Conducting Cybersecurity Risk Assessments - Private Class

Conducted properly, information security risk assessments provide managers with the feedback needed to understand threats to corporate assets, determine vulnerabilities of current controls, and select appropriate safeguards. Performed incorrectly, they can provide the false sense of security that allows potential threats to develop into disastrous losses of proprietary information, capital, and corporate value.

Based on the best practices and approaches detailed in The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition, this course gives you detailed instruction on how to conduct a risk assessment effectively and efficiently.

Trusted to assess security for leading organizations (hospitals, universities, retailers, pharmaceuticals) and government agencies, including the CIA, NSA, and NATO, Douglas Landoll unveils the little-known tips, tricks, and techniques used by savvy security professionals in the field, and details the time-tested methods drawn from that experience.

At the completion of this course attendees will be able to:

·  Better negotiate the scope and rigor of security assessments,

·  Effectively interface with security assessment teams,

·  Effectively assess any security control (administrative, technical, or physical),

·  Gain an improved understanding of final report recommendations, and

·  Deliver insightful comments on draft reports.

This course covers all of the elements of conducting an information security risk assessment from the statement of work to the final report. Walking you through the process of conducting an effective security assessment, it provides the tools and up-to-date understanding you need to select the security measures best suited to your organization.

Lantego Training. Lantego classes are not limited to coverage of regulations and technology. They extend class effectiveness by drawing on real-life examples, infusing INFOSEC principles, and including a workshop day to work directly with attendees on how best to apply the techniques to their organization. Lantego instructors are not only experts at information security but also experts at teaching information security.

Who Should Attend? The Lantego course: Conducting Information Security Risk Assessments will benefit anyone involved in information security. This course is designed for those who want to know more about Information Security Risk Assessments, how to conduct them and how to apply the results to their organization: security consultants, IS auditors, system managers, security compliance professionals, privacy officers, information system security officers/managers, network administrators, and security engineers.

Your Lantego Instructor

Douglas Landoll, CISSP, MBA. Mr. Landoll, author of the best-selling “Security Risk Assessment Handbook”, will be teaching this course. His ability to provide INFOSEC training is unequaled. Mr. Landoll started providing INFOSEC training and exam instruction over 20 years ago, has created custom INFOSEC training for multiple organizations, and has delivered over 180 INFOSEC training classes. He is recognized as a Distinguished Fellow by the ISSA for his outstanding efforts in security education, and by his students for the real-world practical experience he brings to the classroom.

Course Materials

Course materials include course slides, handouts, and a copy of The Information Security Risk Assessment Handbook, Second Edition.

Prior to Class Reading and Homework Assignment

·  Chapter 1: Introduction.

o Complete Questions 1-3.

·  Chapter 2: Security Risk Assessment Basics

o Be prepared to discuss question 3a.

·  Chapter 3: Project Definition

o Be prepared to discuss question 5.

Be prepared for the following discussion:

·  Purpose of an information security risk assessment?

·  When can/should one be performed?

·  Who should perform them?


1.   Introduction: Information Security Risk Assessment (ISRA)

·  Purpose and Use

·  Independence and Objectivity

·  Risk Equation Components (Assets, Threats, Vulnerabilities, Countermeasures)

·  Risk Assessment Components (Scope, Data Gathering, Data Analysis, Recommendations, Reporting)


2.   ISRA Scoping and Planning

·  Scoping and Budgeting an ISRA (Parameters, Controls, Boundaries, Scope-creep)

·  ISRA Subjects (systems, applications)

·  ISRA Project Management (phases, resources, tracking progress, status reporting)

·  Defining ISRA Project and Project Success / Completion (Statement of Work)

·  Exercise: Estimate resources required to complete an information security risk assessment as defined in a public RFP (provided).


3.   Data Gathering Introduction (Chapter 5)

·  Data Gathering Approaches (survey, interview, test)

o Data Gathering Challenges (completeness, accuracy, relevance)

·  RIIOT Data Gathering Approach

o Introduction to RIIOT

o Sampling techniques


4.   Advanced RIIOT Data Gathering (Chapters 6, 7, 8)

·  Review Documents – How to review documents for the 3 C’s

o Exercise: Review Vulnerability scanning report

·  Interview Key Staff – Interview techniques

o Exercise: Mock Interview

·  Inspect Equipment – Inspection Discussion

o Exercise: Inspect Fire / Emergency Controls

·  Observe Behavior – Observation techniques

o Exercise: Create physical walk-through checklist

·  Test Technical Controls – Discussion of security testing tools

o Exercise: TBD

o Homework: Create Data Gathering template for a selected/assigned control


5.   Security Control Frameworks

·  Security Controls

o Administrative, Physical, Technical Controls

·  Security Control Frameworks

o Importance of a framework

o Example frameworks:

·  NIST CyberSecurity Framework

·  NIST 800-53 / NIST 800-171

·  COBIT Version 5

·  ISO 27001/2

o Exercise: Tailoring Frameworks


6.   Quantitative vs. Qualitative Measurements

·  Qualitative Measurements

o Introduction (Ordinal Numbers)

o Application to Security Risk Assessments (Asset Classification, Threat Frequency, Vulnerability Exploitation Likelihood)

o Industry Examples (NIST, HHS)

·  Quantitative Measurements

o Introduction (Cardinal Numbers & Estimation)

o Application to Security Risk Assessments (Asset Valuation, Threat Frequency, Vulnerability Exploitation Probability)

o Exercise: Estimation Calibration Workshop

o Industry Examples: Applied Information Economics, FAIR


7.   Risk Analysis

·  Reviewing Evidence

·  Scenario-based Risk Assessment

o Scenario Frequency/Probability Factors

o Scenario Cost/Damage Factors

o Exercise: Example scenario

·  Control-based Risk Assessment

o Determining Weak and Non-existent Controls

o Determining Control-based risk

o Determining Control-based risk cost/damage

o Exercise: Example control group risk determination


8.   Safeguard Selection

·  Safeguard types (administrative, technical, physical)

·  Determining residual risk

·  Safeguard implementation horizons (near, mid, far)

·  Safeguard costing / estimating

·  Introduction to the “9-cell”

·  Exercise: Brainstorm safeguards for example scenario


9.   Risk Reporting

·  Components of Reporting / Documenting

o Evidence

o Executive Summary / Presentation

o Documenting approach used

o Documenting findings

o Documenting recommendations

