Risk Management MindMap (3 of 3) | CISSP Domain 1

00:00

hey I'm Rob Witcher from destination

00:01

certification and I'm here to help you

00:03

pass the cissp exam we're going to go

00:05

through a review of the major topics

00:07

related to risk management in domain 1

00:09

to understand how they interrelate and

00:11

to guide your studies this is the third

00:13

of three videos for domain 1 I've

00:15

included links to the other mind map

00:17

videos in the description below these

00:19

mind maps are one part of our complete

00:21

cisp Master

00:23

[Music]

00:28

Class

00:33

risk management this is a super

00:36

important topic in security we as

00:39

Security Professionals have a colossal

00:41

challenge how do we best protect the

00:43

assets across an entire organization we

00:47

never have unlimited budgets or an

00:49

unlimited amount of time available to

00:51

perfectly protect everything so how do

00:54

we best protect the assets within the

00:56

organization given our limited budgets

00:58

and time once super useful method to

01:01

help us figure this out is risk

01:03

management risk management is an

01:05

essential component of any comprehensive

01:08

security program as it enables

01:10

organizations to prioritize their

01:12

security efforts and allocate resources

01:14

effectively risk management is

01:16

fundamentally focused on the

01:18

identification assessment and

01:20

prioritization of risks and the

01:22

economical application of resources to

01:24

minimize Monitor and

01:27

control the probability Andor impact of

01:29

those risks at the 10,000 ft level it's

01:33

helpful to think about risk management

01:34

comprising three major steps asset

01:37

valuation risk analysis and treatment

01:41

let's go through those three steps

01:44

starting with asset valuation asset

01:46

valuation is conceptually incredibly

01:49

simple assign a value to each asset in

01:52

other words figure out how valuable each

01:54

asset is to the organization so that we

01:56

can then rank the assets from the most

01:59

on down to the the least valuable simple

02:02

idea super hard to do in practice there

02:05

are two major ways that we can rank

02:07

risks quantitative and qualitative

02:10

analysis quantitative analysis is where

02:13

we assign monetary values to each asset

02:16

we say this asset is worth a dollar and

02:19

this asset is worth $2.7

02:21

million quantitative analysis is

02:24

absolutely the preferred method we would

02:26

ideally love to assign a nice dollar

02:28

value to every asset

02:31

unfortunately for the vast majority of

02:33

assets this just isn't possible with any

02:35

sort of reasonable accuracy can you

02:38

confidently say your organization's

02:39

reputation is worth $736 million or this

02:43

data set is worth exactly

02:46

$3,849 pesos or this critical

02:49

application is worth exactly 13.8

02:52

million EUR no for most assets we

02:56

absolutely cannot assign a monetary

02:59

value to them we may know something is

03:01

valuable but assigning an exact dollar

03:03

value to it is nigh

03:05

impossible and that is why the vast

03:07

majority of the time we use qualitative

03:10

analysis to rank assets qualitative

03:12

analysis is a simply a relative ranking

03:15

system where you compare assets and say

03:17

well this asset is more valuable than

03:20

that one which is less valuable than

03:22

that one you rank assets relative to

03:24

each other and you often create

03:27

categories like high medium and low

03:29

value and and sort assets into these

03:31

categories once you have completed asset

03:33

valuation you'll have a nicely ranked

03:36

list of assets and it is now time to

03:38

move on to step two of risk management

03:41

risk analysis risk analysis is where you

03:44

identify the risks associated with each

03:46

asset to identify and understand the

03:48

risks associated with each asset you

03:50

need to look at four things threats

03:53

vulnerabilities impact and likelihood

03:56

threats are any potential danger threats

04:01

are events situations or actions that

04:03

have the potential to cause harm or

04:05

damage to an organization's assets

04:07

operations or reputation threats can

04:09

come from a wide range of sources such

04:12

as natural disasters cyber attacks fraud

04:14

theft or human error amongst many others

04:17

a useful tool we can use to help us

04:18

systematically identify the threats

04:20

related to an asset is threat modeling

04:22

methodologies there have been many

04:24

different threat modeling methodologies

04:25

created over the years and there are

04:27

three that you should know about in

04:29

particular stride is essentially the

04:31

quick and easy but not super thorough

04:33

methodology you can use to identify

04:35

threats for the exam make sure you know

04:38

that the s in stride stands for spoofing

04:40

and that spoofing is a violation of

04:42

integrity and the T in stri in stride

04:45

stands for tampering which is a

04:46

