WEBVTT

1
00:00:00.000 --> 00:00:01.650
In this section of the course,

2
00:00:01.650 --> 00:00:04.110
we are going to discuss Risk Management.

3
00:00:04.110 --> 00:00:06.450
The Risk Management section of the course focuses

4
00:00:06.450 --> 00:00:09.600
on Domain 1: Governance, Risk, and Compliance,

5
00:00:09.600 --> 00:00:13.140
specifically objective 1.2, which states

6
00:00:13.140 --> 00:00:16.290
that given a set of organizational security requirements,

7
00:00:16.290 --> 00:00:19.380
you must be able to perform risk management activities.

8
00:00:19.380 --> 00:00:21.930
In managing enterprise security risk,

9
00:00:21.930 --> 00:00:24.780
it is critical to protect organizational assets

10
00:00:24.780 --> 00:00:26.910
and ensure operational resilience.

11
00:00:26.910 --> 00:00:29.460
This includes safeguarding data,

12
00:00:29.460 --> 00:00:33.660
maintaining system reliability, and managing external risks.

13
00:00:33.660 --> 00:00:34.920
Comprehensive frameworks

14
00:00:34.920 --> 00:00:37.590
and assessment strategies help in this process

15
00:00:37.590 --> 00:00:40.920
by identifying and mitigating potential threats,

16
00:00:40.920 --> 00:00:43.860
while strategic responses and impact assessments

17
00:00:43.860 --> 00:00:48.120
frame the policies an organization uses to manage its risk.

18
00:00:48.120 --> 00:00:49.680
As we go through this section,

19
00:00:49.680 --> 00:00:52.710
we will cover many topics related to Risk Management,

20
00:00:52.710 --> 00:00:57.180
including Confidentiality, Integrity, Availability,

21
00:00:57.180 --> 00:00:59.370
and Privacy Risk Considerations,

22
00:00:59.370 --> 00:01:01.050
Risk Assessment Frameworks,

23
00:01:01.050 --> 00:01:04.350
Risk Assessment and Response, Impact Analysis,

24
00:01:04.350 --> 00:01:06.210
and Third-Party Risk Management.

25
00:01:06.210 --> 00:01:10.440
First, we will look at Confidentiality Risk Considerations.

26
00:01:10.440 --> 00:01:14.340
Confidentiality risk considerations are used to identify

27
00:01:14.340 --> 00:01:18.420
and mitigate threats that could lead to unauthorized access

28
00:01:18.420 --> 00:01:20.970
or disclosure of sensitive information.

29
00:01:20.970 --> 00:01:24.000
Confidentiality risk consideration concepts

30
00:01:24.000 --> 00:01:28.020
include incident response testing, encryption,

31
00:01:28.020 --> 00:01:30.840
sensitive or privileged information data breach,

32
00:01:30.840 --> 00:01:33.540
data leak response, and reporting.

33
00:01:33.540 --> 00:01:36.960
Incident response testing is simulating security breaches

34
00:01:36.960 --> 00:01:41.190
to assess and improve an organization's ability to detect,

35
00:01:41.190 --> 00:01:44.490
respond to, and recover from incidents.

36
00:01:44.490 --> 00:01:47.850
To guarantee the confidentiality of data on a network,

37
00:01:47.850 --> 00:01:50.520
encryption is used to protect the sensitive data.

38
00:01:50.520 --> 00:01:53.640
If data is not protected, then a breach of sensitive

39
00:01:53.640 --> 00:01:55.680
or privileged data may occur.

40
00:01:55.680 --> 00:01:57.090
A data breach occurs

41
00:01:57.090 --> 00:02:00.030
when unauthorized individuals gain access

42
00:02:00.030 --> 00:02:01.830
to confidential information.

43
00:02:01.830 --> 00:02:04.680
A data breach can lead to significant damage,

44
00:02:04.680 --> 00:02:06.390
if not properly addressed.

45
00:02:06.390 --> 00:02:08.100
In response to a data breach,

46
00:02:08.100 --> 00:02:11.580
data leak response includes actions taken to contain

47
00:02:11.580 --> 00:02:14.580
and mitigate the impact of a data breach.

48
00:02:14.580 --> 00:02:16.890
Data leak response procedures ensure

49
00:02:16.890 --> 00:02:18.780
that incidents are documented

50
00:02:18.780 --> 00:02:21.570
and communicated to relevant stakeholders,

51
00:02:21.570 --> 00:02:24.150
including regulatory bodies.

52
00:02:24.150 --> 00:02:26.400
This is the process of reporting.

53
00:02:26.400 --> 00:02:30.270
Then, we will explore Integrity Risk Considerations.

54
00:02:30.270 --> 00:02:32.100
Integrity is the assurance

55
00:02:32.100 --> 00:02:34.920
that data remains accurate and unaltered,

56
00:02:34.920 --> 00:02:38.550
and that any unauthorized changes are detectable.

57
00:02:38.550 --> 00:02:41.250
Integrity risk considerations are those taken

58
00:02:41.250 --> 00:02:45.930
to protect data and systems from unauthorized modifications

59
00:02:45.930 --> 00:02:49.860
that could compromise their accuracy and trustworthiness.

60
00:02:49.860 --> 00:02:53.940
Integrity Risk Considerations include interference,

61
00:02:53.940 --> 00:02:57.990
hashing, remote journaling, and anti-tampering.

62
00:02:57.990 --> 00:03:01.710
Interference refers to any unauthorized alteration

63
00:03:01.710 --> 00:03:03.210
or disruption of data

64
00:03:03.210 --> 00:03:06.390
or systems leading to integrity issues.

65
00:03:06.390 --> 00:03:08.850
Hashing is a cryptographic process

66
00:03:08.850 --> 00:03:12.510
that converts data into a fixed-size string of characters.

67
00:03:12.510 --> 00:03:16.710
Hashing creates a unique digital fingerprint used to verify

68
00:03:16.710 --> 00:03:18.630
that data has not been altered.

69
00:03:18.630 --> 00:03:22.440
Next, remote journaling is the continuous transmission

70
00:03:22.440 --> 00:03:25.950
of transaction logs to a remote location.

71
00:03:25.950 --> 00:03:27.210
Through this process,

72
00:03:27.210 --> 00:03:30.000
remote journaling provides a secure backup

73
00:03:30.000 --> 00:03:32.700
that helps recover from integrity breaches.

74
00:03:32.700 --> 00:03:36.570
Next, anti-tampering measures are designed to prevent

75
00:03:36.570 --> 00:03:40.890
or detect unauthorized changes to hardware or software.

76
00:03:40.890 --> 00:03:42.960
Anti-tampering measures ensure

77
00:03:42.960 --> 00:03:45.180
that systems remain trustworthy.

78
00:03:45.180 --> 00:03:48.270
In application, an organization might use hashing

79
00:03:48.270 --> 00:03:50.850
to verify the integrity of critical files,

80
00:03:50.850 --> 00:03:54.120
employ remote journaling to secure logs offsite,

81
00:03:54.120 --> 00:03:56.580
and implement anti-tampering techniques

82
00:03:56.580 --> 00:03:59.670
to protect against unauthorized modifications,

83
00:03:59.670 --> 00:04:03.210
all working together to mitigate integrity risks.

84
00:04:03.210 --> 00:04:04.590
After that, we will look

85
00:04:04.590 --> 00:04:06.960
at Availability Risk Considerations.

86
00:04:06.960 --> 00:04:09.600
Availability risk considerations ensure

87
00:04:09.600 --> 00:04:13.290
that critical systems and data remain accessible during

88
00:04:13.290 --> 00:04:15.300
and after disruptive events.

89
00:04:15.300 --> 00:04:19.530
Availability risk considerations include Business Continuity

90
00:04:19.530 --> 00:04:22.830
and Disaster Recovery Planning, Backups,

91
00:04:22.830 --> 00:04:26.340
and Business Continuity and Disaster Recovery Testing.

92
00:04:26.340 --> 00:04:29.280
Business continuity and disaster recovery planning

93
00:04:29.280 --> 00:04:32.490
develop strategies to maintain availability

94
00:04:32.490 --> 00:04:35.940
or to quickly restore systems following a disaster.

95
00:04:35.940 --> 00:04:40.140
Backups are a key to recovery in these situations.

96
00:04:40.140 --> 00:04:42.660
Once plans and policies are developed,

97
00:04:42.660 --> 00:04:44.310
regular business continuity

98
00:04:44.310 --> 00:04:47.250
and disaster recovery testing verifies

99
00:04:47.250 --> 00:04:51.450
that the processes in place can be effectively executed.

100
00:04:51.450 --> 00:04:55.470
Next, we will explore Privacy Risk Considerations.

101
00:04:55.470 --> 00:04:59.670
Privacy risk considerations include the use of biometrics,

102
00:04:59.670 --> 00:05:02.580
data subject rights, and data sovereignty.

103
00:05:02.580 --> 00:05:06.090
The use of biometrics introduces enterprise risk

104
00:05:06.090 --> 00:05:09.330
in that sensitive biometric signatures must be protected.

105
00:05:09.330 --> 00:05:11.940
Data subjects are the owners of the data

106
00:05:11.940 --> 00:05:13.620
that is collected and stored.

107
00:05:13.620 --> 00:05:16.890
Data subject rights include the ability of individuals

108
00:05:16.890 --> 00:05:20.250
to control their personal information, including rights

109
00:05:20.250 --> 00:05:24.030
to access, correct, and delete their own data.

110
00:05:24.030 --> 00:05:26.340
Data sovereignty is the idea that laws,

111
00:05:26.340 --> 00:05:29.070
which govern how data can be collected, stored,

112
00:05:29.070 --> 00:05:33.060
and used are based on where the data is stored or processed.

113
00:05:33.060 --> 00:05:35.610
For example, if you are an American,

114
00:05:35.610 --> 00:05:38.970
but your upcoming travel data is being stored in Europe,

115
00:05:38.970 --> 00:05:42.510
the privacy of that data is subject to European laws,

116
00:05:42.510 --> 00:05:44.370
not American laws.

117
00:05:44.370 --> 00:05:48.480
Following that, we will look at Risk Assessment Frameworks.

118
00:05:48.480 --> 00:05:52.830
A risk assessment framework is used to identify, assess,

119
00:05:52.830 --> 00:05:56.280
and manage risks within an enterprise organization.

120
00:05:56.280 --> 00:06:00.300
Frameworks further help enterprise organizations address

121
00:06:00.300 --> 00:06:03.570
potential threats, ensure compliance with regulations

122
00:06:03.570 --> 00:06:05.790
and protect assets and operations.

123
00:06:05.790 --> 00:06:07.920
Commonly used risk assessment frameworks

124
00:06:07.920 --> 00:06:11.970
include the National Institute of Standards and Technology

125
00:06:11.970 --> 00:06:14.610
or NIST Risk Management Framework,

126
00:06:14.610 --> 00:06:17.490
which focuses on integrating security controls

127
00:06:17.490 --> 00:06:19.200
and continuous monitoring,

128
00:06:19.200 --> 00:06:21.720
particularly in federal environments.

129
00:06:21.720 --> 00:06:23.444
The International Organization for

130
00:06:23.444 --> 00:06:27.000
Standards or ISO 27005,

131
00:06:27.000 --> 00:06:28.950
which provides a standardized approach

132
00:06:28.950 --> 00:06:31.200
to information security risk management.

133
00:06:31.200 --> 00:06:33.420
The Committee of Sponsoring Organizations

134
00:06:33.420 --> 00:06:34.890
of the Treadway Commission

135
00:06:34.890 --> 00:06:38.100
or COSO Enterprise Risk Management Framework,

136
00:06:38.100 --> 00:06:40.890
which emphasizes the alignment of risk management

137
00:06:40.890 --> 00:06:43.050
with business strategy and objectives,

138
00:06:43.050 --> 00:06:45.750
the operationally critical threat assessment

139
00:06:45.750 --> 00:06:49.830
and vulnerability evaluation, also known as OCTAVE,

140
00:06:49.830 --> 00:06:51.720
which helps organizations assess

141
00:06:51.720 --> 00:06:54.240
and manage security risks specific

142
00:06:54.240 --> 00:06:56.310
to their operational environment.

143
00:06:56.310 --> 00:07:00.060
And finally, a Factor Analysis of Information Risk

144
00:07:00.060 --> 00:07:04.530
or FAIR, which focuses on financial impact as a way

145
00:07:04.530 --> 00:07:06.990
to prioritize and manage risk.

146
00:07:06.990 --> 00:07:09.720
Then, we will explore Risk Assessment.

147
00:07:09.720 --> 00:07:12.510
A risk assessment identifies, analyzes,

148
00:07:12.510 --> 00:07:15.180
and evaluates potential risk impact,

149
00:07:15.180 --> 00:07:18.990
and guides the implementation of mitigation strategies.

150
00:07:18.990 --> 00:07:23.820
Risk assessment concepts include quantitative analysis,

151
00:07:23.820 --> 00:07:28.820
qualitative analysis, risk appetite, risk tolerance,

152
00:07:28.950 --> 00:07:30.660
and risk prioritization.

153
00:07:30.660 --> 00:07:33.330
Let's take a moment to define each of these.

