1
00:00:00,005 --> 00:00:03,000
- [Instructor] Risk management is a complex topic,

2
00:00:03,000 --> 00:00:05,007
and fortunately organizations don't need

3
00:00:05,007 --> 00:00:08,002
to design their own risk management processes

4
00:00:08,002 --> 00:00:09,007
from the ground up.

5
00:00:09,007 --> 00:00:11,002
Risk management frameworks

6
00:00:11,002 --> 00:00:14,001
provide proven, time-tested techniques

7
00:00:14,001 --> 00:00:17,001
for performing enterprise risk management.

8
00:00:17,001 --> 00:00:18,005
One of the most widely used

9
00:00:18,005 --> 00:00:20,006
risk management frameworks was developed

10
00:00:20,006 --> 00:00:24,000
by the National Institute of Standards and Technology,

11
00:00:24,000 --> 00:00:26,007
a US federal government agency.

12
00:00:26,007 --> 00:00:28,005
The NIST process is mandatory

13
00:00:28,005 --> 00:00:31,000
for many government computer systems,

14
00:00:31,000 --> 00:00:34,003
but private organizations have also widely adopted it

15
00:00:34,003 --> 00:00:37,002
because they find it a helpful approach.

16
00:00:37,002 --> 00:00:42,009
The framework is found in NIST Special Publication 800-37.

17
00:00:42,009 --> 00:00:45,006
This document runs over 60 pages

18
00:00:45,006 --> 00:00:48,001
and includes great detail on the framework

19
00:00:48,001 --> 00:00:51,009
that is good reading for anyone involved in risk management.

20
00:00:51,009 --> 00:00:56,000
The publication is available for free on NIST's website.

21
00:00:56,000 --> 00:00:57,003
For our purposes,

22
00:00:57,003 --> 00:00:59,009
an overview of the six steps in the process

23
00:00:59,009 --> 00:01:03,006
will be more than enough to prepare for the CISSP exam.

24
00:01:03,006 --> 00:01:06,002
This diagram shows the six steps involved

25
00:01:06,002 --> 00:01:09,001
in risk management, according to NIST.
26
00:01:09,001 --> 00:01:11,000
Before beginning the process,

27
00:01:11,000 --> 00:01:13,002
the organization should gather information

28
00:01:13,002 --> 00:01:15,004
from two categories.

29
00:01:15,004 --> 00:01:17,003
The first set of information involves

30
00:01:17,003 --> 00:01:19,003
the technology architecture

31
00:01:19,003 --> 00:01:21,004
and includes reference models,

32
00:01:21,004 --> 00:01:23,001
technical details,

33
00:01:23,001 --> 00:01:25,002
business process information,

34
00:01:25,002 --> 00:01:27,006
and information system boundaries.

35
00:01:27,006 --> 00:01:29,005
The second input to the process

36
00:01:29,005 --> 00:01:32,004
is organization-specific information,

37
00:01:32,004 --> 00:01:36,009
including the laws, regulations, and policies that apply,

38
00:01:36,009 --> 00:01:39,004
the strategy of the organization,

39
00:01:39,004 --> 00:01:41,002
its priorities,

40
00:01:41,002 --> 00:01:43,000
resource availability,

41
00:01:43,000 --> 00:01:45,001
and supply chain information.

42
00:01:45,001 --> 00:01:46,009
After gathering this information,

43
00:01:46,009 --> 00:01:49,001
the organization enters step one

44
00:01:49,001 --> 00:01:51,002
of the risk management framework,

45
00:01:51,002 --> 00:01:55,000
where it categorizes the information system being assessed,

46
00:01:55,000 --> 00:01:58,006
as well as the information that will be stored, processed,

47
00:01:58,006 --> 00:02:00,009
and transmitted by the system.

48
00:02:00,009 --> 00:02:04,008
This is normally done by performing an impact assessment.

49
00:02:04,008 --> 00:02:08,007
In step two, the organization selects the security controls

50
00:02:08,007 --> 00:02:12,005
that should be used to manage risk to the information system.

51
00:02:12,005 --> 00:02:14,000
This selection is based upon

52
00:02:14,000 --> 00:02:17,001
the system's categorization from step one.
53
00:02:17,001 --> 00:02:19,003
The organization will likely begin

54
00:02:19,003 --> 00:02:22,004
by selecting a standard baseline of controls

55
00:02:22,004 --> 00:02:25,008
and then adding or subtracting specific controls

56
00:02:25,008 --> 00:02:30,001
to tailor that baseline to the system's specific needs.

57
00:02:30,001 --> 00:02:32,000
After selecting controls,

58
00:02:32,000 --> 00:02:34,004
the organization moves to step three,

59
00:02:34,004 --> 00:02:37,006
where it implements the selected controls.

60
00:02:37,006 --> 00:02:39,008
Then, in step four,

61
00:02:39,008 --> 00:02:42,008
the organization performs a control assessment

62
00:02:42,008 --> 00:02:44,005
to determine whether the controls

63
00:02:44,005 --> 00:02:46,003
were correctly implemented,

64
00:02:46,003 --> 00:02:48,002
if they're operating correctly,

65
00:02:48,002 --> 00:02:51,003
and whether they meet the security requirements.

66
00:02:51,003 --> 00:02:53,003
After this assessment is complete,

67
00:02:53,003 --> 00:02:56,001
the organization then enters step five,

68
00:02:56,001 --> 00:02:59,009
where it authorizes operation of the information system.

69
00:02:59,009 --> 00:03:01,001
In the federal government,

70
00:03:01,001 --> 00:03:03,009
authorization is a very formal process,

71
00:03:03,009 --> 00:03:06,004
where a senior government official must accept

72
00:03:06,004 --> 00:03:08,005
any remaining risks.

73
00:03:08,005 --> 00:03:11,000
Once a system is authorized and running,

74
00:03:11,000 --> 00:03:14,002
we move to step six of the risk assessment framework,

75
00:03:14,002 --> 00:03:17,001
where the organization monitors the security controls

76
00:03:17,001 --> 00:03:21,005
on an ongoing basis to ensure their continued effectiveness

77
00:03:21,005 --> 00:03:24,007
and respond to any environmental changes.

78
00:03:24,007 --> 00:03:27,005
If this monitoring detects significant issues,

79
00:03:27,005 --> 00:03:29,002
the cycle may begin anew.