Cybersecurity risk management


Step 7

Risk assessment is a top-down approach. The process of creating a detailed or formal risk assessment is as follows:

1. Identify assets.

2. Determine the threats and vulnerabilities for each asset.

3. Estimate the likelihood of a threat exploiting a vulnerability, resulting in an attack.

4. Estimate the impact (individually and collectively) if each attack were to occur.

5. Derive an overall (qualitative) risk rating for each asset.

6. Survey the applicable controls and their costs to prevent each attack, and choose the controls.

You will use a scale of 1 to 3 (low, medium, and high, respectively) for likelihood, impact, and risk. Review the readings on risk analysis, security controls, and security plans, and the provided template, for an overview of the process. NIST Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations, specifies NIST's approach to applying security measures.
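The six steps and the 1-to-3 scale, worked through in code. This is an added example, not part of the assignment or its template: the 3x3 matrix band boundaries, the "rate the asset by its worst scenario" rule, the greedy control selection, and the sample asset register are all assumptions of the example, chosen to show how the numbers flow from step 1 to step 6.

```python
"""Qualitative risk rating and control selection on a 1-3 scale.

Added example: matrix bands, aggregation rule, selection strategy and the
sample register below are assumptions, not the assignment's own method.
"""
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH = 1, 2, 3
LABEL = {LOW: "low", MEDIUM: "medium", HIGH: "high"}


def rate_risk(likelihood: int, impact: int) -> int:
    """Steps 3-5: combine a 1-3 likelihood and a 1-3 impact into a 1-3 risk.

    Assumed band boundaries on the 3x3 matrix: product 6-9 is high,
    3-4 is medium, 1-2 is low.
    """
    if likelihood not in LABEL or impact not in LABEL:
        raise ValueError("likelihood and impact must be 1, 2 or 3")
    product = likelihood * impact  # 1..9
    if product >= 6:
        return HIGH
    if product >= 3:
        return MEDIUM
    return LOW


@dataclass
class Threat:
    """Step 2: one threat acting on one vulnerability of an asset."""
    description: str
    vulnerability: str
    likelihood: int
    impact: int

    def risk(self) -> int:
        return rate_risk(self.likelihood, self.impact)


@dataclass
class Asset:
    """Step 1: an asset and its threat/vulnerability pairs."""
    name: str
    threats: list[Threat] = field(default_factory=list)

    def overall_risk(self) -> int:
        # Step 5 (assumed rule): rate the asset by its worst scenario, not an
        # average; a single high-risk path is enough to compromise it.
        return max(t.risk() for t in self.threats)


@dataclass
class Control:
    """Step 6: a control, its cost, and its effect on each threat it touches.

    reductions maps (asset name, threat description) to a
    (likelihood cut, impact cut) pair; one control may mitigate several threats.
    """
    name: str
    cost: int
    reductions: dict[tuple[str, str], tuple[int, int]]


def total_risk(assets: list[Asset]) -> int:
    """Collective view of step 4: the sum of risk ratings over every scenario."""
    return sum(t.risk() for a in assets for t in a.threats)


def apply_control(assets: list[Asset], control: Control) -> list[Asset]:
    """Return a copy of the register with one control's reductions applied."""
    result = []
    for a in assets:
        threats = []
        for t in a.threats:
            l_cut, i_cut = control.reductions.get((a.name, t.description), (0, 0))
            threats.append(Threat(t.description, t.vulnerability,
                                  max(LOW, t.likelihood - l_cut),
                                  max(LOW, t.impact - i_cut)))
        result.append(Asset(a.name, threats))
    return result


def select_controls(assets, controls, budget):
    """Greedy step 6: repeatedly buy the affordable control with the best risk
    reduction per unit cost, re-scoring after each purchase because controls
    overlap. Returns (chosen control names, register after those controls)."""
    chosen, remaining, current, spent = [], list(controls), assets, 0
    while True:
        best = None
        for c in remaining:
            if spent + c.cost > budget:
                continue
            reduction = total_risk(current) - total_risk(apply_control(current, c))
            if reduction > 0 and (best is None or reduction / c.cost > best[0]):
                best = (reduction / c.cost, c)
        if best is None:
            return chosen, current
        c = best[1]
        chosen.append(c.name)
        spent += c.cost
        remaining.remove(c)
        current = apply_control(current, c)


# Constructed sample register (illustrative, not data from the assignment).
SAMPLE_ASSETS = [
    Asset("customer database", [
        Threat("SQL injection via web app", "unvalidated input", HIGH, HIGH),
        Threat("backup tape theft", "unencrypted backups", LOW, HIGH),
    ]),
    Asset("employee laptops", [
        Threat("phishing credential theft", "no MFA", HIGH, MEDIUM),
        Threat("lost device", "no disk encryption", MEDIUM, MEDIUM),
    ]),
]
SAMPLE_CONTROLS = [
    Control("parameterised queries and input validation", 30,
            {("customer database", "SQL injection via web app"): (2, 0)}),
    Control("MFA for all staff", 20,
            {("employee laptops", "phishing credential theft"): (2, 0)}),
    Control("disk and backup encryption", 25,
            {("customer database", "backup tape theft"): (0, 2),
             ("employee laptops", "lost device"): (0, 1)}),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(a.name, "->", LABEL[a.overall_risk()])
    chosen, after = select_controls(SAMPLE_ASSETS, SAMPLE_CONTROLS, budget=50)
    print("chosen:", chosen, "residual:", total_risk(after), "of", total_risk(SAMPLE_ASSETS))
```

With the sample register and a budget of 50, the greedy pass buys MFA and the encryption control, but not the SQL injection fix, so the customer database stays rated high after the plan is applied. That residual risk is exactly what the security plan has to state explicitly, rather than letting a lower total score suggest the top risk was addressed.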

Security controls, as you may know, are not standalone countermeasures. They are put in place using two related architecture concepts:

· layering

· defense-in-depth

Step 8: Devise a Security Plan

You receive an email with directives from Commander Garrett.

Email

From: Commander Karen Garrett

Subject: Switch Gears to Security Controls

Thank you for the risk assessment and for identifying key controls that are missing. Now, I need you to shift your focus to developing a security plan.

A security plan identifies and organizes the security activities of an enterprise. The plan is a description of where the enterprise is on meeting its information security needs, where it should be, and a clear course of action to get there. The security plan also includes prioritization of risks and controls of each asset, a description of resources (human, capital, etc.) needed to implement the controls, and a schedule.

The security plan should:

· Describe risk analysis methodologies and techniques, specifically from NIST.

· Apply a risk methodology and techniques to selected businesses or systems in the organization.

· Propose a realistic security plan to fix vulnerabilities and/or apply controls (technical, management, and operational) to minimize the risk exposure.

· Explain the risk analysis outcome and the actions to be taken, for buy-in and a path forward.

Please also begin thinking about ways to present this information to the leadership team, as I expect we will be asked to do so in the near future. I’ll keep you posted on that.

I appreciate your efforts in creating a well-designed plan.

Commander Garrett

Step 9: Develop Your Risk Assessment Report

As a cyber warrior, it is your responsibility to report honestly about potential threats. Additionally, you are responsible for proposing realistic security plans to fix vulnerabilities and/or apply controls (technical, management, and operational) to minimize the risk exposure. Your experience with cyber solutions may have earned you a spot in the Cyber Attack Response and Strategy Unit; but your honesty, reliability, and responsibility are of equal importance in your career.

Based on your work and findings in the previous steps, assemble your formal risk assessment report. The report includes

· your completed risk assessment,

· controls you recommend,

· and the security plan to put the controls in place.

In addition to being a standalone report, this document will inform the next deliverable: a presentation to the executive leadership team at CARS. In the next step, you will create a slide deck and script for that presentation.

You will submit the report and the presentation at the end of this project.

Step 10

From: Commander Karen Garrett

Subject: Presentation to Stakeholders

Thank you again for the formal report. As anticipated, we are now being asked to present this assessment and plan to executive leadership at the company that was the focus of your plan.

Please create a slide deck and presentation script that cover the main points of your report, including the most salient facts, figures, and findings. The goals are to get the leadership team's buy-in for your security plan, and to give them an overview of cybersecurity risk and mitigation recommendations.

The presentation should be about 7 slides, plus a presentation script (put the script in the Notes section of the slides). Bear in mind that the people you’re presenting to are not cyber experts, so make sure the content isn’t overly technical. Minimize the text on screen, and expand upon the concepts in your script.

Here’s an outline to use as a guide:

· Slide 1 (title slide): Identify the organization (your audience), the focus of the presentation (Risk Analysis), your name, and the date.

· Slide 2: Identify the organization’s mission and security strategy, and the need for and scope of the security plan.

· Slides 3–6: Focus on the vulnerabilities to IT assets, systems, and security identified in the risk analysis; the likelihood and impact of identified risks; and controls recommended in the security plan.

· Slide 7: Reiterate the main points and any action items/recommended controls.

I will need to review the slides and script before you present, so please send them to me once you have finalized them.

Thank you.

When creating a presentation for stakeholders, it is important to address how cybersecurity supports the mission and security plan of the organization, and to detail the factors that create potential risks to these plans.

Build your presentation using the information and deliverables you have already completed. You will submit the presentation file with your Risk Assessment Report in the next step.