WEBVTT

00:00.000 --> 00:02.145
>> Hi everybody. By this point,

00:02.145 --> 00:03.555
we've identified our risks,

00:03.555 --> 00:04.725
and assessed our risks,

00:04.725 --> 00:06.240
and have a value for them.

00:06.240 --> 00:07.770
Now, we've got to figure out

00:07.770 --> 00:09.345
the best way to mitigate them.

00:09.345 --> 00:11.755
The most common is
risk reduction.

00:11.755 --> 00:14.010
With risk reduction,
we're going to lessen

00:14.010 --> 00:15.270
either the probability of

00:15.270 --> 00:17.790
the risk or the
impact of the risk.

00:17.790 --> 00:21.195
For example, I can't lessen
the probability of rain,

00:21.195 --> 00:24.630
but I can lessen the impact
by bringing an umbrella.

00:24.630 --> 00:26.340
I can't lessen the impact of

00:26.340 --> 00:28.380
malware infestation on a system,

00:28.380 --> 00:30.720
but I can lessen the
probability of getting

00:30.720 --> 00:33.960
that malware by having
anti-malware software installed.

00:33.960 --> 00:36.030
With risk reduction,
we're trying

00:36.030 --> 00:37.409
to lessen one of those.

00:37.409 --> 00:40.025
Again, we're going
to keep reducing risk

00:40.025 --> 00:41.270
until we get to a level that's

00:41.270 --> 00:43.130
acceptable to senior management.

00:43.130 --> 00:45.140
If we reduce all
the way to zero,

00:45.140 --> 00:46.930
we've actually avoided the risk,

00:46.930 --> 00:49.035
but you can't always do that.

00:49.035 --> 00:50.900
As a general rule,

00:50.900 --> 00:53.090
we look to reduce
or transfer risk,

00:53.090 --> 00:55.790
so we can still perform the
activities we want to do

00:55.790 --> 00:57.410
rather than not do those things

00:57.410 --> 00:59.605
in order to avoid all risks.

00:59.605 --> 01:02.780
When we talk about putting
security controls in place,

01:02.780 --> 01:04.340
we talk about doing things like

01:04.340 --> 01:05.810
implementing policies like,

01:05.810 --> 01:07.235
separation of duties,

01:07.235 --> 01:09.410
or implementing
physical controls

01:09.410 --> 01:11.670
like door locks and
security guards,

01:11.670 --> 01:14.165
these are risk
reduction controls.

01:14.165 --> 01:15.560
If we determine after

01:15.560 --> 01:17.450
research that the
risk is too great,

01:17.450 --> 01:19.590
we choose to avoid it.

01:20.050 --> 01:23.660
Another option is
risk transference.

01:23.660 --> 01:25.430
Risk transference means we're

01:25.430 --> 01:27.670
going to share in
the loss potential.

01:27.670 --> 01:30.860
For example, maybe I'm
worried about being able to

01:30.860 --> 01:32.780
provide availability
that's necessary

01:32.780 --> 01:34.430
to satisfy my customers,

01:34.430 --> 01:35.960
so I outsource, and I have

01:35.960 --> 01:38.450
my infrastructure
migrated to the Cloud,

01:38.450 --> 01:39.950
and take advantage of the uptime

01:39.950 --> 01:41.560
that's promised by Amazon.

01:41.560 --> 01:44.450
If Amazon Web Services doesn't
provide the degree of

01:44.450 --> 01:46.010
resources necessary to get

01:46.010 --> 01:47.900
the high availability
that I want,

01:47.900 --> 01:49.280
then there's a reimbursement

01:49.280 --> 01:51.200
based on the service
level agreement,

01:51.200 --> 01:52.595
so if there's a loss,

01:52.595 --> 01:55.440
they will always share
in the loss with me.

01:55.550 --> 01:58.730
In another example,
what if I don't have

01:58.730 --> 02:01.310
the skills to develop a
certain type of software,

02:01.310 --> 02:03.020
I outsource to a third-party

02:03.020 --> 02:04.705
software development company.

02:04.705 --> 02:07.355
If they don't meet the
requirements, again,

02:07.355 --> 02:08.960
usually the contract calls for

02:08.960 --> 02:10.940
some negotiation if the parties

02:10.940 --> 02:13.465
don't perform according
to the requirements.

02:13.465 --> 02:16.280
With risk transference,
we're trying to share in

02:16.280 --> 02:19.730
the loss potential so that
it doesn't weigh us down.

02:20.650 --> 02:23.750
Now, risk acceptance comes

02:23.750 --> 02:26.285
when either there's nothing
we can do about a risk,

02:26.285 --> 02:28.010
or if we determine that it's too

02:28.010 --> 02:29.975
expensive to mitigate a risk.

02:29.975 --> 02:32.120
Sometimes the cost of mitigation

02:32.120 --> 02:34.825
is greater than the
potential for loss.

02:34.825 --> 02:38.895
We had an earthquake in the
DC area several years ago.

02:38.895 --> 02:41.150
I wondered how often
we have earthquakes in

02:41.150 --> 02:43.350
this area, so I did my research,

02:43.350 --> 02:45.530
and found out that in
the past 100 years,

02:45.530 --> 02:47.210
we've only had a
handful of them,

02:47.210 --> 02:49.300
and they've only
been low impact.

