Cyber Security Risk Assessment & Management Training

Level: Intermediate
Course #: 2013


This Cyber Security Risk Assessment and Management course will teach you how to conduct a security risk assessment to protect your organization. You will learn about the laws and regulations that impose strict cyber security requirements on all organizations, and gain the skills to develop a compliance assessment plan and employ a standards-based risk management process while maintaining a satisfactory security posture.

Key Features of this Risk Assessment and Management Training:

After-course instructor coaching benefit

You Will Learn How To:

Implement standards-based, proven methodologies for assessing and managing the risks to your organization’s information infrastructure

Select and implement security controls that ensure compliance with applicable laws, regulations, policies, and directives

Extend security protection to Industrial Control Systems (ICS) and the cloud

Risk Assessment and Management Course Information


Attendees should have a basic knowledge of business processes and technology concepts.

No specialized technical knowledge is assumed.

Risk Assessment and Management Course Outline

Introduction to Risk Assessment and Management

Ensuring compliance with applicable regulatory drivers

Protecting the organization from unacceptable losses

Describing the Risk Management Framework (RMF)

Applying NIST/ISO risk management processes

Characterizing System Security Requirements

Defining the system

Outlining the system security boundary

Pinpointing system interconnections

Incorporating the unique characteristics of Industrial Control Systems (ICS) and cloud-based systems

Identifying security risk components

Estimating the impact of compromises to confidentiality, integrity and availability

Adopting the appropriate model for categorizing system risk

Setting the stage for successful risk management

Documenting critical risk assessment and management decisions in the System Security Plan (SSP)

Appointing qualified individuals to risk governance roles

Selecting Appropriate Security Controls

Assigning a security control baseline

Investigating security control families

Determining the baseline from system security risk

Tailoring the baseline to fit the system

Examining the structure of security controls, enhancements and parameters

Binding control overlays to the selected baseline

Gauging the need for enhanced assurance

Distinguishing system-specific, compensating and non-applicable controls

Reducing Risk Through Effective Control Implementation

Specifying the implementation approach

Maximizing security effectiveness by “building in” security

Reducing residual risk in legacy systems via “bolt-on” security elements

Applying NIST/ISO controls

Enhancing system robustness through selection of evaluated and validated components

Coordinating implementation approaches to administrative, operational and technical controls

Providing evidence of compliance through supporting artifacts

Assessing Compliance Scope and Depth

Developing an assessment plan

Prioritizing depth of control assessment

Optimizing validation through sequencing and consolidation

Verifying compliance through tests, interviews and examinations

Formulating an authorization recommendation

Evaluating overall system security risk

Mitigating residual risks

Publishing the Plan of Action and Milestones (POA&M), the risk assessment and recommendation

Authorizing System Operation

Aligning authority and responsibility

Quantifying organizational risk tolerance

Elevating authorization decisions in high-risk scenarios

Forming a risk-based decision

Appraising system operational impact

Weighing residual risk against operational utility

Issuing Authority to Operate (ATO)

Maintaining Continued Compliance

Justifying continuous reauthorization

Measuring impact of changes on system security posture

Executing effective configuration management

Performing periodic control reassessment

Preserving an acceptable security posture

Delivering initial and routine follow-up security awareness training

Collecting on-going security metrics

Implementing vulnerability management, incident response and business continuity processes