- [Instructor] Cybersecurity teams have a wide variety of risk identification, assessment, and management tools at their disposal. You've already learned about many of them in this course. Risk visibility and reporting techniques ensure that the results of these risk management processes are clearly documented and tracked over time.

The core tool that most organizations use for maintaining ongoing visibility into risks is the risk register. The risk register is a centralized document that tracks information about the nature and status of each risk facing the organization. Risk registers may be used on an organization-wide basis, or they may be used to track the risks associated with a single project or subject domain. In some cases, risk registers may be referred to as risk logs.

Risk registers vary from organization to organization, but they typically contain the following types of information: a description of each risk; a categorization scheme used to group the risks into similar segments; the results of a risk assessment, including the probability and impact of each risk; and a risk rating calculated by multiplying the probability and impact scores. The risk register may also include actions taken to manage the risk, including specific risk mitigation steps that are either completed or still in progress.

Here's an example of a risk register that I helped develop with a group called Educos. This is a tool used to help higher education IT organizations manage high-level technology risks facing their institutions. For example, the first risk here is stated as "IT governance and priorities are not aligned with institutional priorities." It then goes on to explain the cause and potential impact of that risk. If we move further down to risk number four, it talks about what might happen if the institution lacks a succession plan for key IT leaders. This risk register also includes a place for organizations to input the likelihood, impact, and time horizon that they think this risk might face their institution.

For example, if I think about my own organization and assess that I really don't have any succession plan in place, I might rate the likelihood of this risk as high, giving it a value of three. I then might go on to say the impact of this is maybe a two; it might have a medium impact on my organization if I lose a key leader and don't have a succession plan in place. In the time horizon, I might think that my current leadership team is pretty stable, so I'm going to rate this a one. I color-coded these risks green, yellow, or red depending upon whether they were low, medium, or high, and then it computed a risk score as the product of those three values.

When developing a risk register, the organization has many sources of information available to help populate the register with risks. These include the results of formal risk assessments conducted by the organization, audit findings identified by internal or external auditors, risks identified by members of the IT team, and threat intelligence information contributed by third parties.

Threat intelligence is playing an increasingly important role in many organizations' efforts to maintain visibility into the risks that they face. By sharing threat intelligence, organizations may pool their knowledge to help combat external threats, either by purchasing a threat intelligence service from a vendor or by joining a threat intelligence sharing consortium. Threat intelligence sharing efforts provide an anonymized way for organizations to communicate with each other about the nature and characteristics of attacks that they experience. Threat intelligence information may be used to monitor risk trends in a general way, or this information may be used operationally to create, for example, a blacklist of IP addresses known to be the source of attacks.

Today's cybersecurity environment is complex, with many different risks facing organizations. The use of risk registers, threat intelligence, and similar solutions helps organizations maintain visibility into these risks as they seek to manage them.
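A small register in the shape the lecture describes (description, category, likelihood, impact and time horizon rated 1 to 3, green/yellow/red colour coding, mitigation steps with their status, and a score that is the product of the three rated values), as an added example that is not the Educos tool or the course's own code. The field names, the time-horizon scale and the sample entries are assumptions.

```python
"""Minimal risk register modelled on the register walked through in the lecture.

Added example, not the Educos tool. Field names, the 1-3 time-horizon scale and
the sample rows are assumptions chosen to match the lecture's own ratings
(likelihood high = 3, impact medium = 2, stable leadership = time horizon 1).
"""
from dataclasses import dataclass, field

SCALE = {1: "green", 2: "yellow", 3: "red"}   # low / medium / high
FACTORS = ("likelihood", "impact", "time_horizon")


@dataclass
class Risk:
    risk_id: int
    description: str
    category: str            # the register's categorization scheme
    likelihood: int          # 1 (low) .. 3 (high)
    impact: int              # 1 (low) .. 3 (high)
    time_horizon: int = 1    # 1 (distant / stable) .. 3 (imminent); assumed scale
    mitigations: list = field(default_factory=list)  # (step, "done" | "in progress")

    def __post_init__(self):
        # Reject ratings outside the 1-3 scale so a bad entry cannot skew the score.
        for name in FACTORS:
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    def score(self) -> int:
        """Risk score as the product of the three rated values (1..27)."""
        return self.likelihood * self.impact * self.time_horizon

    def colors(self) -> dict:
        """Green/yellow/red per factor, the way the register colour-codes them."""
        return {name: SCALE[getattr(self, name)] for name in FACTORS}


def register_report(risks) -> list:
    """Rows sorted highest score first: (risk_id, score, open mitigation steps)."""
    rows = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        open_steps = sum(1 for _, status in r.mitigations if status != "done")
        rows.append((r.risk_id, r.score(), open_steps))
    return rows


# Constructed sample entries following the two risks the lecture discusses.
SAMPLE = [
    Risk(1, "IT governance and priorities are not aligned with institutional priorities",
         "governance", likelihood=2, impact=3, time_horizon=2,
         mitigations=[("Establish IT steering committee", "done")]),
    Risk(4, "No succession plan for key IT leaders", "staffing",
         likelihood=3, impact=2, time_horizon=1,
         mitigations=[("Identify a deputy for each key leader", "in progress")]),
]
```

`register_report(SAMPLE)` gives the register view sorted by score, so the highest-rated risk and its still-open mitigation steps surface first.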