1
00:00:00,004 --> 00:00:02,002
- [Narrator] Once you complete a risk assessment

2
00:00:02,002 --> 00:00:05,006
for your organization, you're left with a prioritized list

3
00:00:05,006 --> 00:00:08,000
of risks that require your attention.

4
00:00:08,000 --> 00:00:09,009
Risk management is the process

5
00:00:09,009 --> 00:00:12,009
of systematically analyzing potential responses

6
00:00:12,009 --> 00:00:15,009
to each risk and implementing strategies

7
00:00:15,009 --> 00:00:18,000
to control those risks appropriately.

8
00:00:18,000 --> 00:00:20,005
No matter what type of risk you're managing,

9
00:00:20,005 --> 00:00:22,002
you have five basic options

10
00:00:22,002 --> 00:00:24,000
for addressing the situation.

11
00:00:24,000 --> 00:00:28,001
You can perform risk avoidance, risk transference,

12
00:00:28,001 --> 00:00:32,008
risk mitigation, risk acceptance, or risk deterrence.

13
00:00:32,008 --> 00:00:35,008
When you avoid a risk, you change your organization's

14
00:00:35,008 --> 00:00:38,005
business practices so that you are no longer

15
00:00:38,005 --> 00:00:41,007
in a position where that risk can affect your business.

16
00:00:41,007 --> 00:00:44,002
In the last video we performed a risk assessment

17
00:00:44,002 --> 00:00:46,004
of the risk that flooding posed

18
00:00:46,004 --> 00:00:48,002
to an organization's data center.

19
00:00:48,002 --> 00:00:50,009
If we chose to pursue a risk avoidance strategy

20
00:00:50,009 --> 00:00:53,008
for that risk, we might relocate our data center

21
00:00:53,008 --> 00:00:57,002
to a facility where there is no risk of flood damage.

22
00:00:57,002 --> 00:01:00,002
Transferring a risk attempts to shift the impact

23
00:01:00,002 --> 00:01:04,000
of a risk from your organization to another organization.

24
00:01:04,000 --> 00:01:06,004
The most common example of risk transference

25
00:01:06,004 --> 00:01:08,002
is an insurance policy.

26
00:01:08,002 --> 00:01:11,000
Many organizations are now also considering the purchase

27
00:01:11,000 --> 00:01:13,008
of cyber liability insurance to protect

28
00:01:13,008 --> 00:01:15,005
against the financial damage caused

29
00:01:15,005 --> 00:01:17,009
by hackers and identity theft.

30
00:01:17,009 --> 00:01:19,008
It's important to remember, however,

31
00:01:19,008 --> 00:01:23,001
that you can't always transfer a risk completely.

32
00:01:23,001 --> 00:01:25,007
For example, you can purchase insurance

33
00:01:25,007 --> 00:01:27,003
to cover the financial damage

34
00:01:27,003 --> 00:01:29,000
caused by a security breach,

35
00:01:29,000 --> 00:01:31,008
but no insurance policy can repair

36
00:01:31,008 --> 00:01:35,006
your business' reputation in the eyes of your customers.

37
00:01:35,006 --> 00:01:37,004
In our flood risk example

38
00:01:37,004 --> 00:01:39,008
we might choose to transfer the financial risk

39
00:01:39,008 --> 00:01:41,002
of our data center flooding

40
00:01:41,002 --> 00:01:44,001
from our organization to an insurance company

41
00:01:44,001 --> 00:01:46,001
by purchasing flood insurance.

42
00:01:46,001 --> 00:01:48,007
Risk mitigation takes actions designed

43
00:01:48,007 --> 00:01:52,007
to reduce the likelihood and/or impact of a risk.

44
00:01:52,007 --> 00:01:54,005
Most security professionals

45
00:01:54,005 --> 00:01:56,001
spend the majority of their time

46
00:01:56,001 --> 00:01:59,001
performing risk mitigation activities.