violation of integrity and so forth so

04:49

make sure you know what each of letters

04:50

are and what they're a violation of

04:52

hasta the process for attack simulation

04:55

and threat analysis is the super timec

04:58

consuming super in-depth methodology for

05:01

threat modeling pasta is a seven-step

05:03

risk Centric methodology pasta provides

05:07

way more useful results and it takes

05:09

into account the business value of an

05:10

asset compliance issues and provides a

05:13

strategic threat analysis so stride is

05:15

the quick and easy way of systematically

05:17

identifying threats and pasta is the

05:20

super timec consuming method that

05:21

produces way more useful and nuanced

05:24

results the third methodology you should

05:26

know about is dread dread is different

05:29

from stride and pasta DED is not is not

05:32

used to identify threats rather it's

05:35

used to prioritize a list of threats

05:38

that have already been identified stride

05:40

and Dread are often used together stride

05:44

is used to identify the threats and

05:46

Dread is used to prioritize the

05:49

identified threats the next major piece

05:51

that we need to look at as part of risk

05:53

analysis is vulnerabilities a

05:56

vulnerability is a weakness that exists

05:59

vulnerabilities are weaknesses or gaps

06:01

in an organization's security or control

06:04

systems that can be exploited by a

06:06

threat to cause harm or damage to the

06:08

organization's assets operations or

06:11

reputation two techniques that can be

06:13

used to systematically identify

06:14

vulnerabilities are vulnerability

06:16

assessments and penetration testing

06:19

which I'll talk about in more detail in

06:21

the second mindmap video of domain 6

06:24

Link in the description below likelihood

06:26

or probability is simply the chance that

06:28

a particular risk event will occur it is

06:30

a measure of the likelihood or of a

06:33

potential risk turning into an actual

06:35

event and the final piece that we have

06:37

to look at to fully understand a risk is

06:39

the impact impact refers to the

06:41

potential harm or damage that could

06:43

result from particular risk occurring

06:45

impact is essentially whatever bad thing

06:47

is going to happen to the organization

06:49

as a result of a risk occurring downtime

06:52

reputational damage data Integrity

06:54

issues a breach ransomware the list

06:58

unfortunately goes on and on all right

07:01

so as part of risk analysis we are going

07:04

to come up with a giant list of risks we

07:07

need to rank those risks to figure out

07:09

which risk are of greater or lesser

07:11

concern there are two techniques that we

07:13

can use to rank the risks quantitative

07:15

and qualitative analysis the same exact

07:18

techniques we talked about for ranking

07:20

assets quantitative risk analysis is

07:22

where we try to calculate exactly how

07:23

much a given risk is going to cost the

07:25

organization per year it's super helpful

07:28

if we can calculate this as it makes it

07:30

much easier to determine what controls

07:32

are cost Justified to put in place to

07:34

mitigate a risk there is a super simple

07:37

formula you can use to calculate how

07:38

much a risk is going to cost the

07:39

organization per year it's known as the

07:42

AL calculation the annualized loss

07:45

expectancy calculation and you

07:48

definitely need to know this formula for

07:49

the exam to calculate the AL you need to

07:53

First calculate the SLE the single loss

07:56

expectancy which is simply how much is a

07:59

risk going to cost the organization if

08:00

the risk occurs

08:02

once to calculate the slle you multiply

08:05

the asset value times the exposure

08:08

Factor the asset value is simply what

08:10

the asset is worth and the exposure

08:13

factor is a percentage that represents

08:15

what percent of the asset you expect to

08:17

lose if the risk occurs and exposure

08:20

factor of 10% would mean you would

08:23

expect to lose 10% of the asset if the

08:25

risk occurs or an exposure factor of

08:28

100% would mean you expect to lose all

08:31

100% of the asset if the risk occurs so

08:34

to calculate the SLE multiply the asset

08:38

value with the exposure factor and that

08:40

will tell you how much it's going to

08:41

cost the organization if the risk occurs

08:44

once but of course the whole point of

08:46

this Al formula is to calculate how much

08:48

a risk is going to cost the organization

08:50

annually per

08:52

year so we need to multiply the SLE

08:55

times the Aro the Aro is the annualized

08:58

rate of occurrence the Aro represents

09:01

how many times per year you expect a

09:03

risk to occur if you expect the risk to

09:05

occur once per year the ARL will be one

09:09

five times per year the ARL would be

09:11

five and so on so super simple formula

09:15

that we would love to use all the time

09:17

but we can't because the three simple

09:19

numbers we need asset value exposure

09:22

factor and AO are often totally

