CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:02
Okay, so we've completed our business impact analysis, and we understand what those elements that are most critical to us are. We understand the very nature of their criticality. Now, what we want to do is we want to look at the controls that we already have in place
00:19
because chances are pretty good that you're not walking into an organization that has
00:24
absolutely no security controls in place. They've got security controls in place, but it's your job to determine: are they the right controls that serve the right purpose? Now we can find that out from just any number of ways. I've just included a few here, but
00:40
you know, are our controls sufficient? Look at your audit logs. Look at your incident response reports. Look at lessons learned.
00:47
Um, interview subject matter experts, look to the media.
00:52
Um, look at log files. So there are all these sort of many different ways that you can assess the current state of controls: what's in place now, and how effective is it?
01:03
And then, at that point in time, we want to say, OK, we see what's in place. Is it sufficient? Well, now this is where we do the risk analysis and we start looking at the threats and vulnerabilities and we start looking at our potential for loss.
01:19
And then at that point in time, we determine: is our potential for loss fine? Is it good? Have we reduced residual risk to the level that's acceptable by senior management? And if we haven't, then we've got to figure out what to do next. Okay,
01:34
so one of the ways to do that we've talked about risk scenarios, threat modeling, use and misuse cases
01:41
we looked at, um, ah, root cause or, ah, cause and effect analysis. So ultimately, are our controls there and are they working?
01:52
And any time we talk about this idea of threat modeling, use and misuse
01:59
that really goes along with risks in areas

CRISC

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor