Cyber Security Risk Assessment & Management

Created by LEC Team
Last updated Mon, 27-Mar-2023

Attendees should have a basic knowledge of business processes and technology concepts. No specialised technical knowledge is assumed.


Course Objectives:

  • Implement standards-based, proven methodologies for assessing and managing the risks to your organization's information infrastructure

  • Select and implement security controls that ensure compliance with applicable laws, regulations, policies, and directives

  • Extend security protection to Industrial Control Systems (ICS) and the cloud

Day 1
Introduction to Risk Assessment and Management

  • Ensuring compliance with applicable regulatory drivers

  • Protecting the organisation from unacceptable losses

  • Describing the Risk Management Framework (RMF)

  • Applying NIST/ISO risk management processes

Characterising System Security Requirements

Defining the system

  • Outlining the system security boundary

  • Pinpointing system interconnections

  • Incorporating the unique characteristics of Industrial Control Systems (ICS) and cloud-based systems

Identifying security risk components

  • Estimating the impact of compromises on confidentiality, integrity and availability

  • Adopting the appropriate model for categorising system risk

Setting the stage for successful risk management

  • Documenting critical risk assessment and management decisions in the System Security Plan (SSP)

  • Appointing qualified individuals to risk governance roles



Day 2
Selecting Appropriate Security Controls

Assigning a security control baseline

  • Investigating security control families

  • Determining the baseline from system security risk

Tailoring the baseline to fit the system

  • Examining the structure of security controls, enhancements and parameters

  • Binding control overlays to the selected baseline

  • Gauging the need for enhanced assurance

  • Distinguishing system-specific, compensating and non-applicable controls



Day 3
Reducing Risk Through Effective Control Implementation

Specifying the implementation approach

  • Maximising security effectiveness by "building in" security

  • Reducing residual risk in legacy systems via "bolt-on" security elements

Developing an assessment plan

  • Prioritising depth of control assessment

  • Optimising validation through sequencing and consolidation

  • Verifying compliance through tests, interviews and examinations

Formulating an authorisation recommendation

  • Evaluating overall system security risk

  • Mitigating residual risks

  • Publishing the Plan of Action and Milestones (POA&M), the risk assessment and recommendation



Day 4
Authorising System Operation

Aligning authority and responsibility

  • Quantifying organisational risk tolerance

  • Elevating authorisation decisions in high-risk scenarios

Forming a risk-based decision

  • Appraising system operational impact

  • Weighing residual risk against operational utility

  • Issuing Authority to Operate (ATO)



Day 5
Maintaining Continued Compliance

Justifying continuous reauthorisation

  • Measuring impact of changes on system security posture

  • Executing effective configuration management

  • Performing periodic control reassessment

Preserving an acceptable security posture

  • Delivering initial and routine follow-up security awareness training

  • Collecting on-going security metrics

  • Implementing vulnerability management, incident response and business continuity processes

