
Protect human safety and run information systems that support the organization's mission and goals. Cost-justify each security control to avoid losses and guide senior management with a security vision.
Identify valuable information assets, including tangible assets like servers and data centers, and intangible assets such as software, source code, and PII, and explain varying value and cost-justified protection.
Understand how loss to confidentiality, integrity, and availability drives risk, and learn cost-justified, multilayer countermeasures to reduce vulnerability, likelihood, and impact against natural, manmade, technical, and supply-system threats.
Learn how liability and negligence drive litigation risk, and how due diligence, due care, and prudent controls reduce losses by enforcing safety measures and prudent risk management.
Explore roles and responsibilities in security and risk management, from senior management defining risk tolerance and governance to security professionals delivering cost-justified recommendations and implementing controls.
Establish a governance framework to build the security program through risk assessment, policy implementation, and educating users and third parties, with ongoing monitoring and remediation.
Understand the governance framework through policies, procedures, baselines, standards, and guidelines, aligned with recognized frameworks like ISO and IEC, and 100% compliant with applicable laws.
Identify the purpose, scope, background, and responsibilities of policy documents; outline the policy statement, required actions, related documents, exceptions, revision history, approvals, training, and legal compliance.
Learn how policy documents collectively govern enterprise security through governance, ethics, and compliance. Discover data classification, risk management, incident response, disaster recovery, and third-party governance within a formal control framework.
Assess governance frameworks for enterprise risk and information security, including ISO/IEC 27000 series, SP 800 series, COSO, COBIT, Zachman, Sherwood Applied Business Security Architecture, ISP, and ITIL.
Integrate legal and regulatory compliance requirements into your governance framework and policy documents, including Sarbanes-Oxley, GLBA, HIPAA, and PCI DSS.
Explore EU privacy compliance requirements for personally identifiable information, including notification, purpose, consent, secure protection, disclosure, and accountability, and compare codified, common, customary, and religious legal systems worldwide.
Explore the United States legal system's civil, criminal, and administrative law, including burdens of proof and penalties. Review export controls on cryptography and privacy laws protecting medical and financial information.
Explore digital rights management, data loss prevention, and software licensing to protect audio and video content, detect exfiltration, and enforce ethical IP protection across enterprise systems.
Understand how corporate regulatory compliance governs software licensing, shareware, and bloatware, and how PCI DSS enforces controls like firewalls, data protection, secure coding, access control, and audits.
Learn how governance frameworks enforce legal and regulatory compliance through internal and external audits, documented procedures, remediation of findings, and ongoing metrics against security benchmarks.
Examine the social engineer as a common cyber crime attacker who elicits unwarranted trust to gain unauthorized access through tactics like assistance, verification requests, pretexting, phishing, tailgating, and impersonation.
Navigate the difficulties of prosecuting computer crimes, including reputational risk, loss of assets, proving digital evidence across borders, and governing third parties with consistent policies and audits.
Senior management drives the annual enterprise risk assessment and risk management program within governance, ensuring due care, due diligence, and cost-justified countermeasures.
Apply the free NIST risk management framework to categorize assets, assess threats and vulnerabilities, quantify risk, propose cost-justified controls, and continuously monitor and refine the security posture.
Assign value to each asset by examining penalties, reputation impacts, and potential liability from failures or data theft, anchored in confidentiality, integrity, and availability.
Learn how to assign asset value in risk management by converting qualitative reputation effects and quantitative costs into a value, using the Delphi method and scenario analysis to justify protections.
Identify asset values, perform qualitative risk assessments that inform quantitative cost justification, and classify assets into red, orange, green, and blue to guide prioritized security controls and budgets.
Inventory, classify, and prioritize valuable information assets; conduct vulnerability and threat analysis, and compute annualized loss expectancy to guide protective controls.
Calculate losses by applying single loss expectancy and annualized loss expectancy to floods, compare preventive and mitigating controls, and justify cost-effective countermeasures with insurance and budget implications.
Identify administrative, technical, and physical countermeasures and apply layered controls. Reduce vulnerabilities, likelihood, and impact through governance, training, sanctions, and security as a service.
Explore how administrative, technical, and physical countermeasures deter, delay, prevent, and detect threats, then assess severity and apply corrective, recovery, compensating, and directive controls.
Compute the total and annual costs of countermeasures, quantify protection, and compare the new and old annualized loss expectancy to justify cost-effective security investments to senior management.
Identify asset risks and quantify annual loss, then implement cost-justified countermeasures to mitigate, transfer, or avoid risk. Present management with options A, B, C, leading to D category acceptance.
Complete risk assessment and move into risk management by inventorying assets, analyzing threats, estimating losses, and implementing cost-justified countermeasures approved by management, with phased implementation.
Implement and evaluate new security controls through in-house acquisition and lab testing, assess effectiveness and risks, obtain management approval to go live, and plan for business continuity and disaster recovery.
Identify threats, prioritize critical business functions, and implement business continuity and disaster recovery plans to recover key processes within maximum tolerable downtime.
Explore how the business continuity plan, disaster recovery plan, and business impact analysis interconnect to protect survivability, focus on critical business functions, and reduce maximum tolerable downtime.
