Cyber Security Risk Assessment & Management Event, 17.Mar.2025

Introduction

This Cyber Security Risk Assessment and Management course will teach you how how to conduct a security risk assessment to protect your organisation. You will learn about the laws and regulations that impose strict cyber security requirements on all organisations, and gain the skills to develop a compliance assessment plan and employ a standards-based risk management process while maintaining a satisfactory security posture. Attendees should have a basic knowledge of business processes and technology concepts. No specialised technical knowledge is assumed

Course Objectives:

• Implement standards-based, proven methodologies for assessing and managing the risks to your organization's information infrastructure
• Select and implement security controls that ensure compliance with applicable laws, regulations, policies, and directives
• Extend security protection to Industrial Control Systems (ICS) and the cloud

Risk Assessment and Management Course Outline:

Day 1

Introduction to Risk Assessment and Management

• Ensuring compliance with applicable regulatory drivers
• Protecting the organisation from unacceptable losses
• Describing the Risk Management Framework (RMF)
• Applying NIST/ISO risk management processes

Characterising System Security Requirements

Defining the system

• Outlining the system security boundary
• Pinpointing system interconnections
• Incorporating the unique characteristics of Industrial Control Systems (ICS) and cloud-based systems

Identifying security risk components

• Estimating the impact of compromises on confidentiality, integrity and availability
• Adopting the appropriate model for categorising system risk

Setting the stage for successful risk management

• Documenting critical risk assessment and management decisions in the System Security Plan (SSP)
• Appointing qualified individuals to risk governance roles

Day 2

Selecting Appropriate Security Controls

Assigning a security control baseline

• Investigating security control families
• Determining the baseline from system security risk

Tailoring the baseline to fit the system

• Examining the structure of security controls, enhancements and parameters
• Binding control overlays to the selected baseline
• Gauging the need for enhanced assurance
• Distinguishing system-specific, compensating and non-applicable controls

Day 3

Reducing Risk Through Effective Control Implementation

Specifying the implementation approach

• Maximising security effectiveness by "building in" security
• Reducing residual risk in legacy systems via "bolt-on" security elements

Developing an assessment plan

• Prioritising depth of control assessment
• Optimising validation through sequencing and consolidation
• Verifying compliance through tests, interviews and examinations

Formulating an authorisation recommendation

• Evaluating overall system security risk
• Mitigating residual risks
• Publishing the Plan of Action and Milestones (POA&M), the risk assessment and recommendation

Day 4

Authorising System Operation

Aligning authority and responsibility

• Quantifying organisational risk tolerance
• Elevating authorisation decisions in high-risk scenarios

Forming a risk-based decision

• Appraising system operational impact
• Weighing residual risk against operational utility
• Issuing Authority to Operate (ATO)

Day 5

Maintaining Continued Compliance

Justifying continuous reauthorisation

• Measuring impact of changes on system security posture
• Executing effective configuration management
• Performing periodic control reassessment

Preserving an acceptable security posture

• Delivering initial and routine follow-up security awareness training
• Collecting on-going security metrics
• Implementing vulnerability management, incident response and business continuity processes