Certified Cybersecurity Technician Risk Management PDF
Summary
This document details risk management concepts, key risk indicators, key roles, and responsibilities in managing network security. It provides a framework for understanding and addressing potential risks.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Risk Management

Module Flow
- Understand Risk Management Concepts
- Discuss Various Risk Management Phases
- Understand Various Risk Management Frameworks

Understand Risk Management Concepts

Risk and vulnerability management is a proactive approach to managing network security. This section introduces risk management concepts, key risk indicators (KRIs), key roles, and responsibilities in risk management.

Module 22 Page 2336 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Risk Management

Risk management is the process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program. It involves identifying, assessing, and responding to risks by implementing controls that help the organization manage the potential effects. Risk management has a prominent place throughout the system security life cycle. It is a continuous and increasingly complex process that requires anticipating risks and creating a plan to overcome each risk when it occurs.

The types of risk vary by organization, but all organizations should prepare a risk management plan. Risk management helps save time, money, and effort.

Risk Management Objectives
- Identify the potential risks
- Identify the impact of risks and help an organization develop better risk management strategies and plans
- Depending on the impact/severity of the risk, prioritize the risks and use established risk management methods, tools, and techniques to assist
- Understand and analyze the risks and report identified risk events
- Control the risk and mitigate the risk impact
- Create awareness among the security staff; develop long-term, reliable strategies and plans for risk management

Risk Management Benefits

Risk management provides a structured approach to identifying risks. Having a clear idea of all risks allows an organization to analyze, prioritize, and take the appropriate actions to reduce losses.
- Focuses on the potential risk impact areas
- Addresses risks according to the risk level
- Improves the risk handling process
- Allows security officers to act effectively in adverse situations
- Enables effective use of risk handling resources
- Minimizes the impact of risk on an organization's revenue
- Identifies suitable controls for security

Key Roles and Responsibilities in Risk Management

Senior Management: Responsible for designing the steps required for handling future risks
Chief Information Officer (CIO): Responsible for IT planning, budgeting, and performance based on a risk management program
System and Information Owners: Responsible for implementing appropriate security controls to maintain confidentiality, integrity, and availability of an information system
Business and Functional Managers: Responsible for making trade-off decisions in the risk management process
IT Security Program Managers and Computer Security Officers (ISSOs): Responsible for an organization's information security programs
IT Security Practitioners: Responsible for implementing security controls
Security Awareness Trainers: Responsible for developing and providing appropriate training in the risk management process

- Senior Management
It is the responsibility of senior management to supervise the risk management plans of an organization. They develop the policies and techniques required to handle common risks. Senior managers, through their expertise, can design the steps required for handling future risks.

- Chief Information Officer (CIO)
The CIO is responsible for executing the policies and plans required for supporting the information technology and computer systems of an organization. The CIO plays a vital role in the formation of basic plans and policies for risk management. The main responsibility of a CIO is to train employees and other executive management regarding the possible risks in IT and their impact on the business.

- System and Information Owners
System and information owners mainly monitor the plans and policies developed for information systems. They are mainly responsible for implementing appropriate security controls to maintain the confidentiality, integrity, and availability of an information system. Their responsibilities include the following:
  o Take part in all discussions on the configuration management process
  o Keep a record of the information system's components
  o Investigate all changes in the information systems and their impact
  o Prepare a security status report for all information systems
  o Update the security controls required for protecting the information systems
  o Update the security-related documents on a regular basis
  o Examine and evaluate the existing security controls in order to confirm their efficiency in protecting a system

- Business and Functional Managers
They are responsible for maintaining all management processes in an organization. They are empowered with the authority to manage almost all processes in an organization. They are responsible for making trade-off decisions in the risk management process. The roles defining functional managers are:
  o Development team manager
  o Sales manager
  o Accounts receivable manager
  o Customer service manager

- IT Security Program Managers and Computer Security Officers (ISSOs)
ISSOs provide the required support to information system owners in selecting the security controls needed for protecting a system. They also play an important role in the selection and amendment of security controls in an organization. They are responsible for an organization's information security programs.

- IT Security Practitioners
IT security practitioners protect the personnel as well as the physical and information security of an organization. Their main responsibilities include:
  o Implementing security controls
  o Framing better security methods in an organization
  o Developing methods that fulfill the company's standards
  o Examining the company's security approach to risk management and business planning
  o Handling and recording security incidents
  o Assigning roles and responsibilities for security in an organization
  o Supervising the overall security measures taken in an organization

- Security Awareness Trainers
Security awareness trainers provide IT security awareness and training programs in an organization. They are often subject matter experts and ensure that only proper content is included in the program. They are mainly responsible for developing and providing appropriate training in the risk management process.