Explore recovery point and recovery time objectives to minimize data loss and downtime, with backup strategies, real-time redundancy, transaction journaling, and ongoing risk management for disaster recovery and business continuity.
Learn how to securely hire, onboard, train, and sign agreements with personnel and third parties. Apply provisioning, management, and termination procedures to protect information assets and minimize risk.
Define job roles before hiring and implement monitoring and auditing for high-privilege positions to deter violations, enforce policies, and protect assets.
Implement mandatory security awareness training for all users before hire and annually, with supplemental training for heightened privilege, and enforce protections like multifactor authentication, encrypted volumes, VPNs, and strong passwords.
Perform due diligence before hire by verifying education, work history, and references. Conduct background checks for criminal records, drug screening, and credit history, and establish ongoing security agreements.
Learn the end-to-end user account provisioning lifecycle, from formal approvals and account creation to disabling on leave, termination, and deletion, with explicit vs group-based permissions and least-privilege enforcement.
Implement a legally reviewed employee monitoring policy that states no expectation of privacy, documents CCTV and video monitoring, calls, keystrokes, browsing, and business emails, and maintains an audit trail.
Have the legal department review termination procedures, conduct a private exit interview with an interviewer and witness, and document policy violations, prior infractions, and non-disclosure, non-compete, and non-solicitation agreements.
During exit interviews, verify return of all company assets with a documented checklist, collect personal belongings, offer incentives to recover items, and escort out while disabling access and notifying stakeholders.
Differentiate training from awareness and require annual security training for all employees, with extra training for privileged roles, followed by continuous monitoring and enforcement.
Define key security terms and definitions, including vulnerability and social engineer. Explain expected behavior, acceptable use policy, signed acknowledgments, monitoring policy, and the consequences for violations.
Detect anomalies and report policy violations to the designated contact list and management, enforce policy when safe, then apply safety training basics: first aid, CPR, scene control, fire evacuation.
Master risk management and compliance by exploring governance policies, legal and regulatory issues, professional ethics, risk assessment, and learning to calculate annualized loss expectancy for management decisions.
Unlock Elite Cybersecurity Expertise: Master the Art of Digital Defense
In a world defined by digital advancement, the shadows of cyber threats loom larger and more sophisticated than ever. Are you prepared to not just react, but to lead in the high-stakes arena of cybersecurity? This isn't just another course; it's your launchpad to becoming an indispensable guardian of digital assets and a master of security risk management.
Why This Masterclass is Your Critical Next Step:
The digital and physical realms are no longer separate; they are deeply intertwined, creating unprecedented vulnerabilities that expose organizations to catastrophic risks. This masterclass is meticulously engineered for ambitious individuals – whether you're an aspiring cybersecurity vanguard or a seasoned professional seeking to sharpen your strategic edge. We delve deep, transforming your understanding of cybersecurity from a set of rules into an intuitive, proactive defense system.
What You Will Command:
Architect Invincible Security Governance & Compliance: Move beyond mere checklists. Learn to design and implement robust governance frameworks that not only meet but exceed legal, regulatory, and ethical mandates. Embed a resilient security culture deep within an organization's DNA.
Navigate the Labyrinth of Cyber Law & Regulation: The legal landscape is a battleground. Gain the strategic foresight to interpret complex cyber laws, anticipate regulatory shifts, and shield your organization from the severe consequences of non-compliance.
Forge an Unbreakable Human Firewall with Professional Ethics & Personnel Security: Uncover the nuanced psychology behind insider threats and ethical breaches. Master the development and deployment of powerful personnel security policies that cultivate vigilance and integrity across all levels of an organization.
Master Proactive Risk Annihilation & Predictive Threat Modeling: Transition from reactive damage control to proactive threat obliteration. Learn to expertly identify, assess, and neutralize security risks before they materialize. Employ cutting-edge threat modeling techniques to foresee and dismantle potential attack vectors.
Course Highlights – Your Unfair Advantage:
Deep-Dive Immersive Learning: Engage with hyper-realistic scenarios, challenging hands-on labs, and compelling case studies that bridge theory with battlefield-tested application.
Mentorship from the Masters: Learn directly from elite cybersecurity practitioners who bring years of front-line experience and strategic wisdom to your learning journey.
Holistic Mastery of the Cyber Domain: From the intricacies of governance and compliance to the advanced strategies of threat modeling and risk assessment, you'll gain a comprehensive, 360-degree command of the cybersecurity landscape.
Instantly Actionable Arsenal of Skills: Walk away not just with knowledge, but with a potent toolkit of practical skills ready for immediate deployment to fortify your organization's defenses.
Transform into a Cybersecurity Powerhouse:
Upon completion, you will possess the elite expertise to architect, deploy, and command an enterprise-wide security program. You'll be empowered to integrate state-of-the-art technologies, sophisticated procedures, and dynamic processes. You will confidently confront the ever-evolving challenges of modern cybersecurity, making decisive, informed decisions that safeguard critical assets and secure your organization's future and reputation.
Your ascent to cybersecurity mastery begins now. The digital world needs leaders. Enroll today and become the expert they can't afford to be without.