Udemy
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
Turn what you know into an opportunity and reach millions around the world.
Learn More
Your cart is empty.
Keep shopping
IT Cyber Security NIST Risk Management Framework
Rating: 4.2 out of 5(65 ratings)
3,188 students

IT Cyber Security NIST Risk Management Framework

Implementing NIST SP 800-37R2 Risk Management Framework (RMF) and NIST SP 800-53R5 Security and Privacy Controls
Created byMusa Bin Adi
Last updated 10/2022
English

What you'll learn

  • Take a risk-based approach developing such as a Risk Mangment program
  • Understand the key components of a NIST RMF
  • Develop required security policies, standards, and guidelines
  • Understand the key NIST security controls and countermeasures, how and when to apply them, and under which state condition
  • Understand information risk management and compliance
  • Apply appropriate risk-management techniques and models including risk scenarios.
  • Align cyber security and enterprise risk management with NIST RMF
  • Manage and monitor the status of risk-management strategies and plans
  • Design and use effective techniques to communicate Cybersecurity risks to stakeholders in a clear manner.
  • Select and tailor NIST secuirty and privacy controls

Course content

16 sections35 lectures2h 40m total length
  • What You will learn in this course?3:14

    Organizations today have to protect themselves from risks related to cyber security, including hacking, malware, phishing, and non-compliance to rules and regulations. In this hands-on course, you’ll learn how to develop a NIST risk management framework and how to integrate your risk management strategy into business functions and life cycle activities.

    In the first part of this course, you will learn how to define and rate risks based on impacts and threats levels. You will explore the risk management framework and how to implement it to assess the current state and identify the risk of the gaps in your information systems. You should be able to run gap analysis and conduct your initial current state risk assessment, roadmap, and initiatives to move to a more mature state cyber security. Then you use the outcome of your gap analysis to implement a risk management framework that meets your organization's specific requirements and the goals and objectives of its risk management strategy.

    During risk assessment, you need to identify and map infrastructure assets components, assign NIST security controls, countermeasures and measure risk management maturity level. This includes the use of quantitative and qualitative risk assessment tools. It is important to conduct an internal assessment of your organization to identify the potential impact of any arising risk and assign the proper controls to mitigate it to protect your organization from potential threats. Further, you need to monitor and evaluate your security controls to ensure that they are effective.

    In the last section of the course, you learn about the monitoring process, Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), related metrics, and reporting mechanisms to keep your organization on top of alters and provide valuable insights for decision-makers regarding risk and privacy.

    NIST provides numerous publications in support of the RMF.

    · The NIST special publication or SP 800-37 Rev.2 is the core document of the RMF that demonstrates a system life cycle approach for security and privacy. This document fully describes the process for applying the RMF to information systems and organizations.

    · NIST SP 800-53, currently at revision 5, provides a catalog of security and privacy controls and a process for selecting controls to protect your systems and operations from threats.

    · NIST SP 800-53A is for assessing security and privacy controls in information systems and organizations.

    · NIST SP 800-30 revision 1 is a guide for conducting risk assessments. It's a step-by-step process for assessing organizational risks.

    · NIST SP 800 -53B is intended to select control baselines for information systems and organizations. The control baselines provide a starting point for organizations in the security and privacy control selection process.

    · NIST SP 800-171 Rev.2 is for protecting controlled unclassified information in nonfederal systems and organizations.


    I attached all these publications in the exercise files for anyone who likes to read them in-depth which is very beneficial despite that it might take some time.

  • Introduction4:49

    If your job requires you to manage cyber security risks in the high-stakes world of enterprise IT, this course is for you. You'll examine risks, threats, opportunities, and vulnerabilities at the strategic and operational levels while being able to select the right countermeasures and security controls to mitigate that risk. You'll explore risk appetite, risk tolerance, mitigation strategies, and the seven-step approach to build a NIST risk management framework.

    The case study in this course will highlight risk and regulatory compliance issues and stakeholder communication. Risk assessment is primarily a business concept and it is all about money. You have to identify the most critical assets and systems that your business has, which are the ones that could potentially lead to the largest monetary losses for the company. Now that you have identified the most critical assets and systems, you have to determine the proper controls to mitigate the identified risks. Then you have to test the proper controls to see if they work, and if not, you have to find new proper controls to mitigate the identified risks that minimize the risks while not causing large financial losses to the organization.

    Risk assessment involves three factors: the importance of the assets at risk, how critical the threat is, and the vulnerability of the system to that threat. Using those factors, you can assess the risk which is the likelihood of money loss by your organization. Even though risk assessment is based on logical constructs rather than numbers, it helps to express it as a formula:

    Risk = Asset X Threat X Vulnerability

    Suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is vulnerable, perhaps because you have no firewall and no antivirus solution, and the asset is critical, your risk is high. However, if you have good countermeasures defenses and your vulnerability is low, your risk will be medium even though the asset is still critical.

