WEBVTT

1
00:00:00.000 --> 00:00:00.840
In this lesson,

2
00:00:00.840 --> 00:00:04.110
we will learn about Risk Assessment Frameworks.

3
00:00:04.110 --> 00:00:06.570
A Risk Assessment Framework is a toolkit

4
00:00:06.570 --> 00:00:09.750
for addressing different aspects of risk management.

5
00:00:09.750 --> 00:00:13.350
Risk Assessment Frameworks are used to identify, assess,

6
00:00:13.350 --> 00:00:14.730
and manage risks.

7
00:00:14.730 --> 00:00:16.740
They help enterprise organizations

8
00:00:16.740 --> 00:00:18.450
address potential threats,

9
00:00:18.450 --> 00:00:20.700
ensure compliance with regulations,

10
00:00:20.700 --> 00:00:23.850
and protect assets and operations.

11
00:00:23.850 --> 00:00:26.820
Commonly used Risk Assessment Frameworks include

12
00:00:26.820 --> 00:00:28.740
the National Institute of Standards

13
00:00:28.740 --> 00:00:31.170
and Technology Risk Management Framework,

14
00:00:31.170 --> 00:00:34.590
or NIST RMF, the International Organization

15
00:00:34.590 --> 00:00:39.210
for Standardization or ISO 27005,

16
00:00:39.210 --> 00:00:41.550
the Committee of Sponsoring Organizations

17
00:00:41.550 --> 00:00:44.820
of the Treadway Commission Enterprise Risk Management,

18
00:00:44.820 --> 00:00:47.880
or the COSO ERM Framework,

19
00:00:47.880 --> 00:00:50.730
the Operationally Critical Threat, Asset,

20
00:00:50.730 --> 00:00:54.390
and Vulnerability Evaluation or OCTAVE,

21
00:00:54.390 --> 00:00:58.470
and finally, the Factor Analysis of Information Risk,

22
00:00:58.470 --> 00:01:00.450
or FAIR Framework.

23
00:01:00.450 --> 00:01:02.430
Each of these frameworks is designed

24
00:01:02.430 --> 00:01:04.740
for a specific environment or task,

25
00:01:04.740 --> 00:01:08.220
so keeping in mind a framework's key environment

26
00:01:08.220 --> 00:01:12.570
or task makes it easier to distinguish among the frameworks.

27
00:01:12.570 --> 00:01:15.510
Let's discuss each framework individually.

28
00:01:15.510 --> 00:01:18.300
First, we have the NIST RMF.

29
00:01:18.300 --> 00:01:21.540
The NIST RMF framework is specifically designed

30
00:01:21.540 --> 00:01:25.170
for organizations in critical sectors like defense,

31
00:01:25.170 --> 00:01:27.780
healthcare, and federal agencies.

32
00:01:27.780 --> 00:01:31.410
NIST RMF provides a detailed step-by-step process

33
00:01:31.410 --> 00:01:35.400
to help organizations manage cybersecurity risks

34
00:01:35.400 --> 00:01:36.870
while ensuring compliance

35
00:01:36.870 --> 00:01:39.960
with federal standards such as FISMA

36
00:01:39.960 --> 00:01:43.200
or the Federal Information Security Management Act.

37
00:01:43.200 --> 00:01:46.980
The NIST RMF is similar to a government issued safety manual

38
00:01:46.980 --> 00:01:49.770
that focuses on selecting, implementing,

39
00:01:49.770 --> 00:01:52.200
and monitoring security controls

40
00:01:52.200 --> 00:01:54.780
according to the organization's specific needs.

41
00:01:54.780 --> 00:01:57.570
One of the key features of NIST RMF

42
00:01:57.570 --> 00:02:00.360
is its emphasis on continuous monitoring

43
00:02:00.360 --> 00:02:02.490
and ongoing risk assessment.

44
00:02:02.490 --> 00:02:05.760
These features ensure that risks are managed proactively

45
00:02:05.760 --> 00:02:09.210
and that security controls remain effective over time.

46
00:02:09.210 --> 00:02:12.300
This structured process is vital for organizations

47
00:02:12.300 --> 00:02:14.760
that need to align their security risk

48
00:02:14.760 --> 00:02:18.510
and risk management efforts with regulatory requirements.

49
00:02:18.510 --> 00:02:23.070
Second, we have the ISO 27005.

50
00:02:23.070 --> 00:02:27.180
The ISO 27005 framework is a structured

51
00:02:27.180 --> 00:02:30.000
and standardized framework designed specifically

52
00:02:30.000 --> 00:02:32.670
for information security risk management.

53
00:02:32.670 --> 00:02:37.590
The ISO 27005 functions as an international rule book.

54
00:02:37.590 --> 00:02:41.550
It helps organizations systematically identify, assess,

55
00:02:41.550 --> 00:02:43.950
and mitigate security risks throughout

56
00:02:43.950 --> 00:02:45.780
the information lifecycle.

57
00:02:45.780 --> 00:02:50.580
Furthermore, the ISO 27005 emphasizes the importance

58
00:02:50.580 --> 00:02:53.160
of documenting and evaluating risks

59
00:02:53.160 --> 00:02:55.470
to ensure they are managed effectively.

60
00:02:55.470 --> 00:02:57.510
This framework often complements

61
00:02:57.510 --> 00:03:01.350
the ISO 27001 framework, which focuses

62
00:03:01.350 --> 00:03:04.530
on implementing information security management systems

63
00:03:04.530 --> 00:03:09.090
or ISMS to create a comprehensive approach to managing

64
00:03:09.090 --> 00:03:11.550
and securing information together.

65
00:03:11.550 --> 00:03:16.550
The ISO 27005 and the ISO 27001

66
00:03:17.243 --> 00:03:22.230
provide a robust framework for both security management and risk assessment.

