Okay, so we've completed our business impact analysis, and we understand which elements are most critical to us. We understand the very nature of their criticality. Now, what we want to do is look at the controls that we already have in place,
because chances are pretty good that you're not walking into an organization that has
absolutely no security controls in place. They've got security controls in place, but it's your job to determine: are they the right controls, serving the right purpose? Now, we can find that out in any number of ways. I've just included a few here, but,
you know, are our controls sufficient? Look at your audit logs. Look at your incident response reports. Look at lessons learned.
Interview subject matter experts. Look to the media.
Look at log files. So there are all these many different ways that you can assess the current state of controls: what's in place now, and how effective is it?
And then, at that point in time, we want to say, OK, we see what's in place. Is it sufficient? Well, now, this is where we do the risk analysis, and we start looking at the threats and vulnerabilities, and we start looking at our potential for loss.
And then, at that point in time, we determine: is our potential for loss fine? Is it good? Have we reduced residual risk to the level that's acceptable to senior management? And if we haven't, then we've got to figure out what to do next. Okay,
so, one of the ways to do that: we've talked about risk scenarios, threat modeling, use and misuse cases;
we looked at root cause or cause-and-effect analysis. So ultimately, are our controls there, and are they working?
And any time we talk about this idea of threat modeling, use and misuse cases,
that really goes along with risk scenarios