Maturing Risk Management

ISC2 via Coursera

Go to Course: https://www.coursera.org/learn/sscp-4th-ed-course-8

Introduction

### Course Review: Maturing Risk Management

If you're looking to deepen your understanding of risk management in information-intensive organizations, Coursera's "Maturing Risk Management" course is an excellent choice. Spread across six comprehensive modules, this course is meticulously designed to equip professionals with the latest tools and practices required to enhance the reliability and efficiency of risk management processes. Here's a breakdown of what to expect, along with my recommendations.

#### Course Overview

The "Maturing Risk Management" course emphasizes the importance of continuous improvement in risk management systems. By adopting an evidence-based reasoning approach, professionals learn to identify risks effectively, assess their impacts, and implement strategies that enhance overall security and operational integrity.

#### Syllabus Breakdown

1. **Module 1: Participate in Change Management**
   - **Focus:** Understanding the necessity of change management within IT departments and how to mitigate risks associated with system updates and alterations.
   - **Key Takeaways:** Discover how to document, test, and approve changes to prevent disruptions to business operations.

2. **Module 2: Physical Security Considerations**
   - **Focus:** The critical role of physical security in overall risk management and its direct relation to IT security.
   - **Key Takeaways:** Learn to collaborate with physical security teams to protect against threats that undermine digital data integrity.

3. **Module 3: Collaborate in Security Awareness and Training**
   - **Focus:** Enhancing organizational security through effective education and training strategies.
   - **Key Takeaways:** The module emphasizes innovative methods of training delivery, like microlearning, that can engage users and promote a proactive security culture.

4. **Module 4: Perform Security Assessment Activities**
   - **Focus:** The evaluation of control effectiveness through inspections, audits, and testing.
   - **Key Takeaways:** Build knowledge in assessing whether existing measures are functioning as intended and how to communicate these findings to management.

5. **Module 5: Understand and Support the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)**
   - **Focus:** Distinguishing between BCP and DRP and understanding their significance in organizational resilience.
   - **Key Takeaways:** Equip yourself with the skills to support both plans effectively, ensuring business operations can withstand disruptions.

6. **Module 6: Chapter 8 Review**
   - **Focus:** Recapping crucial concepts, tying together learned strategies and methodologies for ongoing improvement in risk management.
   - **Key Takeaways:** Highlights the interconnectedness of systems management, physical security, continuous improvement, and preparedness training.

#### Why You Should Enroll

- **Practical Application:** The course is structured to provide real-world applications of theories and strategies, making it highly relevant for professionals involved in managing information systems and security protocols.
- **Expert Instructors:** Taught by industry experts, the course offers insights gleaned from extensive practical experience. Their guidance helps bridge the gap between academic theory and real-world practice.
- **Interactive Learning:** The modules include a mix of video lectures, readings, and quizzes to solidify your understanding of concepts, allowing you to engage actively with the material.
- **Long-Term Benefits:** Mastering the ideas presented in this course fosters a culture of continuous improvement within organizations, making them more reliable and secure in the long run.

#### Conclusion

Coursera's "Maturing Risk Management" course is a highly recommended resource for professionals eager to enhance their skills and knowledge in risk management. It expertly fuses essential theory with actionable practices, empowering participants to effectively manage risks in today's complex information environments. If you are looking to fortify your organization against security threats while honing your own professional competencies, this course is a worthwhile investment in your career. Don't miss the opportunity to learn how to implement effective risk management strategies and collaborate successfully with various departments in your organization. Enroll today and take proactive steps towards maturing your risk management practices!

Syllabus

Module 1: Participate in Change Management

An important function of the IT department is to maintain information systems and to upgrade, enhance and revise those systems as necessary. Information systems are subject to many changes and modifications due to system patches, new technology or functionality, correction of process errors or system failures. The IT department must be able to manage change in order to support business operations and ensure the security of the systems.

The problem is that change poses a significant risk to the organization. Because of changes, systems may fail, functionality may be lost, security vulnerabilities may be introduced and data integrity may be compromised. This requires the development and implementation of a change management process that entails the documentation, testing and approval of all changes — and that thereby avoids business interruption.

