What Is a Cybersecurity Risk Assessment (and HOW TO DO THEM!)

Рет қаралды 42,190

Күн бұрын

In this video, we're taking you on step by step tutorial on how to conduct a cybersecurity risk assessment and showing you what a cybersecurity risk assessment is and why it is important.
Risk assessments are a critical piece of an information security program and understanding how to do them and why we do them will enable you to understand a critical piece of the GRC side of the house.
📒 Show Notes 📒
⏰ Markers
0:10 Preview
0:32 Why cyber risk assessment?
2:30 How do you do a Cyber Risk Assessment (case study walkthrough)
4:00 Getting intel on how your organization is going to use a system
5:23 Why we call it information security really (over cybersecurity)
7:02 You got the data, now which risk assessment method to choose
10:40 Now you have your risks, how to prioritize them
12:03 What is and how to use a risk register (aka POAM)
Simply Cyber's mission is to help purpose driven professionals make and and take a cybersecurity career further, faster.
---------------------------------------------------------------------------------
🤝 Social Media 🤝
LinkedIn: / geraldauger
Twitter: / gerald_auger
KZbin: / geraldauger
Discord: / discord
Twitch: / gerald_auger_simplycyber
---------------------------------------------------------------------------------
🔥 My Curated Free Cyber Resources: SimplyCyber.io
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
🙌🏼 Donate 🙌🏼
Like the channel and got value? Please consider supporting the channel
www.buymeacoff...
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
😎 Merch 😎
👉🏼 SimplyCyber Branded Gear: teespring.com/...
---------------------------------------------------------------------------------
🎥 My livestreams are produced through StreamYard. Get a $10 credit using my referral link below if you ever upgrade to pro plan.
STREAMYARD $10 REFERRAL - streamyard.com?pal=6534222448689152
Disclaimer: All content reflects the thoughts and opinions of Gerald Auger and the speakers themselves, and are not affiliated with the employer of those individuals unless explicitly stated.

Пікірлер: 88

@LuisGonzalez-qi6hn Жыл бұрын

Summarizing Risk Analysis General Structure: 1. Get all the intel on the system/solution you are interested in 2. Figure the use case for this solution to your organization 3. identify all of the vulnerabilities of the solution 4. Figure out the likelihood of those vulnerabilities being exploited 5. Identify the impact to your organization when they are exploited 6. Group the vulnerabilities by priority 7. Address the ones that are unacceptable to reduce the risk to lower level 8. Rinse & repeat

@MarcusJGrey 2 жыл бұрын

Its super important. Arguably the 3 most important documents you'll find in an organization is 1) the asset inventory 2) the risk analysis/inventory and 3) controls inventory. These tell you exactly what a company has, what they're afraid of and how they're protecting themselves/those assets. Great that you're shining a light on GRC topics as well!

@robertalvarado884 3 жыл бұрын

Wow this video just summarized my Security & Risk Analysis 311 class that I took about two years ago. Everything you taught us, I literally learned in class. Thank you.

@SimplyCyber 3 жыл бұрын

Nailed it!

@NTG2396 2 жыл бұрын

Great video I became an assurance manager and been banging my head against a brick wall trying to figure out the correct way of completing a risk assessment

@moechaudhry6412 3 жыл бұрын

Great video! I recently moved over from Operations into a Cyber Security role that specifically deals with Risk to our organization. Would love more videos on the Risk side and if there any good book recommendations, etc.

@SimplyCyber 3 жыл бұрын

This side of the house gets less love. Best reads(stay w me on this) is NIST special publication 800-37 and 800-30. Both are free and can be downloaded

@hassanjibrilkamba Ай бұрын

Thanks for the lecture,it's very Interesting❤

@SimplyCyber Ай бұрын

Glad you liked it!

@udohpele1696 2 жыл бұрын

Thanks for this Gerald. This is really awesome and well explained. 😤😤 Thanks alot.

@SimplyCyber 2 жыл бұрын

My pleasure!

@mmughal 2 жыл бұрын

May be a longer version where you actually do it will be great

@SimplyCyber 6 ай бұрын

I demonstrate the process in a lab in my GRC Analyst Master course fwiw

@mmughal 6 ай бұрын

@@SimplyCyberis that courses here in KZbin ?

@zubairusaidu6638 Ай бұрын

Very nice lecture I am Zubairu saidu cyber security

@SatishSingh-ni8bu Жыл бұрын

I just watched "Cybersecurity Risk Assessment (A Step by Step Tutorial and WHY!)" ...its awesome! beautifully explained and to the point .... May I know how should I get in touch with you to learn more about the Cyber Risk Assessment in details...

