2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA
Length:
77 minutes
Released:
Oct 30, 2019
Format:
Podcast episode
Description
OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE
https://www.owasp.org/index.php/Women_In_AppSec
OWASP Women in AppSec Twitter: 2013_Nayak (reach out and ask to be added)
https://www.tagnw.org/events/

Risk in Infosec
Risk - a situation which involves extreme danger and an extensive amount of unrecovered loss
What about risks that are positive in nature? PMP calls them 'opportunities'
Risk Analysis - systematic examination of the components and characteristics of risk

Analysis Steps - Understanding and Assessment
Understand there is a risk
What if a company does not have security standards?

Identification
Identify and categorize risk - Informational risk, Network risk, Hardware risk, Software risk, Environment risk?
https://en.wikipedia.org/wiki/Routine_activity_theory
Scope of risk analysis?
Threat modeling to find risks? https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
SWOT (strength/weakness/opportunities/threats) analysis will discover risks?
Risk analysis methodologies?
https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
https://securityscorecard.com/blog/it-security-risk-assessment-methodology
https://en.wikipedia.org/wiki/Probabilistic_risk_assessment
https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration

Estimation
Chance that the risk will occur (once a decade, once a week)
Design controls to remediate

Implementation
Risk assessment is a combined approach
Combined approach for a risk analysis
You mentioned a lot of people, what's the scope?
How do you do the risk assessment? Framework?

Evaluation
Evaluation approach
Like an agile approach
Provides an informed conclusion
Report must be clear (no jargon)

Decision Making
Examples to Reduce Risk
Training and education - what kind of testing? Annual security training?
Publishing policies
Agreement with organization
BAA with 3rd parties
Timely testing -
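The show notes walk through identification, estimation ("once a decade, once a week"), evaluation and a plain-language report as steps of one risk analysis. The following is an added example, not material from the episode or its guest: a toy risk register that turns those frequency phrases into an expected number of events per year, combines them with an assumed loss per event, ranks the risks, and produces a jargon-free summary with the proposed control beside each one. The categories come from the notes; the extra frequency phrases ("once a year", "once a month"), the loss figures and the sample risks are constructed assumptions.

```python
"""Toy risk register for the Identification -> Estimation -> Evaluation steps.

Constructed example: the risks, loss figures and frequency table below are
assumptions for illustration, not figures from the podcast episode.
"""
from dataclasses import dataclass

# Frequency phrases mapped to expected events per year (assumed values).
FREQUENCY_PER_YEAR = {
    "once a decade": 0.1,
    "once a year": 1.0,
    "once a month": 12.0,
    "once a week": 52.0,
}


@dataclass
class Risk:
    name: str
    category: str          # informational / network / hardware / software / environment
    frequency: str         # one of the phrases in FREQUENCY_PER_YEAR
    loss_per_event: float  # estimated unrecovered loss per occurrence (assumed)
    control: str           # candidate control designed to remediate the risk

    def annual_rate(self) -> float:
        """Estimation step: expected number of occurrences per year."""
        if self.frequency not in FREQUENCY_PER_YEAR:
            raise ValueError(f"unknown frequency phrase: {self.frequency!r}")
        return FREQUENCY_PER_YEAR[self.frequency]

    def annual_loss(self) -> float:
        """Expected loss per year = rate of occurrence x loss per event."""
        return self.annual_rate() * self.loss_per_event


def rank_risks(register):
    """Evaluation step: order risks by expected annual loss, largest first."""
    return sorted(register, key=lambda r: r.annual_loss(), reverse=True)


def plain_language_report(register):
    """Decision-making step: one jargon-free line per risk, most severe first."""
    lines = []
    for r in rank_risks(register):
        lines.append(
            f"{r.category}: {r.name} - expected about {r.annual_rate():g} times a year, "
            f"roughly ${r.annual_loss():,.0f} a year; proposed control: {r.control}"
        )
    return lines


# Constructed sample register (names, frequencies and losses are assumptions).
SAMPLE_REGISTER = [
    Risk("phishing leads to credential theft", "informational", "once a week",
         2_000, "annual security training"),
    Risk("unpatched server compromised", "software", "once a year",
         80_000, "timely testing and patching"),
    Risk("datacenter flood", "environment", "once a decade",
         500_000, "offsite backups"),
]

if __name__ == "__main__":
    for line in plain_language_report(SAMPLE_REGISTER):
        print(line)
```

The point of the ranking is that a frequent low-cost event (weekly phishing) can outweigh a rare catastrophic one (a once-a-decade flood) once frequency is folded in, which is why the estimation step asks "how often" before controls are chosen.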