Certified Cybersecurity Technician Risk Management PDF

Document Details

barrejamesteacher

Uploaded by barrejamesteacher

null

EC-Council

Tags

risk management cybersecurity information security enterprise risk management

Summary

This document discusses risk management frameworks, including the Enterprise Risk Management Framework (ERM) and the NIST Risk Management Framework. It details the processes involved in identifying, analyzing, and responding to risks within an organization. The document also touches upon implementation activities and security control considerations.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Risk Management Module Flow Understand Risk Management...

Certified Cybersecurity Technician Exam 212-82 Risk Management Module Flow Understand Risk Management Concepts Discuss Various Risk Management Phases Understand Various Understand Various Risk Management Frameworks Understand Various Risk Management Frameworks Organizations establish an RMF to understand the overall risk level. Every organization has different infrastructure and potential risks specific to their infrastructure. An organization’s strategic objectives and stakeholders needs determine the RMF required. Understanding various frameworks will enable an organization to choose the most appropriate framework. This section explains various risk management frameworks. Module 22 Page 2364 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Risk Management Enterprise Risk Management Framework (ERIM) The RMF defines the implementation activities specific to how an organization handles risk The ERM provides a structured process integrating information security and risk management activities ERM frameworks identify, analyze, and perform the following actions: * Risk avoidance by aborting the actions that lead to risk » Risk reduction by minimizing the likelihood or impact of risk = Provides risk management process standards Copyright © by EC I,l. All Rights Reserved. Reproductions Strictly Prohibited. Enterprise Risk Management Framework (ERM) Enterprise Risk Management (ERM) includes the methods and processes implemented by an organization to minimize the impact of risks. It involves planning, organizing, leading, and controlling organizational activities to manage risks. ERM can be considered a risk-based approach for managing organizational risks. It provides a framework for risk management that involves = |dentifying events or circumstances relevant to an organization's objectives (risks and opportunities); = Assessing the identified events for likelihood and magnitude of impact; = Determining a response strategy; and = Monitoring process. The ERM framework helps in identifying and proactively addressing the identified risks. It identifies, analyzes, and performs the following actions: = Risk avoidance by aborting the actions that lead to risks = Reducing risks by reducing the likelihood or impact of risks = Standardizing the risk management process The key activities involved in managing enterprise-level risk, that is, the risk resulting from the operation of an information system, are as follows: = (Classification of the information system = Selection of appropriate security controls Module 22 Page 2365 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Risk Management Refining the selected security control set based on the risk assessment Maintaining the document for all selected security controls in a system security plan Implementation of the security controls Security controls assessment Determining agency-level risk and risk acceptability Authorizing information system operation Monitoring security controls on a continuous basis This ERM framework helps an organization understand the following: Risks coverage Risk appetite Risk governance (culture, governance, and policies) Risk data and infrastructure Risks control environment Risk measurement and evaluation Risks response Goals of the ERM Framework Organizations manage risks and have several departments or risk functions that help in identifying and managing risks. A common goal or the challenge of ERM is improving capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders. The ERM should improve an organization's ability to manage risks effectively. Integrate the ERM with an organization’s performance management Communicate the benefits of risk management Define the roles and responsibilities in an organization to manage risks Standardize the risk-reporting and escalating process Set a standard approach to manage risks in an organization Assist the resources in managing the risk Set the scope and application of risk management in an organization Mandate periodic reviews and verification for improvements of the ERM Convey an organization’s policies, approach, and attitude toward risk management Ensure that an organization should meet risk-reporting commitments Module 22 Page 2366 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Risk Management NIST Risk Management Framework L3 O NIST RMF is a structured and continuous process that integrates information security and risk management activities into the system development life cycle Define criticality/sensitivity of information system according to Categorize potential worst-case and adverse impact to mission/business Saltot Select Select baseline security controls; apply tailoring guidance and ‘ , supplement controls as needed based on risk assessment 1 ‘1 6'6 5 l ya y d Implement security controls within enterprise architecture CiagorA e &‘\‘T | [giertes Menftar J\j Ly> 'mmmm‘ S——— Ly> L,/> e S ] Authorize individuals, other organizations, and the nation; if acceptable, authorize operation Pitps/esre.nist.gov itpay/cre it gov Monitor Continuously track changes to the information system that may Monitor affect security controls and reassess control effectiveness Copyright © by EC{EC{ cll.. AlAl Rights Reserved. Reproduction Reproduction Is Strictly Prohibited Prohibited. NIST Risk Management Framework Source: https://csrc.nist.gov The National Institute of Standards and Technology (NIST) RMF is a set of information security policies and standards for the federal government developed by NIST. It is a structured and continuous risk management process that is integrated into a system development life cycle. The RMF process helps early detection and resolution of risks. — ( ) - ( ‘ — ( ) 1 6 5 y da__ y4 Categorize |\ 4< Monitor | \(\< J Authorize \ R J4 \_\ l4 \\. lJ “\_ —l _’ urity Life Cyc Security Sec le Cycle “ N - > " ‘ 4 ) 2 ( 2 ) 3 [ 3 | 4 \ A \ A \ Select F r > Implement r Assess |4 4 Vv| 4 Figure 22.1: NIST RMF security system lifecycle It identifies the following processes (tasks) for managing organizational risk, which can be applied to both new and legacy systems: = (Categorize: Categorize the information system and the information processed, stored, and transmitted by a system according to potential worst cases, adverse impact to an organizations mission/business functions, and a system. Module 22 Page 2367 Certified Cybersecurity Technician Copyright © by EG-Gouncil EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Risk Management = Select: Select the appropriate baseline security controls based on the categorization in the first step, and implement security controls based on the risk assessment. * Implement: Implement security controls and integrate security controls with legacy systems using sound system engineering practices; then apply security configuration settings and document the implemented security controls and their impact on the environment. = Assess: Evaluate the implemented security controls for effectiveness using appropriate procedures and determine if the controls implemented are working correctly and effectively; check if they are producing the desired outcome with respect to meeting the security requirements for a system. o Steps in Assessment e Develop the security assessment plan e Determine which controls are to be assessed e Select appropriate procedures to assess those controls e Determine depth and coverage needed for assurance e Tailor the assessment procedures ¢ Finalize the plan and obtain approval e Conduct the assessment e Analyze the results e Create the security assessment report = Authorize: Determine the risks to organizational operations and assets, individuals, other organizations, and the nation based on the accepted risk appetite with respect to operations and assets (how much risk an organization is willing to tolerate) if acceptable; then, authorize the operation or decide on the required needs. * Monitor: Continuously track changes to the information system for signs of attacks that may impact security controls, and regularly monitor the security controls to access their effectiveness. Module 22 Page 2368 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser