WEBVTT

00:00.000 --> 00:02.655
>> The risk life cycle.

00:02.655 --> 00:04.965
The learning objectives
for this lesson

00:04.965 --> 00:06.959
are to explore risk frameworks,

00:06.959 --> 00:08.940
to identify the
parts of the risk

00:08.940 --> 00:10.319
management life cycle,

00:10.319 --> 00:12.645
and to define risk
tracking methods.

00:12.645 --> 00:16.080
Let's get started.
Risk frameworks are

00:16.080 --> 00:17.610
a guide that helps you

00:17.610 --> 00:20.130
implement risk management
in your own organization,

00:20.130 --> 00:22.605
but they come from an
authoritative reference point.

00:22.605 --> 00:25.320
These are created by
organizations that have a lot of

00:25.320 --> 00:28.110
experience with this and
have created best practices.

00:28.110 --> 00:29.670
They're a good
starting point for you

00:29.670 --> 00:31.695
to implement in your
own organization.

00:31.695 --> 00:33.705
The NIST cybersecurity framework

00:33.705 --> 00:35.145
was created by NIST and it's

00:35.145 --> 00:36.810
a very popular framework that's

00:36.810 --> 00:38.745
been adopted by the
United States government.

00:38.745 --> 00:40.785
It has five core functions.

00:40.785 --> 00:42.665
These are to identify,

00:42.665 --> 00:45.800
protect, detect,
respond, and recover.

00:45.800 --> 00:47.270
The risk management
steps of this

00:47.270 --> 00:49.160
are to: prioritize and scope,

00:49.160 --> 00:53.480
orient, create a current
profile, risk assessment,

00:53.480 --> 00:57.350
and to create a target
profile, then to determine,

00:57.350 --> 00:59.330
analyze, and
prioritize your gaps

00:59.330 --> 01:02.460
and then finally to
implement your action plan.

01:02.780 --> 01:06.335
NIST also has their own
risk management framework.

01:06.335 --> 01:09.740
This is a requirement for
US federal agencies to use.

01:09.740 --> 01:11.780
The risk management
framework steps

01:11.780 --> 01:14.405
are to prepare, categorize,

01:14.405 --> 01:17.935
select controls,
implement, assess,

01:17.935 --> 01:19.925
authorize and then monitor.

01:19.925 --> 01:21.560
The International Organization

01:21.560 --> 01:23.255
for Standardization or ISO,

01:23.255 --> 01:25.790
has their own risk
management framework

01:25.790 --> 01:28.205
and this is known as ISO 31000.

01:28.205 --> 01:30.050
It is a comprehensive framework,

01:30.050 --> 01:32.810
but it also considers risks
that are outside of cyber.

01:32.810 --> 01:34.980
For example,
financial and legal.

01:34.980 --> 01:37.190
For the test, you want
to make sure that you

01:37.190 --> 01:39.725
understand what each of
these frameworks is.

01:39.725 --> 01:41.045
You don't necessarily
need to know

01:41.045 --> 01:43.720
all the details and what
all the steps mean,

01:43.720 --> 01:44.930
but just make sure that you

01:44.930 --> 01:46.220
understand the
difference between

01:46.220 --> 01:49.625
the risk management framework
and ISO 31000.

01:49.625 --> 01:51.409
You want to make sure that
you can differentiate

01:51.409 --> 01:53.430
those for the test.

01:54.590 --> 01:56.820
The Control Objectives for

01:56.820 --> 01:59.100
Information and Related
Technologies or COBIT

01:59.100 --> 02:00.620
frames risk according to

02:00.620 --> 02:02.599
the leadership of a
business organization.

02:02.599 --> 02:04.910
If you see a question
on the test that is

02:04.910 --> 02:07.295
related to the leadership
of an organization,

02:07.295 --> 02:08.755
you want to think COBIT.

02:08.755 --> 02:10.200
Its five components are

02:10.200 --> 02:12.500
framework, process descriptions,

02:12.500 --> 02:13.864
control objectives,

02:13.864 --> 02:17.250
management guidelines
and maturity models.

02:18.560 --> 02:21.470
The Committee of Sponsoring
Organizations of

02:21.470 --> 02:23.180
the Treadway Commission or COSO,

02:23.180 --> 02:25.445
has developed their
own framework.

