NIST Cybersecurity Framework and Risk Management - ISG370

Description

For many years a large number of industries and special interest groups have created cybersecurity standards. All of these standard frameworks have been designed with a series of risk-mitigating controls. In 2018, the National Institute of Standards and Technology (NIST) released the Cybersecurity Framework, which provided a risk-based approach to controls that consolidated programmatic and technical controls in an easy-to-understand management framework. Use of this framework to conduct a Risk Assessment provides an organized and flexible approach for organizations.
Risk Management is the primary process organizations use to determine their current capability to identify, manage and respond to risk. A properly conducted IT risk assessment gives organizations the best depiction of their ability to maintain the confidentiality, integrity and availability of their information assets.
Conducting an IT Risk Assessment requires a consistent and repeatable process to identify and evaluate technology risks and their potential outcomes (both positive and negative). NIST has developed an IT Risk Management process to complement the cybersecurity framework to assist organizations in this endeavor.
This course will focus on using the NIST methodology and cybersecurity framework controls to conduct an IT Risk Assessment. Some of the NIST standards that will be referenced during this course include:
  • NIST Critical Infrastructure Cybersecurity Framework Version 1.1
  • NIST SP 800-30 Guide for Conducting Risk Assessments
  • NIST SP 800-37 Risk Management Framework for Information Systems and Organizations
  • NIST SP 800-39 Managing Information Security Risk: Organization, Mission and Information System View
  • NIST SP 800-53R5 (Draft) Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-53R4 Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Participants attending this course will leave with the skills necessary to initiate, plan, execute and control the adoption and integration of their own cybersecurity management system. At the end of the session, attendees will understand where and how to apply the NIST standards. Participants will be able to select and apply the appropriate standards to conduct an IT risk assessment for their organization.

Prerequisites: Introduction to Information Security (ISG101)

Advance Preparation: None
Learning Level: Advanced
Field of Study: Information Technology
Delivery Method: Group-Live

What you will learn

Day 1 Agenda

1. Introduction to Risk Management
a. Key risk concepts
b. Risk management hierarchy
c. IT cybersecurity and risk management governance
d. Application of risk assessments
e. The risk management process: risk identification; analysis; evaluation; response; monitoring and reporting
2. Introduction to the NIST family of publications
a. Overview
b. Controls publications
i. NIST Critical Infrastructure Cybersecurity Framework
ii. NIST SP 800-53 R4 and R5
c. Risk oriented publications
i. NIST SP 800-30 Guide for conducting risk assessments
ii. NIST SP 800-37 Risk management framework
iii. NIST SP 800-39 Managing information security risk
iv. NIST SP 800-161 Supply Chain Risk Management
3. Understanding the NIST Cybersecurity Framework
a. Overview of control categories
i. Identify
ii. Protect
iii. Detect
iv. Respond
v. Recover
b. Selection of controls
c. Integration with NIST SP 800-53
4. Preparing for an IT Risk Assessment
a. Key elements to be included in an IT Risk Assessment
b. Determining critical / key stakeholders and their roles
c. Establishing context / purpose
d. Determining scope
e. Assumptions and constraints
f. Identification of information sources
g. Selection of IT Risk Models
i. Qualitative, quantitative or semi-quantitative
ii. Scenario based

Day 2 Agenda

5. Threat Determination
a. Sources, events, etc.
6. IT Risk Identification
a. Identification of assets and their value to the organization
b. Selection of controls for security and privacy
c. Determining significance of controls
7. IT Risk Analysis
a. Comparing and selecting an approach to be used for analysis
b. Evaluating controls implementation
c. Documenting controls
d. Determination of vulnerabilities
e. Developing threat-vulnerability pairs
f. Helpful tools to assist
8. Evaluation of IT Risks
a. Likelihood determination
b. Identifying "impact criteria" and their importance to the organization
c. Assessment of risk levels
9. IT Risk Response
a. Prioritizing, categorizing, and documenting information risks
b. Determining acceptability of risks
c. Creating an action or risk mitigation plan based on cost-benefit analysis
10. IT Risk Reporting
a. Communicating assessment results
b. Development of a Risk Matrix
c. Metrics
d. Executive and Board Reporting

Day 3 Agenda

11. Risk Monitoring
a. Determination of risk cycle
b. Maintaining the IT Risk Assessment
c. Identification of key controls or risk indicators for ongoing monitoring
d. Development of a Risk Register
e. Tracking action or mitigation plans
f. Development of metrics
12. Managing Risk in the Cloud
13. Supply Chain Risk Management (SCRM)
a. Understanding the constraints of SCRM
b. SCRM threats and threat analysis
c. Integration of SCRM into organizational risk management hierarchy
d. Developing the SCRM Plan(s) based on risk
e. Baseline controls for SCRM
14. Using risk management and the cybersecurity framework for continuous improvement
a. Roadmap development

Further information

Provider: ACI Learning
Duration: 4 Days

Contact Information

ACI Learning

6855 S. Havana St.
Suite 230
Centennial
80112 USA
