Introducing Security: Aligning Asset and Risk Management

ISC2 via Coursera

Go to Course: https://www.coursera.org/learn/sscp-4th-ed-course-1

Introduction

## Course Review: Introducing Security: Aligning Asset and Risk Management

**Platform:** Coursera

**Course Name:** Introducing Security: Aligning Asset and Risk Management

**Offered By:** [Insert University/Institution Name]

### Overview

"Introducing Security: Aligning Asset and Risk Management" is a foundational course designed to equip participants with essential knowledge in the realms of information security, asset management, and risk management. In today's digital era, where cyber threats loom large, understanding how to protect organizational assets effectively is crucial. This course provides a comprehensive framework for grasping fundamental security concepts, the asset management lifecycle, and the intricacies of risk management.

### Course Objectives

Upon completion of this course, you will be able to:

- **L1.1** - Classify information security and security concepts.
- **L1.2** - Summarize the components of the asset management lifecycle.
- **L1.3** - Identify common risks and vulnerabilities affecting organizational assets.

### Syllabus Breakdown

#### **Module 1: Understand Security**

This module introduces information security, emphasizing its varied interpretations among different stakeholders. It lays the groundwork for a shared understanding of security within organizations, serving as an essential primer for the subsequent modules.

#### **Module 2: Participate in Asset Management**

Asset management is critical in safeguarding the organization's valuable resources throughout their lifecycle. This module explores the stages of asset management, beginning from creation and classification to protection and disposal. A key highlight is the emphasis on privacy considerations, reflecting the increasing relevance of protecting personal information in today's data-driven society.

#### **Module 3: Understand the Risk Management Process**

Risk management is a cornerstone of effective information security strategies. This module shifts the perspective of risk from merely a challenge to an opportunity for enhancing organizational resilience. Participants will learn how to assess risks associated with information assets and make informed decisions to mitigate them.

#### **Module 4: Understand the Risk Treatment Process**

Here, participants will dive deeper into risk assessment practices—identifying, evaluating, and prioritizing risks. This module culminates in the creation of a Risk Assessment Report (RAR), a vital deliverable that aids in effective communication with management.

#### **Module 5: Chapter 1 Review**

In this final module, the course reinforces key takeaways from the previous sections, including the CIANA+PS attributes (Confidentiality, Integrity, Availability, Non-repudiation, Authenticity, Privacy, and Safety). The course ends by highlighting the importance of fostering a security culture within organizations, advocating for policies that support robust information security practices.

### Course Experience

One of the standout features of this course is its structured approach. Each module builds upon the previous one, ensuring that participants can absorb complex concepts gradually. The mix of theoretical knowledge and practical application enhances learning outcomes, making it suited for both novices and those with some background in security.

The course also encourages interaction through discussion forums, allowing participants to engage with peers, share insights, and seek clarification on challenging topics. This collaborative learning environment adds significant value, fostering a sense of community among learners.

### Recommendations

I highly recommend "Introducing Security: Aligning Asset and Risk Management" for anyone interested in understanding the fundamental principles of information security and risk management. Whether you're a student pursuing a career in IT security or a professional looking to enhance your security awareness, this course offers valuable principles and practical knowledge that can be applied directly in the workplace.

### Final Thoughts

In today's rapidly evolving landscape of cyber threats, knowledge is power. This course serves as an essential resource for anyone aiming to protect their organization’s vital information assets. Given the increasing regulatory focus on data privacy and security, participants who complete this course will be well-positioned to contribute positively to their organizations’ security posture. Enroll today and take a significant step toward mastery in security and risk management!

Syllabus

Module 1: Understand Security

One of the first questions we should ask is, what is information security? Information security can have completely different meanings for different people. 

Module 2: Participate in Asset Management

Asset management deals with the protection of valuable assets to the organization as those assets progress through their lifecycle. Therefore, we need to address the security of assets all through the stages of their lifecycle including creation/collection, identification and classification, protection, storage, usage, maintenance, disposal, retention/archiving and defensible destruction of assets. To properly protect valuable assets, such as information, an organization requires the careful and proper implementation of ownership and classification processes, which can ensure that assets receive the level of protection based on their value to the organization.

