
Management 442 - BETA

Washington, DC | Fri, Apr 19 - Sat, Apr 20, 2013

MGT442: Information Security Risk Management Beta


This introductory course gives students the tools to build a comprehensive risk management program that answers one of the fundamental information security questions: what are the top information risks in the organization? Common risk assessment methodologies are reviewed and compared in the context of selecting the right risk framework for your organization, but this is not a deep-dive risk analysis course. Rather than covering advanced statistical analysis and frequency models, it provides a roadmap for implementing the basic building blocks of an effective risk program, one that can support any level of analytical sophistication as the program matures. Students start by establishing a common terminology for the various risk components and quickly learn an easy-to-implement taxonomy for describing risk factors. An essential early step in implementing a new risk program is selecting the right methodology for your organization, so the course shows students how to evaluate the industry-supported frameworks and specifically compares the four most influential approaches: NIST, OCTAVE, ISO, and FAIR.

Next, students explore each phase of the risk management lifecycle, focusing on the techniques used to properly identify, articulate, assess, mitigate, and report on information risk. Students learn how to perform risk assessments of new vulnerabilities, control gaps, emerging threats, compliance violations, and projects, and how to qualify the current risk level for presentation to executive management. A common case study is followed throughout the course so that students get hands-on experience using risk assessment tools to evaluate the most appropriate risk strategy. Once students have mastered a sensitivity-based risk assessment technique, the course shifts its focus to specific management strategies for building and implementing an information security risk management program.

Hands-on labs and exercises are assigned to be completed individually or in small groups, according to the day's topic. The assignments follow the progression of a typical risk management process, showing students how to complete each step of a real-world scenario. Each assignment is based on the assessment of a fictional organization (such as a government agency, software development company, university, or regional bank) or another instructor-provided scenario. Once students have learned to apply these techniques to assess risk, the course turns to mitigation planning and the communication of risk to senior management. Along the way, several popular security risk management frameworks and methodologies are introduced and compared so that students understand how best to leverage existing risk models. The course concludes with a program-level roadmap for building a security risk management program from scratch over its first three years. In addition to the roadmap, students walk away with basic templates for risk assessments and risk tracking, a security risk profile, exception requests, vendor assessments, and program maturity self-assessments.

Course Syllabus

Evan Wheeler
Fri Apr 19th, 2013
8:00 AM - 7:00 PM

Evening Session:

The evening hands-on session allows students to utilize the knowledge gained throughout the course in an instructor-led environment. Each group will have the opportunity to present the results of one risk assessment to the class.


The course begins with an introduction to the basic concepts of risk management as applied to information security, and with definitions of the terms and principles used throughout the course. A comparison of the most common risk frameworks follows, in which the class analyzes one risk using three different approaches (NIST, OCTAVE, and FAIR) to demonstrate the advantages of each methodology. A case study is introduced during this part of the course that students use for the rest of the course to get hands-on experience applying the principles and techniques of risk assessment. The day continues by looking at how this all fits into a lifecycle for managing risks and introduces an easy-to-implement workflow. Students learn how to take pieces of the various frameworks and build a lifecycle approach to risk management that fits their industry and organization, including a deep dive into each step of the lifecycle workflow and how to most efficiently manage the ongoing assessment of the organization's current risk posture. On day one students take the perspective of the security manager assessing individual risks; day two shifts to the risk manager who has to weigh all the risks at an enterprise level, integrate risk management into many aspects of a security program, make risk decisions, and oversee the execution of mitigation plans.

The afternoon of day one jumps right into analyzing risks and learning how to apply a basic sensitivity-based risk model to everyday security activities such as analyzing vulnerability advisories. The exercises focus on techniques for qualifying and measuring risk by rating the severity and likelihood of a given threat/vulnerability pair, then applying the asset's risk sensitivity to arrive at a complete evaluation of risk exposure.

During the evening session, students immediately put these concepts into practice through a structured, time-boxed risk assessment exercise performed in small groups on the provided case study. The exercise gives students a feel for performing a focused risk assessment using a template they can take with them. Each group presents its results to the class and must justify its risk ratings and priorities, with the instructor playing the role of senior management to help students develop their ability to explain their analysis and defend their prioritization of the risks.

Students will leave day one with hands-on experience identifying critical assets, rating risk sensitivity of assets, identifying threats, rating the severity and likelihood of particular vulnerability exploits, and describing the risk to the organization.

  • Scenario Discussion - Database Encryption
  • Scenario Discussion - Data Backup Failures
  • Scenario Discussion - Data Center Access Restrictions
  • Scenario Discussion - Default Configurations
  • Scenario Discussion - Distributed Denial of Service Attack
  • Scenario Discussion - Policy Violations & Sensitivity
  • Scenario Discussion - Backup Media in Transit
  • Scenario Discussion - Single Internet Provider
  • Issue Force Ranking
  • Inventory Analysis
  • Disruption Analysis
  • Profile the Asset from the Case Study
  • Assess Vulnerability Advisories
  • Perform a Short Risk Assessment of Sample Organization in Groups
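As an added illustration of the sensitivity-based rating and advisory triage described above (this is not course material from MGT442 or its author; the four-point scales, the combining rule of severity times likelihood times asset sensitivity, the likelihood heuristic and the sample assets and advisories are all assumptions made for the example), the following Python rates a small batch of constructed advisories against an asset inventory and force-ranks the resulting exposures. It shows the effect the model is designed to produce: a "critical" advisory on a low-sensitivity asset ranks below a "high" advisory on a critical one.

```python
"""Sensitivity-based rating of vulnerability advisories against an asset inventory.

Added illustration, not code from MGT442 or its author. The four-point scales,
the combination rule (exposure = severity x likelihood x asset sensitivity),
the likelihood heuristic and the sample data below are all assumptions made
for this example; a real program defines its own scales once and reuses them.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scale shared by severity, likelihood and asset sensitivity.
LEVELS = ("low", "moderate", "high", "critical")
SCALE = {name: value for value, name in enumerate(LEVELS, start=1)}


@dataclass(frozen=True)
class Asset:
    """One row of the resource inventory plus its security risk profile."""
    name: str
    sensitivity: str          # from the asset's risk profile, a value of LEVELS
    internet_facing: bool
    software: frozenset       # installed products, matched against advisories


@dataclass(frozen=True)
class Advisory:
    """The fields a triage analyst pulls out of a vendor security advisory."""
    ident: str
    product: str
    severity: str             # vendor/analyst severity, a value of LEVELS
    remote: bool              # exploitable over the network, no local access needed
    exploit_public: bool      # working exploit code is publicly available


def likelihood(adv: Advisory, asset: Asset) -> Optional[str]:
    """Qualitative likelihood that this threat/vulnerability pair is realized
    on this asset, or None when the advisory does not apply to the asset.

    Heuristic (assumed): public exploit code raises the rating one step; a
    remote flaw raises it one step, or two on an internet-facing asset.
    """
    if adv.product not in asset.software:
        return None
    score = 1
    if adv.exploit_public:
        score += 1
    if adv.remote:
        score += 2 if asset.internet_facing else 1
    return LEVELS[min(score, len(LEVELS)) - 1]


def exposure(adv: Advisory, asset: Asset) -> Optional[int]:
    """Risk exposure = severity x likelihood x sensitivity (1..64), or None if N/A."""
    lk = likelihood(adv, asset)
    if lk is None:
        return None
    return SCALE[adv.severity] * SCALE[lk] * SCALE[asset.sensitivity]


def disposition(score: int) -> str:
    """Map an exposure score to a workflow decision (thresholds assumed)."""
    if score >= 32:
        return "remediate now"
    if score >= 16:
        return "schedule in next patch cycle"
    return "track"


def force_rank(advisories, assets):
    """Issue force ranking: every applicable (advisory, asset) pair, highest exposure first."""
    rows = []
    for adv in advisories:
        for asset in assets:
            score = exposure(adv, asset)
            if score is not None:
                rows.append((score, adv.ident, asset.name, disposition(score)))
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample inventory and advisories (hypothetical identifiers, not real CVEs).
SAMPLE_ASSETS = (
    Asset("customer-db", "critical", False, frozenset({"postgres", "openssl"})),
    Asset("public-web", "moderate", True, frozenset({"nginx", "openssl"})),
    Asset("dev-wiki", "low", False, frozenset({"mediawiki"})),
)
SAMPLE_ADVISORIES = (
    Advisory("ADV-1", "openssl", "high", remote=True, exploit_public=True),
    Advisory("ADV-2", "postgres", "critical", remote=False, exploit_public=False),
    Advisory("ADV-3", "mediawiki", "critical", remote=True, exploit_public=True),
)


def rank_sample():
    """Rank the constructed sample; the 'critical' wiki advisory lands last."""
    return force_rank(SAMPLE_ADVISORIES, SAMPLE_ASSETS)


if __name__ == "__main__":
    for score, adv, asset, action in rank_sample():
        print(f"{score:>3}  {adv:<6} {asset:<12} {action}")
```

The point of separating likelihood from sensitivity is that the same advisory produces different exposures on different assets: ADV-1 scores higher on the non-internet-facing customer database than on the internet-facing web server purely because the database's sensitivity rating is higher, and the critical-severity wiki flaw ranks last because the wiki is rated low sensitivity. The thresholds in `disposition` are where a program encodes its risk appetite and should be agreed with management before the workflow goes live.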

CPE/CMU Credits: 8


Program Foundations

  • Risk Methodologies
  • Answering Risk Questions
  • Gathering Risk Data
  • Program Foundation
  • Resource Inventory

Risk Models

  • Goals of Risk Management
  • Choosing a Risk Model
  • Expressing Risk
  • Rating Program Maturity
  • Measuring Risk
  • Assessment Approaches
  • Industry Risk Models
  • OCTAVE Allegro
  • FAIR
  • ISO 27005

Business Impact Assessment

  • Risk Ecosystem
  • Sensitivity-based Risk Model
  • Severity
  • Likelihood
  • Risk Exposure
  • Resource Profiling
  • Security Risk Profile

Vulnerability Management

  • Managing Vulnerabilities
  • Security Advisory Sources
  • Asset & Data Inventory
  • Defining Risk Scales
  • Rating Vulnerabilities
  • Simple Qualitative Approach
  • Defining a Workflow
  • Security Content Automation Protocol

Selling the Program

  • Program Goals
  • Pitfalls to Avoid
  • Risk Management Phases
  • Design Approaches
  • Selecting the Best Fit
  • NIST Approach
  • OCTAVE Approach
  • Program Documentation
  • Program Roadmap

Evan Wheeler
Sat Apr 20th, 2013
9:00 AM - 5:00 PM


Day two begins with a process for identifying and rating gaps against internal control standards, including several exercises, completed individually or in small groups and based on the fictional case study, that step students through each aspect of qualifying a risk. This includes an approach for assessing a third-party provider. Together, the exercises resemble several sections of a typical risk assessment report. The final assessment approach, threat modeling, is explored to demonstrate how the technique can help reduce bias during a risk review. Finally, students learn how to most effectively present the results to senior management.

Day two also shifts the focus from the security manager to the risk manager who has to weigh all the risks at an enterprise level, integrate risk management into many aspects of a security program, make risk decisions, interface with auditors and regulators, present risk metrics to executive management, and oversee the execution of mitigation plans. The course concludes by showing students how to tie together the various aspects of a security program (such as policy, threat and vulnerability management, incident response, security architecture, vendor management, and information security management systems) into one cohesive information risk management program with a normalized view of enterprise risk. Students leave with a checklist of risk management program essentials and a multiyear implementation roadmap they can use either to self-assess the maturity of an existing program or to start building their own program when they return to work.

  • Scenario Discussion - Policy Assessment
  • Initial Findings from the Case Study
  • Re-Rate the Findings from the Case Study
  • Mitigation Plan from the Case Study
  • Is it a Threat?
  • OCTAVE Threat Profiling

CPE/CMU Credits: 6


Risk Management Lifecycle

  • Lifecycle Approach
  • Resource Profiling
  • Risk Assessment vs. Vulnerability Assessment
  • Risk Evaluation
  • Risk Mitigation Planning
  • Process Ownership

Standards Self Assessment

  • Finding the Right Balance of Security vs. Risk
  • Qualifying the Risk
  • Implementing Process Workflow
  • Identify Findings
  • Analyze Risks
  • Risk Decision
  • Risk Exceptions
  • Mitigation Planning
  • Security Baselines
  • Assessment of Third-Party Providers
  • Process Optimization

Threat Management

  • Emerging Threats
  • Malware Motivations
  • Defining & Measuring Threat
  • Threat Trees
  • Intelligence Sources

Risk Communication

  • Assessment Process Phases
  • Areas of Concern
  • Sources of Risk Data
  • Articulating Risk
  • Business Context
  • Report Format
  • Executive Summary

Enterprise Level

  • Security Liaisons
  • Enterprise Risk Committee
  • Tying Other Security Processes to Risk Management: Incident Handling, Threat & Vulnerability Management, Architecture Analysis, Policy & Standard Development
  • Assessing Your Program's Maturity
  • Lessons Learned

Additional Information

This class requires a laptop with basic Microsoft Office (or equivalent) and PDF reader software.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

This course is intended for:

  • CISOs
  • Security managers
  • IT managers
  • Security consultants
  • IT auditors
  • Security analysts
  • IT project managers

This course is geared toward anyone who is building an information security program, running a threat and vulnerability management function (analyzing new threats or vulnerabilities), performing security assessments, or providing a technology audit function. It is not meant for seasoned risk professionals looking for advanced risk analysis techniques.

Students are strongly encouraged to have at least an introductory Information Security course, or equivalent experience, before attempting this course.

Students who complete the course will be able to:

  • Select the right risk methodology for your organization
  • Implement a comprehensive risk management lifecycle
  • Assess risks from the business impact, vulnerability, threat, and standards perspectives
  • Prioritize information resources based on risk sensitivity
  • Efficiently process large volumes of vulnerability notifications
  • Document and justify risk decisions
  • Communicate risks to senior leaders
  • Integrate security risks into a larger enterprise program

Author Statement

I discovered during my graduate program that there just isn't a good curriculum established for teaching risk management concepts and techniques to information security professionals. So when I graduated, I decided that I had enough experience with how not to teach these topics and I would try to do a better job. In particular, I was frustrated that risk management courses spent so much time on the mathematics of probability and statistics that students left with no idea how to actually conduct a risk assessment or build a risk-focused program. I decided to take a different approach and design a course that follows real case studies to illustrate the concepts and techniques that students would learn during class. I have included several hands-on labs for individuals and groups to simulate a real risk assessment scenario. I think I have developed a very practical approach to the topic, which ensures that students learn each step of a risk assessment and have the opportunity to immediately apply those skills with guidance and feedback during class. -Evan Wheeler