09:26

impossible to determine without with any

09:28

sort of reasonable action accuracy and

09:30

that is why we are forced to use

09:33

qualitative analysis most of the time

09:36

and like I said before qualitative

09:37

analysis is a relative ranking system

09:40

not great but a whole lot better than

09:42

nothing which brings us to the third

09:44

major step in Risk Management treatment

09:47

treatment is where we figure out how to

09:49

treat the risks we've identified to do

09:51

something about the risks there are four

09:54

major treatment methods avoid transfer

09:57

mitigate and accept let's go through

10:00

them starting with risk avoidance risk

10:03

avoidance means implementing measures to

10:05

prevent the risk from occurring or

10:07

choosing not to engage in activities

10:09

that would cause the risk to occur don't

10:11

want to face the risk of near certain

10:13

death of jumping out of an airplane with

10:14

no parachute don't joke boto airplane

10:17

with no parachute that's risk avoidance

10:20

risk transference means buying an

10:23

insurance policy an organization can

10:25

purchase an insurance policy to transfer

10:27

the financial burden of a particular

10:29

risk to their insurer super critical to

10:32

remember from a security perspective

10:33

though you can never transfer or

10:36

delegate accountability so if an

10:38

organization has purchased an insurance

10:40

policy they are not transferring the

10:43

accountability for a risk to their

10:44

insurer risk mitigation is where we

10:47

spend most of our time as Security

10:48

Professionals risk mitigation is

10:51

implementing various controls to reduce

10:53

the risk we'll talk through a bunch of

10:55

different types of controls in just a

10:57

moment preventative controls deductive

10:59

controls corrective controls Etc so risk

11:02

mitigation is about reducing the risk by

11:04

implementing various controls which

11:06

brings up another important term

11:07

residual risk residual risk is the risk

11:10

that is left over after we've

11:12

implemented mitigating

11:14

controls there are three major methods

11:17

we can use to implement mitigating

11:20

controls administrative means policies

11:22

procedures and other organizational

11:24

practices that we put in place to manage

11:26

risks administrative controls are things

11:28

like security policies employee training

11:31

and awareness

11:32

Etc technical or logical controls are

11:35

the technologies that we put in place to

11:36

manage risk things like firewalls

11:38

intrusion detection systems encryption

11:40

automated backups Etc and physical

11:44

controls are the physical security such

11:46

as fences cameras locks fire suppression

11:49

systems Etc so we can Implement controls

11:52

using any of the three major methods

11:55

administrative technal technical

11:57

sociological and physical

11:59

and one more layer here to Define before

12:01

we get into the actual controls we can

12:03

categorize the controls into two major

12:05

groups safeguards and counter measures

12:09

safeguards are the things that we put in

12:11

place the controls that we put in place

12:13

to try and ensure a risk doesn't occur

12:16

So within this category of safeguards we

12:19

have the following three controls

12:21

directive controls are measures that

12:23

provide guidance and instructions to

12:25

Personnel on how to handle risks

12:27

directive controls Direct Behavior how

12:30

do we tell someone to do something

12:31

within an organization policies policies

12:34

are a perfect example of directive

12:36

controls Thou shalt do this deterrent

12:38

controls discourage individuals from

12:41

engaging risky behaviors key word here

12:43

is discourage deterrent controls don't

12:46

prevent someone from doing something

12:48

they discourage them a perfect example

12:50

of a deterrent control is a sign that

12:52

says private property all trespassers

12:54

will be shot that sign wouldn't prevent

12:56

me from walking onto a property but if

12:59

this sign was in the US where everyone

13:00

has at least 37 guns and the healthcare

13:02

sucks uh it would definitely discourage

13:04

me sorry for picking on the US here but

13:06

I'm Canadian I'm allowed to all right

13:08

we're like the annoying younger siblings

13:10

of the us all right now preventive

13:12

controls are measures that aim to

13:14

prevent stop a risk from occurring

13:16

examples of preventive controls include

13:18

razor wire top defenses login mechanisms

13:21

and firewalls they prevent someone from

13:24

doing something as I said we can

13:26

categorize the controls into two major

13:27

categories into major groupings

13:29

safeguards and counter measures counter

13:32

measures are the controls we put in

13:33

place to detect and respond to a risk

13:36

that has occurred So within this

13:38

category of counter measures we have the

13:40

following three controls detective

13:42

controls are measures that help identify

13:45

that risks have occurred or are