02:25.445 --> 02:27.080
This is a group of five private

02:27.080 --> 02:28.700
sector organizations
that developed

02:28.700 --> 02:29.960
the framework and it's known as

02:29.960 --> 02:33.070
the Enterprise Risk Management
Integrated Framework.

02:33.070 --> 02:35.030
It defines risk management in

02:35.030 --> 02:37.220
the approach of
strategic leadership.

02:37.220 --> 02:39.050
Typically, you're going
to see questions that are

02:39.050 --> 02:42.270
related just to
the acronym COSO.

02:44.210 --> 02:47.550
Let's talk about the risk
management life cycle.

02:47.550 --> 02:49.520
It begins with identify.

02:49.520 --> 02:52.135
We have to know
what our risks are,

02:52.135 --> 02:53.440
what our assets are,

02:53.440 --> 02:54.610
what our vulnerabilities are.

02:54.610 --> 02:58.175
We begin by identifying all
of those. Then we assess.

02:58.175 --> 03:00.010
Now that we know what
all of those are,

03:00.010 --> 03:01.795
how do we go about

03:01.795 --> 03:04.480
identifying the ones that

03:04.480 --> 03:06.220
are the most likely
to be a threat to us,

03:06.220 --> 03:08.380
the ones that are most
likely to be exploited,

03:08.380 --> 03:10.225
and what can we end up doing.

03:10.225 --> 03:12.430
From there, we
implement our controls.

03:12.430 --> 03:13.720
How can we protect those?

03:13.720 --> 03:15.115
How can we mitigate the risk?

03:15.115 --> 03:17.800
How can we transfer the risk
if that's a possibility?

03:17.800 --> 03:19.600
How do we go about
ensuring that

03:19.600 --> 03:23.455
that risk is no longer as
risky or a risk at all to us?

03:23.455 --> 03:25.100
Then finally we review.

03:25.100 --> 03:26.550
Whatever we put in place,

03:26.550 --> 03:28.250
we want to make sure
that it's still working.

03:28.250 --> 03:30.410
Perhaps a technology

03:30.410 --> 03:32.450
that we installed was working
when we installed it,

03:32.450 --> 03:33.920
but it's no longer working now.

03:33.920 --> 03:36.860
The threat has migrated
into another form and we

03:36.860 --> 03:38.330
have to make sure
that the controls we

03:38.330 --> 03:39.950
have in place address
that as well.

03:39.950 --> 03:42.500
As you can see, this
is a continual cycle.

03:42.500 --> 03:44.640
You're going to constantly
go from identify,

03:44.640 --> 03:46.130
to assess, to
control and review,

03:46.130 --> 03:47.660
and then back to identify again.

03:47.660 --> 03:49.940
Because new
vulnerabilities or risks

03:49.940 --> 03:53.060
or exposures are
always coming up.

03:53.060 --> 03:55.310
We want to make sure that
we keep going through

03:55.310 --> 03:59.220
this process because it is
a never-ending process.

03:59.900 --> 04:03.065
Let's now talk about
control categories.

04:03.065 --> 04:04.820
There are three
control categories.

04:04.820 --> 04:07.220
These are the people,
technology, and processes,

04:07.220 --> 04:08.810
but they all work together

04:08.810 --> 04:10.280
and they're inseparable
from each other.

04:10.280 --> 04:12.590
People are the most
common area of

04:12.590 --> 04:14.120
concern because
they're the ones most

04:14.120 --> 04:15.950
likely to bypass controls.

04:15.950 --> 04:18.530
Processes are where we need
to make sure everything

04:18.530 --> 04:21.064
is documented and when you're
thinking about processes,

04:21.064 --> 04:22.295
think of it in terms as

04:22.295 --> 04:24.140
a step-by-step
instruction manual on

04:24.140 --> 04:26.199
how to do things in
your organization.

04:26.199 --> 04:28.160
Then technology by itself

04:28.160 --> 04:30.335
is not going to do
anything for us.

04:30.335 --> 04:32.510
We need to make
sure that we have

04:32.510 --> 04:34.940
processes in place that
help our technology to

04:34.940 --> 04:36.380
solve the problems and to

04:36.380 --> 04:38.255
help people to work
more efficiently

04:38.255 --> 04:42.530
without causing an
undue burden on them.

04:42.530 --> 04:45.110
But at the same time, we want
to make sure that it also

04:45.110 --> 04:47.770
limits those same people from
causing problems for us.

04:47.770 --> 04:50.465
You can see how all three
of these work together.