47
00:01:59,001 --> 00:02:00,008
If we wanted to mitigate the risk

48
00:02:00,008 --> 00:02:02,004
of our data center flooding,

49
00:02:02,004 --> 00:02:05,001
we might engage a flood control specialist

50
00:02:05,001 --> 00:02:07,007
to install systems designed to divert water

51
00:02:07,007 --> 00:02:09,005
away from our facility.

52
00:02:09,005 --> 00:02:12,001
In almost every risk assessment,

53
00:02:12,001 --> 00:02:14,000
managers find themselves confronted

54
00:02:14,000 --> 00:02:16,003
with a very long list of risks

55
00:02:16,003 --> 00:02:18,005
and inadequate resources to avoid,

56
00:02:18,005 --> 00:02:21,006
transfer, or mitigate all of them.

57
00:02:21,006 --> 00:02:24,001
For business reasons, they must accept

58
00:02:24,001 --> 00:02:25,008
some of those risks.

59
00:02:25,008 --> 00:02:27,006
Risk acceptance should take place

60
00:02:27,006 --> 00:02:29,009
only as part of a thoughtful analysis

61
00:02:29,009 --> 00:02:32,003
that determines the cost of performing

62
00:02:32,003 --> 00:02:34,003
another risk management action

63
00:02:34,003 --> 00:02:37,005
outweighs the benefit of controlling the risk.

64
00:02:37,005 --> 00:02:39,009
In our flooding scenario we might conclude

65
00:02:39,009 --> 00:02:42,000
that all of the other risk management options

66
00:02:42,000 --> 00:02:45,003
are too costly and decide to continue operations

67
00:02:45,003 --> 00:02:47,004
in our current facility as is

68
00:02:47,004 --> 00:02:51,002
and deal with the aftermath of a flood should it occur.

69
00:02:51,002 --> 00:02:53,007
The federal government uses a very formal

70
00:02:53,007 --> 00:02:56,003
risk acceptance process for information systems

71
00:02:56,003 --> 00:02:58,006
known as system authorization.

72
00:02:58,006 --> 00:03:01,006
When a new information system is put in place,

73
00:03:01,006 --> 00:03:04,005
a senior official must make a management decision

74
00:03:04,005 --> 00:03:07,003
to authorize the operation of that system.

75
00:03:07,003 --> 00:03:09,004
According to the National Institute

76
00:03:09,004 --> 00:03:11,000
for Standards and Technology,

77
00:03:11,000 --> 00:03:13,007
this system authorization decision

78
00:03:13,007 --> 00:03:16,009
must include explicitly accepting the risk

79
00:03:16,009 --> 00:03:19,005
to organizational operations and assets,

80
00:03:19,005 --> 00:03:22,004
individuals, other organizations,

81
00:03:22,004 --> 00:03:25,007
and the nation based upon the implementation

82
00:03:25,007 --> 00:03:29,001
of an agreed-upon set of security controls.

83
00:03:29,001 --> 00:03:32,008
The final risk management strategy is risk deterrence.

84
00:03:32,008 --> 00:03:34,003
When you deter a risk

85
00:03:34,003 --> 00:03:36,005
you take actions that dissuade a threat

86
00:03:36,005 --> 00:03:40,005
from exploiting a vulnerability in your security controls.

87
00:03:40,005 --> 00:03:42,008
There's really no way to reason with a flood

88
00:03:42,008 --> 00:03:45,000
so there aren't any risk deterrence options

89
00:03:45,000 --> 00:03:46,008
for our flooding scenario.

90
00:03:46,008 --> 00:03:49,007
If you think about the risk of physical intrusion, however,

91
00:03:49,007 --> 00:03:51,004
there are many ways that you could deter

92
00:03:51,004 --> 00:03:52,008
a potential burglar.

93
00:03:52,008 --> 00:03:55,009
Fences and guard dogs are great examples.

94
00:03:55,009 --> 00:03:58,006
One sight of an imposing barbed wire fence

95
00:03:58,006 --> 00:04:01,002
or a snarling dog and any intruder

96
00:04:01,002 --> 00:04:03,005
is likely to move on to a softer target.