13:47

currently ongoing examples of detective

13:50

controls include Sim systems security

13:52

information event management systems

13:54

intrusion detection systems smoke

13:56

detectors Etc correct controls are

13:59

measures that aim to reduce the negative

14:01

impact of risks that have occurred a

14:04

perfect example of a corrective control

14:05

would be a fire suppression system that

14:07

activates the put out of fire recovery

14:09

controls are measures that help

14:11

organizations recover from the negative

14:13

impacts of a risk occurring getting back

14:15

to business as usual a good example of a

14:17

recovery control is a disaster recovery

14:19

plan a DRP and finally compensating

14:23

controls are the measures we put in

14:25

place to mitigate the negative impacts

14:26

of risks when other control are not

14:29

effective or feasible so essentially

14:31

compensating controls make up for the

14:32

lack of a better control somewhere else

14:35

okay now the final piece to cover

14:36

related to controls functional and

14:39

Assurance every good control is

14:42

supported by these two aspects

14:44

functional and Assurance the functional

14:47

aspect refers to the function that a

14:49

control is meant to perform for example

14:52

what is the function of a firewall

14:54

firewalls control the flow of traffic

14:55

between two Network segments so a good

14:57

firewall control is going to provide

14:59

this functionality the ability to

15:01

control the flow of traffic any good

15:04

control is going to perform some sort of

15:05

useful function the second aspect that

15:08

any good control needs to provide is

15:09

Assurance we need to be able to get

15:11

assurance that a control is working

15:12

correctly on an ongoing basis so going

15:15

back to a firewall how would we

15:17

typically get assurance that a firewall

15:18

is working correctly on an ongoing basis

15:20

by logging and monitoring the firewall

15:23

so any good control is going to provide

15:24

this assurance aspect and that finally

15:28

wraps up discussion of risk mitigation

15:31

so let's Zoom back up to the final risk

15:32

treatment method risk acceptance risk

15:36

acceptance is a deliberate decision to

15:38

accept a certain level of risk and its

15:40

potential consequences who within an

15:43

organization should be accepting the

15:45

risk associated with a particular asset

15:47

the asset owner owners are accountable

15:50

for the security of an asset so owners

15:52

our best position to deliberately accept

15:54

a risk or not risk management Frameworks

15:58

provided a structured and systematic

16:00

approach for managing risks within an

16:01

organization there are a few risk

16:04

management Frameworks that you should

16:05

recognize the names of and there is one

16:08

framework in particular that you really

16:09

need to focus on let's start with the

16:11

framework that you really need to focus

16:13

on the RMF the risk management framework

16:16

this is a National Institute of

16:17

Standards and Technology nist

16:19

publication specifically nist

16:22

800-37 the RMF defines a structured

16:25

seven-step process that helps

16:27

organizations to manage r to their

16:29

information systems and data you need to

16:31

remember the seven steps at a high level

16:34

the order of the steps and what is

16:36

happening at each step the seven steps

16:38

of the RMF are number one prepare to

16:42

execute the RMF number two categorize

16:46

systems this step is essentially focused

16:48

on identifying the risks step three

16:51

select security controls select the

16:53

appropriate mtiga controls for risks you

16:55

identified step four implement the

16:58

controls step five assess the

17:01

effectiveness of the implemented

17:03

controls step six authorized based on

17:06

the results of the assessment ideally

17:09

the owner of the system should make the

17:11

decision as to whether or not the system

17:13

can be put into production is authorized

17:14

to go into production and then step

17:16

seven monitor perform ongoing monitoring

17:18

of the controls to ensure they continue

17:20

to operate effectively in production the

17:23

other three Frameworks that you should

17:25

be able to recognize as being risk

17:26

management Frameworks are ISO 31,000 the

17:30

Koso risk management framework and a

17:33

saaka risk it and that is an overview of

17:36

risk management within domain one

17:37

covering the most critical Concepts you

17:39

need to know for the exam in our 20 plus

17:43

years of teaching cisp classes we've

17:45

noticed that folks tend to make a few

17:48

critical mistakes in their cisp press

17:50

preparation accordingly we've created

17:53

this super useful free guide that will

17:55

explain three of the most common

17:57

mistakes and most importantly how to

18:00

avoid them you can access the free guide

18:02

here at desert.com slre mistakes toavoid

18:05

link is in the description below as

18:10

[Music]

18:16

well