Summarizing Risk Analysis General Structure: 1. Get all the intel on the system/solution you are interested in 2. Figure the use case for this solution to your organization 3. identify all of the vulnerabilities of the solution 4. Figure out the likelihood of those vulnerabilities being exploited 5. Identify the impact to your organization when they are exploited 6. Group the vulnerabilities by priority 7. Address the ones that are unacceptable to reduce the risk to lower level 8. Rinse & repeat
Its super important. Arguably the 3 most important documents you'll find in an organization is 1) the asset inventory 2) the risk analysis/inventory and 3) controls inventory. These tell you exactly what a company has, what they're afraid of and how they're protecting themselves/those assets. Great that you're shining a light on GRC topics as well!
Wow this video just summarized my Security & Risk Analysis 311 class that I took about two years ago. Everything you taught us, I literally learned in class. Thank you.
Great video I became an assurance manager and been banging my head against a brick wall trying to figure out the correct way of completing a risk assessment
Came across this video while doing research for sort of a (cyber security) risk assessor portfolio for a beginner and i think it's a great resource. Can anyone help with ideas for how to continue practicing as a beginner? Thank you :)
One of the most comprehensive video on Risk Assessment Program. I was able to relate maximum of the things. I feel happy that I found this helpful channel which is creating useful content on GRC stuff.
Great video! I recently moved over from Operations into a Cyber Security role that specifically deals with Risk to our organization. Would love more videos on the Risk side and if there any good book recommendations, etc.
This side of the house gets less love. Best reads(stay w me on this) is NIST special publication 800-37 and 800-30. Both are free and can be downloaded
I just watched "Cybersecurity Risk Assessment (A Step by Step Tutorial and WHY!)" ...its awesome! beautifully explained and to the point .... May I know how should I get in touch with you to learn more about the Cyber Risk Assessment in details...
If you're doing this professionally, like you're a security auditor or compliance manager or that's the career direction you're trying to go, do you need to know/be certified in ISO 27001 or COBIT or anything?
For the most part no, but there are a few where it’s yes (see below). You could get CISA cert to differentiate yourself but that’s it. I believe PCI auditors need to be certified by PCI to be a QSA. Also with the new us govt CMMC refs you will here to be certified to officially audit.
Yes know ISO27001-ISO27005. I just lost a contract because I started talking about the NIST and the guy was in another country and did not like the USA. If I had known I would have talked about the ISO framework but used the NIST 800-53 behind the scenes as well as the ISO. Since things are going global, know whats in those ISOs I mentioned above. Good luck ALL!!!!
If you mean for risk assessment on organization's assets, then scope the assessment to particular system(s) and use an appropriate vulnerability scanning tool
Are companies obliged to share or publish their vulnerability assessments or Penetration tests? I know some publish their SOC 2 or ISO 27K compliance papers, but I haven't seen any public pentest/VA done to the services I consume
@@SimplyCyber Agree. I misunderstood you, maybe as an auditor/Compliance external you'd ask for it, but they're absolutely not required to share them to the general public 👍
@@SimplyCyber Are you planning on making videos about Threat Modeling orgs or specific apps? That'd be amazing! I'm liking the simplicity in which you explain in a short time 👌
I’d offer the first few as free assessments in exchange for testimonials and then build on top of that. Especially if ur targeting other small biz that will recognize and appreciate the histle
@@AMR-amr1 I’m on discord and LinkedIn. And just to be fully transparent I can have a conversation but I don’t have the bandwidth to help you in a material way w your thesis
Not really but 5 questions to start and ask them. What’s their security awareness program look like? Where do they use mfa? Do they require remote access into your environment and if so how (you prefer vpn and isolated to only systems they need) How do they handle your data when in their control? (Encrypted backed up delete when not needed) After contract termination how easy is it to get your data out and they not keep it too? Bonus questions: do you sell any of our data or meta data? Are you (and of the answer isn’t yes run) going to notify us and how quickly if your confirm a incident on systems where our data is. That’s just off the cuff w my Friday afternoon happy hour beer but would say the same if you were sitting next to me. Cheers friend!
You have to factor in threat intelligence, position of the system with the vulnerability in relation to (network) access, if there is an exploit available, if its being exploited in the wild, if there is a patch out. There are a lot of factors for vuln assessment. Maybe another video idea?
Yep, not semi-quantitative. He probably said that because you can still map your results (e.g., Loss exposure) to the Low, Mid, High (qualitative scale) that most folks are used to.
