Maturing Risk Management (Coursera)

Offered by (ISC)²

Course 8: Maturing Risk Management. In management science terms, maturing a process or practice means taking positive steps over time to make it more reliable, repeatable and efficient. In practice, this means getting better every day, while producing the measurements that demonstrate improvement and suggest further opportunities to improve. As we saw in chapters one and two, risk management for information-intensive organizations works best when it uses evidence-based reasoning to identify, characterize and, as necessary, act to resolve the issues. Course eight brings together numerous threads that are intrinsically related to managing the risks associated with information systems.


We also know that cyber attack is a risk for all organizations. In this course, we will focus on bringing these ideas together in a context of continuous maturity modeling, measuring and monitoring. Risk alignment works best at the strategic, long-term level of planning. By contrast, risk maturation can be most effective when considered in day-to-day business operations. This is sometimes called operationalizing one's approach to risk management and maturation. Operationalizing risk management asks us to take the life cycle models for systems, software and data and connect or pivot them around business operations. We'll take on the view of the workers who use the business logic and the systems, or the people who oversee the robotics and Internet of Things devices on the factory or warehouse floor, and see how each of the security disciplines brings something to them.

This course has five modules. Module one focuses on change management and shows how this detailed, administratively intense process plays a primary role in protecting information systems. We'll also look at its vital contributions to incident response and remediation. Module two shows how physical security design principles are used to monitor and control the flow of physical objects in and out of various security zones. This module also considers the operational effects of safety planning and preparation on people and property, as well as on the availability and integrity of systems and information. Module three provides a different attitude and mindset about empowering and enabling the people in the organization to become more effective contributors to, and proponents of, its information security. Traditional security training programs have too often failed to help people complete their jobs safely and securely. Newer approaches such as microtraining demonstrate that security education and awareness can add value to the security process. Module four shows us that system security assessment should be an ongoing task. Security has always involved continuous vigilance and integrity. Formal and informal audits demonstrate just how effective an organization's security controls are and, as the process of maturing those controls continues, how their performance improves. Module five brings many of these ideas and concepts together through business continuity and disaster recovery planning. The emphasis will be on the operational support of these tasks, in both the planning and execution stages. We've prepared the foundations so you can bring the concepts covered thus far into a cohesive daily operational context.
Course 8 Learning Objectives
After completing this course, the participant will be able to: 
L8.1 - Identify operational aspects of change management.
L8.2 - Summarize physical security considerations.
L8.3 - Design a security education and awareness strategy.
L8.4 - Recognize common security assessment activities.
L8.5 - Classify the components of a business continuity plan and disaster recovery plan.
Course Agenda
Module 1: Participate in Change Management (Domain 1 - Security Operations and Administration)
Module 2: Physical Security Considerations (Domain 1 - Security Operations and Administration)
Module 3: Collaborate in Security Awareness and Training (Domain 1 - Security Operations and Administration)
Module 4: Perform Security Assessment Activities (Domain 3 - Risk Identification, Monitoring and Analysis)
Module 5: Understand and Support the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) (Domain 4 - Incident Response and Recovery)
Who Should Take This Course: Beginners
Experience Required: No prior experience required
Course 8 of 8 in the (ISC)² Systems Security Certified Practitioner (SSCP).

Syllabus

WEEK 1
Module 1: Participate in Change Management
An important function of the IT department is to maintain information systems and upgrade, enhance and revise those systems as necessary. Information systems are subject to many changes and modifications due to system patches, new technology or functionality, correction of process errors or system failures. The IT department must be able to manage change in order to support business operations and ensure the security of the systems. 
The problem is that change poses a significant risk to the organization. Because of changes, systems may fail, functionality may be lost, security vulnerabilities may be introduced and data integrity may be compromised. This requires the development and implementation of a change management process that entails the documentation, testing and approval of all changes — and that thereby avoids business interruption.
Module 2: Physical Security Considerations
Physical and environmental security are often the responsibilities of departments other than IT, such as the physical security department or the facilities management group. These departments play an important role in providing resilient and reliable information to other areas of the organization, including IT. The security professional may be required to work with these other departments to ensure that information systems are supported with electrical power, fire protection, physical access security, surveillance and protection from threats such as theft, vandalism and natural disasters. 
It can even be said that physical security should be a higher priority than most other forms of security such as passwords, firewalls and procedures. If an adversary can gain physical access to a server room, then the adversary can bypass all of the other forms of control and circumvent the security defenses. An adversary in a server room or wiring closet can install a wireless device or sniffer, cut or re-route cables or disable equipment, among other things.

WEEK 2
Module 3: Collaborate in Security Awareness and Training
Experience shows that it’s relatively easy to establish and maintain a security education, awareness and training program for almost any organization. The difficulty with such a program is measurably demonstrating the program’s effectiveness. 
Two major conflicts present themselves when the security team tries to engage with end users at large. The first is rooted in the perception that security measures cost the end user time and effort to comply with. Work could get done so much more quickly and easily, this view argues, if all these extra security hurdles didn't have to be jumped over all the time. The second reflects the users' perception that most security training is an even further waste of their time. Both perceptions work against the effective adoption of security controls by end users and discourage them from taking responsibility for their own learning, and thus from gaining the most value possible from the training presented to them.

As with access control and identity management, it may be more than high time for a healthy dose of just-in-time learning for security. Security training consultants and specialist firms have made significant changes in their approaches to helping users learn what they need, when they need it. Microtraining, for example, breaks the training experience down into steps that might last less than one minute. In that minute, the microtraining engages the learner-user and has them take actions related to how they perform their normal jobs, structured as part of the teaching and learning process.

Measuring the effectiveness of a training program has also suffered from a lack of innovation and maturation. This can change. User behavior modeling and analysis tools can gather data that highlights when individual users or groups of users are in need of specific refresher learning opportunities. Let's see how ideas like these can be put into practice and how we can assess their effectiveness.
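The measurement problem and the targeting of refresher learning described above can be made concrete with a small analysis over simulation results. The following is an added example written for this page; it is not course material or code from any training vendor. It assumes a phishing-simulation tool that exports one record per user per campaign with an outcome of ignored, reported, clicked or submitted; the log, campaign names, users and thresholds are constructed for the example.

```python
"""Measure an awareness program from phishing-simulation results and pick
the users who need a just-in-time refresher.

Added example for this page, not (ISC)² course material. SAMPLE_LOG is a
constructed export: one tab-separated line per user per campaign carrying the
outcome the tool recorded. Campaign names, users and thresholds are assumptions.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2024-Q1\talice\treported
2024-Q1\tbob\tclicked
2024-Q1\tcarol\tsubmitted
2024-Q1\tdave\tignored
2024-Q2\talice\treported
2024-Q2\tbob\tclicked
2024-Q2\tcarol\treported
2024-Q2\tdave\tclicked
2024-Q3\talice\treported
2024-Q3\tbob\tsubmitted
2024-Q3\tcarol\treported
2024-Q3\tdave\tignored
"""

# A failed test is clicking the lure or, worse, entering credentials on the landing page.
FAIL_OUTCOMES = {"clicked", "submitted"}
VALID_OUTCOMES = FAIL_OUTCOMES | {"ignored", "reported"}


def parse_log(text: str) -> list:
    """Parse campaign<TAB>user<TAB>outcome lines; reject malformed records and unknown outcomes."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3 or parts[2] not in VALID_OUTCOMES:
            raise ValueError(f"line {lineno}: malformed record {line!r}")
        events.append((parts[0], parts[1], parts[2]))
    return events


def campaign_metrics(events) -> dict:
    """Program-level view: per campaign, the fraction of users who failed and who reported."""
    counts = defaultdict(lambda: {"n": 0, "fail": 0, "report": 0})
    for campaign, _user, outcome in events:
        c = counts[campaign]
        c["n"] += 1
        c["fail"] += outcome in FAIL_OUTCOMES
        c["report"] += outcome == "reported"
    return {
        campaign: {"fail_rate": c["fail"] / c["n"], "report_rate": c["report"] / c["n"]}
        for campaign, c in sorted(counts.items())
    }


def program_improving(metrics: dict) -> bool:
    """Evidence the program works: fewer failures and more reports than in the first campaign."""
    ordered = [metrics[k] for k in sorted(metrics)]
    if len(ordered) < 2:
        return False
    first, last = ordered[0], ordered[-1]
    return last["fail_rate"] < first["fail_rate"] and last["report_rate"] > first["report_rate"]


def users_needing_refresher(events, window: int = 2, max_failures: int = 1) -> list:
    """User-level view: anyone who failed more than `max_failures` of the last
    `window` campaigns gets a targeted microtraining module, not a blanket course."""
    recent = sorted({c for c, _, _ in events})[-window:]
    failures = defaultdict(int)
    for campaign, user, outcome in events:
        if campaign in recent and outcome in FAIL_OUTCOMES:
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n > max_failures)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    metrics = campaign_metrics(ev)
    for campaign, m in metrics.items():
        print(f"{campaign}: failed {m['fail_rate']:.0%}, reported {m['report_rate']:.0%}")
    print("program improving:", program_improving(metrics))
    print("refresher needed:", users_needing_refresher(ev))
```

Two views come out of the same data: the per-campaign failure and report rates are the evidence that the program is or is not working, and the per-user failure count over the most recent campaigns is the trigger for a just-in-time microtraining module rather than another annual course. The thresholds are policy choices; the point is that the trigger comes from the user's own observed behaviour, not from a calendar.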
Module 4: Perform Security Assessment Activities
Security assessment determines whether the controls implemented to reduce risk have been implemented as designed, are operating as expected and are achieving the desired result. This assurance can be the result of outside organizations evaluating the control environment, or of actions taken by the organization itself to evaluate the performance of the controls. Security assessment is performed by conducting inspections, audits and tests. Additionally, the results of investigations into anomalies and security incidents can provide valuable insights for the assessment process.
The assessment and testing processes must be performed consistently and the results communicated properly so that the organization's management understands the risks it faces. Security or controls audits are formal assessments, normally performed so that external evaluators can attest that an organization's controls meet compliance expectations. Ultimately, the results of audit, assessment and testing activities allow the organization to identify control gaps and inefficiencies. This information is the starting point for continual process improvement activities. The security professional should be familiar with the strategies, techniques and processes by which organizational expectations for control are set, evaluated and improved. They should be able to explain the basic flow of audit and assessment activities and describe the tools and artifacts that support data-driven decision-making. Collectively, this information should enable the security professional to develop an organizationally appropriate assessment program.
It is tempting to think that much of the burden of security assessment and testing falls in the development phase of a major software system's lifecycle. Two factors, however, show that this would be an unwise and unsafe assumption for security professionals or system owners to make. The first is that many systems are turned over to operational users with inadequate functional testing completed. Experience shows that many systems development projects fall behind schedule, and since it's the last tasks on the timeline that feel the pressure to cut corners, testing is often rushed, abbreviated or skipped. The second is that many commercial systems are developed with a less robust view of the need for security, safety, resilience and data protection than is required to defend against today's sophisticated threats.
Both factors mean that many organizations today are failing security assessments, audits and compliance reviews, or failing to win new business opportunities, as a result of building their business processes atop an insecure software and systems base. It also means that security professionals are often confronted with deployed, in-use systems in need of a thorough security assessment, including testing, to meet evolving business needs and the changing threat landscape. This starts (as does this module) with understanding the objectives of a security assessment, which leads to developing the strategy that will guide its accomplishment. That strategy provides the framework for vulnerability assessments and the testing techniques used to perform them, including a deeper dive into wireless network security testing.
Ethical penetration testing can and should be a regular component of nearly every organization's security assessment and operations plan. We'll take a closer look at what makes it unique and valuable, and at how ethical penetration testers work with the organization's leadership and its technical and security teams to preserve the integrity of the testing with minimal disruption to the daily business of the organization. Audits, both formal and informal, provide a structured way to review all of the control systems the organization has in place. Many of these are known as internal controls over financial reporting (ICOFR or ICFR); in this era of ransomware attacks as big business, security professionals need to be far more conversant with how the flow of information about the flow of money must be protected.
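An assessment program lives on artifacts like the ones described above: what a scan found, what changed since the previous scan, and which findings the organization is failing to fix within its own remediation targets. The following is an added example written for this page, not course material. It assumes two vulnerability-scan snapshots keyed by asset and finding identifier, each carrying a severity and a first-seen date, and a remediation SLA per severity; all of these values are constructed.

```python
"""Turn two vulnerability-scan snapshots into the artifacts an assessment
report needs: what was remediated, what is new, what persists, and which open
findings have breached the remediation SLA for their severity.

Added example for this page, not (ISC)² course material. The snapshots, asset
names, finding ids and SLA table are constructed; real input would be parsed
from the scanner's export.
"""
from datetime import date

# Remediation SLA in days by severity. Assumed policy values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed snapshots keyed by (asset, finding id).
PREVIOUS_SCAN = {
    ("web-01", "ssl-weak-cipher"): {"severity": "medium", "first_seen": date(2024, 3, 1)},
    ("web-01", "outdated-openssh"): {"severity": "high", "first_seen": date(2024, 4, 10)},
    ("db-01", "default-creds"): {"severity": "critical", "first_seen": date(2024, 5, 20)},
}
CURRENT_SCAN = {
    ("web-01", "outdated-openssh"): {"severity": "high", "first_seen": date(2024, 4, 10)},
    ("db-01", "default-creds"): {"severity": "critical", "first_seen": date(2024, 5, 20)},
    ("app-02", "sqli-login"): {"severity": "critical", "first_seen": date(2024, 6, 1)},
}


def diff_scans(previous: dict, current: dict) -> dict:
    """Remediated = gone from current; new = absent from previous; persisting = in both."""
    prev, cur = set(previous), set(current)
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persisting": sorted(prev & cur),
    }


def sla_breaches(current: dict, as_of: date) -> list:
    """Open findings older than the SLA for their severity, worst overrun first."""
    breaches = []
    for (asset, finding), f in current.items():
        age = (as_of - f["first_seen"]).days
        limit = SLA_DAYS[f["severity"]]
        if age > limit:
            breaches.append({"asset": asset, "finding": finding, "severity": f["severity"],
                             "days_open": age, "days_over": age - limit})
    return sorted(breaches, key=lambda b: b["days_over"], reverse=True)


def control_gap_summary(current: dict, as_of: date) -> dict:
    """Per severity: how many findings are open and how many of those are past SLA.
    A severity with past-SLA findings is a gap in the remediation process itself."""
    breached = {(b["asset"], b["finding"]) for b in sla_breaches(current, as_of)}
    summary = {}
    for key, f in current.items():
        s = summary.setdefault(f["severity"], {"open": 0, "past_sla": 0})
        s["open"] += 1
        s["past_sla"] += key in breached
    return summary


if __name__ == "__main__":
    today = date(2024, 6, 3)  # assumed report date
    for bucket, keys in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{bucket:10} {keys}")
    for b in sla_breaches(CURRENT_SCAN, today):
        print(f"PAST SLA {b['severity']:8} {b['asset']}/{b['finding']} open {b['days_open']}d, over by {b['days_over']}d")
    print(control_gap_summary(CURRENT_SCAN, today))
```

Comparing snapshots rather than reading a single scan is what turns a vulnerability assessment into a trend: a persisting finding that is past its SLA is a gap in the remediation control, not just a technical weakness, and that is the finding management most needs to hear.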

WEEK 3
Module 5: Understand and Support the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
The incident triage process (described in module 1) may identify that a particular event or set of events needs more than just the incident response process to handle it. Two specific types of plans are typically used to define these responses, prepare the organization and guide its teams in dealing with such events.
It's an easy mistake to think that disaster recovery plans (DRPs) are broad and all-encompassing, dealing with recovery from earthquakes, hurricanes, fires or major cyberattacks; in reality, the scope of a DRP is much narrower. DRPs and their activities deal with the restoration of the information and communications systems and technologies that support urgent business or organizational needs. (It would not be surprising if organizations that rely on IoT, SCADA or process control systems start reshaping their classic DRPs to also address their critical OT systems and capabilities.) It is the business continuity plan (BCP) that takes into account the much broader scope of activities required to keep an organization alive and operating as it recovers from the immediate effects of a disruptive incident and restores non-critical services and activities so it can move forward. Let's see how the security professional would support these plans, during both their development and their operational activation and use.
Module 6: Chapter 8 Review
Chapter 8 brought together many different aspects of information systems security, binding them together with several important ideas. First, systems must be managed if they are to be protected and kept secure. One form of management is configuration management (CM), in which we ensure that changes are only made when authorized; when effective, CM systems can become part of the arsenal of intrusion detection capabilities.
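Module 1's change-management process (documentation, testing and approval of every change) and the review's point that an effective CM system doubles as an intrusion-detection capability come together in one check: compare what is actually on a host with the approved baseline, and require an approved change record to explain every difference. The following is an added example written for this page; it is not (ISC)² course material or any CM product's code. It assumes a baseline of SHA-256 hashes taken at the last approved release, an exported change register, and the current file contents; the file paths, ticket id and file contents are constructed.

```python
"""Flag configuration changes that no approved change record explains.

Added example for this page, not (ISC)² course material. It assumes three
inputs a change-management process would normally hold: a baseline of SHA-256
hashes from the last approved release, a change register exported from the CM
database, and the current contents of the managed files. All three are
constructed in memory so the script runs offline; paths, ticket id and
contents are illustrative only.
"""
import hashlib
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: approved content of each managed file.
BASELINE_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
BASELINE = {path: sha256_hex(data) for path, data in BASELINE_CONTENT.items()}

# Constructed change register. A ticket accounts for a change only if it was
# approved, tested, implemented inside its approved window, and the resulting
# file hash is the one recorded when the change was tested.
CHANGE_REGISTER = [
    {
        "ticket": "CHG-1042",  # hypothetical ticket id
        "paths": {"/etc/cron.d/backup"},
        "approved": True,
        "tested": True,
        "window": (date(2024, 5, 1), date(2024, 5, 3)),
        "implemented_on": date(2024, 5, 2),
        "expected_hash": sha256_hex(b"0 3 * * * root /usr/local/bin/backup.sh\n"),
    },
]

# Constructed current state of the host: the cron edit is covered by CHG-1042;
# the sshd_config edit (root login re-enabled) is covered by nothing.
CURRENT_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/backup": b"0 3 * * * root /usr/local/bin/backup.sh\n",
}


def ticket_covers(change: dict, path: str, digest: str) -> bool:
    """True if this ticket legitimately accounts for `path` now hashing to `digest`."""
    start, end = change["window"]
    return (
        path in change["paths"]
        and change["approved"]
        and change["tested"]
        and start <= change["implemented_on"] <= end
        and change["expected_hash"] == digest
    )


def classify_changes(baseline: dict, current: dict, register: list) -> dict:
    """Return {path: verdict} for every file that differs from the baseline.

    'approved'     - a ticket in the register accounts for the new content
    'unauthorized' - modified, added or removed with no ticket that accounts for it
    Files still matching the baseline are not reported. The unauthorized
    verdicts are the CM-as-intrusion-detection signal: either the process was
    bypassed or someone outside the change team edited the file.
    """
    verdicts = {}
    for path, data in current.items():
        digest = sha256_hex(data)
        if baseline.get(path) == digest:
            continue
        covered = any(ticket_covers(chg, path, digest) for chg in register)
        verdicts[path] = "approved" if covered else "unauthorized"
    for path in baseline:
        if path not in current:
            verdicts[path] = "unauthorized"
    return verdicts


if __name__ == "__main__":
    for path, verdict in sorted(classify_changes(BASELINE, CURRENT_CONTENT, CHANGE_REGISTER).items()):
        print(f"{verdict:12} {path}")
```

A change that the register cannot account for is a process failure at best (someone skipped the ticket) and an intrusion at worst (someone who never had a ticket re-enabled root login over SSH); the script cannot tell which, and that is exactly why an unexplained diff should go to incident response rather than be silently re-baselined.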
Physical security measures were placed in the context of protecting and sustaining the organization, its systems and its people. In many organizations, these physical security control systems are data-driven and thus tightly integrated with overall IAAA and incident detection capabilities. SUNBURST (the SolarWinds Orion supply-chain compromise), together with recent attacks on SCADA, ICS and other operational technology (OT) systems, highlighted the need for many organizations and security professionals to expand their horizons beyond the TCP/IP networks, databases and web page views of the organization and the threat landscape.
We also saw that effective systems management requires measurement, observation, test and analysis in order to know what today's security posture really is, and to inform decisions about where, when and how to improve that posture. Inspections, assessments, audits and ethical penetration testing were all viewed in this context.
Two other major topic areas, business continuity and security education, training and awareness, come together in surprising ways. Many of us who've served in our nation's militaries, police or emergency first responder corps know that humans in highly disruptive situations often must fall back on their training if they are to remain calm, not panic and thoughtfully deal with the situation one step at a time. Microtraining is an excellent example of this. By popping up a mock phishing or malware-based attack when an end user least expects it, microtraining presents users with the chance either to fall back unthinkingly on habit, or to stop, observe, orient themselves to a potential security issue and then make a decision. Awareness, training and education efforts can provide employees with the skills and the frame of mind they need to deal with disruptions, at any scale and whether simulated or real.
As with other aspects of information systems security, continuity of operations and disaster recovery require extensive preparation, and one of the most important tasks in that is preparing one’s people to adapt and overcome as a team.
