Speaker 1: Alright, guys. Good evening, everyone. My name is Emmanuel Ciprian, and I'm coming to you live via Zoom and YouTube on the platform of TYTEC Consulting. So today we want to look at a very important topic, which most of you must have been confused about for a while now. So I want to share with you my understanding of this topic, and that is the difference between control assessment and risk assessment. Like I said, this is Emmanuel from TYTEC Consulting. If you have any questions or comments, please leave them below in the comment section. If you find this video and all of my videos useful and helpful, please subscribe to my channel. If you find this video useful, please like the video and share it with your friends; that will help us to bring out more of this kind of educational content.

Alright, so let's get started. What is control assessment? Control assessment can be either an independent assessment or a self-assessment. At its most basic, it's a review of an entity's controls. These controls are typically based on an industry framework. Now, when we say control assessment, it is a review of the set of security controls and security procedures that have been implemented by an entity, by an organization, by an individual, either a government agency, a private organization, or a corporation: the controls they put in place to help safeguard their information and information systems. When you review those controls, that is known as a control assessment, and at its very basics, these are usually based on industry frameworks. Industry frameworks such as the NIST 800-53 set of controls, the NIST Cybersecurity Framework, FISMA, FedRAMP, CDPR, GDPR, PCI DSS, SOC 2, COBIT, HITRUST, the ISO 27001 series, and the HIPAA Security Rule, just to mention a few.
So these are some of the frameworks out there that dictate the security controls that need to be implemented in any entity's environment. So a review of these controls is known as a security control assessment.

Now, what is risk assessment? Risk assessment addresses the potential adverse impact to organizational operations, assets, individuals, other organizations, and the economic and national security interests of a nation arising from the operation and use of information systems and the information processed, stored, and transmitted by those systems. So what am I saying? Risk assessment addresses the potential adverse effect of using an information system, the potential adverse effect of the information stored in those systems. So risk assessment is the umbrella: reviewing what the adverse effect is of us using this form of information system, of us using this form of document or information or data. Take, for example, Equifax. Equifax has your social security number, your credit information, your bank information, maybe the balances on your credit cards, your home address, your phone number, your email address. Equifax has this information. Now, you want to do a risk assessment. What is the risk of having those kinds of information, client information, in your database? That is risk assessment. Now, risk assessments are not simply one-time activities. No. Rather, organizations employ risk assessment on an ongoing basis throughout the system development life cycle. Risk assessment is not a one-off thing. Risk assessment is a continuous process. It's a continuous assessment. It's a continuous activity throughout the system or software development life cycle. So that is risk assessment. So when a risk assessment is done, if you come up with findings, that is where you now see if controls are adequate or if compensating controls need to be put in place.
So that is risk assessment. Now, let's move on. When is risk assessment actually needed? One, you conduct a risk assessment during the development of an information security architecture. When you are putting together the architecture of an information system, you conduct a risk assessment. Two, you conduct a risk assessment during the definition of interconnection requirements for information systems. When you want information systems to interconnect, to talk to each other, to share data, to share information, with information going both ways, there is the need to conduct a risk assessment. What is the risk of allowing such interconnection agreements? Number three, you conduct a risk assessment during the design of security solutions for information systems and their environments of operation, including the selection of security controls, information technology products, suppliers, the supply chain, and contractors. What does this mean? You conduct a risk assessment during the design of an information system and its environment of operation. You conduct a risk assessment when you are bringing in a third party. That is why we say we have third-party or vendor risk assessment. You want to make sure that the security controls those vendors have in their environment are adequate. You want to make sure that the vendor is not adversely exposed, thereby putting you and your own environment in jeopardy. You conduct a risk assessment when you are selecting security controls. You want to make sure that the controls you're selecting for your information system and for the environment are adequate. So those are instances where you conduct a risk assessment. Another instance where you conduct a risk assessment is authorization: either denial of authorization or authorization to operate an information system, or to use security controls inherited by those systems. Now, in RMF, we have seven steps, and one of those steps is authorization.
That is, should we authorize this system to be deployed into production? There is a need for a risk assessment to be conducted. What are the risks of allowing this system to operate in production? What are the risks of exposing our system to the internet? What are the risks of storing this data in this system? So a risk assessment is needed. Risk assessment is also done during the modification of mission or business functions and/or mission or business processes, either permanently or for a specified time frame. If an organization decides to modify their business or mission function, there is a need for a risk assessment. If they decide to modify their objective, their mission, or their business function, either temporarily or permanently, there is a need to conduct a risk assessment. What is the risk of doing that? Another instance where we conduct a risk assessment is during the implementation and configuration of security solutions and products. For example, every day I'm involved with configuration, integration into the cloud, bringing in new products, bringing in new software, onboarding vendors. Now, we conduct a risk assessment during the implementation and configuration. What is the risk involved if we decide not to configure this system or this solution in this way? What is the risk if we decide to use another product other than the one actually involved? What is the risk? So there is always the need to conduct a risk assessment during the implementation and configuration of a security solution or product. And then lastly, we conduct a risk assessment during the operation and maintenance phase of a security solution. In RMF, we call it the continuous monitoring phase. We conduct a risk assessment as part of the continuous monitoring strategy or program and ongoing authorization. In these phases, we conduct a risk assessment. What is the risk of continuously using this system?
What is the risk of continuously using the same password over multiple platforms, or the same password over a long period of time? What is the risk of doing that? What is the risk of not disabling your USB ports? What is the risk of leaving your USB ports open? What is the risk of downloading multiple browsers onto your production servers, your production systems? So these are areas where we conduct a risk assessment.