04:50.465 --> 04:52.250
We can't make any changes in one

04:52.250 --> 04:54.930
without it impacting
one or the other two.

04:56.330 --> 04:58.760
Control objectives.

04:58.760 --> 05:00.470
The five functions of the NIST

05:00.470 --> 05:02.540
cybersecurity
framework core are,

05:02.540 --> 05:04.760
first identify, protect,

05:04.760 --> 05:07.100
detect, respond and recover.

05:07.100 --> 05:09.110
You can see that we're
following a standard pattern

05:09.110 --> 05:11.485
across all of these different
types of frameworks.

05:11.485 --> 05:13.850
They all follow the
same basic model.

05:13.850 --> 05:15.170
We first have to identify.

05:15.170 --> 05:16.430
We have to know what we need to

05:16.430 --> 05:18.005
protect and what our risks are.

05:18.005 --> 05:19.415
Then we have to implement

05:19.415 --> 05:21.200
a protection
mechanism therefore.

05:21.200 --> 05:23.510
Then we have to build to
detect threats that are coming

05:23.510 --> 05:26.330
in and make sure that we're
able to respond to that.

05:26.330 --> 05:29.430
Then finally, we want
to be able to recover.

05:31.490 --> 05:34.185
Risk tracking methods.

05:34.185 --> 05:36.020
When we're implementing
all of these,

05:36.020 --> 05:37.490
we need to know if
they're working for us.

05:37.490 --> 05:40.625
This is where these different
tracking methods come in.

05:40.625 --> 05:43.735
The first one is the Key
Performance Indicator or KPI.

05:43.735 --> 05:45.410
It measures the performances of

05:45.410 --> 05:47.660
a program compared to
the desired goals.

05:47.660 --> 05:49.520
It will determine
the effectiveness

05:49.520 --> 05:52.205
based on current measurements
against the goals.

05:52.205 --> 05:54.620
With this, we're going
to see where we are,

05:54.620 --> 05:56.690
see what our measurements are,

05:56.690 --> 05:59.375
and look at it as compared
to where we want to be.

05:59.375 --> 06:03.665
Is this control or is this
system working well for us?

06:03.665 --> 06:05.780
If not, we need to
make some changes.

06:05.780 --> 06:08.515
Key risk indicator or KRI,

06:08.515 --> 06:12.335
by analyzing our key
performance indicators or KPIs,

06:12.335 --> 06:14.335
new risks may appear
in the trends.

06:14.335 --> 06:15.545
These risks should be

06:15.545 --> 06:18.020
analyzed and then
addressed proactively.

06:18.020 --> 06:20.405
Like I mentioned before,
it's an ongoing cycle.

06:20.405 --> 06:22.310
Just because we put
something in place today,

06:22.310 --> 06:23.330
doesn't mean it's
going to protect

06:23.330 --> 06:24.580
us from everything tomorrow,

06:24.580 --> 06:27.650
we have to keep analyzing and
make sure that we're always

06:27.650 --> 06:29.300
looking out for the new risks

06:29.300 --> 06:31.270
that we are going
to be exposed to.

06:31.270 --> 06:33.585
Then we also have
the risk register.

06:33.585 --> 06:37.185
This was first created
in ISO 27001.

06:37.185 --> 06:40.295
It is a visualization of
identified risks

06:40.295 --> 06:42.365
and their corresponding
controls.

06:42.365 --> 06:44.765
It is the most
recognized output of

06:44.765 --> 06:47.630
a risk management program and
it is a working document.

06:47.630 --> 06:50.855
Again, this is a constantly
evolving process.

06:50.855 --> 06:52.950
You have one risk today that

06:52.950 --> 06:55.420
you have put a control
in to mitigate that risk,

06:55.420 --> 06:56.720
but maybe tomorrow that's no

06:56.720 --> 06:59.610
longer a risk and something
new has come along.

07:00.959 --> 07:04.555
>> This is an example
of a risk register.

07:04.555 --> 07:08.230
We have a website being
hacked as a risk.

07:08.230 --> 07:11.320
The threat would be a
hacktivist and the impact would

07:11.320 --> 07:12.370
be high because it would take

07:12.370 --> 07:14.500
our corporate website offline.

07:14.500 --> 07:16.045
The likelihood is medium.

07:16.045 --> 07:17.380
Maybe that's because of some of

07:17.380 --> 07:19.300
the controls we already
have in place for it.

