Cyber Security Risk Assessment Training

Defining the system 

• Outlining the system security boundary 
• Pinpointing system interconnections 
• Incorporating the unique characteristics of Industrial Control Systems and cloud-based systems 

Identifying security risk components 

• Estimating the impact of compromises on confidentiality, integrity, and availability 
• Adopting the appropriate model for categorizing system risk 

Setting the stage for successful risk management 

• Documenting critical risk assessment and management decisions in the SSP (System Security Plan) 
• Appointing qualified individuals to risk governance roles

Assigning a security control baseline 

• Investigating security control families 
• Determining the baseline from system security risk 

Tailoring the baseline to fit the system 

• Examining the structure of security controls, enhancements, and parameters 
• Binding control overlays to the selected baseline 
• Gauging the need for enhanced assurance 
• Distinguishing system-specific, compensating, and non-applicable controls 

Specifying the implementation approach 

• Maximizing security effectiveness by "building in" security 
• Reducing residual risk in legacy systems via "bolt-on" security elements 

Applying NIST/ISO controls 

• Enhancing system robustness through the selection of evaluated and validated components 
• Coordinating implementation approaches to administrative, operational, and technical controls 
• Providing evidence of compliance through supporting artifacts 

Developing an assessment plan 

• Prioritizing depth of control assessment 
• Optimizing validation through sequencing and consolidation 
• Verifying compliance through tests, interviews, and examinations 

Formulating an authorization recommendation 

• Evaluating overall system security risk 
• Mitigating residual risks 
• Publishing the POA&M (Plan of Action and Milestones), the risk assessment, and recommendation 

Aligning authority and responsibility 

• Quantifying organizational risk tolerance 
• Elevating authorization decisions in high-risk scenarios 

Forming a risk-based decision 

• Appraising system operational impact 
• Weighing residual risk against operational utility 
• Issuing ATO (Authority to Operate) 

Justifying continuous reauthorization 

• Measuring the impact of changes on system security posture 
• Executing effective configuration management 
• Performing periodic control reassessment 

Preserving an acceptable security posture 

• Delivering initial and routine follow-up security awareness training 
• Collecting ongoing security metrics 
• Implementing vulnerability management, incident response, and business continuity processes