Cyber Security Risk Assessment & Management Course

24h
Objective

After completing this Cyber Security Risk Assessment & Management course, you will be able to:

  • Implement a proven, standards-based methodology to assess and manage the risks to your organization's information infrastructure
  • Apply Operational Risk Management (ORM) to information systems
  • Institute actionable security mechanisms with measurable results
  • Select and tailor security controls that meet requirements
  • Maintain an acceptable security posture throughout the system life cycle
Target Audience
  • Ideal for anyone in a position of responsibility for the development, acquisition, operation and maintenance of an information system.

Materials
English/Portuguese/Hands-on Lab
Course Content

Introduction to Risk Assessment and Management

  1. Ensuring compliance with applicable regulatory drivers
  2. Protecting the organization from unacceptable losses
  3. Describing the Risk Management Framework (RMF)
  4. Applying NIST/ISO risk management processes

Characterizing System Security Requirements

  • Defining the system
    1. Prescribing the system security boundary
    2. Pinpointing system interconnections
    3. Incorporating the unique characteristics of Industrial Control Systems (ICS) and cloud-based systems
  • Identifying security risk components
    1. Estimating the impact of compromises to confidentiality, integrity and availability
    2. Adopting the appropriate model for categorizing system risk
  • Setting the stage for successful risk management
    1. Documenting critical risk assessment and management decisions in the System Security Plan (SSP)
    2. Appointing qualified individuals to risk governance roles

Selecting Appropriate Security Controls

  • Assigning a security control baseline
    1. Investigating security control families
    2. Determining the baseline from system security risk
  • Tailoring the baseline to fit the system
    1. Examining the structure of security controls, enhancements and parameters
    2. Binding control overlays to the selected baseline
    3. Gauging the need for enhanced assurance
    4. Distinguishing system-specific, compensating and non-applicable controls

Reducing Risk Through Effective Control Implementation

  • Specifying the implementation approach
    1. Maximizing security effectiveness by “building in” security
    2. Reducing residual risk in legacy systems via “bolt-on” security elements
  • Applying NIST/ISO controls
    1. Enhancing system robustness through selection of evaluated and validated components
    2. Coordinating implementation approaches to administrative, operational and technical controls
    3. Providing evidence of compliance through supporting artifacts

Assessing Compliance Scope and Depth

  • Developing an assessment plan
    1. Prioritizing depth of control assessment
    2. Optimizing validation through sequencing and consolidation
    3. Verifying compliance through tests, interviews and examinations
  • Formulating an authorization recommendation
    1. Evaluating overall system security risk
    2. Mitigating residual risks
    3. Publishing the Plan of Action and Milestones (POA&M), the risk assessment and recommendation

Authorizing System Operation

  • Aligning authority and responsibility
    1. Quantifying organizational risk tolerance
    2. Elevating authorization decisions in high-risk scenarios
  • Forming a risk-based decision
    1. Appraising system operational impact
    2. Weighing residual risk against operational utility
    3. Issuing Authority to Operate (ATO)

Maintaining Continued Compliance

  • Justifying continuous reauthorization
    1. Measuring impact of changes on system security posture
    2. Executing effective configuration management
    3. Performing periodic control reassessment
  • Preserving an acceptable security posture
    1. Delivering initial and routine follow-up security awareness training
    2. Collecting on-going security metrics
    3. Implementing vulnerability management, incident response and business continuity processes