Risk Assessment

Time: 3 hours 54 minutes
Difficulty: Advanced
CEU/CPE: 4
Video Description

In this lesson, instructor Kelly Handerhan will detail the specifics of effective risk management as a whole. You will find out what risk management is and what elements make up risk management. Risk management consists of four main components:

  • Risk assessment: identifying assets, threats, and vulnerabilities
  • Risk analysis: the value of potential risks
  • Risk mitigation: the response to risk
  • Risk monitoring: risk is forever!

You will become familiarized with important risk assessment methodologies such as:

  • OCTAVE: an approach where analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on reducing risk.
  • FRAP: Facilitated Risk Analysis Process. Qualitative analysis is used to determine whether or not to proceed with a quantitative analysis.
  • NIST 800-30: the risk management guide for information technology systems.

Learn about the NIST 800-30 nine-step process:

  • System characterization
  • Threat identification
  • Vulnerability identification
  • Control analysis
  • Likelihood determination
  • Impact analysis
  • Risk determination
  • Control recommendations
  • Results documentation

Discover the benefits of using the NIST 800-30 nine-step risk assessment process to establish an effective and thorough risk assessment protocol. The NIST 800-30 process will go far to improve your data security while ensuring that limited resources are dedicated where they can do the most good.
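To make the assessment, analysis and mitigation steps above concrete, here is an added Python example (not part of the course or the instructor's material): a small risk register that rates each asset/threat/vulnerability triple on a likelihood × impact matrix (NIST 800-30 risk determination), applies the FRAP idea of dropping "low" risks before any dollar analysis, and for the rest compares the annual loss expectancy against a control's yearly cost as the cost-benefit check. The ALE formula (asset value × exposure factor × annual rate) and all figures are assumptions constructed for the example; the page itself gives only a dollar figure, not a formula.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    asset: str
    threat: str             # what could cause harm (threat identification)
    vulnerability: str      # the weakness that lets it (vulnerability identification)
    likelihood: str         # "low" | "medium" | "high" (likelihood determination)
    impact: str             # "low" | "medium" | "high" (impact analysis)
    asset_value: float      # dollars, used only if the risk is quantified
    exposure_factor: float  # fraction of asset value lost per incident (assumed)
    annual_rate: float      # expected incidents per year (assumed)

def qualitative_rating(r: Risk) -> str:
    """Risk determination from a 3x3 likelihood x impact matrix."""
    score = LEVEL[r.likelihood] * LEVEL[r.impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def annual_loss_expectancy(r: Risk) -> float:
    """Assumed ALE formula: single loss (value x exposure) times yearly rate."""
    return r.asset_value * r.exposure_factor * r.annual_rate

def assess(register: list[Risk], controls: dict[str, tuple[float, float]]) -> list[dict]:
    """controls maps asset -> (yearly control cost, fraction of loss the control prevents)."""
    results = []
    for r in register:
        rating = qualitative_rating(r)
        entry = {"asset": r.asset, "rating": rating, "quantified": False, "recommend": False}
        if rating != "low":  # FRAP triage: only these are worth a dollar analysis
            ale = annual_loss_expectancy(r)
            cost, reduction = controls[r.asset]
            # cost-benefit: recommend the control only if the loss it avoids exceeds its cost
            entry.update(quantified=True, ale=ale, control_cost=cost,
                         recommend=ale * reduction > cost)
        results.append(entry)  # results documentation step
    return results

REGISTER = [  # constructed sample register
    Risk("customer PII database", "external breach", "unpatched web app",
         "medium", "high", 500_000, 0.4, 0.2),
    Risk("marketing brochures", "defacement", "weak CMS password",
         "medium", "low", 2_000, 1.0, 1.0),
    Risk("payroll server", "ransomware", "no offline backups",
         "medium", "medium", 120_000, 0.5, 0.1),
]
CONTROLS = {"customer PII database": (25_000, 0.9),  # constructed control options
            "marketing brochures": (500, 1.0),
            "payroll server": (10_000, 0.8)}
```

Running `assess(REGISTER, CONTROLS)` shows the payroll control rejected even though the risk is "medium": the $10,000 yearly cost exceeds the $4,800 of loss it would avoid, which is exactly the decision the dollar value is meant to drive.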

Video Transcription
00:04
As we talk about risk, we want to talk about risk management as a whole: what risk management is and what elements make up risk management. Risk management is really kind of an umbrella term, and what that means is, if you're talking about risk, you're doing some form of risk management,
00:22
and there are various elements of risk management. There's assessment, there's analysis, there's mitigation,
00:28
and then ongoing monitoring of risks. So when we talk about risk assessment, and we'll look at each of these in detail, risk assessment is really more about identification. Identify your assets, identify your threats and your vulnerabilities. Start out by identifying; figure out what's out there.
00:47
What am I protecting?
00:48
What are the things that could pose harm to what I'm protecting, as well as what weaknesses would exist to allow that?
00:55
Then we're gonna look at risk analysis. In risk analysis, we're trying to get a value.
01:00
What is the value of the potential for harm? What is that risk worth? Often we start off with getting a subjective value, like "that's a high risk," and then we move into wanting a quantitative or numeric assessment of the risk,
01:15
saying things like, that has a loss potential of $8,000.
01:21
Ultimately, we generally do want to wind up working towards that dollar value of the risk, because when I find out the dollar value of the risk potential or loss potential, that will guide how much money I'll spend in order to mitigate the risk. That's the cost-benefit analysis right there.
01:40
All right, so risk analysis leads us directly to risk mitigation. After we've determined those values from analysis, we figure out a risk response. How are we going to respond to the risk? And remember, we're gonna respond in such a way that we reduce residual risk to a level that's acceptable to senior management.
02:00
We don't think of eliminating risks. We think about lowering risks to a level that's acceptable.
02:07
All right, and then we wind up, or we wrap up, risk with continuous monitoring, because risk never dies. Risk is forever and ever, and we always have to be very cognizant of risks. Risks are frequently changing, especially in this field, so there is no rest for someone in risk management.
02:25
So let's talk about each of these areas. Let's talk about risk assessment, analysis, and so on. So when we do talk about assessment, the most important thing and the first step of risk management, and what drives all of our decisions, is: what are we protecting and what is it worth?
02:43
Identify our assets. Many times our assets are gonna be the data that we protect,
02:49
and how much value is associated with that data.
02:53
So let's just talk for a second: what drives the value of data?
02:58
You know, if you think about it, if I go to insure my data, I'm probably not gonna get much money from the insurance company if I've lost my data. But what gives it its value? And I kind of referred to this a little bit earlier. What's the value to me? How much time did I take in creating the information?
03:14
What's the value to my customers? You know, if I hold customer personally identifiable information, if I have their credit card information, their health care information, that becomes very valuable. What type of fines am I susceptible to
03:29
if the information gets compromised? So all of that goes into the value of the asset.
03:34
Then we look at the threats and vulnerabilities, and that's our risk assessment. Now there are several different methodologies and approaches to accepting, I'm sorry, to assessing risks. There's OCTAVE, FRAP, and NIST 800-30, which will be my focus for this particular Sam.
03:53
OCTAVE is really a self-based assessment,
03:57
where someone internally looks at the criticality and the value of the assets, the threats, and the vulnerabilities. FRAP, Facilitated Risk Analysis Process: this is a qualitative analysis, and ultimately what it is is a way of prioritizing
04:15
my assets to determine which ones are worthy, or my risks rather,
04:19
which ones are worthy of going on to a quantitative analysis. We may decide with qualitative analysis that this is such a low potential for loss that it's not even worth looking at the dollar value. So that's what FRAP does. Now NIST 800-30
04:35
is the Risk Management Guide for Information Technology Systems, and it walks us through a nine-step
04:43
process of dealing with risk. And this isn't just risk assessment; this really goes through the full gamut of dealing with risks, where we characterize our system. Basically what that means is we look at the value of the assets: does the system hold top secret data or sensitive but unclassified?
05:02
Then we look at threats and vulnerabilities, just like we talked about. A threat is what could cause harm to the system; vulnerabilities are the weaknesses.
05:12
Then we analyze the controls that are already in place, and then we look at likelihood and impact. Sometimes you'll hear me talk about probability and impact, or likelihood and severity. Those ideas are the same: probability and impact. How likely is it to happen? And if it does happen,
05:30
how big is the impact?
05:32
Then we determine the amount of risk, and that risk determination is really the analysis piece that will drive us to recommend controls. Then ultimately we're gonna document our decisions and be able to justify the decisions that we've made. So all of this ties in together, whether you're
05:50
following the framework from OCTAVE or FRAP or NIST, or
05:55
any of the other organizations that have a say in risk management. Even though everyone says it perhaps a slightly different way, the premise is all the same. Identify your assets, evaluate them,
06:08
look at your threats and your vulnerabilities. Figure out your potential for loss, which will guide your mitigation strategy. Implement your mitigation strategy, test it, and then document.