Enterprise Risk Management

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
Welcome back to CyberRays. This, of course. I'm your instructor, Brad Roads. Let's talk about enterprise risk management.
00:07
So in this video, we're gonna look at the multiple levels of risk management. We're gonna talk about the risk management framework at the enterprise level. We're gonna talk about How do we track things when it comes to risk management? That's a document called a risk Register. You need to know that for the use of content, right? And then we're gonna talk about the common causes of enterprise risk.
00:25
So there are three tiers of risk in an enterprise. There's organizational level. That's that strategic focus area.
00:33
There's mission business processes or the or what we would call the organizational level. Right. So you got enterprise level. Level one organization. Level two is mission and business process the organization level, and then we get down to the system level. Level three. Just think, think Hands on keyboard. There people actually doing that
00:48
when we look at risk across an enterprise as defined by NIST here, the National Institute for Standards and Technology, we have to understand that risk tolerance goes down. The closer you get to the level of systems you think of, ah, user clicking on a link right in an email that they should or shouldn't do Well, that link is that they're accepting a much
01:07
higher level of risk or more risk tolerant than at the organization level,
01:11
whereas security related information right, there's a lot of it at Level three, but there's a whole lot less and organizational, and that's all been rolled up. And so you have to understand that when we're talking about enterprise risk, we're looking at thes three Levels Organization, Business Mission and Business Process, which is like departments and then systems themselves people hands on keyboard.
01:27
So you need to memorize this chart. You will see this again, I promise.
01:33
So when we talk about a framework for managing enterprise risk, it's defined here in this chart from NIST,
01:38
we identify the context we go through and identify all the risks. And so this isn't a one and one and done kind of thing. We look at every single risk related to a system, and then we roll it up in our priorities listing, and then we determine how we're going to execute and respond to those risk with mitigation strategies.
01:56
And here's the most important part of this chart.
01:59
Evaluate and adjust. We have to monitor. We're gonna talk about continuous monitoring a little bit later, but you need to look at your risks and relook your risk on a periodic basis. If you do not, you are going to expose your organization. So if you take away anything from this chart,
02:15
risk management at the enterprise level is a continuous process. It goes on a periodic cycle.
02:20
It is deliberate. If you don't do that, you are going to expose your organization to potential problems.
02:29
So how do we track risks? Well, we use a document called a Risk Register. This is you need to be very familiar with this. This is where you capture information and decisions about risk. We decide what we're gonna do with risks, right? We make those recommendations, Are we gonna accept it? Are we going to share it? Are we gonna ignore it,
02:44
or are we gonna just stop doing the thing that causes the risk? Right? Risks themselves can impact schedule. Remember, we talked about cost schedules on and scope. Well, guess what? Those risk areas can actually impact that. We also wanna have indicators in here. We want to know when we should go back and re look at risks. Risks themselves can be,
03:02
ah, list of hundreds of them's, depending on how complex the system is were operated.
03:07
But just like our risk management framework, if we're not doing this on a consistent basis, if we're not doing this on an iterative and periodic cycle, it does not help. We're going to miss something that is going to expose our organization.
03:22
So what are some common causes of enterprise risk? Well, first office people, right? People click on stuff they shouldn't all the time. People are attacking us all the time when we're talking about external threat actors, right? So people is a huge cause of enterprise. Risk
03:34
the technology itself if we don't understand the technology. This is one of the biggest problems I see in the industry today. If we don't understand how to operate the technology we have, we expose and cause risks. Example. Cloud based Storage solutions. How many of those breaches that we've seen over the last few years have been caused because of a bucket, if you will,
03:53
of storage of data of customer data
03:57
that wasn't secured properly and exposed to the public facing Internet. If we don't know how the technology works, that's a cause of enterprise risk. And then the last one, which sometimes gets glossed over and forgotten his natural disasters.
04:08
Obviously, a hurricane that rolls over our data center and takes out the power is a risk we should consider.
04:14
And so we have to look at all three of these as causes of enterprise risk.
04:19
So in this lesson, what do we cover? We looked at the multiple levels of risk management of the enterprise. We talked about the organizational level. We talked about mission and business processes.
04:29
We talked about the systems. That's that hands on keyword aspect. We looked at the risk management framework where you have to do that on a continuous basis, along with the risk register to track and manage risk. It is not a fire and forget a one and done risk management is a continuous process. And then we talked about the common causes of enterprise risk,
04:47
things like people, natural disasters and the technologies themselves.
04:53
We'll see you next time
Up Next
Information Systems Security Engineering Professional (ISSEP)

This ISSEP course provides students with the foundational knowledge of the concentration area of the CISSP certification that includes a focus on the processes used to develop secure systems. Students will learn key concepts and skills of the five ISSEP domains.

Instructed By