Nailed it!

Thanks Josh. Do it a few hundred times and you can cut out the excess. :)

thanks so much!

You're most welcome. i've lived it a while. The pattern begins to emerge. "Rinse and repeat." lol

You got it! Will be sprinkling them in. Thanks AS!

This side of the house gets less love. Best reads(stay w me on this) is NIST special publication 800-37 and 800-30. Both are free and can be downloaded

My pleasure!

I demonstrate the process in a lab in my GRC Analyst Master course fwiw

@@SimplyCyberis that courses here in KZbin ?

Yes, Risk manifests in many ways. Many companies are now seeing cyber as their top risk though given all the ransomware.

Glad you liked it!

Thanks so much!!

For the most part no, but there are a few where it’s yes (see below). You could get CISA cert to differentiate yourself but that’s it. I believe PCI auditors need to be certified by PCI to be a QSA. Also with the new us govt CMMC refs you will here to be certified to officially audit.

Yes know ISO27001-ISO27005. I just lost a contract because I started talking about the NIST and the guy was in another country and did not like the USA. If I had known I would have talked about the ISO framework but used the NIST 800-53 behind the scenes as well as the ISO. Since things are going global, know whats in those ISOs I mentioned above. Good luck ALL!!!!

Thank you for the kind words.

Awesome, thank you!

Simplycyber.teachable.com is a course I made all about GRC work, including a section and lab on risk assessment

Thank you kindly!

I’d offer the first few as free assessments in exchange for testimonials and then build on top of that. Especially if ur targeting other small biz that will recognize and appreciate the histle

Thanks so much. I've got red vids in here too, but I'm an equal opportunity cyber honk. :D

Glad it was helpful!

@@SimplyCyber Just gave an interview, your videos have given me very useful insights. Thank you again ❤️

If you mean for risk assessment on organization's assets, then scope the assessment to particular system(s) and use an appropriate vulnerability scanning tool

managing what? Tech, people, cyber program? I can advise, but need to know specfic.

Def not. It would show your weaknesses and gaps. It would be a blueprint for bad guys to see where you’re soft

@@SimplyCyber Agree. I misunderstood you, maybe as an auditor/Compliance external you'd ask for it, but they're absolutely not required to share them to the general public 👍

@@SimplyCyber Are you planning on making videos about Threat Modeling orgs or specific apps? That'd be amazing! I'm liking the simplicity in which you explain in a short time 👌

@@jarmandog8372 it’s not on the video schedule but a great concept. Will add it. Thx

Looking at current state and understanding what is weakness and how bad it would be if it was exploited

That’s substantial. I can speak to the concept but I don’t have the availability to actively participate in the thesis research

Thanks How can I communicate with you better ?

@@AMR-amr1 I’m on discord and LinkedIn. And just to be fully transparent I can have a conversation but I don’t have the bandwidth to help you in a material way w your thesis

Lil “why” before that but yes the meat of the RA workflow you can jump to at 2:40

You have to factor in threat intelligence, position of the system with the vulnerability in relation to (network) access, if there is an exploit available, if its being exploited in the wild, if there is a patch out. There are a lot of factors for vuln assessment. Maybe another video idea?

Not really but 5 questions to start and ask them. What’s their security awareness program look like? Where do they use mfa? Do they require remote access into your environment and if so how (you prefer vpn and isolated to only systems they need) How do they handle your data when in their control? (Encrypted backed up delete when not needed) After contract termination how easy is it to get your data out and they not keep it too? Bonus questions: do you sell any of our data or meta data? Are you (and of the answer isn’t yes run) going to notify us and how quickly if your confirm a incident on systems where our data is. That’s just off the cuff w my Friday afternoon happy hour beer but would say the same if you were sitting next to me. Cheers friend!

@@SimplyCyber thanks a lot that s a grest start :)

All Things Risk Assessments. Hope you enjoy. As the video goes on I get more frothed up. :)

@@SimplyCyber get better soon!!

Governance, risk, and compliance

@@Preshopnutrition Governance, Risk and Compliance

Yep, not semi-quantitative. He probably said that because you can still map your results (e.g., Loss exposure) to the Low, Mid, High (qualitative scale) that most folks are used to.

I’ll have to revisit this. I’ll add to my short list a video with more details. Thx for the constructive feedback. I’m dealing burnout rn but will add this to the queue