07:19.300 --> 07:21.520
Then we have a plan
in place if that were

07:21.520 --> 07:24.190
to become a real event for us,

07:24.190 --> 07:27.205
what we would do, and then
what our risk level is.

07:27.205 --> 07:29.860
As you can see,
you can put all of

07:29.860 --> 07:30.880
the risks that you've

07:30.880 --> 07:32.980
identified here and then
the level of threat,

07:32.980 --> 07:34.750
the level of impact,

07:34.750 --> 07:36.865
likelihood, and then
make a plan for it.

07:36.865 --> 07:39.925
This helps you to visualize
everything on one document.

07:39.925 --> 07:41.410
But keep in mind
again, like I said,

07:41.410 --> 07:43.240
this is an ever-evolving document.

07:43.240 --> 07:45.250
It's always going to be
moving forward based on

07:45.250 --> 07:49.250
the new risks that your
organization is exposed to.

07:50.070 --> 07:53.230
Risk appetite and
risk tolerance.

07:53.230 --> 07:56.530
Risk appetite, this
is often guided by

07:56.530 --> 07:59.980
regulations that an
organization is subjected to.

07:59.980 --> 08:01.270
This is defined as what

08:01.270 --> 08:03.640
an organization will
do to address risk.

08:03.640 --> 08:06.805
How necessary is it to
address a given risk?

08:06.805 --> 08:08.890
Many organizations will have

08:08.890 --> 08:11.080
a low risk tolerance because

08:11.080 --> 08:12.595
of the regulations
that they're under,

08:12.595 --> 08:14.830
they can't allow for
anything to happen.

08:14.830 --> 08:16.840
Whereas new
organizations such as

08:16.840 --> 08:19.120
startup companies may
have a high-risk appetite

08:19.120 --> 08:21.100
because they don't have
the resources in place

08:21.100 --> 08:23.920
necessarily to put all of
the controls in place.

08:23.920 --> 08:26.500
Every organization's risk
appetite is a little different.

08:26.500 --> 08:28.630
You need to make sure
that you understand what

08:28.630 --> 08:30.310
your organization's
risk appetite is

08:30.310 --> 08:31.840
before you go about making

08:31.840 --> 08:34.045
plans for implementing controls.

08:34.045 --> 08:36.700
Then risk tolerance is
the thresholds that

08:36.700 --> 08:38.425
separate the different levels

08:38.425 --> 08:40.164
of risk for an organization.

08:40.164 --> 08:42.490
It may be defined
by money, impact,

08:42.490 --> 08:45.205
scope, compliance,
privacy, or time.

08:45.205 --> 08:46.600
The level of risk that is

08:46.600 --> 08:49.580
acceptable to achieve
a certain goal.

08:51.120 --> 08:53.545
Risk caused by people.

08:53.545 --> 08:55.900
People will always
be the hardest part

08:55.900 --> 08:58.300
to manage in any
cybersecurity program.

08:58.300 --> 08:59.740
People are unpredictable.

08:59.740 --> 09:03.040
People will make mistakes
because of stress,

09:03.040 --> 09:04.480
or maybe they were tricked,

09:04.480 --> 09:06.070
for example, a phishing email.

09:06.070 --> 09:08.215
But sometimes they even
have malicious intent.

09:08.215 --> 09:09.625
But because of all of this,

09:09.625 --> 09:12.535
people are going to be
our biggest concern.

09:12.535 --> 09:14.620
Technology isn't
the only solution

09:14.620 --> 09:16.705
to help us with this
unique problem.

09:16.705 --> 09:18.535
We're going to
discuss some of those

09:18.535 --> 09:19.660
other ways that we can do

09:19.660 --> 09:20.920
things that don't necessarily

09:20.920 --> 09:23.570
relate to technology
specifically.

09:24.810 --> 09:27.415
We can use employment policies,

09:27.415 --> 09:29.785
for example, a
separation of duties.

09:29.785 --> 09:31.375
This is checks and balances.

09:31.375 --> 09:33.760
If someone is supposed
to do a type of work,

09:33.760 --> 09:37.225
they should not be the ones
to audit or monitor it.

09:37.225 --> 09:39.850
In addition, all
key roles are not

09:39.850 --> 09:42.475
given to one person in
case they are compromised.

09:42.475 --> 09:44.680
For example, the person who is
writing the checks is

09:44.680 --> 09:47.050
not also the one that is
balancing the checkbook.