    Generally, the risk is about uncertainty, but in the IT world risk is the extent to which an entity is threatened by a potential circumstance or event. If something is guaranteed to happen, it is not a risk. The success of the organization’s missions and business functions depends on safeguarding the confidentiality, integrity, availability of information processed. In addition to the responsibility to protect organizational assets from the threats that exist in today’s environment, organizations have a responsibility to consider and manage the risks to individuals when information systems process personally identifiable information (PII). The Risk Management Framework (RMF) from the National Institute of Standards and Technology NIST SP 800 37 Rev 2 defines a road map and a strategy for efficiently managing organizational risk.

    The risk management framework developed by NIST is designed for managing risks relating to the cybersecurity of an organization or a product, service, or system. The framework is intended to be used in conjunction with other cybersecurity frameworks, including the NIST Cybersecurity Framework, the NIST Risk Assessment Framework, and the CIS Critical Security Controls. Preparing the organization to execute the risk management framework NIST RMF can include:

    • Assigning roles and responsibilities for organizational risk management processes.

    • Establishing a risk Identifying and prioritizing assets.

    • Understanding threats to information systems and organizations.

    • Developing the security and privacy architectures that include controls.


    Risk management is essential and critical for survival in every organization's information security and privacy program. In this course, you will learn how to use the NIST RMF to assist your business to categorize and manage its security and privacy program efficiently across the system management lifecycle. I take you in-depth look at each of the NIST RMF's seven phases, covering everything from how to prepare for a risk-based approach to security then assessment and continuously monitoring and reviewing security measures in a system. Further, you will clearly understand how to select the proper security controls from the NIST SP800-53 Rev 5 security catalog to respond and mitigate risks. Along the process, I use a case study to show you how each stage is used in the real world.

  • Integrating Cybersecurity and ERM2:45

    The increasing frequency, creativity, and severity of cybersecurity attacks mean that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs. The NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM) document Published: October 2020 is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives. Focusing on the use of risk registers to set out cybersecurity risk, this document explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level.

    NISTIR 8286A Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management Published on November 2021 supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. To support the development of an Enterprise Risk Register, this report describes documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets.

    Documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile helps to prioritize and communicate enterprise cybersecurity risk response and monitoring. For further details please refer to the indicated NIST documents. I am highlighting this topic to provide you with a glance at NIST’s efforts to integrate cyber security and risk management into Enterprise Risk Management (ERM).

    The wide management approach (ERM) is to ensure that all cyber risk activities, countermeasures, policies, plans, and strategies are not treated separately in a silo management approach. This can result in system failure, data breach, loss of assets and data, and compromise security objectives due to the hidden aggregated and cascaded risks that some organization functions may overlook or miscalculate its impacts and threats which may build up like a snowball and cause severe consequences.

Requirements

  • Basic Cybersecurity Knowledge

Description

If your job requires you to manage cyber security risks in the high-stakes world of enterprise IT, this course is for you. You'll examine risks, threats, opportunities, and vulnerabilities at the strategic and operational levels. This includes Cybersecurity IT value generation for the business, and the IT NIST Risk Management Framework (RMF).

You'll also explore risk appetite, risk tolerance, and mitigation strategies, selecting, implementing, tailoring, assessing, and monitoring NIST security controls. The course case study will highlight issues related to legal and regulatory compliance and stakeholder communication.

By the end of this course, you will be able to:

  • Understand the seven-step NIST Risk management and compliance

  • Apply appropriate risk-management techniques and models including risk scenarios.

  • Conduct risk analysis and assessment

  • Align cyber security and enterprise risk management.

  • Manage and monitor the status of NIST risk-management strategies and plans.

  • Provide oversight of related legal and regulatory compliance such as HIPPA and credit card regulation PCI DSS

  • Design and use effective techniques to communicate Cybersecurity risks to stakeholders in a clear manner

  • Select and tailor the proper NIST security and privacy controls

  • Understand the difference between IT audit and assessment.

  • Track risks and create cyber security performance indicators

The course will provide you with a foundational understanding of risk and how to identify, assess, and mitigate risk. You will become familiar with the concepts, tools, and techniques used to develop a risk management process. You will also learn how to use these tools and techniques to effectively manage risk using the NIST seven-step approach along with security and privacy controls.


Who this course is for:

  • Cyber Security Professionals who want to dive in depth in NIST Risk Management Framework