IT Security Risk Management Course/Studying
[Deleted User]
Senior MemberPosts: 0 ■■□□□□□□□□
Hey Forum:
During my time working in security, the main thing I am seeing is conveying and being able to communicate the business risk. It is a weakness of mine and I need to grow in that area if I want to get to my next level in my career. Does anyone know of any good course, book or certification that can help with understanding business risk or even risk management in general? Thanks!
During my time working in security, the main thing I am seeing is conveying and being able to communicate the business risk. It is a weakness of mine and I need to grow in that area if I want to get to my next level in my career. Does anyone know of any good course, book or certification that can help with understanding business risk or even risk management in general? Thanks!
Comments
-
UnixGuy Mod Posts: 4,570 ModGreat question. Apart from CISSP, I'm not too sure. I did some risk assessment, and just had to follow the existing procedure in place (i.e. looked at existing document for a previous project and used it as a template for the next one..).
-
tedjames Member Posts: 1,182 ■■■■■■■■□□www.cybrary.it has some great, free risk management training.
-
JoJoCal19 Mod Posts: 2,835 ModThe absolute BEST resources are probably going to be the CRISC and CISM Review Manuals from ISACA (I own them and a bunch of other related books). The cheapest, but still good options are going to be Security Risk Management: Building an Information Security Risk Management Program from the Ground Up and Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis (I own these as well).Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
[Deleted User] Senior Member Posts: 0 ■■□□□□□□□□Awesome!! Thanks guys!! Yeah I'm always being told say I find x vulnerability, "what is the risk". It sucks since it is holding me back from moving forward but need to get that part nailed down!
-
TheFORCE Member Posts: 2,297 ■■■■■■■■□□kMastaFlash wrote: »Awesome!! Thanks guys!! Yeah I'm always being told say I find x vulnerability, "what is the risk". It sucks since it is holding me back from moving forward but need to get that part nailed down!
The CISM or CRISC will not help you with addressing what is the risk with X vulnerability. Their risk focuses more on business risk which is a bit higher on the list of the risk you are trying to identify. -
[Deleted User] Senior Member Posts: 0 ■■□□□□□□□□@TheFORCE Any suggestions then on learning/understanding the business risk?
-
TheFORCE Member Posts: 2,297 ■■■■■■■■□□kMastaFlash wrote: »@TheFORCE Any suggestions then on learning/understanding the business risk?
Yes, start with identifying critical assets and critical areas of the network. And assign criticality to them, come up with your own numbers or looks up some risk assessment templates and methodologies.
For example lets say you have an internal server that hosts an application that internal users use on a daily basis, if this server goes go then people wont be able to worl for x amount of time. On top of that this server also processes sensitive customer information. You scan the server and you find xyz vulnerability. What you need to do at this point you need to find the severity of the vulnerability. Most vulnerability scanning tools will give you the info. Next you research how this vulnerability can be exploited. You find out that this is a RCE (Remote code execution) vulnerability .
Now you go back to your boss and you say... You have a RCE vulnerability that could allow an attacker to execute code on your server plus this server is a high criticality server that processes sensitive information. If the vulnerability gets exploited you are faced with losing all that sensitive information.
At this point your boss will say ok, is it worth the effort to fix it, update it, patch that server how much will it cost vs how much it will cost if we dont. Now you are at the stage where theu can talk business risk. That's a bit simplistic but I hope you get my point.
Start with reading about risk assessments and calculating qualitative vs quantitative Risk. Move higher from there. Then read CISM and CRISC but first you need to understand the risk of a vulnerability and do a vulnerability assessment in order to translate that into business risk. -
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□kMastaFlash wrote: »@TheFORCE Any suggestions then on learning/understanding the business risk?
To learn about understanding risk from a high level and potential ways to manage it...you can study CRISC / CISA, NIST SP 800 series (837, 53, 53A, etc.), and COBIT will get you started.
It's important to understand that there is no one size fits all approach, and the solution is not always technical...so you won't see a lot of specific technologies listed.