Risk Management MindMap (3 of 3) | CISSP Domain 1
Summary
TL;DR: Rob Witcher's video offers an in-depth review of risk management for CISSP exam preparation, focusing on Domain 1. It outlines the three major steps of asset valuation, risk analysis and risk treatment, emphasizing the identification, assessment and prioritization of risks. The video introduces the threat modeling methodologies STRIDE and PASTA for identifying threats and DREAD for prioritizing threats that have already been identified. It also covers quantitative and qualitative risk ranking, including the ALE formula, and discusses the four risk treatment methods: avoidance, transfer, mitigation and acceptance. Additionally, it highlights the significance of controls and assurance in risk mitigation and introduces NIST's Risk Management Framework (RMF).
Takeaways
- 📚 Risk management is crucial for security professionals to prioritize security efforts and allocate resources effectively within limited budgets and time.
- 🔢 Asset valuation is the first step in risk management, where assets are assigned a value to determine their importance to the organization, using either quantitative or qualitative analysis.
- 🔍 Risk analysis involves identifying the threats, vulnerabilities, impact, and likelihood associated with each asset. STRIDE (quick but not thorough) and PASTA (in-depth, seven-step, risk-centric) systematically identify threats; DREAD does not identify threats but prioritizes a list that has already been identified.
- 🛡 Threat modeling helps to systematically identify potential dangers that can harm an organization's assets, operations, or reputation.
- 🚫 Vulnerabilities are weaknesses in security or control systems that can be exploited by threats, and they can be identified through assessments and penetration testing.
- ⏱ The likelihood or probability of a risk event occurring is a key component in understanding the potential risks an organization faces.
- 💥 Impact refers to the potential harm or damage that could result from a risk, such as downtime, reputational damage, or data integrity issues.
- 📉 Quantitative risk ranking uses the Annualized Loss Expectancy (ALE): SLE = asset value × exposure factor, and ALE = SLE × annualized rate of occurrence (ARO). Because those three inputs are often impossible to estimate with reasonable accuracy, qualitative (relative) ranking is used most of the time.
- 🛠 Risk treatment includes four methods: avoid, transfer, mitigate, and accept, with mitigation being the primary focus involving various controls to reduce risk.
- 🔒 Controls are implemented administratively, technically (logically) or physically, and are categorized as safeguards (directive, deterrent and preventive controls that try to keep a risk from occurring) or countermeasures (detective, corrective and recovery controls that detect and respond once a risk has occurred); compensating controls make up for a better control that is not effective or feasible.
- 🔑 Residual risk is the remaining risk after implementing mitigating controls, and it's important for organizations to manage this effectively.
- 📈 The Risk Management Framework (RMF), NIST SP 800-37, provides a structured seven-step process (prepare, categorize, select, implement, assess, authorize, monitor) for managing risk to information systems and data.
Q & A
What is the primary challenge that security professionals face in protecting an organization's assets?
-The primary challenge is to effectively protect the assets within an organization given the limitations of budgets and time, as they never have unlimited resources to perfectly protect everything.
Why is risk management important in a security program?
-Risk management is important because it enables organizations to prioritize their security efforts and allocate resources effectively, focusing on the identification, assessment, and prioritization of risks, and the economical application of resources to minimize, monitor, and control the probability and impact of those risks.
What are the three major steps in risk management?
-The three major steps in risk management are asset valuation, risk analysis, and risk treatment.
How is asset valuation typically conducted in practice?
-Asset valuation is typically conducted using either quantitative analysis, where monetary values are assigned to each asset, or qualitative analysis, which involves a relative ranking system comparing assets and categorizing them into high, medium, and low value groups.
What are the four elements to consider when conducting risk analysis for each asset?
-The four elements to consider are threats, vulnerabilities, impact, and likelihood.
Can you explain the STRIDE model for identifying threats?
-STRIDE is a quick and easy, though not very thorough, methodology for identifying threats; each letter names a threat type paired with the security property it violates. 'S' is Spoofing, a violation of authentication (the video says integrity, but authentication is the standard STRIDE mapping); 'T' is Tampering, a violation of integrity; 'R' is Repudiation, a violation of non-repudiation; 'I' is Information disclosure, a violation of confidentiality; 'D' is Denial of service, a violation of availability; and 'E' is Elevation of privilege, a violation of authorization. For the exam, know each letter and what it violates.
What is the purpose of the Annualized Loss Expectancy (ALE) calculation in risk analysis?
-The ALE estimates how much a given risk is expected to cost the organization per year, which makes it possible to decide which controls are cost-justified: a control is worth putting in place when the reduction in ALE it delivers exceeds its annual cost. It is built from the Single Loss Expectancy, SLE = asset value × exposure factor, multiplied by the annualized rate of occurrence: ALE = SLE × ARO.
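As an added worked example (not code from the video or from Destination Certification), the following Python puts the two ranking techniques from the STRIDE/DREAD and ALE answers above side by side: DREAD scores order the threats that STRIDE surfaced, and for the risks where asset value, exposure factor and ARO can be estimated, SLE and ALE feed the cost-justification test (ALE before minus ALE after minus the control's annual cost). All threat names, control names and figures are constructed for the example; the 1-10 DREAD scale follows Microsoft's original convention.

```python
"""Risk ranking example: DREAD prioritisation of STRIDE-identified threats,
then ALE-based cost justification of candidate controls.

Added illustration, not code from the video. Every number below (asset
values, exposure factors, AROs, DREAD ratings, control costs) is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# STRIDE category -> (threat type, security property it violates)
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}


@dataclass
class Threat:
    name: str
    stride: str                                # one STRIDE letter
    dread: Tuple[int, int, int, int, int]      # Damage, Reproducibility, Exploitability,
                                               # Affected users, Discoverability; each 1-10
    asset_value: Optional[float] = None        # money; None when it cannot be estimated
    exposure_factor: Optional[float] = None    # fraction of the asset lost per occurrence
    aro: Optional[float] = None                # expected occurrences per year

    def dread_score(self) -> float:
        """Qualitative priority: mean of the five DREAD ratings. Needs no money figures."""
        if len(self.dread) != 5 or not all(1 <= r <= 10 for r in self.dread):
            raise ValueError("DREAD needs five ratings in 1..10")
        return sum(self.dread) / 5

    def sle(self) -> Optional[float]:
        """Single Loss Expectancy = asset value x exposure factor."""
        if self.asset_value is None or self.exposure_factor is None:
            return None
        return self.asset_value * self.exposure_factor

    def ale(self) -> Optional[float]:
        """Annualized Loss Expectancy = SLE x ARO."""
        sle = self.sle()
        if sle is None or self.aro is None:
            return None
        return sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None   # EF once the control is in place
    new_aro: Optional[float] = None               # ARO once the control is in place


def residual_ale(threat: Threat, control: Control) -> Optional[float]:
    """ALE left after the control: the residual risk expressed in money."""
    if threat.asset_value is None:
        return None
    ef = threat.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = threat.aro if control.new_aro is None else control.new_aro
    if ef is None or aro is None:
        return None
    return threat.asset_value * ef * aro


def control_value(threat: Threat, control: Control) -> Optional[float]:
    """Exam cost/benefit test: (ALE before - ALE after) - annual cost of the control.
    Positive means the control is cost-justified; None means quantitative data is missing."""
    before, after = threat.ale(), residual_ale(threat, control)
    if before is None or after is None:
        return None
    return (before - after) - control.annual_cost


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Order threats by DREAD score, highest first (STRIDE found them, DREAD ranks them)."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# Constructed sample register for a customer-facing web application
THREATS = [
    Threat("Forged session cookie lets an attacker act as another customer", "S",
           (8, 9, 7, 9, 6)),                                  # no defensible dollar figure
    Threat("Ransomware on the order database", "D",
           (9, 6, 5, 10, 5), asset_value=2_000_000, exposure_factor=0.25, aro=0.5),
    Threat("Tampering with the price field in the checkout request", "T",
           (6, 10, 9, 4, 8), asset_value=400_000, exposure_factor=0.05, aro=12),
]
OFFLINE_BACKUPS = Control("Immutable offline backups", annual_cost=60_000, new_exposure_factor=0.05)
SERVER_SIDE_PRICING = Control("Server-side price validation", annual_cost=15_000, new_aro=0.0)

if __name__ == "__main__":
    for t in prioritize(THREATS):
        kind, violates = STRIDE[t.stride]
        print(f"DREAD {t.dread_score():.1f}  {kind} ({violates}): {t.name}")
    print("ALE ransomware:", THREATS[1].ale(), "backups worth:", control_value(THREATS[1], OFFLINE_BACKUPS))
    print("ALE tampering:", THREATS[2].ale(), "validation worth:", control_value(THREATS[2], SERVER_SIDE_PRICING))
```

The spoofing threat has no asset value, so its ALE and any control value come back as None and it is ranked only by DREAD, which is exactly the situation the video describes as forcing qualitative analysis most of the time.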
What are the four major risk treatment methods?
-The four major risk treatment methods are risk avoidance, risk transfer, risk mitigation, and risk acceptance.
How are administrative, technical, and physical controls categorized in terms of safeguards and countermeasures?
-Safeguards include directive, deterrent, and preventive controls, which aim to ensure a risk doesn't occur. Countermeasures include detective, corrective, and recovery controls, which are put in place to detect, respond to, and recover from a risk that has occurred.
What is the significance of the Risk Management Framework (RMF) and what are its seven steps?
-The RMF, NIST SP 800-37 (the Prepare step was added in Revision 2), provides a structured seven-step process for managing risk to information systems and data. The steps are: prepare to execute the RMF; categorize systems (essentially identifying the risks); select security controls; implement the controls; assess control effectiveness; authorize the system for production based on the assessment results, ideally a decision made by the system owner; and monitor the controls for ongoing effectiveness.
Who should be responsible for accepting the risk associated with a particular asset?
-The asset owner should be responsible for accepting the risk associated with a particular asset, as they are accountable for the security of the asset.
Outlines
📚 Introduction to Risk Management for CISSP Exam Preparation
Rob Witcher introduces the video series focusing on risk management as part of the CISSP exam's domain 1. He outlines the importance of risk management in security, emphasizing the challenge of protecting assets with limited resources. The video aims to guide viewers through the major topics of risk management, including asset valuation, risk analysis, and treatment. Rob also mentions the three-step process of risk management and introduces the concept of quantitative and qualitative analysis for asset ranking.
🔍 In-Depth Analysis of Risk Management Techniques
This paragraph delves deeper into the risk analysis process, discussing the identification of threats, vulnerabilities, impact, and likelihood. It explains the use of threat modeling methodologies such as STRIDE, PASTA, and DREAD. The paragraph also covers the concepts of quantitative and qualitative risk analysis, including the Annualized Loss Expectancy (ALE) calculation and the Single Loss Expectancy (SLE). The importance of ranking risks and understanding their potential costs to an organization is highlighted.
🛡️ Exploring Risk Treatment Methods and Control Implementation
The third paragraph focuses on risk treatment methods, including risk avoidance, transference, mitigation, and acceptance. It discusses the implementation of controls to mitigate risks, such as administrative, technical, and physical controls. The paragraph also explains the concept of residual risk and introduces safeguards and countermeasures as categories of controls. Additionally, it touches on detective, corrective, and recovery controls, as well as compensating controls, to manage risks when other measures are not feasible.
🏛️ Risk Management Frameworks and Best Practices for CISSP Exam
The final paragraph wraps up the discussion on risk management by introducing risk management frameworks, with a focus on the Risk Management Framework (RMF) from NIST SP 800-37. It outlines the seven steps of the RMF process, from preparation to ongoing monitoring. The paragraph also names the other frameworks to recognize: ISO 31000, the COSO risk management framework and ISACA Risk IT. Additionally, it provides guidance on common mistakes made during CISSP exam preparation and offers a free guide to avoid them, with a link provided in the description.
Mindmap
Keywords
💡Risk Management
💡Asset Valuation
💡Risk Analysis
💡Threat Modeling
💡Vulnerability
💡Impact
💡Risk Treatment
💡Residual Risk
💡Controls
💡Risk Acceptance
💡Risk Management Framework (RMF)
Highlights
Rob Witcher introduces the importance of risk management for CISSP exam preparation.
Risk management is essential for prioritizing security efforts within limited budgets and time.
The three major steps of risk management: asset valuation, risk analysis, and treatment.
Asset valuation involves assigning a value to each asset to rank them by importance.
Quantitative and qualitative analysis are methods for ranking risks and assets.
Threat modeling methodologies like STRIDE help identify potential threats systematically.
PASTA and DREAD are methodologies for in-depth threat analysis and prioritization.
Vulnerabilities are weaknesses that can be exploited by threats.
Risk analysis involves identifying threats, vulnerabilities, impact, and likelihood.
The Annualized Loss Expectancy (ALE) formula, SLE × ARO with SLE = asset value × exposure factor, is used for quantitative risk analysis.
Qualitative analysis is often necessary when exact values are hard to determine.
Risk treatment methods include avoidance, transfer, mitigation, and acceptance.
Residual risk is the remaining risk after implementing mitigating controls.
Administrative, technical, and physical controls are used to manage risks.
Safeguards and countermeasures are categories of controls to prevent and respond to risks.
Controls must provide functionality and assurance for effective risk management.
Risk acceptance is a decision to live with a certain level of risk.
The Risk Management Framework (RMF) is a structured approach defined by NIST.
The seven steps of the RMF guide organizations in managing information system risks.
Other risk management frameworks to recognize include ISO 31000, the COSO framework and ISACA Risk IT.
A free guide is available to help avoid common mistakes in CISSP exam preparation.
Transcripts
Hey, I'm Rob Witcher from Destination Certification and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to risk management in Domain 1 to understand how they interrelate and to guide your studies. This is the third of three videos for Domain 1. I've included links to the other mind map videos in the description below. These mind maps are one part of our complete CISSP MasterClass.

Risk management. This is a super important topic in security. We as security professionals have a colossal challenge: how do we best protect the assets across an entire organization? We never have unlimited budgets or an unlimited amount of time available to perfectly protect everything. So how do we best protect the assets within the organization given our limited budgets and time? One super useful method to help us figure this out is risk management. Risk management is an essential component of any comprehensive security program, as it enables organizations to prioritize their security efforts and allocate resources effectively. Risk management is fundamentally focused on the identification, assessment and prioritization of risks, and the economical application of resources to minimize, monitor and control the probability and/or impact of those risks. At the 10,000-foot level it's helpful to think about risk management as comprising three major steps: asset valuation, risk analysis and treatment. Let's go through those three steps, starting with asset valuation.

Asset valuation is conceptually incredibly simple: assign a value to each asset. In other words, figure out how valuable each asset is to the organization so that we can then rank the assets from the most valuable on down to the least valuable. Simple idea, super hard to do in practice. There are two major ways that we can rank risks: quantitative and qualitative analysis. Quantitative analysis is where we assign monetary values to each asset. We say this asset is worth a dollar and this asset is worth $2.7 million. Quantitative analysis is absolutely the preferred method; we would ideally love to assign a nice dollar value to every asset. Unfortunately, for the vast majority of assets this just isn't possible with any sort of reasonable accuracy. Can you confidently say your organization's reputation is worth $736 million, or this data set is worth exactly $3,849 pesos, or this critical application is worth exactly 13.8 million EUR? No. For most assets we absolutely cannot assign a monetary value to them. We may know something is valuable, but assigning an exact dollar value to it is nigh impossible, and that is why the vast majority of the time we use qualitative analysis to rank assets. Qualitative analysis is simply a relative ranking system where you compare assets and say, well, this asset is more valuable than that one, which is less valuable than that one. You rank assets relative to each other, and you often create categories like high, medium and low value and sort assets into these categories. Once you have completed asset valuation you'll have a nicely ranked list of assets, and it is now time to move on to step two of risk management: risk analysis.

Risk analysis is where you identify the risks associated with each asset. To identify and understand the risks associated with each asset you need to look at four things: threats, vulnerabilities, impact and likelihood. Threats are any potential danger. Threats are events, situations or actions that have the potential to cause harm or damage to an organization's assets, operations or reputation. Threats can come from a wide range of sources such as natural disasters, cyber attacks, fraud, theft or human error, amongst many others. A useful tool we can use to help us systematically identify the threats related to an asset is threat modeling methodologies. There have been many different threat modeling methodologies created over the years, and there are three that you should know about in particular. STRIDE is essentially the quick and easy but not super thorough methodology you can use to identify threats. For the exam, make sure you know that the S in STRIDE stands for spoofing and that spoofing is a violation of integrity, and the T in STRIDE stands for tampering, which is a violation of integrity, and so forth. So make sure you know what each of the letters are and what they're a violation of. PASTA, the Process for Attack Simulation and Threat Analysis, is the super time-consuming, super in-depth methodology for threat modeling. PASTA is a seven-step, risk-centric methodology. PASTA provides way more useful results, and it takes into account the business value of an asset and compliance issues, and provides a strategic threat analysis. So STRIDE is the quick and easy way of systematically identifying threats, and PASTA is the super time-consuming method that produces way more useful and nuanced results. The third methodology you should know about is DREAD. DREAD is different from STRIDE and PASTA: DREAD is not used to identify threats, rather it's used to prioritize a list of threats that have already been identified. STRIDE and DREAD are often used together: STRIDE is used to identify the threats and DREAD is used to prioritize the identified threats.

The next major piece that we need to look at as part of risk analysis is vulnerabilities. A vulnerability is a weakness that exists. Vulnerabilities are weaknesses or gaps in an organization's security or control systems that can be exploited by a threat to cause harm or damage to the organization's assets, operations or reputation. Two techniques that can be used to systematically identify vulnerabilities are vulnerability assessments and penetration testing, which I'll talk about in more detail in the second mind map video of Domain 6, link in the description below. Likelihood or probability is simply the chance that a particular risk event will occur. It is a measure of the likelihood of a potential risk turning into an actual event. And the final piece that we have to look at to fully understand a risk is the impact. Impact refers to the potential harm or damage that could result from a particular risk occurring. Impact is essentially whatever bad thing is going to happen to the organization as a result of a risk occurring: downtime, reputational damage, data integrity issues, a breach, ransomware; the list unfortunately goes on and on.

All right, so as part of risk analysis we are going to come up with a giant list of risks. We need to rank those risks to figure out which risks are of greater or lesser concern. There are two techniques that we can use to rank the risks: quantitative and qualitative analysis, the same exact techniques we talked about for ranking assets. Quantitative risk analysis is where we try to calculate exactly how much a given risk is going to cost the organization per year. It's super helpful if we can calculate this, as it makes it much easier to determine what controls are cost-justified to put in place to mitigate a risk. There is a super simple formula you can use to calculate how much a risk is going to cost the organization per year. It's known as the ALE calculation, the annualized loss expectancy calculation, and you definitely need to know this formula for the exam. To calculate the ALE you need to first calculate the SLE, the single loss expectancy, which is simply how much a risk is going to cost the organization if the risk occurs once. To calculate the SLE you multiply the asset value times the exposure factor. The asset value is simply what the asset is worth, and the exposure factor is a percentage that represents what percent of the asset you expect to lose if the risk occurs. An exposure factor of 10% would mean you would expect to lose 10% of the asset if the risk occurs, or an exposure factor of 100% would mean you expect to lose all 100% of the asset if the risk occurs. So to calculate the SLE, multiply the asset value with the exposure factor, and that will tell you how much it's going to cost the organization if the risk occurs once. But of course the whole point of this ALE formula is to calculate how much a risk is going to cost the organization annually, per year, so we need to multiply the SLE times the ARO. The ARO is the annualized rate of occurrence. The ARO represents how many times per year you expect a risk to occur. If you expect the risk to occur once per year the ARO will be one; five times per year, the ARO would be five; and so on. So, a super simple formula that we would love to use all the time, but we can't, because the three simple numbers we need, asset value, exposure factor and ARO, are often totally impossible to determine with any sort of reasonable accuracy, and that is why we are forced to use qualitative analysis most of the time. And like I said before, qualitative analysis is a relative ranking system: not great, but a whole lot better than nothing.

Which brings us to the third major step in risk management: treatment. Treatment is where we figure out how to treat the risks we've identified, to do something about the risks. There are four major treatment methods: avoid, transfer, mitigate and accept. Let's go through them, starting with risk avoidance. Risk avoidance means implementing measures to prevent the risk from occurring, or choosing not to engage in activities that would cause the risk to occur. Don't want to face the risk of near-certain death of jumping out of an airplane with no parachute? Don't jump out of the airplane with no parachute. That's risk avoidance. Risk transference means buying an insurance policy. An organization can purchase an insurance policy to transfer the financial burden of a particular risk to their insurer. Super critical to remember from a security perspective, though: you can never transfer or delegate accountability. So if an organization has purchased an insurance policy, they are not transferring the accountability for a risk to their insurer. Risk mitigation is where we spend most of our time as security professionals. Risk mitigation is implementing various controls to reduce the risk. We'll talk through a bunch of different types of controls in just a moment: preventive controls, detective controls, corrective controls, etc. So risk mitigation is about reducing the risk by implementing various controls, which brings up another important term: residual risk. Residual risk is the risk that is left over after we've implemented mitigating controls.

There are three major methods we can use to implement mitigating controls. Administrative means policies, procedures and other organizational practices that we put in place to manage risks. Administrative controls are things like security policies, employee training and awareness, etc. Technical or logical controls are the technologies that we put in place to manage risk, things like firewalls, intrusion detection systems, encryption, automated backups, etc. And physical controls are the physical security, such as fences, cameras, locks, fire suppression systems, etc. So we can implement controls using any of the three major methods: administrative, technical/logical and physical.

And one more layer here to define before we get into the actual controls. We can categorize the controls into two major groups: safeguards and countermeasures. Safeguards are the things that we put in place, the controls that we put in place, to try and ensure a risk doesn't occur. So within this category of safeguards we have the following three controls. Directive controls are measures that provide guidance and instructions to personnel on how to handle risks. Directive controls direct behavior. How do we tell someone to do something within an organization? Policies. Policies are a perfect example of directive controls: thou shalt do this. Deterrent controls discourage individuals from engaging in risky behaviors. Key word here is discourage: deterrent controls don't prevent someone from doing something, they discourage them. A perfect example of a deterrent control is a sign that says "private property, all trespassers will be shot." That sign wouldn't prevent me from walking onto a property, but if this sign was in the US, where everyone has at least 37 guns and the healthcare sucks, uh, it would definitely discourage me. Sorry for picking on the US here, but I'm Canadian, I'm allowed to. We're like the annoying younger siblings of the US. All right, now preventive controls are measures that aim to prevent, to stop, a risk from occurring. Examples of preventive controls include razor wire-topped fences, login mechanisms and firewalls. They prevent someone from doing something.

As I said, we can categorize the controls into two major categories, two major groupings: safeguards and countermeasures. Countermeasures are the controls we put in place to detect and respond to a risk that has occurred. So within this category of countermeasures we have the following three controls. Detective controls are measures that help identify that risks have occurred or are currently ongoing. Examples of detective controls include SIEM systems (security information and event management systems), intrusion detection systems, smoke detectors, etc. Corrective controls are measures that aim to reduce the negative impact of risks that have occurred. A perfect example of a corrective control would be a fire suppression system that activates to put out a fire. Recovery controls are measures that help organizations recover from the negative impacts of a risk occurring, getting back to business as usual. A good example of a recovery control is a disaster recovery plan, a DRP. And finally, compensating controls are the measures we put in place to mitigate the negative impacts of risks when other controls are not effective or feasible. So essentially compensating controls make up for the lack of a better control somewhere else.

Okay, now the final piece to cover related to controls: functional and assurance. Every good control is supported by these two aspects, functional and assurance. The functional aspect refers to the function that a control is meant to perform. For example, what is the function of a firewall? Firewalls control the flow of traffic between two network segments, so a good firewall control is going to provide this functionality, the ability to control the flow of traffic. Any good control is going to perform some sort of useful function. The second aspect that any good control needs to provide is assurance. We need to be able to get assurance that a control is working correctly on an ongoing basis. So going back to a firewall, how would we typically get assurance that a firewall is working correctly on an ongoing basis? By logging and monitoring the firewall. So any good control is going to provide this assurance aspect, and that finally wraps up the discussion of risk mitigation.

So let's zoom back up to the final risk treatment method: risk acceptance. Risk acceptance is a deliberate decision to accept a certain level of risk and its potential consequences. Who within an organization should be accepting the risk associated with a particular asset? The asset owner. Owners are accountable for the security of an asset, so owners are best positioned to deliberately accept a risk or not.

Risk management frameworks provide a structured and systematic approach for managing risks within an organization. There are a few risk management frameworks that you should recognize the names of, and there is one framework in particular that you really need to focus on. Let's start with the framework that you really need to focus on: the RMF, the Risk Management Framework. This is a National Institute of Standards and Technology, NIST, publication, specifically NIST 800-37. The RMF defines a structured seven-step process that helps organizations to manage risk to their information systems and data. You need to remember the seven steps at a high level, the order of the steps, and what is happening at each step. The seven steps of the RMF are: number one, prepare to execute the RMF. Number two, categorize systems; this step is essentially focused on identifying the risks. Step three, select security controls: select the appropriate mitigating controls for the risks you identified. Step four, implement the controls. Step five, assess the effectiveness of the implemented controls. Step six, authorize: based on the results of the assessment, ideally the owner of the system should make the decision as to whether or not the system can be put into production, is authorized to go into production. And then step seven, monitor: perform ongoing monitoring of the controls to ensure they continue to operate effectively in production. The other three frameworks that you should be able to recognize as being risk management frameworks are ISO 31000, the COSO risk management framework and ISACA Risk IT.

And that is an overview of risk management within Domain 1, covering the most critical concepts you need to know for the exam. In our 20-plus years of teaching CISSP classes we've noticed that folks tend to make a few critical mistakes in their CISSP exam preparation. Accordingly, we've created this super useful free guide that will explain three of the most common mistakes and, most importantly, how to avoid them. You can access the free guide here at destcert.com slre mistakes toavoid; the link is in the description below as well.