
- The goal of a risk assessment is to determine where an organization may be most exposed or where something bad might happen that could hurt the organization's ability to deliver on its intended mission. The quality of all other security assessments will improve if you're using the results of a recent risk assessment as one of your key inputs.

When you're conducting a risk assessment, your goal will be to identify threats and vulnerabilities that could potentially harm the organization. Knowing the difference between a threat and a vulnerability is essential. Fortunately, we can turn to NIST, the National Institute of Standards and Technology, to help us better understand that difference. NIST considers a threat to be a circumstance or event that could damage the confidentiality, integrity, or availability of information or information systems. That means if something or someone could expose an organization's secret information, stuff like intellectual property or customer personal information, or if that thing could make changes without the proper approvals, or if that person could take a web application offline, well, then that's a threat.

A vulnerability is a weakness that enables the threat to be successful. A missing security patch is a great example of a vulnerability; so is a default admin password still in use on some internet-facing web portal. When it comes to availability, the fact that a data center is located in an area prone to flooding or tornadoes is an example of a physical vulnerability.

During your risk assessment you'll identify the threats and vulnerabilities about which the organization should be concerned, and then you'll score the potential likelihood and the potential impact of each risk. Likelihood is the probability that a threat might actually succeed in exploiting a vulnerability. Let's look at malware as an example. What's the likelihood that your laptop will get infected with a virus? Well, it depends on a number of things, doesn't it? Do you run an antivirus program? Do you use your laptop to access the internet? Do you open email attachments from people you don't know? As you ask relevant questions about each threat and about how exposed you might be to different attack vectors, it should become apparent whether or not the risk you're considering is highly likely to do harm, highly unlikely, or somewhere in between. That's why NIST relies on a high, medium, low scale when scoring risks.

You also need to consider the impact, though, to get an accurate risk score. If your laptop gets infected with malware, well, that'll make for a bad day for you. But what if the entire server network at your company gets infected with malware? The impact of an incident like that would be much more expensive since it impacts a lot more people. NIST follows the same low, medium, high scoring methodology for the impact as it does for likelihood. All you have to do is combine the two scores, often through a simple math equation, and voila, you have a risk score.

If you've never conducted a risk assessment, my advice to you is that you don't get caught up in the details just yet. Again, the goal of a risk assessment is to prioritize risks so that you can take the necessary action to reduce those scores to an acceptable level based on the leadership team's risk appetite.

When preparing for an upcoming risk assessment, make sure to do your research. Verizon's Data Breach Investigations Report has a lot of real world data on actual security incidents that resulted in data breaches, and so does the Privacy Rights Clearinghouse chronology of data breaches. You can also turn to industry-specific Information Sharing and Analysis Centers, or ISACs, for threat and vulnerability information relevant to your specific industry. You can even turn to your internal IT service management system for historical help desk ticket information. As a matter of fact, I highly recommend that you do just that before embarking on your first risk assessment.

At the end of the day you should have a report that contains a prioritized list of information security risks that your leadership team will want you to keep a close eye on.

(upbeat music)
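The scoring and prioritization steps the speaker walks through (rate likelihood and impact as low/medium/high, combine them with a simple equation, sort, and compare against leadership's risk appetite) can be carried through end to end in a few lines. The block below is an added example written for this page; it is not code from the course or its author. The numeric weights are the ones in the 3x3 risk-level matrix of the original NIST SP 800-30, but treat them as an assumption of this example, since the transcript only says the two scores are combined with a simple equation. The risk register is constructed from the threats and vulnerabilities the speaker mentions (default admin password, missing patch, flood-prone data center, malware on a laptop versus the server network); none of it is real assessment data.

```python
"""Qualitative risk scoring: likelihood x impact -> prioritized risk register."""
from dataclasses import dataclass

# Weights from the original NIST SP 800-30 risk-level matrix (assumption of this
# example; the transcript only says the two ratings are combined with a simple equation).
LIKELIHOOD_WEIGHT = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT_WEIGHT = {"low": 10, "medium": 50, "high": 100}
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Risk:
    """One row of the register: a threat paired with the weakness it would exploit."""
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"


def risk_score(likelihood: str, impact: str) -> float:
    """Combine the two qualitative ratings into one number (likelihood x impact)."""
    try:
        score = LIKELIHOOD_WEIGHT[likelihood.lower()] * IMPACT_WEIGHT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"rating must be low/medium/high, got {exc.args[0]!r}") from None
    return round(score, 6)  # strip float noise so threshold comparisons are exact


def risk_level(score: float) -> str:
    """Map a numeric score back onto the low/medium/high scale (SP 800-30 bands)."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def prioritize(register, risk_appetite: str = "low"):
    """Score every entry, highest first, and keep those above leadership's appetite.

    risk_appetite is the highest level the leadership team will accept untreated;
    anything rated above it is returned as (risk, score, level) for the watch list.
    """
    if risk_appetite not in LEVEL_RANK:
        raise ValueError(f"unknown risk appetite {risk_appetite!r}")
    scored = [(r, risk_score(r.likelihood, r.impact)) for r in register]
    scored.sort(key=lambda item: item[1], reverse=True)  # stable: ties keep register order
    accept = LEVEL_RANK[risk_appetite]
    return [(r, score, risk_level(score))
            for r, score in scored
            if LEVEL_RANK[risk_level(score)] > accept]


# Constructed sample register built from the examples in the transcript (not real data).
SAMPLE_REGISTER = [
    Risk("Attacker logs in to the customer portal",
         "Default admin password still in use on an internet-facing web portal",
         likelihood="high", impact="high"),
    Risk("Malware spreads across the company server network",
         "Missing security patch on the file servers",
         likelihood="medium", impact="high"),
    Risk("Flood takes the primary data center offline",
         "Data center is located in a flood-prone area",
         likelihood="low", impact="high"),
    Risk("Malware infects a single employee laptop",
         "User opens email attachments from unknown senders",
         likelihood="high", impact="low"),
    Risk("Visitor photographs a whiteboard in a meeting room",
         "No clean-desk practice in shared rooms",
         likelihood="medium", impact="low"),
]


if __name__ == "__main__":
    for risk, score, level in prioritize(SAMPLE_REGISTER, risk_appetite="low"):
        print(f"{level:6} {score:6.1f}  {risk.threat} <- {risk.vulnerability}")
```

With a "low" appetite the watch list is the default-password portal (100, high) followed by the unpatched server network (50, medium); raising the appetite to "medium" leaves only the portal. Note what the multiplication does to the flood scenario: low likelihood times high impact gives 10, which the bands rate "low", the same as a single infected laptop. That is a known side effect of multiplicative matrices, rare catastrophic events sink below frequent nuisances, so many teams also look at the impact column on its own before signing off the prioritized list.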