Module 2: Physical Security Considerations

Physical and environmental security are often the responsibilities of departments other than IT, such as the physical security department or the facilities management group. These departments play an important role in providing resilient and reliable information to other areas of the organization, including IT. The security professional may be required to work with these other departments to ensure that information systems are supported with electrical power, fire protection, physical access security, surveillance and protection from threats such as theft, vandalism and natural disasters.

It can even be said that physical security should be a higher priority than most other forms of security such as passwords, firewalls and procedures. If an adversary can gain physical access to a server room, then the adversary can bypass all of the other forms of control and circumvent the security defenses. An adversary in a server room or wiring closet can install a wireless device or sniffer, cut or re-route cables or disable equipment, among other things.

Module 3: Collaborate in Security Awareness and Training

Experience shows that it's relatively easy to establish and maintain a security education, awareness and training program for almost any organization. The difficulty with such a program is measurably demonstrating its effectiveness.

Two major conflicts present themselves when the security team tries to engage with the end users at large. The first is rooted in the perception that security measures cost the end user time and effort to comply with: work could get done so much more quickly and easily, this view argues, if all these extra security hurdles didn't have to be jumped over all the time. The second reflects the users' perception that most security training is an even further waste of their time. Both perceptions work against the effective adoption of security controls by end users and discourage them from taking responsibility for their own learning, and thus from gaining the most value possible from the training presented to them.

As with access control and identity management, it may be more than high time for a healthy dose of just-in-time learning for security. Security training consultants and specialist firms have made significant changes in their approaches to helping users learn what they need, when they need it. Microtraining, for example, breaks the training experience down into steps that might last less than one minute. In that minute, the microtraining engages the learner-user and has them take actions related to how they perform their normal jobs, structured as part of the teaching and learning process.

Measuring the effectiveness of a training program has also suffered from a lack of innovation and maturation. This can change: user behavior modeling and analysis tools can gather data that highlights when individual users or groups of users need specific refresher learning opportunities.

Let's see how ideas like these can be put into practice and how we can assess their effectiveness.

Module 4: Perform Security Assessment Activities

Security assessment determines whether the controls implemented to reduce risk have been implemented as designed, are operating as expected and are achieving the desired result. This assurance can be the result of outside organizations evaluating the control environment, or of actions taken by the organization itself to evaluate the performance of the controls. Security assessment is performed by conducting inspections, audits and tests. Additionally, the results of investigations into anomalies and security incidents can provide valuable insights into the security assessment process. The assessment and testing processes must be performed consistently and the results communicated properly so that the organization's management understands the risks it faces. Security or controls audits are formal assessments that are normally performed to assure external evaluators that an organization's controls meet compliance expectations. Ultimately, the results of audit, assessment and testing activities allow the organization to identify control gaps and inefficiencies. This information is the starting point for continual process improvement activities.

The security professional should be familiar with the strategies, techniques and processes by which organizational expectations for control are set, evaluated and improved. They should be able to explain the basic flow of audit and assessment activities and describe the tools and artifacts that support data-driven decision-making. Collectively, this information should enable the security professional to develop an organizationally appropriate assessment program.

It is tempting to think that much of the burden of security assessment and testing takes place during the development phase of the lifecycle of a major software system. Two factors, however, show that this would be an unwise and unsafe assumption for security professionals or systems owners to make. The first is that many systems are turned over to operational users with inadequate functional testing having been completed. Experience shows that many systems development projects fall behind schedule, and since the last tasks on the timeline feel the pressure to cut corners, testing is often rushed, abbreviated or skipped. The second is that many commercial systems are developed with a less robust view of the need for security, safety, resilience and data protection than is required to defend against today's sophisticated threats. Both factors mean that many organizations today are failing security assessments, audits and compliance reviews, or are failing to win new business opportunities, as a result of building their business processes atop an insecure software and systems base. It also means that security professionals are often confronted with deployed, in-use systems in need of a thorough security assessment, including testing, to meet evolving business needs and the changing threat landscape.

