IT Security Risk Management

Course Objectives:

The goal of Security Risk Management is to teach you practical techniques that will be used on a daily basis, while also explaining the fundamentals so you understand the rationale behind these practices. Security professionals often fall into the trap of telling the business that they need to fix something, but they can't explain why. This course will help you break free from the so-called "best practices" argument by articulating risk exposures in business terms. You will learn techniques for performing risk assessments for new IT projects, efficiently managing daily risk activities, and qualifying the current risk level for presentation to executive-level management. While other courses focus entirely on risk analysis methods, this is the first comprehensive guide to managing security risks.

- Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
- Explores each phase of the risk management lifecycle, focusing on the policies and assessment processes that should be used to properly assess and mitigate risk
- Presents a roadmap for designing and implementing a security risk management program

Learn how to:

- use a Security Risk Profile
- use the Qualitative Risk Scale
- use Architectural Risk Analysis
- identify Threats and Vulnerabilities
1.0 Introduction
- Seminar member introduction and overview of course material

2.0 The Security Evolution
- Introduction
- How We Got Here
- A Risk-Focused Future
- Information Security Fundamentals
- The Death of Information Security

3.0 Risky Business
- Introduction
- Applying Risk Management to Information Security
- Business-Driven Security Program
- Security as an Investment
- Qualitative versus Quantitative

4.0 The Risk Management Lifecycle
- Introduction
- Stages of the Risk Management Lifecycle
- Business Impact Assessment
- A Vulnerability Assessment Is Not a Risk Assessment
- Making Risk Decisions
- Mitigation Planning and Long-Term Strategy
- Process Ownership

5.0 Risk Profiling
- Introduction
- How Risk Sensitivity Is Measured
- Asking the Right Questions
- Assessing Risk Appetite

6.0 Formulating a Risk
- Introduction
- Breaking Down a Risk
- Who or What Is the Threat?

7.0 Risk Exposure Factors
- Introduction
- Qualitative Risk Measures
- Risk Assessment

8.0 Security Controls and Services
- Introduction
- Fundamental Security Services
- Recommended Controls

9.0 Risk Evaluation and Mitigation Strategies
- Introduction
- Risk Evaluation
- Risk Mitigation Planning
- Policy Exceptions and Risk Acceptance

10.0 Reports and Consulting
- Introduction
- Risk Management Artifacts
- A Consultant's Perspective
- Writing Audit Responses

11.0 Risk Management Techniques
- Introduction
- Operational Assessments
- Project-Based Assessments
- Third-Party Assessments

12.0 Threat and Vulnerability Management
- Introduction
- Building Blocks
- Threat Identification
- Advisories and Testing
- An Efficient Workflow
- The FAIR Approach

13.0 Security Risk Reviews
- Introduction
- Assessing the State of Compliance
- Implementing a Process
- Process Optimization: A Review of Key Points
- The NIST Approach

14.0 A Blueprint for Security
- Introduction
- Risk in the Development Lifecycle
- Security Architecture
- Patterns and Baselines
- Architectural Risk Analysis

15.0 Building a Program from Scratch
- Introduction
- Designing a Risk Program
- Prerequisites for a Risk Management Program
- Risk at the Enterprise Level
- Linking the Program Components
- Program Roadmap