
In this lecture, we introduce both the RMF and CRISC as Risk Frameworks; we then discuss what we will cover in this course that aims to combine those two frameworks and provide more value by discussing the pros and cons as well as how these frameworks are implemented.
The prepare step in RMF is one of the most crucial steps in the framework; here, we collect and use data from our asset management systems and the enterprise risk strategy. These key components provide us with a valuable source of information in which we build our risk management implementation later in the framework.
The Categorize step aims to inform organizational risk management processes and tasks by determining the adverse impact of the loss of confidentiality, integrity, and availability of organizational systems and information to the organization.
For security control selection, the initial set of baseline controls is based on the impact level of the system as determined by the security categorization process. The organization selects one of three sets of baseline security controls from NIST SP 800-53B [SP 800-53B], corresponding to the system's low-, moderate-, or high-impact rating. After selecting the initial set of baseline security controls, the organization initiates the tailoring process to modify appropriately and more closely align the controls with the specific conditions within the organization (i.e., conditions specific to the system or its environment).
This lecture and step in MF deals with the implementation of controls involves establishing new or utilizing existing processes, procedures, products, and services to meet the intent of the controls selected in the RMF Select step.
Security and privacy control assessments verify that selected controls are implemented correctly, operating as expected, and recorded appropriately (e.g., in security and privacy plans). The deficiencies in implementing security and privacy controls should be prioritized by the potential risks they convey to the system, components, and organization.
The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official (authorizing official) to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation is acceptable based on the operation of a system or the use of standard controls.
The ultimate objective of continuous monitoring is to determine if the security and privacy controls in the system continue to be effective over time in light of the inevitable changes that occur in the design and the environment in which the system operates. Continuous monitoring also provides an effective mechanism to update security and privacy plans, assessment reports, and plans of action and milestones.
This is a short lecture on some of the best practices of implementing NIST's RMF.
This is an introduction to ISACA's CRISC.
Governance is the responsibility for safeguarding an organization’s assets. The organization’s board of directors is responsible for governance. The board entrusts the senior management team to manage the organization’s day-to-day operations following the board’s authorized strategic directives.
IT risk assessment identifies, analyses, and evaluates IT risks that could affect an organization’s operations, assets, and reputation. It is an essential component of IT risk management and helps organizations make informed decisions about managing their IT risks.
This domain focuses on identifying strategic measures and choices to improve opportunities and decrease risks while balancing restrictions imposed on the organization. It is divided into risk response, control design and implementation, and risk monitoring and reporting.
Domain 4 of CRISC, Information Technology and Security focuses on verifying IT risk management and information systems control expertise. It deals with how professionals manage a company’s IT risks and controls.
This section discusses the differences and pros and cons of CRISC, NIST RMF, and other ERM (Enterprise Risk Management Frameworks). We also review the implementation guidance and best practices to help you decide which EMF is suitable for your organization.
This course goes through two different Risk Management Frameworks (RMF and CRISC) and details both framework components, areas, and especially the tasks involved in each area.
This course examines the two risk frameworks' areas, key takeaways, and implementation. In summary, we compared and contrasted each framework and its use.
We conclude the training by looking at other risk management frameworks and reviewing if the CRISC is used since this is one of the certification frameworks rather than an actual risk framework.
The NIST RMF (Risk Management Framework) and ISACA CRISC (Certified in Risk and Information Systems Control) course is designed to provide a comprehensive understanding of risk management in information security.
The course covers the NIST RMF, a process for managing and mitigating risks to information systems. It includes an overview of the six steps in the NIST RMF process, including categorization, selection, implementation, assessment, authorization, and continuous monitoring. Additionally, the course covers how to implement the NIST RMF in an organization, including how to select appropriate security controls and how to assess the effectiveness of those controls.
The course also covers the ISACA CRISC certification, designed to demonstrate expertise in identifying, assessing, evaluating, and managing information system risks. It includes an overview of the CRISC domains, including IT risk identification, assessment, response, and monitoring. Additionally, the course covers how to prepare for and pass the CRISC exam, including study tips and best practices.
Overall, this course provides a comprehensive understanding of risk management in the context of information security, including both the NIST RMF and ISACA CRISC. It is ideal for information security professionals who want to enhance their knowledge and skills in managing and mitigating risks to information systems.