@SimplyCyber Жыл бұрын

Simplycyber.teachable.com is a course I made all about GRC work, including a section and lab on risk assessment

@jashandeep8192 3 жыл бұрын

@SimplyCyber 3 жыл бұрын

Thanks so much. I've got red vids in here too, but I'm an equal opportunity cyber honk. :D

@khoapham1821 2 жыл бұрын

Thank you for the awesome video. I feel that you skip 1 big major step, is to identify all vulnerability. How one can identify them all ?

@oberlinio Жыл бұрын

If you mean for risk assessment on organization's assets, then scope the assessment to particular system(s) and use an appropriate vulnerability scanning tool

@Enyalus87 3 жыл бұрын

If you're doing this professionally, like you're a security auditor or compliance manager or that's the career direction you're trying to go, do you need to know/be certified in ISO 27001 or COBIT or anything?

@SimplyCyber 3 жыл бұрын

For the most part no, but there are a few where it’s yes (see below). You could get CISA cert to differentiate yourself but that’s it. I believe PCI auditors need to be certified by PCI to be a QSA. Also with the new us govt CMMC refs you will here to be certified to officially audit.

@lyndonmodomo2973 7 ай бұрын

Yes know ISO27001-ISO27005. I just lost a contract because I started talking about the NIST and the guy was in another country and did not like the USA. If I had known I would have talked about the ISO framework but used the NIST 800-53 behind the scenes as well as the ISO. Since things are going global, know whats in those ISOs I mentioned above. Good luck ALL!!!!

@xssoverflow798 3 жыл бұрын

Great Summary! Just subscribed!

@SimplyCyber 3 жыл бұрын

Awesome, thank you!

@rmcgraw7943 3 жыл бұрын

Very good video on Integration Risk assessments.

@SimplyCyber 3 жыл бұрын

Thank you for the kind words.

@manhalfamazing00 3 жыл бұрын

Subscribed. I need more cyber management skills. Any recommendation on reading material?

@SimplyCyber 3 жыл бұрын

managing what? Tech, people, cyber program? I can advise, but need to know specfic.

@victorchez9847 Жыл бұрын

You are simply awesome.

@3num3r8r 3 жыл бұрын

Nice presentation, methodology is spot-on.

@SimplyCyber 3 жыл бұрын

Thank you kindly!

@nicolasmaiques121 Жыл бұрын

Hi Gerald, from all your experience what do you think about EBIOS RM methodology ?

@jarmandog8372 2 жыл бұрын

Are companies obliged to share or publish their vulnerability assessments or Penetration tests? I know some publish their SOC 2 or ISO 27K compliance papers, but I haven't seen any public pentest/VA done to the services I consume

@SimplyCyber 2 жыл бұрын

Def not. It would show your weaknesses and gaps. It would be a blueprint for bad guys to see where you’re soft

@jarmandog8372 2 жыл бұрын

@@SimplyCyber Agree. I misunderstood you, maybe as an auditor/Compliance external you'd ask for it, but they're absolutely not required to share them to the general public 👍

@jarmandog8372 2 жыл бұрын

@@SimplyCyber Are you planning on making videos about Threat Modeling orgs or specific apps? That'd be amazing! I'm liking the simplicity in which you explain in a short time 👌

@SimplyCyber 2 жыл бұрын

@@jarmandog8372 it’s not on the video schedule but a great concept. Will add it. Thx

@maisaalghamdi8068 9 ай бұрын

Amazingggggg!

@ArafatAliProfile 3 жыл бұрын

Very good explanation. Thank you

@SimplyCyber 3 жыл бұрын

Glad it was helpful!

@ArafatAliProfile 3 жыл бұрын

@@SimplyCyber Just gave an interview, your videos have given me very useful insights. Thank you again ❤️

@zubairusaidu6638 Ай бұрын

What Analysis is an General description

@SimplyCyber Ай бұрын

Looking at current state and understanding what is weakness and how bad it would be if it was exploited

@Compliance237 Жыл бұрын

Can you please let us have the transcript of the video?

@Ad000121 Жыл бұрын

Does anyone know of some risk assessment case studies

@jamesclark9380 6 ай бұрын

Content actually starts at 2:40

@SimplyCyber 6 ай бұрын

Lil “why” before that but yes the meat of the RA workflow you can jump to at 2:40

@ericlb8769 2 жыл бұрын

is there a place where i can find some TRA template for cyber security ? thanks

@SimplyCyber 2 жыл бұрын

Not really but 5 questions to start and ask them. What’s their security awareness program look like? Where do they use mfa? Do they require remote access into your environment and if so how (you prefer vpn and isolated to only systems they need) How do they handle your data when in their control? (Encrypted backed up delete when not needed) After contract termination how easy is it to get your data out and they not keep it too? Bonus questions: do you sell any of our data or meta data? Are you (and of the answer isn’t yes run) going to notify us and how quickly if your confirm a incident on systems where our data is. That’s just off the cuff w my Friday afternoon happy hour beer but would say the same if you were sitting next to me. Cheers friend!

