CompTIA Security+ SY0-601 – 5.4 Risk management processes and concepts Part 1

April 2, 2023

1. Risk types, terms, and Process

In this video we’re going to be talking about risk types. Before we get into this whole section on risk, let’s define risk. Risk is the probability that a threat exploits a vulnerability. A couple of quick things about that: the threat is something like a virus, and the vulnerability is a hole, such as an unpatched machine or a machine without antivirus. So risk is the probability that the virus exploits your computer. That’s one kind of risk, and that’s the definition: the probability of a threat exploiting a vulnerability. There are many vulnerabilities in our systems and there are many threats, so in this section we want to talk about risk management in the context of our exam.

There are many types of risk out there. Let’s take a look at some of them. First there are external risks, risks that hit your organization from outside: hurricanes, floods, regulations, natural disasters that can affect your business. Then there are internal risks, risks within the organization itself: user error, for example, or a system failure that brings down your network. Using legacy systems is another risk. Legacy systems may have reached what everyone keeps talking about, end of life. A legacy system may get no more updates; there’s no life left in it because there is no support. There is a massive risk in using it, because you may be storing important data in a system that has no support left.

Multiparty risk is when multiple parties are involved in different systems, and that can introduce risk. IP theft: intellectual property is your private information, the secret recipe for your barbecue sauce being stolen. Another risk is compliance with software licensing. These are just some of the risks out there. Software compliance and unlicensed software are a big deal because, believe me, it is so easy to be out of compliance with a software license. Licensing is really complex because vendors license by process, by processor, by instance, by server, by user, by connection, by site. It’s crazy how many ways they license their products, so we have to work closely with these companies when we do this.

To take this a bit farther, in this video we’re also going to talk about some terms, because in this section of the course we want to be able to analyze risk. We want to do a risk analysis where we know our assets, know what our risks are, and then reduce the risk to acceptable levels. Always remember this: every action we take has an associated risk. Everything I do standing here has a risk. The ceiling can fall. The computer can shut off. There could be an earthquake. Getting in a car and driving: every action you take has risks. So we need to assess these risks. Risk assessment is generally about identifying your assets, learning the value of your assets, conducting a qualitative and quantitative assessment (we’ll come to those later), and being able to respond.

So once you know what your assets are, you identify your risks and see how those risks affect your assets. Then you come up with mitigations and responses, and then you implement them. Those are the general steps of risk response. I’m going to write this out and then go into some terms. So what are the general risk management steps? We’ll call these the risk management steps, and they are generic. The first thing you do in risk management is identify your assets: what are the assets within the business? The next thing is to identify your risks. You cannot assess a risk if you don’t know the risk to the asset.

The third step is an assessment of these risks to the assets. That means you now say: the asset is, let’s say, data, and the risk is a virus. If the virus infects the data, what am I going to lose, and how much? Once you’ve done that, you can come up with a response to the risk, such as installing antivirus or encrypting your data. And the final step is to implement those responses. So let’s take a quick look at this chart. The first thing you do, once again, is identify your assets.

You’ve got to know your assets within the organization. What are assets? People, data, equipment, furniture. Know all your assets, and then know your risks. What are the risks that can affect your business? Hurricanes, floods, terrorism, pandemics, viruses, hackers, internal employee threats. Then you assess the risk. This is where we do our qualitative and quantitative analysis; I have a slide and some notes on that coming up later, so we’ll talk about it in a few minutes. This is where you do your risk assessment: you see how those risks can affect your assets. Then you come up with the mitigation strategy.

How are you going to respond? You can transfer the risk, mitigate the risk, accept the risk, or avoid it, and then finally you implement that. The sixth step, really, is to monitor it all and make sure it’s working. Those are the generic risk management steps; they put into perspective what we’ll be talking about next. Before I end this video, we’re going to cover some terms. Now that you’ve learned the process, let’s talk about some risk analysis terms. The first two are the risk register and the risk matrix, also called a heat map. A risk register is basically a listing of all the identified risks within the business.

The heat map is a color-coded version of that matrix: this is a hot risk, like a pandemic in today’s world of 2020. Hackers or data being stolen, that’s a hot risk too. So the risk register is a listing of all the risks the organization faces. As you identify risks, you add them to the register: hurricanes, floods, viruses, hackers, equipment failure, DDoS attacks; all the attacks from the attacks section of this course fall into the risk section. Make a listing of all your risks, and that is your risk register. The next term is the risk control assessment, or risk control self-assessment.

A risk control assessment (or self-assessment, when the organization does it itself) is when an organization goes through an overall assessment of the controls it uses to mitigate risk, the whole risk program itself. Do we have a good risk management program? Are the controls we are using adequate? Remember, controls are how we mitigate risk. If the risk is a hacker breaking in, the control is a firewall. If the risk is virus infection, the control is antivirus. So a risk control assessment asks whether the controls are adequate for the risk, an overall assessment. The other term here is risk awareness: how aware is the organization of its risks? You must know your risks. If you do not know a risk, you cannot respond to it, because you won’t know it exists.

The way to understand your risks is to use some of the many tools I’ve talked about, like the Center for Internet Security, and CVE, for example. When you look at a CVE for a vulnerability, you can see its CVSS score. These are good ways to make yourself more risk aware. Certain systems come with inherent risk. Using legacy systems, for example, comes with inherent risk. People say Windows has a lot of inherent risk simply because it’s Windows; I’m not going to agree with that, but there are certain systems that come with risk that has to be mitigated. Control risk is the risk associated with the controls themselves. Take a firewall. Yes, when implemented, the firewall can stop someone from breaking in.

But that control itself carries a risk: the firewall may fail. So control risks do exist. There’s a probability that the antivirus does not detect the virus. How much risk are you willing to accept? That’s known as the risk appetite: how much risk you’re willing to accept. Everybody has a different appetite for risk. Here’s what I mean. Everyone does things at different levels because of how they view risk. Take driving. Some people get on a highway and drive exactly the speed limit. Some people are even scared of that and go under it (please don’t do that). Some people drive 5 miles over the limit.

Some drive 10 over, some drive 20 over. Everybody has a different level of tolerance. Some people are scared to fly. Some people are scared to go on boats. We all have a different appetite for risk, and the risk appetite really affects the controls you choose. For example, if your risk appetite is such that you’re scared of flying, you’ll never fly; you’ll always drive. But then again, driving to me has a higher risk than flying. I’m still scared of flying. I don’t like heights; I really hate flying and prefer to drive. It sounds weird, I know, because driving has more inherent risk. Like I said, the inherent risk of driving is very big. The other thing that has a drastic impact on how we manage risk is regulations that affect our risk posture.

We may have a posture toward taking on or handling more risk, but the regulation says otherwise: no, you must mitigate that risk. There are a lot of regulations, especially data regulations like GDPR, which names encryption as one of the safeguards it expects for personal data, and PCI DSS, which makes it mandatory to protect stored cardholder data and to encrypt it when it crosses public networks. Okay, so quite a lot of terms in this section. Rewatch this video so you understand the risk analysis terms and the risk process. Don’t forget, the risk process is: identify your assets, identify your risks, conduct your risk assessment, come up with your responses, implement your responses. Let’s move on now to the other processes for how to actually assess risk.

2. Risk management strategies

In this video I’m going to be talking about risk management strategies, in other words, how we respond to these risks. In the previous video we got to the point of knowing, hey, this risk is going to cost us this much. Now we’re going to say, here is how we’re going to respond to these risks. Let’s take a look at what I have here. The first thing we can do with a risk is accept it. Risk acceptance basically means to do nothing. Let’s talk about that. Earthquakes in New York City: you know what I’m doing about earthquakes in New York City? I live in New York City.

Nothing, absolutely nothing. I acknowledge it, I know it’s there, but I’m not doing anything about it. Why? Because its probability is too low. I don’t have earthquake insurance; I don’t have an earthquake-proof house. Risk acceptance is when the organization decides, maybe because the impact is too low or the probability is too low or both, that it will take no action against the risk. Risk acceptance is a legitimate risk response, but the organization needs to document why it decided not to take any action. Something like an earthquake in New York City is definitely acceptable, but flooding in New York City is not, because we are prone to hurricanes.

In fact, a few years ago Superstorm Sandy, which wasn’t even a hurricane any more by the time it made landfall, took out power in many parts of New York City for extended periods. Another thing we can do is avoid the risk. Avoiding the risk means going down a different path; avoidance eliminates the risk completely. So you’re scared to fly, because you don’t want to die in a plane crash, and you decide you’ll never fly; you’re going to drive instead. Now the risk of flying is completely eliminated. But remember what I said earlier in this class: every action has a risk, and when you take a different action, that action has its own risk.

So you eliminate that risk, but you don’t eliminate the other one. Remember, avoiding a risk eliminates that risk; that risk is completely gone. There’s a risk of virus A infecting Windows? Okay, don’t use Windows, but when you use Linux there is virus B. So risk avoidance eliminates that particular risk. The next one is transference, which generally means buying insurance. Risk transference is giving the risk to someone else, and this generally means buying cybersecurity insurance, which is a real product now that companies purchase in case there is a breach and a loss of data, and the company then has PR costs or regulatory fines to deal with.

So transferring the risk is buying insurance or hiring consultants; transferring the risk of fire, for example, is having fire insurance. Another response, and the most popular one, is called mitigation. Mitigation does not eliminate risk. Mitigation reduces risk to your appetite, to your tolerance, however much risk you are willing to bear. Installing antivirus does not eliminate the risk of getting a virus. What it does is lower the risk to the point where the action becomes doable. For example, using a computer without antivirus to go shopping online is not acceptable to me.

But if I mitigate the risk, I lower it to a tolerance level where I am comfortable using the computer. Remember, there’s still a little bit of risk left over. Just because you have antivirus on your computer doesn’t mean you can’t get a virus. There are two things we should do when it comes to malware: install antivirus and train your users. So for mitigation we do those two things, but you can still get a virus. That little bit of risk that’s left over after the mitigation, or after any of these responses, is what we call residual risk. Residual risk is the risk that’s left over.

It’s the risk that remains after you have implemented the controls to bring the risk down to your appetite. For example, using a computer with antivirus, there’s a little bit of risk left over; you can still get a virus. Driving a car has a lot of risk associated with it: you can easily die in a car crash or get severely injured. But you get into the car, you don’t drink and drive, you don’t text, you pay attention to the road. With these kinds of risks, you bring the risk down to what you feel comfortable with, but you can still get into an accident.

Okay, so that is mitigation. Mitigation, and some of the other responses, leave some risk over. Remember, for your exam, residual risk is the risk that remains after your controls: it is known, and it should sit within what you’re willing to accept. So that concludes this section. Don’t forget: acceptance means to do nothing, you’re willing to accept the risk. Avoidance is to go down a different path and eliminate the risk. Transference is to give it away through insurance. And mitigation is to lower the risk to your tolerance. These are the different strategies when it comes to managing risk.
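As an added example that is not part of the course or this page, here is a small Python risk register that ties the two videos together: the asset/risk listing, the likelihood times impact scoring and the heat map bands from the first video, and the four responses, residual risk and risk appetite from this one. The 1 to 5 scale, the band thresholds, the appetite value, the control names and every sample entry are assumptions chosen for illustration; a real register would use the organization’s own scales and, in the quantitative part of the section, dollar values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

SCALE = range(1, 6)  # likelihood and impact scored 1 (low) to 5 (high), assumed
STRATEGIES = ("accept", "avoid", "transfer", "mitigate")

def band(score: int) -> str:
    """Heat-map band for a likelihood x impact score (thresholds are assumed)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

@dataclass
class Control:
    name: str
    likelihood_cut: int = 0  # points taken off likelihood (patching, AV, training)
    impact_cut: int = 0      # points taken off impact (backups, insurance)

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # inherent likelihood, 1..5
    impact: int                     # inherent impact, 1..5
    strategy: str                   # one of STRATEGIES
    controls: List[Control] = field(default_factory=list)
    justification: str = ""         # why a risk was accepted, for the record

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be scored 1..5")
        if self.strategy not in STRATEGIES:
            raise ValueError(f"unknown strategy {self.strategy!r}")

    def inherent(self) -> int:
        """Score before any response: the risk the asset carries by itself."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score left over after the chosen response and its controls."""
        if self.strategy == "avoid":
            return 0  # the activity is not undertaken, so this risk is gone
        if self.strategy == "accept":
            return self.inherent()  # nothing is done, so nothing changes
        # transfer and mitigate both work through controls: insurance is a
        # control that cuts impact, antivirus one that cuts likelihood
        likelihood = self.likelihood - sum(c.likelihood_cut for c in self.controls)
        impact = self.impact - sum(c.impact_cut for c in self.controls)
        return max(1, likelihood) * max(1, impact)

def heat_map(register: List[Risk], residual: bool = False) -> Dict[str, List[str]]:
    """Group register entries by band, on inherent or on residual score."""
    grid: Dict[str, List[str]] = {"critical": [], "high": [], "medium": [], "low": []}
    for r in register:
        score = r.residual() if residual else r.inherent()
        grid[band(score)].append(f"{r.asset}: {r.threat}")
    return grid

def audit(register: List[Risk], appetite: int) -> List[str]:
    """Monitoring step: flag entries still above appetite or missing paperwork."""
    findings = []
    for r in register:
        label = f"{r.asset}/{r.threat}"
        if r.residual() > appetite:
            findings.append(f"{label}: residual {r.residual()} exceeds appetite {appetite}")
        if r.strategy == "accept" and not r.justification:
            findings.append(f"{label}: accepted without a documented reason")
        if r.strategy in ("transfer", "mitigate") and not r.controls:
            findings.append(f"{label}: {r.strategy} chosen but no control recorded")
    return findings

# Constructed sample register: the assets, scores and controls are made up
# for illustration, not taken from the course or from any real assessment.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", 4, 5, "mitigate",
         controls=[Control("endpoint anti-malware", likelihood_cut=1),
                   Control("user awareness training", likelihood_cut=1),
                   Control("offline backups", impact_cut=3)]),
    Risk("data center", "earthquake", 1, 5, "accept",
         justification="probability too low to justify a retrofit"),
    Risk("data center", "hurricane flooding", 3, 5, "transfer",
         controls=[Control("flood insurance", impact_cut=3)]),
    Risk("end-of-life file server", "exploit of unpatched service", 5, 4, "avoid"),
    Risk("source repository", "IP theft by insider", 3, 4, "mitigate",
         controls=[Control("data loss prevention", likelihood_cut=1)]),
    Risk("office furniture", "theft", 2, 1, "accept"),
]
APPETITE = 6  # assumed: the highest residual score the organization will carry

if __name__ == "__main__":
    print(heat_map(SAMPLE_REGISTER, residual=True))
    print("\n".join(audit(SAMPLE_REGISTER, APPETITE)))
```

Running it shows the point of the two videos in one place: the ransomware entry starts in the critical band and, after antivirus, training and backups, lands in the medium band with a residual score of 4, inside the assumed appetite of 6; the avoided end-of-life server drops to zero; the insider IP theft entry is still at 8 after its one control, so the audit flags it for another response; and the accepted furniture risk is flagged only because nobody wrote down why it was accepted, which is the documentation the text says acceptance requires.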