The enormous increase in the collection of personal information by organizations has resulted in a corresponding increase in the importance of privacy considerations. As a result, privacy protection constitutes an important part of asset security.

Appropriate security controls must be chosen to protect the asset as it progresses through its lifecycle, bearing in mind the requirements of each phase and the handling requirements throughout.

Module 3: Understand the Risk Management Process

In this module we begin to look at the risk management process. Risk management is a critical component of an information security program since it drives the selection of controls used to mitigate business and IT risk. The risk management program manages risk, but it does not eliminate it. All activities have an element of risk associated with them (even doing nothing is risky business), so risk management must be an essential part of every organization’s management and operational plans.

In the IT department, we tend to see risk from a negative viewpoint; it represents the problems and inconvenience associated with IT systems failure. We see risk as what happens when something goes wrong, and we are under pressure to fix the problem as quickly as possible. However, in the rest of the business, risk is seen as opportunity — the chance to take a risk and make a return on investment — and the larger the risk, the greater the possible reward (or loss).

First, a definition: risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. It is often expressed as a combination of (1) the adverse impacts that would arise if the circumstance or event occurs, and (2) the likelihood of occurrence.

Note that information system-related security risks are those risks that arise from the loss or compromise of any of the information security attributes (CIANA+PS) required of information or information systems. Such risk reflects the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.

We see from this definition (which is, first of all, IT based) that risk is associated with threats, impact, and likelihood. But this definition also states that IT risk is a subset of business risk and must be measured by the impact of the risk event on organizational operations, assets, and other third parties.

Module 4: Understand the Risk Treatment Process

The next step after gaining an understanding of the context for the risk management effort (through the Risk Frame process) is to perform the risk assessment. Risk assessment is the process of identifying risk and then evaluating and prioritizing risk based on the level of importance (severity) of the risk. The final deliverable from the risk assessment process is the communication of risk to management, often through a Risk Assessment Report (RAR) and by updating the risk register.

Module 5: Chapter 1 Review

Chapter 1 has shown us how information security exists to support the organization in achieving its goals and priorities by protecting its vital information assets. In doing so, the information security team starts with some very fundamental ideas about information security and applies these to understand the potential risks to those assets. We’ve looked at the most important attributes or characteristics of information security, which the mnemonic CIANA+PS represents: confidentiality, integrity, availability, non-repudiation, authenticity, privacy, and safety. These are the touchstones, the criteria, by which we as information security specialists must measure our successes and our failures.

Managing information risk is a primary part of the information security job. Chapter 1 has begun the process of showing us how to manage these risks, within the framework and context of how the organization manages its information assets. Subsequent chapters and their activities will continue to examine these ideas and concepts.

Last, but certainly not least, chapter 1 reminds us that we are members of the professional cadre of information security specialists. Businesses and governments, as well as individuals and organizations, must be able to trust that their day-to-day activities are using reliable, trustworthy information as their fuel. The ethical duties of due care and due diligence, which we examined in this chapter, provide each of us with the guideposts needed as we put our skills and knowledge to work.

In chapter 2, we examine the actions needed to develop a security culture within the organization. We will delve into using policies to enforce security requirements and how we can safeguard our information systems and ensure their use only by authorized users.

Overview

Course 1 - Introducing Security and Aligning Asset Management to Risk Management

In this course, we're going to start by discussing the security concepts, identifying corporate assets, and discussing the risk management process.

Course 1 Learning Objectives

After completing this course, the participant will be able to:

L1.1 - Classify information security and security concepts.

L1.2 - Summarize components of the asset management lifecycle.

L1.3 - Identify common risks and vulnerabili

Skills

Asset Risk Management

Reviews

Aligning Asset and Risk Management Course provides sufficient guidance to the learner to perform the duties assigned to the professional who is working in the field.

Nice experience. This is my first course in which I have gone through peer assessment and review. Totally overwhelming, great content.

Great videos, the tests were a little off between mixed material and grading

Great course. It has enough detail to equip an already experienced person with some of the basics of Information Security.

Thank you so much, it’s a very professional and informative course