@ericlb8769 2 жыл бұрын

@@SimplyCyber thanks a lot that s a grest start :)

@24reyeser 3 жыл бұрын

Yeahhhhhhh!!!!!!

@SimplyCyber 3 жыл бұрын

All Things Risk Assessments. Hope you enjoy. As the video goes on I get more frothed up. :)

@24reyeser 3 жыл бұрын

@@SimplyCyber get better soon!!

@JohnEButton 2 жыл бұрын

FAIR isnt semi-quantitative....totally false.

@bggees Жыл бұрын

Yep, not semi-quantitative. He probably said that because you can still map your results (e.g., Loss exposure) to the Low, Mid, High (qualitative scale) that most folks are used to.

@havefun8834 2 күн бұрын

All those years of experience in risk assesment and not being able to gothrough a real example or showing a real risk assesment doc ofc not mentioning company details, or atleast give real timeline of the project, resources in the project roles and responsibilities or not showing a sample risk docuement.. nothing.. just generic generic stuff which is available everywhere

@SimplyCyber Күн бұрын

I’ll have to revisit this. I’ll add to my short list a video with more details. Thx for the constructive feedback. I’m dealing burnout rn but will add this to the queue

@ArachnaeNonafel Жыл бұрын

Thanks for these vids! I'm an older person looking to change careers and these are helpful.

@adambala8525 Ай бұрын

❤❤❤ care is is taking need more knowledge from you sir

@adeyinkaakinnukawe3048 6 ай бұрын

Came across this video while doing research for sort of a (cyber security) risk assessor portfolio for a beginner and i think it's a great resource. Can anyone help with ideas for how to continue practicing as a beginner? Thank you :)

@alieconteh7407 8 ай бұрын

How do you approach institutions for them to provide you with risk assessment information as a start-up cybersecurity company

@SimplyCyber 8 ай бұрын

I’d offer the first few as free assessments in exchange for testimonials and then build on top of that. Especially if ur targeting other small biz that will recognize and appreciate the histle

@Ruffgemm 8 ай бұрын

Shouldn’t RAs cater beyond technical controls. Aren’t administrative, operational and physical controls a part of the risk analysis/assessment?

@tsuyax6054 3 жыл бұрын

We have a GRC department on my previous company but they don't focus on IT Security but more on with company operations/financials etc.

@SimplyCyber 3 жыл бұрын

Yes, Risk manifests in many ways. Many companies are now seeing cyber as their top risk though given all the ransomware.

@Preshopnutrition Ай бұрын

Please what is the meaning of GRC?

@SimplyCyber Ай бұрын

Governance, risk, and compliance

@SAnderson54 3 жыл бұрын

More GRC videos!! Thanks so much Gerald!

@SimplyCyber 3 жыл бұрын

You got it! Will be sprinkling them in. Thanks AS!

@Peyo3729 4 ай бұрын

Thank you so much! This was really helpful!

@realdragonking7779 Жыл бұрын

This was a helpful video and well explained! Thank you Gerald.

@AMR-amr1 2 жыл бұрын

I want to write a master's thesis on risk assessment in drones .can you help me

@SimplyCyber 2 жыл бұрын

That’s substantial. I can speak to the concept but I don’t have the availability to actively participate in the thesis research

@AMR-amr1 2 жыл бұрын

Thanks How can I communicate with you better ?

@SimplyCyber 2 жыл бұрын

@@AMR-amr1 I’m on discord and LinkedIn. And just to be fully transparent I can have a conversation but I don’t have the bandwidth to help you in a material way w your thesis

@waz1167 7 ай бұрын

Thank you!

@Cwhitlock-StudyGRC 3 ай бұрын

Such a great video, even without all the fancy studio stuff. 🤣I wish everybody watched this getting started!

@SimplyCyber 3 ай бұрын

Thanks so much!!

@TanujPandey18 3 жыл бұрын

One of the most comprehensive video on Risk Assessment Program. I was able to relate maximum of the things. I feel happy that I found this helpful channel which is creating useful content on GRC stuff.

@SimplyCyber 3 жыл бұрын

You're most welcome. i've lived it a while. The pattern begins to emerge. "Rinse and repeat." lol

@amarullohripai3745 3 жыл бұрын

How vulnerabilities assessment?

@SimplyCyber 3 жыл бұрын

You have to factor in threat intelligence, position of the system with the vulnerability in relation to (network) access, if there is an exploit available, if its being exploited in the wild, if there is a patch out. There are a lot of factors for vuln assessment. Maybe another video idea?