09:47.050 --> 09:49.540
We want to make
sure that it's very

09:49.540 --> 09:50.860
easy to discover fraud

09:50.860 --> 09:52.315
when you have
separation of duties.

09:52.315 --> 09:55.120
If one person is doing everything
then it's very easy for

09:55.120 --> 09:56.470
that person to cover up anything

09:56.470 --> 09:58.210
that they might be doing.

09:58.210 --> 10:00.190
We also want to
use job rotation.

10:00.190 --> 10:01.750
No one should stay
in the same role

10:01.750 --> 10:03.070
for long periods of time.

10:03.070 --> 10:04.900
This helps to ensure
that the organization

10:04.900 --> 10:06.985
can't be controlled by
a single individual,

10:06.985 --> 10:09.595
but it also helps
prevent abuse of power.

10:09.595 --> 10:11.110
Another way of
looking at this in

10:11.110 --> 10:12.520
a positive way is that you have

10:12.520 --> 10:14.110
cross training so that you have

10:14.110 --> 10:16.090
multiple people that can
fulfill the same role.

10:16.090 --> 10:17.920
If someone went on vacation or

10:17.920 --> 10:19.885
someone was out sick for an
extended period of time,

10:19.885 --> 10:21.220
you have that to help you.

10:21.220 --> 10:23.275
But for our purposes with risk,

10:23.275 --> 10:25.150
we want to make
sure that we don't

10:25.150 --> 10:28.820
have one person that holds
all the keys to the kingdom.

10:30.180 --> 10:33.130
We can also use
mandatory vacations.

10:33.130 --> 10:35.350
This is forcing an
employee to take

10:35.350 --> 10:37.180
their vacation time and during

10:37.180 --> 10:39.610
that time another employee
will handle their role.

10:39.610 --> 10:41.350
This would allow for
discrepancies to

10:41.350 --> 10:43.120
be found if someone
were doctoring

10:43.120 --> 10:45.400
the books or some other type of

10:45.400 --> 10:47.230
fraudulent transaction
was occurring

10:47.230 --> 10:49.660
and it stopped while
they were on vacation,

10:49.660 --> 10:51.100
that would help us
to be able to more

10:51.100 --> 10:53.350
quickly identify
that to be an issue.

10:53.350 --> 10:56.830
Least privilege is making
sure that we're only granting

10:56.830 --> 10:58.450
the necessary level of

10:58.450 --> 11:00.445
access to perform
a given job role.

11:00.445 --> 11:02.860
We don't want to have
authorization creep

11:02.860 --> 11:05.290
where additional levels
of authorization

11:05.290 --> 11:06.970
were given to someone and that

11:06.970 --> 11:09.370
over time expanded
more and more and we

11:09.370 --> 11:11.200
never went back and
removed those after

11:11.200 --> 11:14.365
a particular task was completed.

11:14.365 --> 11:16.675
They no longer need
that level of access.

11:16.675 --> 11:18.310
This is really hard to manage.

11:18.310 --> 11:20.230
You have to make
sure that you're

11:20.230 --> 11:23.440
auditing your users on a regular basis for

11:23.440 --> 11:25.360
what levels of
privilege they have, so

11:25.360 --> 11:27.340
that if

11:27.340 --> 11:28.390
they needed it and
they no longer

11:28.390 --> 11:29.710
do, it needs to be removed.

11:29.710 --> 11:32.260
This is critical to help ensure

11:32.260 --> 11:33.460
that people aren't getting into

11:33.460 --> 11:35.305
areas that they're not
supposed to be in.

11:35.305 --> 11:37.330
We also need to make
sure we have employment

11:37.330 --> 11:38.680
and termination procedures,

11:38.680 --> 11:41.710
onboarding and termination
procedures that will outline

11:41.710 --> 11:43.240
all of the steps
that are necessary

11:43.240 --> 11:44.965
for each stage to be completed.

11:44.965 --> 11:46.360
When someone new comes on,

11:46.360 --> 11:48.445
there should be a checklist
that you follow to say,

11:48.445 --> 11:50.455
these are the things that
need to be performed.

11:50.455 --> 11:51.835
We need to issue a
key to the building.

11:51.835 --> 11:53.080
We need to give
them an alarm code.

11:53.080 --> 11:55.540
We need to give them
a key access card.

11:55.540 --> 11:56.830
We need to create

11:56.830 --> 11:57.880
a user account and give them

11:57.880 --> 11:59.485
these privileges,
that type of thing.

