Risk Management Concepts
provide guidance on identifying and managing risk
Risk Management Frameworks (RMFs)
Security regulations and standards designed to protect sensitive data
GDPR
HIPAA
PCI DSS
Security policies designed to protect assets
Org security policies
- Acceptable use policy (AUP)
  - email, social media, web browsing
- Data retention policies
  - often dictated by regs
Types of security policies
Data Privacy Regs and Stds
protects EU citizens' private data
General Data Protection Regulation (GDPR)
RMF
cybersecurity best practices
Center for Internet Security (CIS)
Data Privacy Regs and Stds
protects American patients' medical info
Health Insurance Portability and Accountability Act (HIPAA)
RMF
Cybersecurity risk management
NIST RMF
Cybersecurity Framework (CSF)
RMF
IT and info security
- 27001
- 27002
- 27701
- 31000
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
RMF
Statement on Standards for Attestation Engagements, System and Organization Controls (SSAE SOC 2)
RMF
Guidance for Conducting Risk Assessments
https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Access control vestibules (mantraps)
Server room access
Limit USB bootable devices
Physical Risk Vectors
Risk Vectors