From the course: Cybersecurity Foundations

Recording, reporting, and the risk context

[Instructor] A key part of risk management is maintaining a record of the risks that have been identified and, where relevant, tracking the progress of work to reduce the risk. The normal way to record risks is in a risk register. This could be a manual record, but more usually it's automated. The basic form of automation is using a spreadsheet, as shown here. Larger organizations may use the more sophisticated governance, risk and controls, or GRC, solutions, although the principle as far as managing risk is the same. The risk register contains the basic risk information, such as an ID and name, classification information, and the risk owner. It also contains a summary of the consequences of a risk being realized. The risk information is usually presented in two ways. The first is the inherent risk, assuming no controls are in place. This is useful to know because it determines how strong the controls need to be. The higher the risk, the stronger the control. Then the control details are provided and a residual risk is calculated to show the current risk that is being experienced by the business.

Take a few minutes to set up your own spreadsheet risk register as we've just discussed, and add an entry, "malware infection". Think about your own situation. What could be the root cause, the consequence, and the inherent risk level? What controls do you have in place, and what is the residual level of risk?

Risks can be shown as bubbles on what's known as a risk heat map, where individual risks are charted in the cell which exists at the intersection of the likelihood row and the impact column. This is sometimes called a risk bubble chart. A typical approach to managing risks is to accept any very low risks, which appear in the green area. Low risks, shown in the gold area, are accepted but monitored to ensure they don't increase. Medium risks in the yellow area are scheduled for routine remediation work, and high and very high risks are shown together here in the red area and require immediate remediation. This form of risk chart is very common and it provides a succinct way to present a high-level picture of the risks. Sometimes the bubble chart is enhanced to show the planned progress of mitigations, using an arrow and a bubble to identify the final expected risk level after mitigation. This is a powerful way to show the work being done to reduce risk.

The term "risk context" refers to the risk bubble chart and the tables used to determine likelihood and impact. Here we can see the tables representing the five levels of likelihood, which make up the vertical axis on the heat map, and the multiple tables representing different perspectives on impact, which together make up the horizontal axis. These tables are typically developed specifically for the business by their risk officer. The risk context should also include guidance on the actions required to be taken at each risk level, reflecting more urgent action and more intense oversight at the higher levels of business risk.
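The register, the inherent-versus-residual calculation and the heat-map zones described above, worked through in code. This is an added example and not part of the course; the five-level scales, the score thresholds for the green, gold, yellow and red zones, the control "reduction" model and the sample "malware infection" entry are all assumptions constructed for illustration, since a real organisation's likelihood and impact tables are set by its risk officer.

```python
"""Minimal risk register with inherent and residual risk and heat-map placement.

Added example, not the course's material. The 1..5 scales, zone thresholds,
control model and sample entry are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# Assumed five-level likelihood (heat-map rows) and impact (columns) scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed mapping of likelihood x impact onto the chart's zones, with the
# handling the transcript associates with each zone.
ZONES = [
    (4, "very low", "green", "accept"),
    (8, "low", "gold", "accept and monitor"),
    (12, "medium", "yellow", "schedule routine remediation"),
    (25, "high / very high", "red", "remediate immediately"),
]


@dataclass
class Control:
    """A control lowers likelihood and/or impact by a number of levels (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register row: identity, classification, owner, consequence, assessment, controls."""
    risk_id: str
    name: str
    classification: str
    owner: str
    root_cause: str
    consequence: str
    likelihood: str          # key into LIKELIHOOD
    impact: str              # key into IMPACT
    controls: list = field(default_factory=list)


def zone(score: int) -> tuple:
    """Return (rating, colour, action) for a likelihood x impact score."""
    for upper, rating, colour, action in ZONES:
        if score <= upper:
            return rating, colour, action
    raise ValueError(f"score {score} outside the 5x5 heat map")


def inherent_levels(risk: Risk) -> tuple:
    """Likelihood and impact levels with no controls applied."""
    return LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]


def residual_levels(risk: Risk) -> tuple:
    """Levels after each control's reduction, never dropping below 1."""
    lik, imp = inherent_levels(risk)
    for ctl in risk.controls:
        lik = max(1, lik - ctl.likelihood_reduction)
        imp = max(1, imp - ctl.impact_reduction)
    return lik, imp


def inherent_score(risk: Risk) -> int:
    lik, imp = inherent_levels(risk)
    return lik * imp


def residual_score(risk: Risk) -> int:
    lik, imp = residual_levels(risk)
    return lik * imp


def heat_map(risks: list) -> dict:
    """Bubble chart as a dict keyed (likelihood, impact) -> risk IDs, on residual risk."""
    cells = {}
    for r in risks:
        cells.setdefault(residual_levels(r), []).append(r.risk_id)
    return cells


def sample_register() -> list:
    """Constructed sample entry mirroring the transcript's exercise."""
    malware = Risk(
        risk_id="R-001", name="Malware infection", classification="Technology",
        owner="Head of IT", root_cause="User opens a malicious attachment",
        consequence="Loss of data availability and clean-up costs",
        likelihood="likely", impact="major",
        controls=[Control("Endpoint protection", likelihood_reduction=2),
                  Control("Offline backups", impact_reduction=1)],
    )
    return [malware]


if __name__ == "__main__":
    for r in sample_register():
        inh, res = inherent_score(r), residual_score(r)
        print(r.risk_id, r.name, "inherent:", inh, zone(inh)[:2], "residual:", res, zone(res))
```

The register keeps both numbers on purpose: the inherent score says how strong the controls must be, and the residual score is what the business is actually carrying and where the bubble sits on the chart. Swap the assumed `ZONES` thresholds and scales for your own risk officer's tables.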