"I will make you understand it, no matter what"....loved it.....great job Luv. Superbly informative
Thanks, brother.
Thanks for the efforts you made for all of us... Thanks a ton again, brother Luv.
thanks, please keep watching and share if you like this video :)
By far the best video on Risk Assessment. I am so glad that I landed up on your channel. Super informative video!! Exactly what I was looking for. I don't think I need to watch any more videos on Risk now. This was so crisp and simple to understand. Thank you so much for this video. I'm hooked on your channel now. My gratitude!! Keep doing the superb work.
thanks, please keep watching and share if you like this video :)
One most amazing and most informative video on UA-cam for RART... Thanks Boss.. keep making videos.. thanks once again..
thanks, please keep watching and share if you like this video :)
very well explained
Thanks 🤗 please share these videos and help me grow this channel
Thank you so much, sir 🎉
Thanks 🤗 please share these videos and help me grow this channel
Liked the way you explained.. 👍
thanks, please keep watching and share if you like this video :)
Hello Luv, amazing video. Your explanation and examples made my day. Thank you, Sir. God keep you and your family safe, and may you keep helping people like me. Love from Canada.
thanks brother
Sir, please, I'm a beginner in ISO 27001. Please make a session on the exam, and about NCRs and investigation reports when writing exam papers.
thanks, please keep watching and share if you like this video :)
Thank you so much sir for this video 🙏
thanks for watching!
Very well explained sir..
thanks, please keep watching and share if you like this video :)
Best video
thanks for watching!
Thank you so much, sir, for giving so much regarding Risk Management.
Sir, could you share the bigger vulnerability table for a better understanding of risk levels and impact?
SQL Injection:
Description: Attacker inputs malicious SQL code into a login form.
Risk Level: High
Potential Impact: Gain unauthorized access to the database, extract sensitive information.
Cross-Site Scripting (XSS):
Description: Malicious script injected into a web page via user input.
Risk Level: High
Potential Impact: Steal user session cookies, deface websites, execute unauthorized actions.
Unpatched Software:
Description: Failure to update a web server with the latest security patches.
Risk Level: Medium
Potential Impact: Vulnerable to known exploits, leading to unauthorized access or service disruption.
@LearnITSecuritywithLuvJohar Thank you so much sir for quick response 🙏
ITGC domains - logical access, change management, backup - in Hindi please.
thanks, please keep watching and share if you like this video :)
Thank you!! This is a great video to simplify overall risk management. How can I get a copy of the document referred to during this video?
Thanks 🤗 please share these videos and help me grow this channel
Do you have an English version?
thanks, please keep watching and share if you like this video :)
Amazing video on RARTP, great job Lov, keep it up. Please share more examples of RA related to the manufacturing functional department. 🙏🙏
thanks, please keep watching and share if you like this video :)
Dear Sir, please make a vendor risk management video.
Yes, please do make a video on this, sir.
thanks, please keep watching and share if you like this video :)
thanks, please keep watching and share if you like this video :)
Can you please make the same tutorial in English?
Sure I will definitely
Hi, if you are asked about the risk treatment plan, what is the answer, as an interview question?
A risk treatment plan is a structured approach to managing risks within an organization or project. It outlines the actions, strategies, and measures that will be implemented to mitigate, avoid, transfer, or accept risks identified during the risk assessment process.
Here are the key components typically included in a risk treatment plan:
Risk Identification: Clearly identifying and documenting all potential risks that could impact the project or organization. This includes assessing both internal and external factors that may pose a threat.
Risk Analysis: Evaluating each identified risk in terms of its probability of occurrence, potential impact, and severity. This step helps prioritize risks based on their significance.
Risk Response Strategies: Developing specific strategies for how each identified risk will be addressed. Common strategies include risk avoidance (eliminating the risk entirely), risk mitigation (reducing the likelihood or impact of the risk), risk transfer (shifting the risk to another party, such as through insurance), and risk acceptance (acknowledging the risk without taking active measures).
Responsibilities and Accountabilities: Assigning roles and responsibilities to individuals or teams responsible for implementing risk treatment measures. This ensures clear accountability for managing risks effectively.
Timeline and Resources: Setting timelines for implementing risk treatment measures and allocating necessary resources, such as budget, manpower, and technology, to support risk management efforts.
Monitoring and Review: Establishing a process for ongoing monitoring and review of the risk treatment plan. This includes regular assessments to track the effectiveness of implemented measures, identify new risks, and make adjustments to the plan as needed.
By developing a comprehensive risk treatment plan, organizations can proactively address potential threats, minimize negative impacts, and enhance overall resilience and success.
Brother, please make it, man, the one with the 25 table as well.
You are the gem, Sir 😘
thanks, please keep watching and share if you like this video :)
ITGC 2nd video link
thanks luv sir
welcome my brother!
@LearnITSecuritywithLuvJohar, what would be the ideal answer in an interview to the question "What is risk assessment?"
ua-cam.com/video/SQ_IJy1l5gc/v-deo.html
I need to pass ISO 27001 for our organization; what steps do I need to follow?
Achieving ISO 27001 certification for your organization involves a structured process that demonstrates your commitment to information security and your ability to manage and protect sensitive data effectively. Here are the general steps to follow:
Management Commitment:
Obtain commitment and support from top management to implement ISO 27001. Management's involvement is crucial to the success of the certification process.
Gap Analysis:
Conduct an initial gap analysis to assess your organization's current state of information security. Identify areas where you need to improve to meet ISO 27001 requirements.
Define Scope:
Clearly define the scope of your ISMS (Information Security Management System). This defines what information assets are included and what aspects of the organization's activities are covered by ISO 27001.
Risk Assessment:
Perform a comprehensive risk assessment to identify and evaluate information security risks. This includes understanding potential threats, vulnerabilities, and impact.
Risk Treatment:
Develop a risk treatment plan to mitigate identified risks through the implementation of appropriate controls. This may include policies, procedures, and technical measures.
Documentation:
Create and maintain documentation, including an Information Security Policy, risk assessment reports, and operational procedures. These documents should align with ISO 27001 requirements.
ISMS Implementation:
Implement the controls and measures identified in your risk treatment plan. Ensure that security processes and procedures are followed by employees.
Training and Awareness:
Provide training and awareness programs for employees to ensure they understand their roles in information security and compliance with ISO 27001.
Internal Audits:
Conduct regular internal audits to assess the effectiveness of your ISMS and to identify any non-conformities or areas for improvement.
Management Review:
Hold periodic management reviews to evaluate the performance of your ISMS, identify areas for improvement, and ensure alignment with your organizational objectives.
Certification Audit:
Engage with a certified ISO 27001 audit and certification body. They will perform a certification audit to evaluate your ISMS's compliance with ISO 27001.
Corrective Actions:
Address any non-conformities identified during the certification audit and take corrective actions to resolve them.
Certification:
Once your ISMS meets the requirements of ISO 27001, you will be issued a certificate, signifying that your organization is ISO 27001 certified.
Surveillance Audits:
After certification, regular surveillance audits are conducted to ensure ongoing compliance with ISO 27001.
Continuous Improvement:
Continuously improve your ISMS and information security practices based on feedback, audits, and changes in your organization's risk landscape.
Remember that ISO 27001 is an ongoing process, and maintaining certification requires continual improvement and vigilance. Regularly update your documentation and processes to address changing threats and security requirements. It's also important to engage employees at all levels to ensure they understand and support information security practices.
Q: Who will decide the score for likelihood and impact? Is there any guideline for determining these numerical values? Or management / higher authorities? Who?
The score will be decided by the one who is performing the risk assessment, or it can be a mutual decision.
thanks, please keep watching and share if you like this video :)
thanks, please keep watching and share if you like this video :)
As mentioned in the table of risk acceptance criteria, from 6 to 12 it is taken as moderate risk and above 12 it is unacceptable risk. But sir, one confusion: in the cell of (Unlikely - 2, Severe - 5) the multiplication comes out to be 10. Therefore, how has it become red and been considered unacceptable? It should be considered yellow (moderate risk), right?
Thank you.
thanks, please keep watching and share if you like this video :)
How can I reach you?
thanks, please keep watching and share if you like this video :)
Please always present in English.
thanks, please keep watching and share if you like this video :)
Provide it in English; we are unable to understand.
thanks, please keep watching and share if you like this video :)
First of all, thank you so much for your content and your effort.
I have some doubts.
For example:
- We have only one external firewall, and that firewall also has some critical-level vulnerabilities. How do I determine which number to assign?
- The data center is running on a single power backup.
- The infrastructure is not implemented with the organization's password policy (non-compliance).
In that situation:
1st, I have to set the "Risk Level" with Vulnerability (here we need a VAPT report?), Impact, Likelihood, and Risk Level based on the asset criticality.
Here my question is: during the evaluation, if I find more dependencies, like backend server, network, applications, in this case how can I set the asset priority and risk level with dependencies? Should I mention all dependencies? If yes, then which should come first and which second? How do I decide that? Is it based again on the risk level, or on the criticality level of the system or service?
2nd, as you describe, I have to evaluate the Acceptable, Moderate and Unacceptable risks by some number (Impact x Likelihood = Risk).
Here my question is: how can I identify which risk number represents which asset and which risk? (For example, as mentioned, "Severe - 5" and "Very Likely - 5" with the risk number 25.)
I am confused about the 'Risk Evaluation'.
🙏 Kindly help me to clear the doubt.
Again, thank you so much 🙏
sure, please whatsapp me on +91 971 860 3114 to discuss this further
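As an added illustration of the scoring the two questions above are about (the question on the (Unlikely - 2, Severe - 5) cell and the question on which risk number belongs to which asset), here is a small Python model of the video's Likelihood x Impact matrix. This is example code written for this thread, not the video's spreadsheet or the channel owner's material. The acceptance bands (below 6 acceptable, 6 to 12 moderate, above 12 unacceptable) are taken from how the commenter reports the video's table; the scale names other than "Unlikely - 2", "Severe - 5" and "Very Likely - 5", the severe-impact override, the tie-breaking by asset criticality and every number in the sample register are assumptions constructed for the example.

```python
"""Risk = Likelihood x Impact on two 1-5 scales, with acceptance bands.

Added example for this comment thread. Thresholds follow the acceptance
criteria as reported in the thread (below 6 acceptable, 6 to 12 moderate,
above 12 unacceptable); scale names, the override rule and the sample
register are constructed assumptions, not data from the video.
"""
from dataclasses import dataclass, field

# Only "Unlikely - 2", "Severe - 5" and "Very Likely - 5" appear in the
# thread; the other level names are assumed for readability.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "very likely": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

MODERATE_FROM = 6        # scores 6..12 are moderate
UNACCEPTABLE_ABOVE = 12  # scores 13..25 are unacceptable


def risk_score(likelihood: int, impact: int) -> int:
    """Multiplicative score in the range 1..25; rejects values off the scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def rate(score: int) -> str:
    """Band from the multiplicative rule alone: (2, 5) -> 10 -> moderate."""
    if score > UNACCEPTABLE_ABOVE:
        return "unacceptable"
    if score >= MODERATE_FROM:
        return "moderate"
    return "acceptable"


def rate_with_severe_override(likelihood: int, impact: int) -> str:
    """Assumed variant: any severe (5) impact is unacceptable regardless of
    the product. The thread does not say why the (Unlikely, Severe) cell is
    red; an override like this is one matrix design that colours it red."""
    if impact == IMPACT["severe"]:
        return "unacceptable"
    return rate(risk_score(likelihood, impact))


def build_matrix(override: bool = False) -> dict:
    """Full 5x5 matrix as {(likelihood, impact): band}, for review."""
    return {
        (lk, im): rate_with_severe_override(lk, im) if override else rate(risk_score(lk, im))
        for lk in range(1, 6)
        for im in range(1, 6)
    }


@dataclass
class RiskEntry:
    asset: str
    criticality: int   # asset criticality 1-5 from the asset inventory
    risk: str          # the threat/vulnerability this score belongs to
    likelihood: int
    impact: int
    score: int = field(init=False)
    band: str = field(init=False)

    def __post_init__(self):
        self.score = risk_score(self.likelihood, self.impact)
        self.band = rate(self.score)


def build_register(entries):
    """A score is never a bare number: each one is tied to one (asset, risk)
    pair. Sorted highest score first; asset criticality breaks ties (an
    ordering convention assumed for this example)."""
    return sorted(entries, key=lambda e: (-e.score, -e.criticality, e.asset))


# Constructed sample register using the scenarios from the question above;
# the scores are illustrative, not an assessment of any real environment.
SAMPLE_REGISTER = build_register([
    RiskEntry("external firewall", 5, "single firewall with critical vulnerability", 4, 5),
    RiskEntry("data center power", 4, "single power backup, no redundancy", 2, 5),
    RiskEntry("servers and network", 4, "password policy not enforced", 3, 3),
    RiskEntry("backend server", 3, "reachable only through the firewall (dependency)", 2, 4),
])

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(f"{e.score:>2} {e.band:<12} {e.asset:<22} {e.risk}")
    # (unlikely=2, severe=5) is 10: moderate by the formula alone, and
    # unacceptable only when a severe-impact override is in force.
    print(rate(risk_score(2, 5)), rate_with_severe_override(2, 5))
```

Running the script prints the register highest score first, so "25" or "10" always reads next to the asset and the risk it was scored for; the last line shows the (2, 5) cell landing in the moderate band under the plain product and in the unacceptable band only under the assumed override. Whichever convention an organisation uses, the point for an assessor is that the acceptance criteria must state it explicitly, otherwise the matrix and the formula disagree exactly as the question above notices.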