67
00:03:22.230 --> 00:03:25.680
Third, we have the COSO ERM.

68
00:03:25.680 --> 00:03:29.520
The COSO ERM framework aligns risk management

69
00:03:29.520 --> 00:03:33.000
with business strategy, functioning like a strategic planner

70
00:03:33.000 --> 00:03:35.400
for risk, unlike other frameworks

71
00:03:35.400 --> 00:03:37.440
which focus on specific areas.

72
00:03:37.440 --> 00:03:42.120
The COSO ERM framework is designed to address risks across

73
00:03:42.120 --> 00:03:46.590
the entire organization from financial and operational risks

74
00:03:46.590 --> 00:03:48.630
to cybersecurity risks.

75
00:03:48.630 --> 00:03:52.710
The COSO ERM framework emphasizes strong governance

76
00:03:52.710 --> 00:03:55.140
and decision making at all levels,

77
00:03:55.140 --> 00:03:58.500
integrating risk management into the corporate strategy,

78
00:03:58.500 --> 00:04:00.870
and daily decision processes.

79
00:04:00.870 --> 00:04:05.370
So the COSO ERM framework is particularly useful

80
00:04:05.370 --> 00:04:07.350
for organizations to ensure

81
00:04:07.350 --> 00:04:10.500
that risks are considered in both their strategic planning

82
00:04:10.500 --> 00:04:13.200
and day-to-day operations.

83
00:04:13.200 --> 00:04:15.540
Fourth, we have OCTAVE.

84
00:04:15.540 --> 00:04:19.350
OCTAVE is a hands-on framework designed to assess risks,

85
00:04:19.350 --> 00:04:22.080
threats, and vulnerabilities specific

86
00:04:22.080 --> 00:04:26.670
to organizational assets with a focus on IT infrastructure.

87
00:04:26.670 --> 00:04:30.360
OCTAVE operates like a tactical operations guide

88
00:04:30.360 --> 00:04:33.000
for analyzing and managing risk.

89
00:04:33.000 --> 00:04:36.120
OCTAVE emphasizes identifying vulnerabilities

90
00:04:36.120 --> 00:04:38.940
and threats from an internal perspective

91
00:04:38.940 --> 00:04:41.370
to create a tailored risk management plan

92
00:04:41.370 --> 00:04:45.030
that reflects an organization's specific operational needs

93
00:04:45.030 --> 00:04:46.920
and business priorities.

94
00:04:46.920 --> 00:04:49.770
Fifth and finally, we have FAIR.

95
00:04:49.770 --> 00:04:51.000
FAIR is a framework

96
00:04:51.000 --> 00:04:55.050
that focuses on quantifying risk in financial terms,

97
00:04:55.050 --> 00:04:56.430
enabling decision makers

98
00:04:56.430 --> 00:04:58.740
to better understand the monetary impact

99
00:04:58.740 --> 00:05:00.240
of security threats.

100
00:05:00.240 --> 00:05:04.350
It acts like a risk analyst's toolset, translating cyber risk

101
00:05:04.350 --> 00:05:06.360
into financial language.

102
00:05:06.360 --> 00:05:07.410
In this way,

103
00:05:07.410 --> 00:05:11.130
the FAIR framework helps businesses view risk not just

104
00:05:11.130 --> 00:05:12.660
as a technical issue,

105
00:05:12.660 --> 00:05:15.330
but as a financial one, making it easier

106
00:05:15.330 --> 00:05:18.150
to communicate the importance of risk management

107
00:05:18.150 --> 00:05:21.630
to non-technical stakeholders such as senior leadership

108
00:05:21.630 --> 00:05:23.070
or board members.

109
00:05:23.070 --> 00:05:26.070
This approach enables clearer decision making

110
00:05:26.070 --> 00:05:29.400
when allocating resources for risk mitigation.

111
00:05:29.400 --> 00:05:32.490
So remember, a risk assessment framework

112
00:05:32.490 --> 00:05:35.580
helps organizations identify, evaluate,

113
00:05:35.580 --> 00:05:37.230
and manage potential threats

114
00:05:37.230 --> 00:05:40.410
to their operations, systems, and data.

115
00:05:40.410 --> 00:05:44.040
Furthermore, risk management frameworks ensure compliance

116
00:05:44.040 --> 00:05:45.720
with regulatory standards

117
00:05:45.720 --> 00:05:49.320
and guide organizations in protecting critical assets.

118
00:05:49.320 --> 00:05:52.800
Specifically, the NIST RMF is tailored

119
00:05:52.800 --> 00:05:55.080
for sectors like defense and healthcare,

120
00:05:55.080 --> 00:05:58.890
focusing on cybersecurity and compliance with federal laws,

121
00:05:58.890 --> 00:06:03.890
while the ISO 27005 emphasizes a systematic approach

122
00:06:03.960 --> 00:06:06.540
to information security risk management.

123
00:06:06.540 --> 00:06:09.660
The COSO ERM integrates risk management

124
00:06:09.660 --> 00:06:12.720
into corporate strategy, addressing risks across

125
00:06:12.720 --> 00:06:16.470
the financial, operational, and information domains.

126
00:06:16.470 --> 00:06:20.790
OCTAVE is a hands-on internal assessment framework aimed

127
00:06:20.790 --> 00:06:24.360
at identifying risks in IT infrastructures.

128
00:06:24.360 --> 00:06:29.070
And finally, FAIR quantifies risk in financial terms,

129
00:06:29.070 --> 00:06:32.340
helping businesses understand the monetary impact

130
00:06:32.340 --> 00:06:36.453
of cybersecurity threats for more effective decision making.

