
Cyber Defense Initiative® 2014

Washington, DC | Wed, Dec 10 - Fri, Dec 19, 2014

MGT415: A Practical Introduction to Risk Assessment

Thu, December 11, 2014

Excellent introduction to the area of risk assessment.

Ernie Hernandez, U.S. Navy

A great course to help the info sec pro understand the auditor and vice-versa.

Eric Amos, Harbor Freight Tools

In this course, students will learn the practical skills necessary to perform regular risk assessments for their organizations. The ability to perform a risk assessment is crucial for organizations hoping to defend their systems. There are simply too many threats, too many potential vulnerabilities that could exist, and not enough resources to create an impregnable security infrastructure. Therefore, every organization, whether it does so in an organized manner or not, will make priority decisions on how best to defend its valuable data assets. Risk assessment should be the foundational tool used to facilitate thoughtful and purposeful defense strategies.

Course Syllabus

James Tarala
Thu Dec 11th, 2014
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

  • Understanding Risk
  • How to Perform a Simple Risk Assessment
  • Risk Assessment Case Study
  • Formal Risk Management Models and Tools

Additional Information

Students need to bring a computer to class with Microsoft Office 2007 (or later) installed on it. The ability to open Microsoft Excel files is a must. Students may choose to bring a computer with another spreadsheet program installed on it; however, the tools provided in class have only been thoroughly tested with Microsoft Office products, and certain functionality in the tools will not work properly with other spreadsheet programs. Therefore, it is recommended that students bring a machine with a copy of Microsoft Office 2007 or later installed.

Students must also have full local administrator rights to the computer they bring to class and the ability to fully administer any endpoint protection or security software installed on the computer. Course files will be distributed via a portable USB disk; therefore, students must be able to access USB disks from their computer.

If you have additional questions about the laptop specifications, please contact

  • Security engineers, compliance directors, managers, auditors, and potentially any SANS alumni
  • Auditors
  • Directors of security compliance
  • Information assurance management
  • System administrators

A basic understanding of information security and information security management topics is helpful for students attending this class. However, a strong background in any of these skills is not a prerequisite for the class. In the class, students will be taught a step-by-step approach for performing a risk assessment regardless of their technical information security or management background.

  • Lab 1 - Performing a Simple Risk Assessment
  • Lab 2 - Risk Assessment Case Study
  • Lab 3 - Formal Risk Assessment Tools

You Will Be Able To:

  • Perform a complete risk assessment.
  • Inventory an organization's most critical information assets.
  • Assign a data owner and custodian to an information asset.
  • Assign classification values to critical information assets.
  • Prioritize risk remediation efforts as a result of performing a risk assessment.
  • Evaluate risk management models for use in your own organization.

You Will Learn

  • Students will learn, step by step, how to perform a risk assessment.
  • Students will learn how to map an organization's business requirements to implemented security controls.
  • Students will learn the elements of risk assessment and the data necessary for performing an effective risk assessment.
  • Students will learn which in-depth risk management models exist for implementing a deeper risk management program in their organization.

Other Courses People Have Taken

  • SEC 401 Security Essentials Bootcamp Style
  • SEC 501 Advanced Security Essentials - Enterprise Defender
  • SEC 566 Implementing and Auditing the Twenty Critical Security Controls - In-Depth
  • AUD 507 Auditing Networks, Perimeters, and Systems
  • MGT 512 SANS Security Leadership Essentials For Managers with Knowledge Compression™

  • Courseware for learning how to perform a risk assessment
  • A unique course spreadsheet tool for performing a risk assessment
  • Open source tools for performing a risk assessment

Author Statement

Almost every time we talk with an organization, whether that be a private company or a government agency, we meet people who want to use risk assessment as a tool, but are not actually using it as they could. No organization has enough resources to do everything they would like to defend themselves. At some point a priority decision has to be made. We either make those decisions individually based on whatever need seems to be the most pressing in front of us today, or we take a methodical approach, getting as much input from the business as possible. Risk management is the tool we have available for taking the methodical path.

This course has been written with practicality and usability in mind. Risk models and learning ALE to pass a certification test are fine, but to defend our systems, we need practical skills in risk assessment. This course will teach students the hands-on skills necessary to immediately start using risk assessment as a tool to defend their organization.

- James & Kelli Tarala