Why It’s Critical to Apply the Risk Management Framework to Your IT Modernization Plan
© Global Knowledge Training LLC. All rights reserved. Page 2
Your Presenter
Dave Buster
Security+, CISSP
Global Senior Portfolio Director
Global Knowledge
Abstract
This is a terrain mapping exercise.
We’ll talk about cybersecurity in the government space, and the relevant:
• Laws
• Executive Orders
• Guidance
• Standards
We’ll also touch on the philosophy and approach.
FISMA: Federal Information Security Modernization Act
In 2002, legislators passed the Federal Information Security Management Act (FISMA).
• FISMA assigned responsibility for information assurance to various agencies of the federal government.
• FISMA mandated accountability, cost effectiveness, timeliness, and efficiency.
• FISMA requires annual reviews, and agency heads retain accountability.
• The National Institute of Standards and Technology (NIST) outlined the steps to compliance.
• FISMA is now generally known as the Federal Information Security Modernization Act.
• FISMA requires federal agencies to secure government information, operations, national security interests and assets against natural and man-made threats.
Supporting Publications
NIST has special publications (SP) supporting the FISMA legislation:
• SP 800-18 (Security Planning)
• SP 800-30 (Risk Assessment)
• SP 800-37 (System Risk Management Framework)
• SP 800-39 (Enterprise-Wide Risk Management)
• SP 800-53 (Recommended Security Controls)
• SP 800-53A (Security Control Assessment)
• SP 800-59 (National Security Systems)
• SP 800-60 (Security Category Mapping)
(Hint: They are not in order. Start with 37/39)
Supporting Publications
Federal Information Processing Standards (FIPS) are standards developed by the federal government for use by non-military government agencies and government contractors:
• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Controls)
• FIPS Publication 140-2 (Cryptographic modules)
FIPS Publication 200 is the minimum standard.
SP 800-53 provides the security controls to get there.
Presidential Executive Order 13800
The Presidential Executive Order on Strengthening the
Cybersecurity of Federal Networks and Critical Infrastructure
This EO provides for the following:
• Securing the Federal networks that operate on behalf of the American people
• Encouraging collaboration with industry to protect critical infrastructure that maintains the American way of life
• Strengthening the deterrence posture of the United States and building international coalitions
• Placing needed focus on building a stronger cybersecurity workforce, which is critical for the long-term ability to strengthen cyber protections and capabilities
Action: Requires agency heads to submit reports.
Happy Birthday
May 11, 2018
EO 13800 and Risk
Due to the increasing interconnectedness of Federal information and information systems, EO 13800 has specific requirements regarding risk:
• Agency heads are required to manage risk commensurate with the documented amount of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a Federal information system or Federal information.
• Agency heads are to produce a risk management report to the Director of the Office of Management and Budget (OMB) and the Secretary of the Department of Homeland Security (DHS) within 90 days of publication.
EO 13800 and the Cybersecurity Workforce
Section 3 of EO 13800 prioritizes workforce development to sustain and grow the US cybersecurity workforce, and to maintain the country’s advantage in national security-related cyber capabilities.
Subject matter experts worked on a joint assessment of how to support the growth and sustainment of the cybersecurity workforce:
• DHS, Commerce, DoD, the Department of Labor, the Department of Education, and the Office of Personnel Management
Published in May 2018
Key RMF Baseline Concepts
• Operating any information system results in risk.
• Risk must be highly managed in enterprise-level organizations.
• Key standards and guidelines are required to mitigate risk efficiently.
Risk Management Framework
1. Categorize Systems
2. Select Controls
3. Implement Controls
4. Assess Controls
5. Authorize System
6. Monitor Controls
NICE Cybersecurity Workforce Framework
The NICE framework is a method for categorizing and defining cybersecurity work.
NICE was developed by NIST.
The NICE Framework is intended to be applied in the public, private, and academic sectors.
The National Initiative for Cybersecurity Education (NICE) framework is defined in NIST Special Publication 800-181.
NICE establishes a common taxonomy and vernacular that is to be used to describe all cybersecurity work and the qualifications of the workers regardless of where the work is performed or for whom the work is performed.
NICE Cybersecurity Workforce Framework Categories
Training Can Be Aligned to the NICE Framework
NIST SP 800-16
SP 800-16 defines a role‐based model for Federal information technology/cybersecurity
training
The NICE framework allows the Federal government to have a view into the cyber workforce and its
educational needs
The SP 800-16 document provides a methodology on how to train the workforce
Role-based training includes categories of cybersecurity awareness and cybersecurity essentials
The document also defines competencies and proficiencies.
Competencies are knowledge and skills
Proficiencies increase as competencies are utilized over time with education and
experience.
NIST SP 800-16 – Path to Expertise
Proficiency is a living process.
Through structured education, proficiency is increasingly attained over time.
As knowledge and skills are attained, they form competencies required for proper job performance.
Proficiency is attained as competencies are exercised over time, building expertise.
The Cybersecurity Learning Continuum
Security Awareness → Security Essentials → Role-based Training → Education and Experience (increasing knowledge and skills)
The Cybersecurity Learning Continuum is a progression of learning across the spectrum of roles within an organization. It is spelled out in SP 800-16.
Security awareness training is provided to all users within an organization.
Cybersecurity Essentials training is provided to all users involved with IT Systems.
Role-based training is provided to users with responsibilities relative to IT Systems.
Education and/or experience is gained by IT Security Specialists and Professionals. The appropriate level of cybersecurity awareness, training and education is determined by the role within an organization.
Individuals gain knowledge and experience as they participate in role-based training with their agency.
Security Awareness
Security Awareness is expressly required for all individuals in the organization.
All users of resources and systems are designated risk holders and require annual security awareness training.
Security Essentials
Security Essentials is needed for those employees and contractors who have any involvement with IT systems.
Cybersecurity Essentials is the transitional stage between “Basic Awareness” and “Role-based Training.” It provides the foundation for subsequent specialized or role-based training by providing a universal baseline of key security terms and concepts.
Role-Based Training
Role-based security training is focused on providing the knowledge and skills specific to an individual’s roles and responsibilities relative to Agency information systems.
Their role within the organization is primary, with IT secondary. Decision responsibilities come from the organizational role, whereas the technical responsibilities are derived from the relationship with IT.
At this level, training recognizes the differences between competencies among the trainees.
Education and Experience
Education focuses on developing the ability and vision to perform complex multi-disciplinary activities and the skills needed to further the information technology/cybersecurity profession and to keep pace with threats and technology changes.
This can be accomplished with experience, cooperative training such as “on the job” training, or through certification and advanced education such as undergraduate and graduate studies and degrees as accepted by the particular Federal Organization.
Roles, and Knowledge and Skills
Roles are defined in certain terms, as well as being mapped to defined
knowledge and skills required for that specific role.
Roles are defined by position or general task. Job titles can vary depending on
organization, requirements and vernacular.
Knowledge and skills are listed within knowledge units and are mapped to the role
definition matrix.
There is no hierarchy within the Knowledge and Skills. No Knowledge or Skill is of greater value than another. The first Knowledge and Skill listed within a knowledge unit has no order preference over those Knowledge and Skills listed elsewhere in the list.
Knowledge and Skills Catalog
The knowledge and skills catalog defines the K/S required to be mapped for appropriate
job roles. The list of K/S is assigned a designator to be easily referenced in the matrix.
Example:
Job Role – Knowledge Skill Mapping
Job roles are mapped to K/S by functional area, role, responsibility, and knowledge unit.
What about cybersecurity roles in private industry?
Global Knowledge has developed our own functional mapping of knowledge and skills in the cybersecurity space.
- Based on interviews and reviews with many large and small companies
- Based on reviews with hundreds of our own industry experts
- Based on input from our industry technology partners
The Global Knowledge “Crown”
Organizational Map/Career Progression
How many employees are at each level in the organization? Has career progression been planned?
Levels:
• NEW TO ROLE: IT Foundations, Cybersecurity Foundations
• MID-CAREER “CASTLE” SPECIALIZATION
• SENIOR LEADERSHIP: Architecture (Senior Architect, Compliance Auditor), Management (CISO), Technical (SME, Lead Engineer)
Skills Development | Certification Prep | Technology Solutions
The Global Knowledge “Castle”
Functional Specialization
• Architecture and Policy: Designs and implements secure architectures, translates standards, business processes, and frameworks into internal policies
• Data Loss Prevention: Deploys and manages security applications such as malware detection on endpoints and servers
• Governance, Risk, and Compliance: Measures and quantifies risk, performs internal audits against best practices and standards, develops plans for business continuity and disaster recovery
• Identity and Access: Manages identification, authorization, and permissions across all systems
• Incident Response and Forensic Analysis: Detects and analyzes security events and correctly responds
• Penetration Testing: Intentionally attacks systems to expose vulnerabilities and probe weaknesses, Red Team
• Secure DevOps: Securely installs, configures, and operates systems and software
• Secure Software Development: Develops applications with minimal vulnerabilities, application security testing
Course Mapping by Level and Specialization
Specializations: Architecture and Policy; Data Loss Prevention; Governance, Risk, and Compliance; Identity and Access; Incident Response and Forensic Analysis; Penetration Testing; Secure DevOps; Secure Software Development

SENIOR LEADERSHIP (Expert), courses across the specializations:
• 9719: CSFI: Introduction to Cyber Warfare and Operations Design
• 2951: CompTIA Advanced Security Practitioner (CASP) Prep Course
• 1638: CISSP Certification Prep Course
• 3796: Certified Information Privacy Technologist (CIPT) Prep Course
• 3401: Computer Hacking Forensic Investigator (CHFI) v9
• 3617: Certified Ethical Hacker
• 1642: SSCP Certification Prep Course
• 1697: CSSLP Certification Prep Course

MID-CAREER “CASTLE” SPECIALIZATION (Practitioner):
• Architecture and Policy: 3407: (DoD) Risk Management Framework (RMF) Process; 1697: CSSLP Certification Prep Course; 1638: CISSP Certification Prep Course
• Data Loss Prevention: 3404: CompTIA Security+ Prep Course; 4935: Certified Network Defender (CND); 3794: Certified Information Privacy Professional US Private-Sector (CIPP/US) Prep Course; 5867: Cybersecurity Analyst+ (CySA+) Prep Course
• Governance, Risk, and Compliance: 3404: CompTIA Security+ Prep Course; 4935: Certified Network Defender (CND); 3794: Certified Information Privacy Professional US Private-Sector (CIPP/US) Prep Course; 5867: Cybersecurity Analyst+ (CySA+) Prep Course; 9871: CISM Prep Course
• Identity and Access: 3404: CompTIA Security+ Prep Course; 4935: Certified Network Defender (CND); 5867: Cybersecurity Analyst+ (CySA+) Prep Course
• Incident Response and Forensic Analysis: 3404: CompTIA Security+ Prep Course; 2180: CyberSec First Responder: Threat Detection and Response; 5867: Cybersecurity Analyst+ (CySA+) Prep Course
• Penetration Testing: 3404: CompTIA Security+ Prep Course; 4935: Certified Network Defender (CND); 1967: Hacking Methodologies for Security Professionals
• Secure DevOps: 3404: CompTIA Security+ Prep Course; 4935: Certified Network Defender (CND); 5867: Cybersecurity Analyst+ (CySA+) Prep Course
• Secure Software Development: 3812: EC-Council Certified Secure Programmer Java (ECSP); 2046: Introduction to Python Scripting for the Security Analyst; 1123: Securing Java Web Applications

NEW TO ROLE (Foundation):
• Cybersecurity Foundations: 9701: Cybersecurity Foundations; 4277: Introduction to Cybersecurity
• IT Foundations: 3150: Understanding Network Fundamentals; 9025: TCP/IP Networking; 2892: CompTIA Network+ Certification Prep; 4666: CompTIA A+ Certification Prep
DoD approved 8570.01-M Baseline Certifications
Summary
FISMA mandated accountability, cost effectiveness, timeliness, and efficiency regarding
information assurance and critical infrastructure for Federal systems.
NIST has special publications (SP) detailing security guidance that supports the FISMA legislation, including risk management and the proper framework for its implementation.
Executive Order 13800 addresses risk by requiring agency heads to report Risk
Management findings to the DHS, and also requires a plan to strengthen and evolve a
more highly skilled, trained, and proficient cybersecurity workforce.
NIST SP 800-16 defines a path to expertise for cybersecurity personnel, including a knowledge and skills definition that maps to specific job roles in information systems organizations.
The proper method to compliance involves a proactive, detailed training and education
program that enables long term proficiencies among key personnel in strategic areas of
the organization.

 

Más de Global Knowledge Training (20)

Taking Advantage of Microsoft PowerShell
Taking Advantage of Microsoft PowerShell Taking Advantage of Microsoft PowerShell
Taking Advantage of Microsoft PowerShell
 
PAN-OS - Network Security/Prevention Everywhere
PAN-OS - Network Security/Prevention EverywherePAN-OS - Network Security/Prevention Everywhere
PAN-OS - Network Security/Prevention Everywhere
 
The Basics of Computer Networking
The Basics of Computer NetworkingThe Basics of Computer Networking
The Basics of Computer Networking
 
How To Troubleshoot Group Policy in Windows 10
How To Troubleshoot Group Policy in Windows 10How To Troubleshoot Group Policy in Windows 10
How To Troubleshoot Group Policy in Windows 10
 
Accelerating with Ansible
Accelerating with AnsibleAccelerating with Ansible
Accelerating with Ansible
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
 
How to Maximize Your Training Budget
How to Maximize Your Training BudgetHow to Maximize Your Training Budget
How to Maximize Your Training Budget
 
Develop Your Skills with Unlimited Access to Red Hat Online Learning
Develop Your Skills with Unlimited Access to Red Hat Online LearningDevelop Your Skills with Unlimited Access to Red Hat Online Learning
Develop Your Skills with Unlimited Access to Red Hat Online Learning
 
Exploring the Upgrade from VMware vSphere: Install, Configure, Manage 6 5 to 6 7
Exploring the Upgrade from VMware vSphere: Install, Configure, Manage 6 5 to 6 7Exploring the Upgrade from VMware vSphere: Install, Configure, Manage 6 5 to 6 7
Exploring the Upgrade from VMware vSphere: Install, Configure, Manage 6 5 to 6 7
 
What’s Next For Your Azure Certification Journey
What’s Next For Your Azure Certification JourneyWhat’s Next For Your Azure Certification Journey
What’s Next For Your Azure Certification Journey
 
Cisco's Intent-Based Networking and the Journey to Software Defined Networks
Cisco's Intent-Based Networking and the Journey to Software Defined NetworksCisco's Intent-Based Networking and the Journey to Software Defined Networks
Cisco's Intent-Based Networking and the Journey to Software Defined Networks
 
How to Build a Winning Cybersecurity Team
How to Build a Winning Cybersecurity TeamHow to Build a Winning Cybersecurity Team
How to Build a Winning Cybersecurity Team
 
How to Build a Web Server with AWS Lambda
How to Build a Web Server with AWS LambdaHow to Build a Web Server with AWS Lambda
How to Build a Web Server with AWS Lambda
 
The Essence of DevOps: What it Can Mean for You and Your Organization
The Essence of DevOps: What it Can Mean for You and Your OrganizationThe Essence of DevOps: What it Can Mean for You and Your Organization
The Essence of DevOps: What it Can Mean for You and Your Organization
 
How to Migrate a Web App to AWS
How to Migrate a Web App to AWSHow to Migrate a Web App to AWS
How to Migrate a Web App to AWS
 
How to Make Agile Project Management Work in Your Organization
How to Make Agile Project Management Work in Your OrganizationHow to Make Agile Project Management Work in Your Organization
How to Make Agile Project Management Work in Your Organization
 
What is Cryptojacking and How Can I Protect Myself?
What is Cryptojacking and How Can I Protect Myself?What is Cryptojacking and How Can I Protect Myself?
What is Cryptojacking and How Can I Protect Myself?
 
How the Channel Can Break Down the Barriers to Cloud Success
How the Channel Can Break Down the Barriers to Cloud Success How the Channel Can Break Down the Barriers to Cloud Success
How the Channel Can Break Down the Barriers to Cloud Success
 
How to Avoid Cloud Migration Pitfalls
How to Avoid Cloud Migration PitfallsHow to Avoid Cloud Migration Pitfalls
How to Avoid Cloud Migration Pitfalls
 
Tackling 5 Taboo Topics in Cybersecurity People Management
Tackling 5 Taboo Topics in Cybersecurity People ManagementTackling 5 Taboo Topics in Cybersecurity People Management
Tackling 5 Taboo Topics in Cybersecurity People Management
 

Último

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Último (20)

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Why It’s Critical to Apply the Risk Management Framework to Your IT Modernization Plan

  • 6. Supporting Publications
    Federal Information Processing Standards (FIPS) are standards developed by the federal government for use by non-military government agencies and government contractors.
    • FIPS Publication 199 (Security Categorization)
    • FIPS Publication 200 (Minimum Security Controls)
    • FIPS Publication 140-2 (Cryptographic Modules)
    FIPS Publication 200 is the minimum standard. SP 800-53 provides the security controls to get there.
  • 7. Presidential Executive Order 13800
    The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This EO provides for the following:
    • Securing the Federal networks that operate on behalf of the American people
    • Encouraging collaboration with industry to protect the critical infrastructure that maintains the American way of life
    • Strengthening the deterrence posture of the United States and building international coalitions
    • Placing needed focus on building a stronger cybersecurity workforce, which is critical for the long-term ability to strengthen cyber protections and capabilities
    Action: Requires agency heads to submit reports.
    Happy birthday: the order was signed May 11, 2017, so it turned one year old on May 11, 2018.
  • 8. EO 13800 and Risk
    Due to the increasing interconnectedness of Federal information and information systems, EO 13800 has specific requirements regarding risk:
    • Agency heads are required to manage risk commensurate with the documented amount of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a Federal information system or Federal information.
    • Agency heads are to produce a risk management report to the Director of the Office of Management and Budget (OMB) and the Secretary of the Department of Homeland Security (DHS) within 90 days of the order's publication.
  • 9. EO 13800 and the Cybersecurity Workforce
    Section 3 of EO 13800 prioritizes workforce development to sustain and grow the US cybersecurity workforce, and to maintain the country's advantage in national security-related cyber capabilities.
    Subject matter experts worked on a joint assessment of how to support the growth and sustainment of the cybersecurity workforce:
    • DHS, Commerce, DoD, the Department of Labor, the Department of Education, and the Office of Personnel Management
    Published in May 2018.
  • 10. Key RMF Baseline Concepts
    • Operating any information system results in risk.
    • Risk must be actively managed in enterprise-level organizations.
    • Key standards and guidelines are required to mitigate risk efficiently.
    Risk Management Framework (SP 800-37) steps:
    1. Categorize Systems
    2. Select Controls (refine and document the selection)
    3. Implement Controls
    4. Assess Controls (determine their effectiveness)
    5. Authorize System
    6. Monitor Controls
    Note: SP 800-37 Rev. 2, published in December 2018, adds a Prepare step ahead of these six; the cycle itself is unchanged.
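As an added example, not code from the deck or from Global Knowledge, here are the first two RMF steps (Categorize, Select) carried out in Python. The categorization rule is FIPS 199's high-water mark across information types and security objectives, and the baseline rule is FIPS 200's high-water mark across the three objectives. The information types, their impact values, and the `consolidation_effect` helper are constructed for illustration (the values are not SP 800-60 assignments); the helper shows why a modernization plan that consolidates systems has to re-run categorization, since one HIGH information type pulls the merged system to the HIGH baseline.

```python
# Added example (not from the Global Knowledge deck): RMF steps 1 and 2 in
# code. FIPS 199 categorizes a system per security objective as the highest
# impact of any information type it handles; FIPS 200 then selects the
# SP 800-53 baseline from the high-water mark across the three objectives.
# The information types and impact values below are constructed for
# illustration and are not taken from SP 800-60.
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type the system processes, with its provisional impact
    per objective (in practice taken from SP 800-60 Vol. 2 and then adjusted)."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types):
    """FIPS 199 system categorization: for each objective, take the highest
    impact across all information types. Returns {objective: Impact}."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def baseline_for(category):
    """FIPS 200: the system is a low-, moderate- or high-impact system according
    to the high-water mark across objectives, which selects the SP 800-53 baseline."""
    return max(category.values())


def format_category(category):
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    inner = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


def consolidation_effect(*systems):
    """Hypothetical helper: a merged system inherits the high-water mark of
    everything it now hosts, so one HIGH information type drags the whole
    consolidated system to the HIGH baseline."""
    merged = [t for s in systems for t in s]
    return baseline_for(categorize_system(merged))


# Constructed sample data (illustrative values, not SP 800-60 assignments).
PUBLIC_WEB = [
    InformationType("Public web content", Impact.LOW, Impact.MODERATE, Impact.MODERATE),
]
BENEFITS = [
    InformationType("Benefits eligibility records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]
DISPATCH = [
    InformationType("Emergency dispatch", Impact.LOW, Impact.HIGH, Impact.HIGH),
]

if __name__ == "__main__":
    for label, types in (("public web", PUBLIC_WEB), ("benefits", BENEFITS), ("dispatch", DISPATCH)):
        cat = categorize_system(types)
        print(f"{label:10s} {format_category(cat)} -> {baseline_for(cat).name} baseline")
    print("consolidated web+benefits ->", consolidation_effect(PUBLIC_WEB, BENEFITS).name)
    print("consolidated all three    ->", consolidation_effect(PUBLIC_WEB, BENEFITS, DISPATCH).name)
```

Running it shows the two MODERATE systems stay MODERATE when merged, but adding the dispatch information type makes the consolidated system HIGH even though its confidentiality impact is LOW; the baseline follows the highest objective, which is the point the Categorize step is meant to surface before controls are selected.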
  • 11. © Global Knowledge Training LLC. All rights reserved. Page 11 The NICE framework is a method for categorizing and defining cybersecurity work NICE was developed by NIST The NICE Framework is intended to be applied in the public, private, and academic sectors The National Initiative for Cybersecurity Education (NICE) framework is defined in NIST Special Publication 800-181 NICE establishes a common taxonomy and vernacular that is to be used to describe all cybersecurity work and the qualifications of the workers regardless of where the work is performed or for whom the work is performed. NICE Cybersecurity Workforce Framework NICE Cybersecurity Workforce Framework Categories
  • 12. © Global Knowledge Training LLC. All rights reserved. Page 12 Training Can Be Aligned to the NICE Framework
  • 13. © Global Knowledge Training LLC. All rights reserved. Page 13 NIST SP 800-16 SP 800-16 defines a role‐based model for Federal information technology/cybersecurity training The NICE framework allows the Federal government to have a view into the cyber workforce and its educational needs The SP 800-16 document provides a methodology on how to train the workforce Role-based training includes categories of cybersecurity awareness and cybersecurity essentials The document also defines competencies and proficiencies. Competencies are knowledge and skills Proficiencies increase as competencies are utilized over time with education and experience.
  • 14. © Global Knowledge Training LLC. All rights reserved. Page 14 NIST SP 800-16 – Path to Expertise Proficiency is a living process Through structured education, proficiency is increasingly attained over time. As knowledge and skills are attained, they form competencies required for proper job performance Proficiency is attained as competencies are exercised over time, building expertise
  • 15. © Global Knowledge Training LLC. All rights reserved. Page 15 The Cybersecurity Learning Continuum Security Awareness Security Essentials Role-based Training Education and Experience Increasing Knowledge and Skills The Cybersecurity Learning Continuum is a progression of learning across the spectrum of roles within an organization. It is spelled out in SP 800-16. Security awareness training is provided to all users within an organization. Cybersecurity Essentials training is provided to all users involved with IT Systems. Role-based training is provided to users with responsibilities relative to IT Systems. Education and/or experience is gained by IT Security Specialists and Professionals. The appropriate level of Cybersecurity awareness, training and education is determined by the role within an organization. Individuals gain knowledge, and experience as they participated in role-based training with their agency.
  • 16. © Global Knowledge Training LLC. All rights reserved. Page 16 Security Awareness Security Awareness Security Essentials Role-based Training Education and Experience Increasing Knowledge and Skills Security Awareness is expressly required for all individuals in the organization. All users of resources and systems are designated risk holders and require annual security awareness training.
  • 17. © Global Knowledge Training LLC. All rights reserved. Page 17 Security Essentials Security Awareness Security Essentials Role-based Training Education and Experience Increasing Knowledge and Skills Security Essentials is needed for those employees and contractors who have any involvement with IT systems Cybersecurity Essentials is the transitional stage between “Basic Awareness” and “Role-based Training.” It provides the foundation for subsequent specialized or role-based training by providing a universal baseline of key security terms and concepts.
  • 18. © Global Knowledge Training LLC. All rights reserved. Page 18 Role-Based Training Security Awareness Security Essentials Role-based Training Education and Experience Increasing Knowledge and Skills Role-based security training is focused on providing the knowledge and skills specific to an individual’s roles and responsibilities relative to Agency information systems. Their role within the organization is primary with IT secondary. Decision responsibilities come from the organization role, whereas the technical responsibilities are derived from the relationship with IT. At this level, training recognizes the differences between competencies among the trainees.
  • 19. © Global Knowledge Training LLC. All rights reserved. Page 19 Education and Experience Security Awareness Security Essentials Role-based Training Education and Experience Increasing Knowledge and Skills Education focuses on developing the ability and vision to perform complex multi- disciplinary activities and the skills needed to further the information technology/cybersecurity profession and to keep pace with threats and technology changes. This can be accomplished with experience, cooperative training such as “on the job” training or through certification and advanced education such as undergraduate and graduate studies and degrees as accepted by the particular Federal Organization.
  • 20. © Global Knowledge Training LLC. All rights reserved. Page 20 Roles, and Knowledge and Skills Roles are defined in certain terms, as well as being mapped to defined knowledge and skills required for that specific role. Roles are defined by position or general task. Job titles can vary depending on organization, requirements and vernacular. Knowledge and skills are listed within knowledge units and are mapped to the role definition matrix. There is no hierarchy within the Knowledge and Skills. No Knowledge or Skill is of greater value than another. The first Knowledge and Skill listed within the knowledge unit has no order preference on those Knowledge and Skills listed elsewhere in list.
  • 21. © Global Knowledge Training LLC. All rights reserved. Page 21 Knowledge and Skills Catalog The knowledge and skills catalog defines the K/S required to be mapped for appropriate job roles. The list of K/S is assigned a designator to be easily referenced in the matrix. Example:
  • 22. © Global Knowledge Training LLC. All rights reserved. Page 22 Job Role – Knowledge Skill Mapping Job roles are mapped to K/S by role, functional area, role, responsibility, and knowledge unit.
  • 23. © Global Knowledge Training LLC. All rights reserved. Page 23 Global Knowledge has developed our own functional mapping of knowledge and skills in the cybersecurity space. - Based on interviews and reviews with many large and small companies. - Based on reviews with hundreds of our own industry experts - Based on input from our Industry technology partners What about cybersecurity roles in private industry?
  • 24. © Global Knowledge Training LLC. All rights reserved. Page 24 How many employees are at each level in the organization? Has career progression been planned? SKILLS DEVELOPMENT CERTIFICATION PREP ARCHITECTURE Senior Architect, Compliance Auditor MANAGEMENT CISO TECHNICAL SME, Lead Engineer TECHNOLOGY SOLUTIONS NEW TO ROLE MID-CAREER “CASTLE” SPECIALIZATION SENIOR LEADERSHIP IT FOUNDATIONS CYBERSECURITY FOUNDATIONS The Global Knowledge “Crown” Organizational Map/Career Progression
  • 25. © Global Knowledge Training LLC. All rights reserved. Page 25 The Global Knowledge “Castle” Functional Specialization ARCHITECTURE and POLICY DATA LOSS PREVENTION GOVERNANCE, RISK, and COMPLIANCE INDENTITY and ACCESS INCIDENT RESPONSE and FORENSIC ANALYSIS PENETRATION TESTING SECURE DEVOPS SECURE SOFTWARE DEVELOPMENT Designs and implements secure architectures, translates standards, business processes, and frameworks into internal policies Deploys and manages security applications such as malware detection on endpoints and servers Measures and quantifies risk, performs internal audits against best practices and standards, develops plans for business continuity and disaster recovery Manages identification, authorization, and permissions across all systems Detects and analyzes security events and correctly responds Intentionally attacks systems to expose vulnerabilities and probe weaknesses, Red Team Securely installs, configures, and operates systems and software Develops applications with minimal vulnerabilities, application security testing
  • 26. © Global Knowledge Training LLC. All rights reserved. Page 26 ARCHITECTURE and POLICY DATA LOSS PREVENTION GOVERNANCE, RISK, and COMPLIANCE INDENTITY and ACCESS INCIDENT RESPONSE and FORENSIC ANALYSIS PENETRATION TESTING SECURE DEVOPS SECURE SOFTWARE DEVELOPMENT SENIOR LEADERSHIP (Expert) 9719: CSFI: Introduction to Cyber Warfare and Operations Design 2951: CompTIA Advanced Security Practitioner (CASP) Prep Course 1638: CISSP Certification Prep Course 3796: Certified Information Privacy Technologist (CIPT) Prep Course 2951: CompTIA Advanced Security Practitioner (CASP) Prep Course 1638: CISSP Certification Prep Course 3796: Certified Information Privacy Technologist (CIPT) Prep Course 2951: CompTIA Advanced Security Practitioner (CASP) Prep Course 1638: CISSP Certification Prep Course 3401: Computer Hacking Forensic Investigator (CHFI) v9 1638: CISSP Certification Prep Course 3617: Certified Ethical Hacker 1638: CISSP Certification Prep Course 1642: SSCP Certification Prep Course 1638: CISSP Certification Prep Course 1697: CSSLP Certification Prep Course 1638: CISSP Certification Prep Course MID-CAREER “CASTLE” SPECIALIZATION (Practitioner) 3407: (DoD) Risk Management Framework (RMF) Process 1697: CSSLP Certification Prep Course 1638: CISSP Certification Prep Course 3404: CompTIA Security+ Prep Course 4935: Certified Network Defender (CND) 3794: Certified Information Privacy Professional US Private-Sector (CIPP/US) Prep Course 5867: Cybersecurity Analyst+ (CySA+) Prep Course 3404: CompTIA Security+ Prep Course 4935: Certified Network Defender (CND) 3794: Certified Information Privacy Professional US Private- Sector (CIPP/US) Prep Course 5867: Cybersecurity Analyst+ (CySA+) Prep Course 9871: CISM Prep Course 3404: CompTIA Security+ Prep Course 4935: Certified Network Defender (CND) 5867: Cybersecurity Analyst+ (CySA+) Prep Course 3404: CompTIA Security+ Prep Course 2180: CyberSec First Responder: Threat Detection and Response 5867: Cybersecurity Analyst+ 
(CySA+) Prep Course 3404: CompTIA Security+ Prep Course 4935: Certified Network Defender (CND) 1967: Hacking Methodologies for Security Professionals 3404: CompTIA Security+ Prep Course 4935: Certified Network Defender (CND) 5867: Cybersecurity Analyst+ (CySA+) Prep Course 3812: EC-Council Certified Secure Programmer Java (ECSP) 2046: Introduction to Python Scripting for the Security Analyst 1123: Securing Java Web Applications NEW TO ROLE (Foundation) CYBERSECURITY FOUNDATIONS 9701: Cybersecurity Foundations 4277: Introduction to Cybersecurity IT FOUNDATIONS 3150: Understanding Network Fundamentals 9025: TCP/IP Networking 2892: CompTIA Network+ Certification Prep 4666: CompTIA A+ Certification Prep
© Global Knowledge Training LLC. All rights reserved. Page 27
DoD approved 8570.01-M Baseline Certifications
© Global Knowledge Training LLC. All rights reserved. Page 28
Summary
• FISMA mandated accountability, cost effectiveness, timeliness, and efficiency regarding information assurance and critical infrastructure for Federal systems.
• NIST has special publications (SP) detailing security and guidance supporting the FISMA legislation, including risk management and the proper framework for its implementation.
• Executive Order 13800 addresses risk by requiring agency heads to report Risk Management findings to the DHS, and also requires a plan to strengthen and evolve a more highly skilled, trained, and proficient cybersecurity workforce.
• NIST SP 800-16 defines a path to expertise for cybersecurity personnel, including a knowledge and skills definition that maps to specific job roles in information systems organizations.
• The proper method to compliance involves a proactive, detailed training and education program that enables long-term proficiencies among key personnel in strategic areas of the organization.

Notas del editor

  1. Signed May 11, 2017… so it’s one year old now.
  2. Simplifying skills development planning, the “Crown” provides a high-level view for managers, directors and any other leaders responsible for cybersecurity people management and/or professional development. The “Crown” outlines and organizes cybersecurity career progression from foundational IT skills all the way up through the three branches of cybersecurity senior leadership. Leaders can use the “Crown” to measure, track, and develop optimal depth and breadth of skills within their department or team, while individual contributors can use “the Crown” to define and evaluate their personal career goals.
  3. Designed to be implemented along with the “Crown”, the “Castle” describes the discrete functions within cybersecurity. These are the individual pieces that make up the cybersecurity whole; one job role may cover several functions, or one function may be staffed by several professionals, depending on the size and scope of the organization. As cybersecurity professionals reach the Mid-Career Specialization level in the “Crown,” the “Castle” helps focus training activity for maximum return on training investments.
