CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:01
Okay, so we've completed our risk assessment. We have looked at what the risks are.
00:09
We've looked at their probability and impact. We've determined the potential for loss. What we're getting ready to do in the next section is to base our mitigation on what we've learned. But before we can do that, we have to take what we've learned, and we have to formalize it and create a report called the Risk Assessment Report.
00:28
So this risk assessment report is gonna be a tool that I use to share what I've learned through the risk assessment process with senior management and with other key stakeholders. So, like we've said, one of the first things that we look at doing is meeting with senior management,
00:45
making sure we understand the role of the business, the context of the business.
00:50
And from there, we go to looking at gap analysis. Where are we? Where do we wanna be?
00:57
So we're gonna provide where we're still exposed to risk, and we're gonna use that to determine if we're still within compliance with what senior management wants based on their risk acceptance. So ultimately, we include remediation strategies as well,
01:15
making sure that they're tied into
01:19
the risk assessment. Now, also as part of the preliminary information of the risk assessment, we have to indicate what methodologies were used, and we're also gonna prioritize our risks. Now each risk needs to be assigned to an owner.
01:36
One of the best ways that you can make sure that risk management
01:40
works, or that the mitigation strategies are implemented and monitored, is to have folks have some accountability. So we're gonna assign risks to an owner, and that's gonna be documented in the report. And as we've said in the past, risk owners must be
01:57
someone high enough in the organization to actually make changes,
02:00
someone high enough in the organization that actually has a stake in the game. And
02:07
excuse me, that they have the ability to release funds or to authorize controls.
02:14
Now, other considerations for the risk report.
02:22
Excuse me.
02:23
Other considerations for the risk report. We've got to, and this is just structuring your report, start off with the objectives. We describe the process we use for acceptance, any sort of external or internal factors that are going to
02:39
have a play on how we conduct our criteria, our assessment.
02:45
And ultimately, throughout this whole risk assessment, we start with justifying what we're doing and how we're doing it. And then we bring in the meat of the material. What are the risks that we've identified? What are the assets, threats, vulnerabilities, right? Because that's what it takes to make up a risk.
03:04
Then
03:05
we look at framing the threat and vulnerability pairs
03:10
in relationship to loss potential. And then eventually, what we're going to do, and not even eventually, in the next chapter, we're gonna take our potential for loss and try to make a good decision based on mitigating strategies. All of that information gets wrapped up in the risk assessment report,
03:29
and then ultimately, we're gonna communicate.
03:30
We're gonna communicate those results along with the risk register and any sort of remediation. That risk register is just gonna be used throughout the risk management process. And that risk register will be part of your overall risk assessment results.
03:50
Once we're done with the risk assessment,
03:52
ideally we'll then be able to transform pretty quickly and seamlessly into the risk mitigation process.


This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor