What is risk Assessment? “Am I not assessing risk already?”
- I have completed a regulatory compliance review.
- I'm doing a vulnerability scan.
Risk assessment is about reviewing all the ways in which risk
You can be fully compliant and still have risk.
Risk assessment is affected by: Process, Personnel, Equipment, Configurations, Products, and Vendors.
These factors are always changing and can introduce risk into your company.
Risk assessment helps you be successful by ensuring your processes are predictive, documented, communicated, planned, responsive, and evolving.
Assessment, Review, Repetition, and Improvement.
Help employees adapt to the changing landscape.
Top Risk Areas
PR.AT-1: All users are informed and trained.
ID.RA-3: Threats, both internal and external, are identified.
DE.AE-2: Detected events are analyzed and understood.
DE.CM-1: The network is monitored to detect potential threats.
DE.CM-3: Personnel activity is monitored to detect P
ID.RA-2: Threat and vulnerability information is received.
ID.RA-1: Asset vulnerabilities are identified and documented.
RS.RP-1: Response plan is executed during or after an.
Should I be assessing risk already?
Categories:
1. Risk Assessment – Identifies and analyzes potential future events that could negatively impact individuals, assets, and/or the environment.
2. Vulnerability Scanning – The inspection of the potential points of exploit on a computer or network to detect and classify system weaknesses and predict the
3. Threat Detection – Designed to detect attacks that employ advanced malware and persistent remote access to steal sensitive data over time.
Sandboxing
Behavioral Analysis
Automated Monitoring
Detection Mechanisms
Each requires a different approach, tools specialized for that purpose, and resources that can properly utilize these tools.
What is your risk tolerance? Which risk will you accept? Which risk will you mitigate?
How far do you go to safeguard data?
What are you doing?
What do you need to do?
NIST Cybersecurity Framework
Recover, Identify, Protect, Respond, Detect
Categories – Identity Management, Access Controls, Assess Your Risk.
Within each category – controls and sub-controls.
Prepare, Review, Communicate, Remediate
Cybersecurity Stats
69% of SMBs HAVE NOT identified & documented cybersecurity threats
66% of SMBs HAVE NOT identified & documented cybersecurity vulnerabilities
57% of SMBs HAVE NOT informed & trained all users on cybersecurity
48% of SMBs HAVE NOT analyzed cybersecurity attack TARGETS & METHODS
48% of SMBs DO NOT have a RESPONSE PLAN for a cybersecurity incident.
43% of SMBs DO NOT have a recovery plan for a cybersecurity incident.
Create an ACTION PLAN
“Change doesn’t happen overnight”
Configuration can be modified.
Accepted risk should be well documented.
When was the risk found? Why is it being accepted?
Control to reduce risk.
Timeframe to mitigate risk.
Milestones with shorter timeframes.
1. Assess your current risks – Critical, High, Medium, Low, etc.
2. Decide which risks to add to your Action Plan. Which ones will you handle this week, month, quarter, etc.?
3. Which ones will have to wait until next year? Decide on your timeframe for Action Plan completion.
4. Execute your Action Plan.
5. Reassess your current profile at the end of the timeframe.
6. Repeat! Remember: risks change, employees change, configurations change. Don’t assume that once you mitigate a risk, it’s gone for good.
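As an added illustration of the action plan steps above (not code from the original slides), a small Python risk register that records, for each risk, when it was found, the reason for accepting it, the control that reduces it, the timeframe to mitigate it and shorter milestones, and then answers the questions the plan asks: what goes into this timeframe's plan, what has slipped, and which accepted risks are missing documentation. All entries, identifiers and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Risk:
    ident: str
    description: str
    severity: str                         # Critical / High / Medium / Low
    found: date                           # when the risk was found
    accepted_reason: str | None = None    # why it is being accepted for now
    control: str = ""                     # control that reduces the risk meanwhile
    mitigate_by: date | None = None       # timeframe to mitigate the risk
    milestones: list = field(default_factory=list)  # (date, description) pairs
    closed: date | None = None            # set once mitigation is verified

def action_plan(register, horizon):
    """Open risks due on or before the horizon, most severe and soonest first."""
    picked = [r for r in register if r.closed is None and r.mitigate_by and r.mitigate_by <= horizon]
    picked.sort(key=lambda r: (SEVERITY_RANK[r.severity], r.mitigate_by))
    return [r.ident for r in picked]

def overdue(register, today):
    """Open risks whose deadline or any milestone has already slipped."""
    return [r.ident for r in register if r.closed is None and
            ((r.mitigate_by and r.mitigate_by < today) or any(d < today for d, _ in r.milestones))]

def incomplete_acceptances(register):
    """Accepted, still-open risks missing the control, timeframe or milestones that document them."""
    gaps = {}
    for r in register:
        if r.accepted_reason is None or r.closed is not None:
            continue
        checks = (("control", bool(r.control)), ("timeframe", r.mitigate_by is not None),
                  ("milestones", bool(r.milestones)))
        missing = [name for name, ok in checks if not ok]
        if missing:
            gaps[r.ident] = missing
    return gaps

REGISTER = [  # constructed sample entries, not from any real assessment
    Risk("R-1", "Users not trained (PR.AT-1)", "High", date(2024, 1, 10),
         accepted_reason="Training budget approved for Q2", control="Free USALearning course",
         mitigate_by=date(2024, 6, 30), milestones=[(date(2024, 3, 31), "Enrol all staff")]),
    Risk("R-2", "No response plan (RS.RP-1)", "Critical", date(2024, 1, 10), mitigate_by=date(2024, 3, 31)),
    Risk("R-3", "No recovery plan", "Critical", date(2024, 1, 10),
         accepted_reason="Deferred to next budget year", mitigate_by=date(2025, 1, 31)),
    Risk("R-4", "Stale switch configuration", "Low", date(2023, 11, 1), closed=date(2024, 1, 5)),
]
```

Re-running the same three checks at the end of each timeframe is the "reassess and repeat" step: closed risks drop out, and new entries are added as the register changes.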
Don’t do anything wrong today!
Don’t do anything wrong tomorrow!
Repeat.
https://securityawareness.usalearning.gov/ – Free security training