CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:02
getting started with the main zero introduction to information security Risk. This is the domain that just make sure that we all have some of the basics down with risk management. We know a few of the key concepts, and then we want to kind of turn it around and related specifically to I t. So
00:20
we'll talk about information, security, risk
00:24
risk, governance versus risk management. Those air, sometimes terms that get used interchangeably, not interchangeable. Go through some definitions. We'll talk about risk management because that's where a lot of our focus is going to be. It's not gonna be so much on governance. It'll be on management.
00:41
Then we'll talk specifically about information security, and we'll talk about some of the threats to our information. Some of the vulnerabilities and then the corresponding risks will look a TTE ai Saca's risk management life cycle. And since I Sacha is the organization that puts out the sea risk exam,
01:00
you can imagine that I saca's see risk
01:03
risk management life cycle that that's gonna be on the sea risk exam. And then, of course, we'll wrap up and do a review.
01:11
So getting started with an introduction to risk. We want to make sure we have a couple of important terms. So first of all, a risk is an unknown,
01:22
and the value of the risk is a combination of probability and impact. How likely somethingto happen? And if it does happen, what's the consequence? So when you have low probability, low impact risks, you don't have a huge potential for loss, right? You don't have a huge risk value,
01:40
but for those events that really likely to happen and have a huge impact,
01:45
you got a problem. And that's going to drive. Of course, you're mitigation strategies.
01:49
All right, So since a risk is unknown once that risk event materializes, it's now an incident. So risks are always unknown. Once they happen, they're no longer unknown. Right?
02:01
Um,
02:02
we will always talk in this course about risk as an adverse event. However, there some documents and some courses that teach risks as being positive and negative. A positive risk is an opportunity, and negative risk is a threat.
02:17
I kind of get that, especially when you're doing, like, estimation of costs and those things. But for this class, we're gonna look at risk sous negatives. I don't ever hear anybody say, Ooh, there's a risk I'm gonna win the lottery, right? That's that's not what we think about with risks.
02:34
All right, So when I'm developing or evaluating rather risks there a couple of things that have to be considered, actually there a zillion things that have to be considered. But these are the ones we're gonna focus on first.
02:46
First of all, the organization We want our risk management strategy to be aligned with the mission of the organization. So if the organization is very conservative than we're gonna have a conservative strategy towards risk,
03:00
If the organization's very aggressive and very much fueled by venture capital and let's get out there and try it,
03:07
then my risk strategy should reflect that. So always we're gonna be in alignment with the mission of the organization
03:15
assets, threats, vulnerabilities, assets. What I value
03:20
threats would cause harm to the asset vulnerabilities or weaknesses. So when we talk about the risk triad, your assets,
03:30
the threats that would harm them and the vulnerabilities that would allow the at exploit as a matter of fact, if you look at the bottom bullet point, a risk equals asset times threat times probability. So you have to have all three of those toe have a risk if you don't have an asset and you don't have a risk. If you don't have a threat, no risk.
03:49
There's It's impossible the risk would happen.
03:52
No risk, right or the event would happen
03:54
now. Likelihood. An impact. Like I said, that's gonna be the the two elements that we used to determine the value of a list of a risk. There's an 80% chance I'm gonna lose $10,000 while my potential for losses. 8000 right? I've got an $8000 risk.
04:13
So we're gonna use that when we're trying to figure out how much risk we have,
04:17
and then what would be what would make sense to mitigate those risks? We need that value

Up Next

CRISC

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor