Using SimpleRisk to Track and Manage Your Risks

00:01

lesson full point line using simple risk to track risks.

00:08

In this video, we're going to go over a demo off the simple risk tool,

00:12

which is a tool that I've mentioned in one of the previous lessons.

00:17

So we're just going to switch over here Thio these simple risk website

00:24

they provide a You are all for the demo.

00:27

So we're gonna follow that link.

00:32

The log in credentials are pretty simple for the demo websites.

00:46

Okay,

00:47

once you logged into the simple risk website specifically the demo website,

00:54

this is the default screen that you will see.

00:57

This is the reporting tab.

00:59

So I'm gonna

01:00

leave this screen for now. And we're gonna go firstly to the risk management have show you what's going on there and they will come in close on the reporting tab.

01:15

The risk management tab lets you add risks and assess risks.

01:21

Basically, log all the information you need Thio about your risks.

01:27

So this is the default screen. Thio add a new risk

01:36

so we can

01:38

call it whatever you want. Um,

01:41

for this demo, let's call it a cyber risk. Dimmer

01:45

risk mapping.

01:49

You can choose what they associate ID

01:53

consequences

01:56

would be for this risk,

02:00

Let us choose lost, damaged or stolen assets.

02:07

Um,

02:09

so let's say a last laptop would be the subject. The risk

02:14

category

02:15

would be.

02:16

It's so sensitive. Data management

02:20

site or location.

02:23

Let's go for Washington, D. C.

02:28

All of these parameters that you see in the drop down box is, by the way, are configurable for your own instance off the tool

02:36

so you can make it really customizable to your own organization.

02:40

Simple risk is also a free to use tool

02:45

for the basic functionality

02:46

the files are available to download and install on your own

02:52

UM

02:53

COS. Information

02:57

systems and Web service So you can host your own Internet version off this website. There is also a cloud based offering

03:05

with the company. Simple risk hosts it on your behalf.

03:09

The creator was a well known oh wasp contributor. At one stage and security professional. You can go and read up about him on the's Simple Risk website

03:23

External Reference ID.

03:25

Here, you can put in whatever identify helps you identify the risk outside of the system.

03:31

So, for example, if you wanted want to link it to your statement off applique ability.

03:37

You can put the necessary identifies in there

03:42

control regulation.

03:45

You can choose your different control

03:50

sits that are applicable to this risk.

03:53

The demo looks a little bit overloaded with everyone's inputs in here,

03:58

but for this example, let's go with ISO 27,001.

04:01

You will choose the control number that it pertains to

04:06

off the top of my head. I can't actually remember which control, but it would probably be somewhere 11 point something.

04:14

Select an acid or a group. Here, you can select your affected assets

04:19

again.

04:20

The demo has been a bit bogged down with information,

04:25

but we could basically say all workstations

04:29

would be affected by this particular

04:31

group,

04:33

the technology that is associated to it.

04:39

Let's just choose Marble,

04:41

the team that is associate ID. To manage this risk,

04:45

we will say it will be the information security team,

04:48

additional stakeholders, anyone that needs to have a look and keep abreast of this risk.

04:54

We need to select the risk owner.

04:58

We'll just say the director would be the risk owner, or let's actually say the manager

05:02

and the owners manager would be the director.

05:06

Where did we identify the source from

05:15

or what would rather be the cause of this risk.

05:18

So if your laptops are being lost or stolen, people would be the most likely risk.

05:25

If you remember back to one of the earlier lessons when we went through the risk scoring methods,

05:30

these were all of the examples that we covered.

05:33

So let us go to the contributing risk, and I'll show you that one.

05:39

We scored using the contributing risk.

05:45

Here we can see what the overall contributing risk school would be. Likelihood,

05:50

We'll say this is a credible lackey hood of happening.

05:55

The contributing

05:57

impact

05:59

Here it is divided between safety, service level, agreement, impact, financial or reputational,

06:05

and awaiting has been applied thio each.