02:49.300 --> 02:51.170
Based on this information,

02:51.170 --> 02:52.790
we decided we couldn't justify

02:52.790 --> 02:54.845
the cost of mitigation
for this risk,

02:54.845 --> 02:57.270
and we would just accept it.

02:58.180 --> 03:01.625
But we do have an emergency
preparedness kit,

03:01.625 --> 03:03.800
and business continuity plan.

03:03.800 --> 03:06.230
When we choose to accept a risk,

03:06.230 --> 03:07.670
it doesn't mean we don't have

03:07.670 --> 03:09.650
some disaster recovery plan

03:09.650 --> 03:12.635
or business continuity
plan to deal with it.

03:12.635 --> 03:15.034
It's important that
with risk acceptance,

03:15.034 --> 03:17.000
we show our due
diligence because

03:17.000 --> 03:20.730
risk acceptance is not the
same as ignoring a risk.

03:22.700 --> 03:25.850
Now, when we talk about
mitigation strategies,

03:25.850 --> 03:27.680
and risk reduction, we have to

03:27.680 --> 03:29.900
remember the idea
of layered defense.

03:29.900 --> 03:32.300
With layered defense,
we want technical,

03:32.300 --> 03:35.545
physical, and administrative
controls if possible.

03:35.545 --> 03:38.300
Technical controls
include encryption,

03:38.300 --> 03:42.065
firewalls, intrusion detection,
and things like that.

03:42.065 --> 03:43.790
Physical controls include

03:43.790 --> 03:45.305
things like door locks,

03:45.305 --> 03:48.230
gates, lighting, and
security guards.

03:48.230 --> 03:50.810
Administrative controls
include policies,

03:50.810 --> 03:53.605
procedures, standards,
and guidelines.

03:53.605 --> 03:55.760
Those are the things
that come down from

03:55.760 --> 03:59.000
senior leadership as directives
and influence security,

03:59.000 --> 04:00.710
so all three of these types of

04:00.710 --> 04:03.810
controls make up a
good layered defense.

04:03.850 --> 04:07.849
Now, within each of those
categories of controls,

04:07.849 --> 04:09.410
we also have other controls

04:09.410 --> 04:11.590
that serve specific functions.

04:11.590 --> 04:13.730
Within physical, administrative,

04:13.730 --> 04:15.049
and technical controls,

04:15.049 --> 04:16.370
we can have preventative,

04:16.370 --> 04:20.275
deterrent, corrective,
and detective controls.

04:20.275 --> 04:23.415
For detective controls in
the physical category,

04:23.415 --> 04:25.475
you have things like
motion detectors,

04:25.475 --> 04:27.395
building alarms, and so forth.

04:27.395 --> 04:29.150
For preventative controls

04:29.150 --> 04:30.965
under the administrative
category,

04:30.965 --> 04:33.950
you could have the
separation of duties policy.

04:33.950 --> 04:35.750
An example of a deterrent

04:35.750 --> 04:37.130
administrative
control would be

04:37.130 --> 04:38.540
an employee
handbook that tells

04:38.540 --> 04:40.615
you what you can and cannot do.

04:40.615 --> 04:42.860
A corrective
administrative control

04:42.860 --> 04:45.095
could be a termination
procedure.

04:45.095 --> 04:48.020
Each of these major
categories of controls has

04:48.020 --> 04:49.640
these additional
types of controls

04:49.640 --> 04:51.620
that serve specific functions,

04:51.620 --> 04:54.200
this is all part of
the layered defense.

04:54.200 --> 04:55.790
You don't want to rely too

04:55.790 --> 04:57.320
heavily on one
type of control or

04:57.320 --> 05:01.290
another because any
control can be bypassed.

05:03.020 --> 05:06.090
Quick wrap-up for
risk mitigation.

05:06.090 --> 05:08.840
Primarily, responses
are to reduce,

05:08.840 --> 05:11.195
transfer or accept risk.

05:11.195 --> 05:12.830
Reducing risk is going to

05:12.830 --> 05:15.060
lessen the probability
or impact.

05:15.060 --> 05:17.000
Transference is
going to be using

05:17.000 --> 05:19.100
insurance or service
level agreements or

05:19.100 --> 05:20.990
contracts with a
third party that

05:20.990 --> 05:23.330
is going to help shoulder
part of the loss.

05:23.330 --> 05:25.460
Risk acceptance comes
when the cost of

05:25.460 --> 05:26.540
the countermeasure is more

05:26.540 --> 05:28.805
expensive than the
potential for loss,

05:28.805 --> 05:31.370
or when you just can't
mitigate the risk.

05:31.370 --> 05:34.595
When it goes back to
reduction of risk, generally,

05:34.595 --> 05:35.675
we mitigate risks,

05:35.675 --> 05:38.005
and reduce risks
through controls.

05:38.005 --> 05:40.020
Some controls are proactive,

05:40.020 --> 05:41.880
some controls are reactive,

05:41.880 --> 05:43.910
but we need to make
sure we have technical,

05:43.910 --> 05:46.760
physical, and administrative
controls in place.

05:46.760 --> 05:50.290
The proactive controls are
preventative and deterrent.

05:50.290 --> 05:54.610
The reactive controls are
detective and corrective.