154
00:07:33.330 --> 00:07:36.960
Quantitative analysis uses numerical data

155
00:07:36.960 --> 00:07:39.600
and statistical methods to measure risk.

156
00:07:39.600 --> 00:07:44.520
Qualitative analysis uses subjective non-numerical criteria

157
00:07:44.520 --> 00:07:48.240
and the experience of analysts and subject matter experts.

158
00:07:48.240 --> 00:07:50.100
Risk appetite is the amount

159
00:07:50.100 --> 00:07:52.770
of risk an organization is willing to accept.

160
00:07:52.770 --> 00:07:55.200
Risk tolerance is a specific level

161
00:07:55.200 --> 00:07:58.950
of acceptable risk within an organization's risk appetite.

162
00:07:58.950 --> 00:08:01.350
Risk prioritization is the ranking

163
00:08:01.350 --> 00:08:04.800
of risks based on their potential impact and likelihood

164
00:08:04.800 --> 00:08:08.370
to ensure the most critical risks are addressed first.

165
00:08:08.370 --> 00:08:10.950
After that, we will look at Risk Response.

166
00:08:10.950 --> 00:08:13.890
Risk response is the implementation of controls

167
00:08:13.890 --> 00:08:16.020
to mitigate identified risk.

168
00:08:16.020 --> 00:08:19.500
Risk response concepts include validation,

169
00:08:19.500 --> 00:08:21.180
which confirms the accuracy

170
00:08:21.180 --> 00:08:25.320
and completeness of identified risks; severity impact,

171
00:08:25.320 --> 00:08:27.660
which quantifies the potential consequences

172
00:08:27.660 --> 00:08:30.810
of validated risks, guiding prioritization;

173
00:08:30.810 --> 00:08:34.230
and remediation, which results in the implementation

174
00:08:34.230 --> 00:08:37.680
of actionable risk management and mitigation strategies.

175
00:08:37.680 --> 00:08:41.070
Then, we will explore Impact Analysis.

176
00:08:41.070 --> 00:08:44.010
Impact analysis in enterprise risk management

177
00:08:44.010 --> 00:08:47.040
involves evaluating the potential consequences

178
00:08:47.040 --> 00:08:50.370
of identified risks on organizational operations,

179
00:08:50.370 --> 00:08:52.350
assets, and objectives.

180
00:08:52.350 --> 00:08:55.740
This process quantifies how adverse events

181
00:08:55.740 --> 00:08:59.430
could affect business continuity, financial performance,

182
00:08:59.430 --> 00:09:04.350
and compliance, thereby enabling informed decision-making

183
00:09:04.350 --> 00:09:07.320
and prioritization of risk mitigation efforts.

184
00:09:07.320 --> 00:09:10.290
I will highlight impact analysis with extreme

185
00:09:10.290 --> 00:09:12.060
but plausible examples.

186
00:09:12.060 --> 00:09:15.600
Finally, we will explore Third-party Risk Management.

187
00:09:15.600 --> 00:09:18.060
Third-party risk management involves assessing

188
00:09:18.060 --> 00:09:22.200
and mitigating risks associated with external parties

189
00:09:22.200 --> 00:09:26.160
that provide commodities or services to an organization.

190
00:09:26.160 --> 00:09:28.380
Third-party risk management considerations

191
00:09:28.380 --> 00:09:30.960
include Subprocessor Risk,

192
00:09:30.960 --> 00:09:34.860
which arises when a third-party vendor subcontracts work;

193
00:09:34.860 --> 00:09:38.160
Vendor risk, which focuses on the potential impact

194
00:09:38.160 --> 00:09:40.620
of direct suppliers to the organization;

195
00:09:40.620 --> 00:09:42.120
and Supply Chain Risk,

196
00:09:42.120 --> 00:09:44.700
which encompasses risks across all stages

197
00:09:44.700 --> 00:09:47.241
of the supply chain, including both

198
00:09:47.241 --> 00:09:49.416
subprocessors and vendors.

199
00:09:49.416 --> 00:09:51.720
To finish things off, we'll take a short quiz

200
00:09:51.720 --> 00:09:54.630
to see what you learned during this section of the course.

201
00:09:54.630 --> 00:09:58.230
And we will review each of those quiz questions fully

202
00:09:58.230 --> 00:10:01.680
to ensure you can explain why the right answers were right,

203
00:10:01.680 --> 00:10:03.540
and the wrong answers were wrong.

204
00:10:03.540 --> 00:10:06.300
So, let's get ready to dive into risk management

205
00:10:06.300 --> 00:10:08.313
in this section of the course!