All those years of experience in risk assesment and not being able to gothrough a real example or showing a real risk assesment doc ofc not mentioning company details, or atleast give real timeline of the project, resources in the project roles and responsibilities or not showing a sample risk docuement.. nothing.. just generic generic stuff which is available everywhere
I’ll have to revisit this. I’ll add to my short list a video with more details. Thx for the constructive feedback. I’m dealing burnout rn but will add this to the queue
Summarizing Risk Analysis General Structure:
1. Get all the intel on the system/solution you are interested in
2. Figure the use case for this solution to your organization
3. identify all of the vulnerabilities of the solution
4. Figure out the likelihood of those vulnerabilities being exploited
5. Identify the impact to your organization when they are exploited
6. Group the vulnerabilities by priority
7. Address the ones that are unacceptable to reduce the risk to lower level
8. Rinse & repeat
Its super important. Arguably the 3 most important documents you'll find in an organization is 1) the asset inventory 2) the risk analysis/inventory and 3) controls inventory. These tell you exactly what a company has, what they're afraid of and how they're protecting themselves/those assets. Great that you're shining a light on GRC topics as well!
Thanks for these vids! I'm an older person looking to change careers and these are helpful.
Wow this video just summarized my Security & Risk Analysis 311 class that I took about two years ago. Everything you taught us, I literally learned in class. Thank you.
Nailed it!
This video is too dope! Very informational . Thank you
thanks so much!
This was the most thorough, succinct explanation of risk management I've ever seen.
Thanks Josh. Do it a few hundred times and you can cut out the excess. :)
Great video I became an assurance manager and been banging my head against a brick wall trying to figure out the correct way of completing a risk assessment
May be a longer version where you actually do it will be great
I demonstrate the process in a lab in my GRC Analyst Master course fwiw
@@SimplyCyberis that courses here in UA-cam ?
Came across this video while doing research for sort of a (cyber security) risk assessor portfolio for a beginner and i think it's a great resource. Can anyone help with ideas for how to continue practicing as a beginner? Thank you :)
More GRC videos!! Thanks so much Gerald!
You got it! Will be sprinkling them in. Thanks AS!
We have a GRC department on my previous company but they don't focus on IT Security but more on with company operations/financials etc.
Yes, Risk manifests in many ways. Many companies are now seeing cyber as their top risk though given all the ransomware.
One of the most comprehensive video on Risk Assessment Program. I was able to relate maximum of the things. I feel happy that I found this helpful channel which is creating useful content on GRC stuff.
You're most welcome. i've lived it a while. The pattern begins to emerge. "Rinse and repeat." lol
Great video! I recently moved over from Operations into a Cyber Security role that specifically deals with Risk to our organization. Would love more videos on the Risk side and if there any good book recommendations, etc.
This side of the house gets less love. Best reads(stay w me on this) is NIST special publication 800-37 and 800-30. Both are free and can be downloaded
Thank you so much! This was really helpful!
I just watched "Cybersecurity Risk Assessment (A Step by Step Tutorial and WHY!)" ...its awesome! beautifully explained and to the point ....
May I know how should I get in touch with you to learn more about the Cyber Risk Assessment in details...
Simplycyber.teachable.com is a course I made all about GRC work, including a section and lab on risk assessment
If you're doing this professionally, like you're a security auditor or compliance manager or that's the career direction you're trying to go, do you need to know/be certified in ISO 27001 or COBIT or anything?
For the most part no, but there are a few where it’s yes (see below). You could get CISA cert to differentiate yourself but that’s it. I believe PCI auditors need to be certified by PCI to be a QSA. Also with the new us govt CMMC refs you will here to be certified to officially audit.
Yes know ISO27001-ISO27005. I just lost a contract because I started talking about the NIST and the guy was in another country and did not like the USA. If I had known I would have talked about the ISO framework but used the NIST 800-53 behind the scenes as well as the ISO. Since things are going global, know whats in those ISOs I mentioned above. Good luck ALL!!!!
Thanks for this Gerald. This is really awesome and well explained. 😤😤
Thanks alot.
My pleasure!
Such a great video, even without all the fancy studio stuff. 🤣I wish everybody watched this getting started!
Thanks so much!!
Thanks for the lecture,it's very Interesting❤
Glad you liked it!
Thank you for the awesome video. I feel that you skip 1 big major step, is to identify all vulnerability. How one can identify them all ?
If you mean for risk assessment on organization's assets, then scope the assessment to particular system(s) and use an appropriate vulnerability scanning tool
This was a helpful video and well explained! Thank you Gerald.
