Description
- For many years a large number of industries and special interest groups have created cybersecurity standards. All of these standard frameworks have been designed around a series of risk-mitigating controls. In 2018, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework, which provided a risk-based approach to controls and consolidated programmatic and technical controls into an easy-to-understand management framework. Using this framework to conduct a Risk Assessment gives organizations an organized and flexible approach.
- NIST Critical Infrastructure Cybersecurity Framework Version 1.1
- NIST SP 800-30 Guide for Conducting Risk Assessments
- NIST SP 800-37 Risk Management Framework for Information Systems and Organizations
- NIST SP 800-39 Managing Information Security Risk: Organization, Mission and Information System View
- NIST SP 800-53R5 (Draft) Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-53R4 Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Prerequisites: Introduction to Information Security (ISG101)
Advance Preparation: None
Learning Level: Advanced
Field of Study: Information Technology
Delivery Method: Group-Live
What you will learn
Day 1 Agenda
1. Introduction to Risk Management
a. Key risk concepts
b. Risk management hierarchy
c. IT cybersecurity and risk management governance
d. Application of risk assessments
e. The risk management process: risk identification; analysis; evaluation; response; monitoring and reporting
2. Introduction to the NIST family of publications
a. Overview
b. Controls publications
i. NIST Critical Infrastructure Cybersecurity Framework
ii. NIST SP 800-53 R4 and R5
c. Risk oriented publications
i. NIST SP 800-30 Guide for conducting risk assessments
ii. NIST SP 800-37 Risk management framework
iii. NIST SP 800-39 Managing information security risk
iv. NIST SP 800-161 Supply Chain Risk Management
3. Understanding the NIST Cybersecurity Framework
a. Overview of control categories
i. Identify
ii. Protect
iii. Detect
iv. Respond
v. Recover
b. Selection of controls
c. Integration with NIST SP 800-53
4. Preparing for an IT Risk Assessment
a. Key elements to be included in an IT Risk Assessment
b. Determining critical / key stakeholders and their roles
c. Establishing context / purpose
d. Determining scope
e. Assumptions and constraints
f. Identification of information sources
g. Selection of IT Risk Models
i. Qualitative, quantitative or semi-quantitative
ii. Scenario based
Day 2 Agenda
5. Threat Determination
a. Sources, events, etc.
6. IT Risk Identification
a. Identification of assets and their value to the organization
b. Selection of controls for security and privacy
c. Determining significance of controls
7. IT Risk Analysis
a. Comparing and selecting an approach to be used for analysis
b. Evaluating controls implementation
c. Documenting controls
d. Determination of vulnerabilities
e. Developing threat-vulnerability pairs
f. Helpful tools to assist
8. Evaluation of IT Risks
a. Likelihood determination
b. Identifying "impact criteria" and their importance to the organization
c. Assessment of risk levels
9. IT Risk Response
a. Prioritizing, categorizing, and documenting information risks
b. Determining acceptability of risks
c. Creating an action or risk mitigation plan based on cost-benefit analysis
10. IT Risk Reporting
a. Communicating assessment results
b. Development of a Risk Matrix
c. Metrics
d. Executive and Board Reporting
Day 3 Agenda
11. Risk Monitoring
a. Determination of risk cycle
b. Maintaining the IT Risk Assessment
c. Identification of key controls or risk indicators for ongoing monitoring
d. Development of a Risk Register
e. Tracking action or mitigation plans
f. Development of metrics
12. Managing Risk in the Cloud
13. Supply Chain Risk Management (SCRM)
a. Understanding the constraints of SCRM
b. SCRM threats and threat analysis
c. Integration of SCRM into organizational risk management hierarchy
d. Developing the SCRM Plan(s) based on risk
e. Baseline controls for SCRM
14. Using risk management and the cybersecurity framework for continuous improvement
a. Roadmap development