11:59.485 --> 12:01.870
Then the opposite is true
when they're terminated.

12:01.870 --> 12:03.745
We need to make sure
that we collect the key,

12:03.745 --> 12:06.040
change the alarm code,
whatever needs to be done.

12:06.040 --> 12:09.280
But so many of those things
fall through the cracks.

12:09.280 --> 12:12.220
A really common
one is when a user

12:12.220 --> 12:14.905
is terminated and no one
turned off their VPN access.

12:14.905 --> 12:16.150
That is very common.

12:16.150 --> 12:17.830
You can see that a lot with

12:17.830 --> 12:20.950
angry employees or former
employees that had been fired,

12:20.950 --> 12:22.030
but their VPN access was

12:22.030 --> 12:23.380
still on and they
were able to get into

12:23.380 --> 12:27.800
the system and either
wreak havoc or steal data.

12:30.420 --> 12:32.920
We can use awareness training.

12:32.920 --> 12:36.040
This is helping employees to
understand security risks.

12:36.040 --> 12:37.750
Employees aren't
thinking about security

12:37.750 --> 12:39.610
like cybersecurity
professionals are.

12:39.610 --> 12:41.020
We need to help
them to understand

12:41.020 --> 12:43.150
what their responsibilities
and their roles are.

12:43.150 --> 12:44.890
But the key point here is that

12:44.890 --> 12:47.019
training needs to be
tailored to the audiences.

12:47.019 --> 12:49.030
Because, for example,
management doesn't need to

12:49.030 --> 12:51.550
receive the same type of
training as technical staff.

12:51.550 --> 12:54.685
When you create your
awareness training system,

12:54.685 --> 12:56.335
make sure that
you're targeting it

12:56.335 --> 12:59.095
towards the right content,
towards the right group.

12:59.095 --> 13:01.450
We also have auditing
requirements.

13:01.450 --> 13:04.360
Auditing is a necessary part
of any security program.

13:04.360 --> 13:07.795
It's time-consuming and
it's not a lot of fun.

13:07.795 --> 13:09.310
But we need to make sure
that we're auditing

13:09.310 --> 13:11.500
account activities such as
the creation, deletion,

13:11.500 --> 13:13.225
and modification
of user accounts,

13:13.225 --> 13:16.540
access rights, as I mentioned
before, and account usage.

13:16.540 --> 13:19.629
The frequency of audits will
be determined by policies,

13:19.629 --> 13:21.025
but also in trends.

13:21.025 --> 13:22.930
The key is that
auditing is looking for

13:22.930 --> 13:25.670
abnormal behavior or activity.

13:27.000 --> 13:29.740
Let's summarize. We discussed

13:29.740 --> 13:31.150
risk frameworks and we went

13:31.150 --> 13:32.980
over the risk
management life cycle.

13:32.980 --> 13:35.170
We went over the
control categories and

13:35.170 --> 13:36.850
risk tracking
methods and then we

13:36.850 --> 13:39.550
discussed the risk that
is caused by people.

13:39.550 --> 13:41.935
Let's do some example questions.

13:41.935 --> 13:44.710
Question 1. This would

13:44.710 --> 13:46.390
be used to force an
employee to take

13:46.390 --> 13:47.980
a leave of absence
during which time

13:47.980 --> 13:50.275
another person will
handle their work roles.

13:50.275 --> 13:54.320
This can spot activity that
the employee was hiding.

13:54.600 --> 13:58.765
Mandatory vacation. Question 2.

13:58.765 --> 14:01.210
This tool outlines the
risks an organization may

14:01.210 --> 14:03.650
face where the threat
could come from,

14:03.650 --> 14:05.525
the risk level, and the actions

14:05.525 --> 14:07.920
to be taken if it occurs.

14:08.520 --> 14:12.910
Risk register. Question 3.

14:12.910 --> 14:14.660
This framework is required for

14:14.660 --> 14:17.300
US federal agencies to
manage cybersecurity risks.

14:17.300 --> 14:19.500
It has seven steps.

14:19.890 --> 14:23.065
NIST risk management framework.

14:23.065 --> 14:24.895
Finally, Question 4.

14:24.895 --> 14:28.740
This would be used to
combat authorization creep.

14:29.550 --> 14:31.975
Least privilege. I hope

14:31.975 --> 14:33.245
this lesson was helpful for you,

14:33.245 --> 14:35.220
and I'll see you
in the next one.

