WEBVTT

00:00.000 --> 00:02.580
>> Hi everybody. We're
starting out with one of

00:02.580 --> 00:05.640
the most important topics
in information security,

00:05.640 --> 00:07.620
and that's risk management.

00:07.620 --> 00:10.680
Of course, we'll look at some
security basics as well.

00:10.680 --> 00:12.390
What we want to do from

00:12.390 --> 00:13.540
the very beginning is bring

00:13.540 --> 00:15.345
security into the realm of risk.

00:15.345 --> 00:17.070
Because that's what
allows us to make

00:17.070 --> 00:18.840
good business
decisions that support

00:18.840 --> 00:20.640
the security function while also

00:20.640 --> 00:24.070
making sure that we deliver
value to the business.

00:24.230 --> 00:26.910
We're going to start off
with the risk management

00:26.910 --> 00:28.425
and security overview,

00:28.425 --> 00:29.790
and then we're going to focus

00:29.790 --> 00:31.364
a bit more closely on risk

00:31.364 --> 00:32.790
and look at the
four phases of

00:32.790 --> 00:34.585
the risk management life cycle.

00:34.585 --> 00:37.625
Risk identification,
risk assessment,

00:37.625 --> 00:40.345
risk communication,
and risk monitoring.

00:40.345 --> 00:42.230
From there, we're going to see

00:42.230 --> 00:43.549
how looking at risk allows

00:43.549 --> 00:46.700
us to identify information
security priorities.

00:46.700 --> 00:48.380
We'll also discuss audits,

00:48.380 --> 00:52.355
vulnerability assessments,
and penetration tests.

00:52.355 --> 00:55.280
When we talk about
information security,

00:55.280 --> 00:56.920
a lot of things come to mind.

00:56.920 --> 00:58.880
But our focus here
is on our need to

00:58.880 --> 01:01.160
protect organizational assets,

01:01.160 --> 01:03.290
commensurate with the
value of the assets,

01:03.290 --> 01:05.525
and then threats and
vulnerabilities.

01:05.525 --> 01:07.430
That last part is important,

01:07.430 --> 01:08.750
commensurate with the value of

01:08.750 --> 01:11.585
the assets and the threats
and vulnerabilities.

01:11.585 --> 01:13.190
If you've ever heard
the statement,

01:13.190 --> 01:15.290
you can never have
too much security,

01:15.290 --> 01:16.985
that's actually not true.

01:16.985 --> 01:19.685
You can definitely have
too much security.

01:19.685 --> 01:21.320
It needs to be appropriate for

01:21.320 --> 01:22.685
the asset you are protecting

01:22.685 --> 01:24.200
and be reduced to
a level that is

01:24.200 --> 01:26.090
acceptable to senior leadership.

01:26.090 --> 01:28.970
For example, you
probably wouldn't

01:28.970 --> 01:31.640
have a retina scan system
to protect your house.

01:31.640 --> 01:33.410
The reason is that it's too
expensive and not

01:33.410 --> 01:36.005
commensurate with the assets
that you need to protect.

01:36.005 --> 01:37.415
But if you were protecting

01:37.415 --> 01:39.425
top secret government
information,

01:39.425 --> 01:42.020
a retina scan might make sense.

01:42.020 --> 01:44.345
Assets are something we value;

01:44.345 --> 01:46.805
they could be tangible,
like a big screen TV,

01:46.805 --> 01:50.020
or intangible, like a
company's reputation.

01:50.020 --> 01:52.250
You always start
with your assets,

01:52.250 --> 01:54.640
figure out what they are
and what they're worth,

01:54.640 --> 01:57.010
then you look at
what threats exist.

01:57.010 --> 01:58.520
Threats are those
elements that would

01:58.520 --> 02:00.425
pose harm to your assets.

02:00.425 --> 02:02.660
Now, a threat is
only going to be

02:02.660 --> 02:04.745
successful if
there's a weakness,

02:04.745 --> 02:08.020
and another word for
weakness is vulnerability.

02:08.020 --> 02:09.755
When we talk about risk,

02:09.755 --> 02:11.150
we think in terms of those

02:11.150 --> 02:12.800
three things coming together:

02:12.800 --> 02:16.220
asset, threat,
and vulnerability.

02:16.500 --> 02:19.940
When I'm looking to implement
a security control,

02:19.940 --> 02:21.820
which is something
that mitigates risk,

02:21.820 --> 02:23.390
I need to think about the value

02:23.390 --> 02:24.934
of the assets I'm protecting,

02:24.934 --> 02:27.140
as well as the threats
and vulnerabilities.

02:27.140 --> 02:29.090
Otherwise, I may
spend too much on

02:29.090 --> 02:32.180
security or I may
not spend enough.

02:32.180 --> 02:35.825
The question is how much
security is enough?

02:35.825 --> 02:39.880
The answer is just enough
based on risk management.

02:39.880 --> 02:42.020
Now often, when you implement a

02:42.020 --> 02:43.519
control to mitigate risk,

02:43.519 --> 02:45.440
it doesn't
eliminate all risk,

02:45.440 --> 02:47.000
and the amount of risk that is

02:47.000 --> 02:49.550
left over is called
residual risk.

02:49.550 --> 02:51.650
As an example, let's say

02:51.650 --> 02:53.390
that I'm worried about
malicious activity

02:53.390 --> 02:57.125
from outside my network
impacting internal resources,

02:57.125 --> 02:59.510
so I might configure a firewall.

02:59.510 --> 03:01.520
That's going to go
a long way to keep

03:01.520 --> 03:03.910
malicious actors off
my internal network.

03:03.910 --> 03:05.330
But that doesn't eliminate

03:05.330 --> 03:06.980
any conceivable possibility of

03:06.980 --> 03:09.035
something affecting
my internal network.

03:09.035 --> 03:12.140
But what it does do is bring
down the total risk to

03:12.140 --> 03:13.730
a much smaller amount and

03:13.730 --> 03:15.859
what is left
over is residual.

03:15.859 --> 03:18.035
Then I look at the
residual amount

03:18.035 --> 03:20.660
and I determine whether
it's acceptable or not.

03:20.660 --> 03:22.640
Sometimes the amount
of risk that is

03:22.640 --> 03:24.635
left over is acceptable,

03:24.635 --> 03:27.680
so our job with
risk management is to

03:27.680 --> 03:29.210
reduce the risk to a degree that

03:29.210 --> 03:31.295
is acceptable to
senior management.

03:31.295 --> 03:32.900
That's what risk management and

03:32.900 --> 03:34.910
information security
is all about.

03:34.910 --> 03:37.370
Then of course, you need
to monitor and maintain

03:37.370 --> 03:38.780
that risk to make sure it

03:38.780 --> 03:41.700
continues to stay at
that acceptable level.