06:10

These factors are customizable, so you could turn this into your CIA impact or whatever is most appropriate for your organization.

06:18

For each of these, you can select what the impact would be.

06:21

It would have a minor safety effect. It might have a

06:26

moderate impact on your service level agreement,

06:29

probably a major impact on financial

06:31

and reputation,

06:33

possibly moderates.

06:36

Then you submit those factors

06:40

and it will give you a school. For your risk. We'll see what that is just now

06:48

the risk assessment here. You just type in the scenario

06:55

for the risk.

06:56

You describe what type of scenario would happen

06:59

and any additional notes

07:00

to consider around the risk.

07:05

You can also choose a supporting document,

07:13

and we can submit the risk.

07:17

Once the risk has been submitted.

07:19

We can see what the inherent risk is

07:23

and what the residual risk is.

07:25

The residual risk is the same as the inherent risk because no mitigating controls have been put in place,

07:30

let's say, for example, your company

07:32

would only accept risks off level three and lower.

07:36

That means risk. Acceptance is not a treatment option here,

07:41

and we would need to mitigate the risk.

07:45

Once you have answered the risk, you have the option to mitigated.

07:48

Then we go to a dad mitigation.

07:56

You enter a planned mitigation date

07:59

that is the date by which you plan to have your mitigation finished.

08:03

Here you choose what your treatment is

08:07

except mitigate research, transfer or watch.

08:11

Watch is basically

08:13

you're just going to leave it as is. It's on your radar.

08:16

This is something that's not an actual accepted risk treatment or well known risk treatment.

08:22

This is something that has been added into the specific demo. Like I say, pretty much everything in here is customizable, so you can add your own levels and whatever works for your organization.

08:33

So we will choose the mitigate if it

08:39

the effort that is required for mitigation. This is your estimate off. How much time if it resource is whatever is required to mitigate this risk.

08:48

So we'll say it's a considerable.

08:52

How much is this going to cost?

08:54

Probably under $100,000.

08:56

Who owns the mitigation? It's the manager. Generally, your risk owner would own your mitigation strategy.

09:03

Who is the team?

09:05

You can come back and update what the percentage of mitigation is

09:09

here. You would select the controls that you're going to use

09:16

to mitigate

09:18

the identified risk.

09:24

Let's just choose any

09:26

there. For now. We will implement what the current solution is. This is just the right up off

09:31

the current snore of

09:35

laptops taken home

09:37

security requirements. This is what the designed

09:41

solution would be

09:43

and security recommendations.

09:46

As you can see, there is a mitigation control listed below. You can select multiple mitigation controls,

09:54

and you would save mitigation. You can come back to this and update the mitigation as it progresses.

10:03

And that's using the simple risk tool in a natural

10:09

to

10:11

list a risk.

10:16

Once the risk has been listed, you can go and view the dynamic risk report,

10:20

and every single risk that has been entered will be available on the system.

10:28

This is just a very brief demonstration as to what the tool's capabilities are.

10:31

I would recommend you go and have a full on

10:35

play in the tool yourself. Since the demo version is out there and briefly to use, you can go and have a look at what it contains.

10:43

Just one quick note on before we leave the dimmer

10:46

Well, you're mitigating controls.

10:50

The tool comes built in with the most popular control frameworks that you can select controls from,

10:56

but you can also enter your own controls

10:58

into the tool for your mitigating control. So if you have custom controls in your statement of applicability,

11:05

you can enter that here and select those custom controls for specific risks

11:09

so you can go through the entire controls base here, see what's available

11:13

and edit controls

11:15

to suit your organization.

11:26

So to summarize

11:28

in this lesson. We went through some of these simple risk features

11:33

and how to use this tool for managing your risks. It is also a great tool to document all of your risks.

11:39

It makes it a lot easier than managing Excel spreadsheets.