This starts (as does this module) with understanding the objectives of a security assessment, which lead to the strategy that will guide its accomplishment. That strategy provides the framework for vulnerability assessments and the testing techniques used to perform them, including a deeper dive into wireless network security testing. Ethical penetration testing can and should be a regular component in nearly every organization's security assessment and operations plan. We'll take a closer look at what makes it unique and valuable, and at how ethical penetration testers work with the organization's leadership and its technical and security teams to preserve the integrity of the testing with minimal disruption to the daily business of the organization. Audits, both formal and informal, provide a structured way to review all of the control systems the organization has in place. Many of these are known as internal controls over financial reporting (ICOFR or ICFR); in this era of ransom attacks as big business, security professionals need to be far more conversant with how the flow of information about the flow of money must be protected.

Module 5: Understand and Support the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)

The incident triage process (described in module 1) may identify that a particular event or set of events needs more than just the incident response process to handle it. Two specific types of plans are typically used to define these responses, prepare the organization and guide its teams in dealing with such events.

It's an easy mistake to think that disaster recovery plans (DRPs) are broad and all-encompassing, dealing with recovery from earthquakes, hurricanes, fires or major cyberattacks; in reality, the scope of DRPs is much narrower. DRPs and their activities deal with the restoration of the information and communications systems and technologies that support urgent business or organizational needs. (It would not be surprising if organizations that rely on IoT, SCADA or process control systems start reshaping their classic DRPs to also address their critical OT systems and capabilities.)

It is the business continuity plan (BCP) that takes into account the much broader scope of activities required to keep an organization alive and operating as it recovers from the immediate effects of a disruptive incident and restores non-critical services and activities so it can move forward. Let's see how the security professional would support these plans, during both their development and their operational activation and use.

Module 6: Chapter 8 Review

Chapter 8 brought together many different aspects of information systems security, binding them together with several important ideas. First, systems must be managed if they are to be protected and kept secure. One form of management is configuration management (CM), in which we ensure that changes are only made when authorized; when effective, CM systems can become part of the arsenal of intrusion detection capabilities.

Physical security measures were placed in the context of protecting and sustaining the organization, its systems and its people. In many organizations, these physical security control systems are data-driven and thus tightly integrated with overall IAAA and incident detection capabilities. SUNBURST and other recent attacks on SCADA, ICS and other operational technology (OT) systems highlighted the need for many organizations and security professionals to expand their horizons beyond the edge of the TCP/IP networks, databases and web page views of the organization and the threat landscape.

We also saw that effective systems management requires measurement, observation, test and analysis in order to know what today's security posture really is, and to inform decisions about where, when and how to improve that posture. Inspections, assessments, audits and ethical penetration testing were all viewed in this context.

Two other major topic areas — business continuity and security education, training and awareness — actually come together in surprising ways. Many of us who've served in our nation's militaries, police or emergency first responder corps know that humans in highly disruptive situations often must fall back on their training if they are to remain calm, not panic and thoughtfully deal with the situation one step at a time. Microtraining is an excellent example of this. By popping up a mock phishing or malware-based attack activity when an end user least expects it, microtraining presents users with the chance either to fall back unthinkingly on habit, or to stop, observe, orient themselves to a potential security issue and then make decisions. Awareness, training and education efforts can provide employees with the skills and the frame of mind they need to deal with disruptions, no matter what scale and no matter whether they are simulated or real. As with other aspects of information systems security, continuity of operations and disaster recovery require extensive preparation, and one of the most important tasks in that is preparing one's people to adapt and overcome as a team.

Overview

Course 8: Maturing Risk Management

In management science terms, maturing a process or practice means taking positive steps over time to make it more reliable, repeatable and efficient. In practice, this means getting better every day, while showing the measurements that demonstrate improvement and suggest other opportunities to improve. As we saw in chapters one and two, risk management for information-intensive organizations works best when using evidence-based reasoning to identify, characteri

Skills

Risk Management

Reviews

It's really a good program that provides in-depth knowledge and understanding of risk management. Thank you Coursera & ISC management.