Hi Gerald, from all your experience what do you think about EBIOS RM methodology ?
You are simply awesome.
Very good video on Integration Risk assessments.
Thank you for the kind words.
Shouldn’t RAs cater beyond technical controls. Aren’t administrative, operational and physical controls a part of the risk analysis/assessment?
❤❤❤ care is is taking need more knowledge from you sir
Subscribed. I need more cyber management skills. Any recommendation on reading material?
managing what? Tech, people, cyber program? I can advise, but need to know specfic.
Great Summary! Just subscribed!
Awesome, thank you!
Thanks so much. I've got red vids in here too, but I'm an equal opportunity cyber honk. :D
Very nice lecture I am Zubairu saidu cyber security
Are companies obliged to share or publish their vulnerability assessments or Penetration tests? I know some publish their SOC 2 or ISO 27K compliance papers, but I haven't seen any public pentest/VA done to the services I consume
Def not. It would show your weaknesses and gaps. It would be a blueprint for bad guys to see where you’re soft
@@SimplyCyber Agree. I misunderstood you, maybe as an auditor/Compliance external you'd ask for it, but they're absolutely not required to share them to the general public 👍
@@SimplyCyber Are you planning on making videos about Threat Modeling orgs or specific apps? That'd be amazing! I'm liking the simplicity in which you explain in a short time 👌
@@jarmandog8372 it’s not on the video schedule but a great concept. Will add it. Thx
How do you approach institutions for them to provide you with risk assessment information as a start-up cybersecurity company
I’d offer the first few as free assessments in exchange for testimonials and then build on top of that. Especially if ur targeting other small biz that will recognize and appreciate the histle
Nice presentation, methodology is spot-on.
Thank you kindly!
Thank you!
Amazingggggg!
I want to write a master's thesis on risk assessment in drones .can you help me
That’s substantial. I can speak to the concept but I don’t have the availability to actively participate in the thesis research
Thanks
How can I communicate with you better ?
@@AMR-amr1 I’m on discord and LinkedIn. And just to be fully transparent I can have a conversation but I don’t have the bandwidth to help you in a material way w your thesis
Very good explanation. Thank you
Glad it was helpful!
@@SimplyCyber Just gave an interview, your videos have given me very useful insights. Thank you again ❤️
is there a place where i can find some TRA template for cyber security ? thanks
Not really but 5 questions to start and ask them.
What’s their security awareness program look like?
Where do they use mfa?
Do they require remote access into your environment and if so how (you prefer vpn and isolated to only systems they need)
How do they handle your data when in their control? (Encrypted backed up delete when not needed)
After contract termination how easy is it to get your data out and they not keep it too?
Bonus questions: do you sell any of our data or meta data?
Are you (and of the answer isn’t yes run) going to notify us and how quickly if your confirm a incident on systems where our data is.
That’s just off the cuff w my Friday afternoon happy hour beer but would say the same if you were sitting next to me.
Cheers friend!
@@SimplyCyber thanks a lot that s a grest start :)
Can you please let us have the transcript of the video?
Does anyone know of some risk assessment case studies
What Analysis is an General description
Looking at current state and understanding what is weakness and how bad it would be if it was exploited
How vulnerabilities assessment?
You have to factor in threat intelligence, position of the system with the vulnerability in relation to (network) access, if there is an exploit available, if its being exploited in the wild, if there is a patch out. There are a lot of factors for vuln assessment. Maybe another video idea?
Yeahhhhhhh!!!!!!
All Things Risk Assessments. Hope you enjoy. As the video goes on I get more frothed up. :)
@@SimplyCyber get better soon!!
Content actually starts at 2:40
Lil “why” before that but yes the meat of the RA workflow you can jump to at 2:40
FAIR isnt semi-quantitative....totally false.
Yep, not semi-quantitative. He probably said that because you can still map your results (e.g., Loss exposure) to the Low, Mid, High (qualitative scale) that most folks are used to.
Please what is the meaning of GRC?
Governance, risk, and compliance
@@Preshopnutrition Governance, Risk and Compliance
All those years of experience in risk assesment and not being able to gothrough a real example or showing a real risk assesment doc ofc not mentioning company details, or atleast give real timeline of the project, resources in the project roles and responsibilities or not showing a sample risk docuement.. nothing.. just generic generic stuff which is available everywhere
I’ll have to revisit this. I’ll add to my short list a video with more details. Thx for the constructive feedback. I’m dealing burnout rn but will add this to the queue