Now, how do we conduct a risk assessment? How do we determine risk? You determine risk through threat identification, vulnerability identification, likelihood determination, impact analysis, and inherent risk determination. So these are the five steps that help us to determine risk. First of all, for us to arrive at risk, we must identify the threats. What are threats? A threat is anything that exploits a vulnerability, that takes advantage of a vulnerability, either intentionally or unintentionally, to destroy it, to modify it, or whatsoever. So that is a threat. And then, what is motivating those threats? Number two, we must also identify vulnerabilities. What are the different vulnerabilities that we have? What is a vulnerability? A vulnerability means a loophole. It means a gap in our security apparatus. What is that gap? So we need to first identify vulnerabilities. For example, if you are missing a security update on your server, that is a vulnerability. That vulnerability, can it be exploited by threats? And then what else do we need to determine? Likelihood. What is likelihood? Likelihood means chance. It means probability. What is the likelihood that something will happen? What is the likelihood that this threat will exploit this vulnerability that has been identified? So likelihood determination is also important. And then we need to determine the impact.
Impact is the magnitude of harm, the severity of damage that can result when the threat exploits the vulnerability. When there's a cyber breach at an organization, what is the impact? What is the level of damage? What is the magnitude of harm caused by that cyber breach? That is known as impact. So the combination of likelihood and impact helps us to arrive at the risk; that is this table you are seeing. So you can see here, we have probability, which is also known as likelihood, on the left-hand side. And then you have impact, which is on the top of this table. So, for example, this is the probability, also known as likelihood. We have low, medium, or high. This is the impact. For impact, we have low, medium, or high. If the impact is low and the likelihood is low, what is the risk? The risk is low. If the impact is medium and the likelihood is medium, what is the risk? The risk is medium. If the impact is medium and the likelihood is high, what is the risk? Medium. If the impact is high and the likelihood is high, what is the risk? High. So risk determination is arrived at when you analyze the threats: you identify the threats, you identify the vulnerabilities, you determine your likelihood, and then you also analyze your impact. More of this will be said in my next video, entirely on risk assessment. So for details of risk assessment, you can consult NIST 800-10, revision one.

In conclusion, once we have calculated inherent risk, which could be either high, medium, or low, we come to the step that causes the most confusion between control and risk assessment. Now, to go from inherent risk to residual risk: what is the difference between inherent risk and residual risk? While we are calculating the risk here, whatsoever risk we determine from here is known as inherent risk. Inherent risk could be either high, medium, or low. Now, what is residual risk?
Residual risk is the risk remaining after you have implemented all the security controls. That is where security controls come in. Security controls come in once you have identified the inherent risk: you identify the inherent risk, you apply the necessary security controls if the existing ones are not enough, and then you have your residual risk. The security controls help to reduce the impact, to reduce the risk. Risk cannot be eliminated. Risk cannot be destroyed. We apply security controls to reduce the impact of any damage. So, we need to identify whether we have a control in place to address the risk. This is where the real value of risk assessment comes into play. If we don't have a control in place, we now have justification for implementing new controls. So, after identifying the inherent risk, we determine if we have enough controls in place, or whether we need to implement new controls, or whether we need to provide compensating controls.

So, lastly, in summary, risk assessment identifies applicable risks, thereby serving to inform control decisions. Control assessment gives us insight into our control performance, which can help with the detailed end of a risk assessment when we need to determine how to treat risk. Both are valuable, related activities, but they are not the same thing. So, risk assessment and control assessment are valuable activities, but they are not the same thing. So, this is what we need to understand when it comes to risk assessment and security control assessment. My next video will center entirely on risk assessment. How do you conduct a risk assessment? I will take you step by step through how you can conduct a risk assessment. What are the processes? What information do you need to look for? What documentation do you need to ask for? And how do you arrive at whether a risk is high, medium, or low? Now, what would be the risk response for every organization? What is the risk response?
So, that is how you conduct a risk assessment. Like I said, if you find this video valuable and helpful, do not hesitate to like it, share it with your friends, and also subscribe to my YouTube channel. This helps us to keep producing and bringing out educational content such as this. I appreciate you guys. If you have any questions, I will dedicate a few minutes to answer them. If you have questions, you can drop them in the chat box before I call it a day. Is anyone there wanting to ask me questions? For more details, if you want to reach out to me, my contact information is in the description of this YouTube video. The description is there. You can send me an email at info at titechconsult.com, and you can also give me a call. Now, for the benefit of some of you who might be joining for the first time, I have a Risk Management Framework (RMF) class that I teach. My upcoming class schedule is on my YouTube channel. You can browse through to see the schedules and which one best suits you. I have the four-week class, which runs on Mondays and Wednesdays, 7 p.m. to 10 p.m. Eastern Standard Time. And then I have the seven-week class, which is entirely on Saturdays, for seven straight Saturdays, 9 a.m. to 1 p.m. Eastern Standard Time. Now, for those who might not be able to join my virtual classes live, I equally have my recorded videos, which are self-paced. You can learn at your own pace. You can pause the videos. You can watch them over again. Now, those are another package for you. Reach out to me about whichever one works for your schedule, so we can discuss the fees and the pricing, and when you wish to start. There are discounts available. You know, I understand our peculiar situations, so there are discounts available. So, give me a call. And thank you very much for always being there for me. Thank you. I appreciate you guys.
Let me see if I can end the chat here. Okay. All right. Thank you, guys. If you have any further questions, please just send me an email when you watch this video. Thank you. And thank you.