MGT442: Information Security Risk Management
This introductory course is designed to provide students with the tools to build a comprehensive risk management program to answer one of the fundamental information security questions: what are top information risks in the organization? Some common risk assessment methodologies will be reviewed and compared in the context of selecting the right risk framework for your organization, but this is not a deep dive risk analysis course. Rather than covering advanced statistical analysis and frequency models, this course provides a roadmap to implement the basic building blocks of an effective risk program to support any level of analysis sophistication as your program matures. Students start by establishing a common terminology for various risk components, and quickly learn an easy to implement taxonomy for describing the various risk factors. An essential step early in the process of implementing a new risk program is to select the right methodology for your organization. This course shows students how to evaluate the various industry supported frameworks, and specifically compares the four most influential approaches: NIST, OCTAVE, ISO, and FAIR.
Next, students will explore each phase of the risk management lifecycle, focusing on techniques that should be used to properly identify, articulate, assess, mitigate, and report on information risk. Students will learn techniques for how to perform risk assessments for new vulnerabilities, control gaps, emerging threats, compliance violations, projects, and how to qualify the current risk level for presentation to executive level management. A common case study will be followed throughout the course to provide students with a richer hands-on experience using risk assessment tools to evaluate the most appropriate risk strategy. Once students have mastered a sensitivity-based risk assessment technique, the course will shift its focus to specific management strategies for building and implementing an information security risk management program.
Hands-on labs and exercises will be assigned to be completed by students individually or in small groups, according to the day's topic. The assignments will follow a progression of a typical risk management process, showing students how to complete each step of a real-world scenario based on the case study and scenarios. Each assignment will be based on the assessment of a fictional organization (such as a government agency, software development company, university, or regional bank) and other instructor-provided scenarios. Once students have learned to apply these techniques to assess risk, the course will focus on mitigation planning and communication of risk to senior management. Along the way, several popular security risk management frameworks and methodologies will be introduced and compared so that students understand how to best leverage existing risk models. The course concludes with a program level roadmap for building a security risk management program from scratch over the course of the first three years. In addition to a program roadmap, students will walk away from this course with basic templates for risk assessments and tracking, security risk profile, exception requests, vendor assessments, and program maturity self-assessments.
|MGT442.1: Designing a Risk Program|
The evening hands-on session allows students to utilize the knowledge gained throughout the course in an instructor-led environment. Each group will have the opportunity to present the results of one risk assessment to the class.
The course begins with an introduction to the basic concepts of risk management as it is applied to information security and the definition of terms and principles which will be used throughout the course. A comparison of the most common risk frameworks follows, in which the class will analyze a risk using three different approaches (NIST, OCTAVE, and FAIR) to demonstrate the advantages of each methodology. A case study will be introduced during this part of the course that students will use throughout the course to get hands-on experience applying the principles and techniques of risk assessment. The day continues with looking at how this all fits into a lifecycle of managing risks and introduces an easy to implement workflow. Students will learn how to take pieces of these various frameworks to build a lifecycle approach to risk management that fits their industry and organization. This includes a deep dive into each step of risk management lifecycle workflow, looking at how to most efficiently manage the on-going assessment of the organization's current risk posture. Students will start by taking the perspective of the risk manager who has to weigh all the risks at an enterprise level, integrate risk management into many aspects of a security program, make risk decisions, and oversee the execution of mitigation plans.
The afternoon of day one jumps right into analyzing risks and learning how to apply basic sensitivity-based risk model to everyday security activities like analyzing vulnerability advisories. The exercises focus on various techniques to qualify and measure risks by rating the severity and likelihood of a given threat/vulnerability pair, and applying the concept of an assets risk sensitivity to provide a complete evaluation of risk exposure.
During the evening session, students will immediately put these concepts into practice through a structured risk assessment exercise in small groups based on a provided case study. This structured and time-boxed exercise will give students a flavor for performing a focused risk assessment based on a template they can take with them. Each group will present their results to the class and have to justify their risk ratings and priorities. The instructor will play the role of senior management to help students develop their ability to explain their analysis and defend their prioritization of the risks.
Students will leave day one with hands-on experience identifying critical assets, rating risk sensitivity of assets, identifying threats, rating the severity and likelihood of particular vulnerability exploits, and describing the risk to the organization.
CPE/CMU Credits: 8
Business Impact Assessment
Selling the Program
|MGT442.2: Operating a Risk Program|
Day two begins with a process to identify and rate internal control standard gaps, including several individual exercises to be completed in small groups based on a fictional case study which step the students through each aspect of qualifying a risk. This includes an approach to assess a third-party provider. Together, the various exercises will resemble several sections of a typical risk assessment report. The final assessment approach, threat modeling, will be explored to demonstrate how this technique to can help to reduce bias during a risk review. Next, students will have the opportunity to learn how to most effectively present the results to senior management.
Day two of the course also shifts the focus from the security manager to the risk manager who has to weigh all the risks at an enterprise level, integrate risk management into many aspects of a security program, make risk decisions, interface with auditors and regulators, present risk metrics to executive management, and oversee the execution of mitigation plans. The course will conclude by showing students how to tie together various aspects of a security program (such as policy, threat and vulnerability management, incident response, security architecture, vendor management, and information security management systems) into one cohesive information risk management program with a normalized view of enterprise risk. Students will leave with a checklist of risk management program essentials and a multiyear implementation roadmap that they can use to self-assess the maturity of an existing program or start building their own program when they return to work.
CPE/CMU Credits: 6
Risk Management Lifecycle
Standards Self Assessment
This Class Requires a Laptop with basic Microsoft Office (or equivalent) and a PDF Reader software.
If you have additional questions about the laptop specifications, please contact email@example.com.
|Who Should Attend|
Really this course is geared towards anyone who is building an information security program, running a threat and vulnerability management function (analyzing new threat or vulnerabilities), performing security assessments, or providing a technology audit function. It is not meant for seasoned risk professionals who are looking for advanced risk analysis techniques.
Students are strongly encouraged to have at least an introductory Information Security course, or equivalent experience, before attempting this course.
|You Will Be Able To|
*CPE/CMU credits not offered for the SelfStudy delivery method