, for example, your company
07:32
would only accept risks of level three and lower.
07:36
That means risk acceptance is not a treatment option here,
07:41
and we would need to mitigate the risk.
07:45
Once you have entered the risk, you have the option to mitigate it.
07:48
Then we go to add mitigation.
07:56
You enter a planned mitigation date;
07:59
that is the date by which you plan to have your mitigation finished.
08:03
Here you choose what your treatment is:
08:07
accept, mitigate, research, transfer or watch.
08:11
Watch is basically
08:13
you're just going to leave it as is. It's on your radar.
08:16
This is something that's not an actual accepted risk treatment or well-known risk treatment.
08:22
This is something that has been added into the specific demo. Like I say, pretty much everything in here is customizable, so you can add your own levels and whatever works for your organization.
08:33
So we will choose mitigate. Effort:
08:39
the effort that is required for mitigation. This is your estimate of how much time, effort, resources, whatever is required to mitigate this risk.
08:48
So we'll say it's considerable.
08:52
How much is this going to cost?
08:54
Probably under $100,000.
08:56
Who owns the mitigation? It's the manager. Generally, your risk owner would own your mitigation strategy.
09:03
Who is the team?
09:05
You can come back and update what the percentage of mitigation is.
09:09
Here you would select the controls that you're going to use
09:16
to mitigate
09:18
the identified risk.
09:24
Let's just choose any
09:26
there for now. We will implement what the current solution is. This is just the write-up of
09:31
the current state of
09:35
laptops taken home.
09:37
Security requirements: this is what the designed
09:41
solution would be,
09:43
and security recommendations.
09:46
As you can see, there is a mitigation control listed below. You can select multiple mitigation controls,
09:54
and you would save mitigation. You can come back to this and update the mitigation as it progresses.
10:03
And that's using the SimpleRisk tool in a nutshell
10:09
to
10:11
list a risk.
10:16
Once the risk has been listed, you can go and view the dynamic risk report,
10:20
and every single risk that has been entered will be available on the system.
10:28
This is just a very brief demonstration as to what the tool's capabilities are.
10:31
I would recommend you go and have a full-on
10:35
play in the tool yourself. Since the demo version is out there and free to use, you can go and have a look at what it contains.
10:43
Just one quick note before we leave the demo
10:46
on your mitigating controls.
10:50
The tool comes built in with the most popular control frameworks that you can select controls from,
10:56
but you can also enter your own controls
10:58
into the tool for your mitigating control. So if you have custom controls in your statement of applicability,
11:05
you can enter them here and select those custom controls for specific risks.
11:09
So you can go through the entire controls base here, see what's available
11:13
and edit controls
11:15
to suit your organization.
11:26
So to summarize,
11:28
in this lesson we went through some of the SimpleRisk features
11:33
and how to use this tool for managing your risks. It is also a great tool to document all of your risks.
11:39
It makes it a lot easier than managing Excel spreadsheets.
11:43
Go and check it out at the URL provided.