Risk Management Course
2 hours, 14 minutes
Syllabus
Ask me anything
Video - 00:02:00
The use of social media platforms has skyrocketed in recent years. Organizations must take the appropriate steps to ensure that sensitive data is not leaked through this mechanism.
Wiping disks with the dd command lab
Video - 00:06:00
When storage media has reached the end of its useful life, data must be wiped from it in a secure manner which can include using some built-in operating system tools. Linux administrators can use the dd command to wipe disk partitions by overwriting them with random data.
Exam question review
Video - 00:02:00
Threats are executed by a variety of different threat actors, each type having a different motivation for executing attacks. This episode presents a scenario where correct type of threat actor must be selected.
CompTIA Security+ SY0-601 Exam Objectives
Video - 00:03:00
Agreement types
Video - 00:07:00
When organizations enter into business partnerships with third-party service providers, the agreements and contracts they both sign protect both organizations legally, as well as establish the terms of service. This episode covers the various types of business agreements.
Third-party risk management
Video - 00:08:00
Some business activities cannot be completed entirely within an organization and must be outsourced. Ensuring that proper security safeguards are in place throughout the hardware, software, and personnel supply chain results in a properly secured data, such as through data loss prevention (DLP) tools.
Personnel risk and policies
Video - 00:10:00
Hiring the right employees and contractors for the job always matters. Enacting internal security controls such as background checks, mandatory vacations, job rotation, and separation of duties goes a long way in ensuring the integrity of business processes.
Data destruction
Video - 00:06:00
Digital data resides on physical storage devices. Secure storage media disposal mechanisms, such as shredding, cryptographic erasure, degaussing, and disk wiping, must be put in place to ensure sensitive data cannot be retrieved by unauthorized users.
Security and the information life cycle
Video - 00:09:00
Security must be applied to all phases of the information life cycle, from collection to its eventual archiving and deletion. This includes data security techniques such as tokenization and masking, while considering how laws apply to data based on its location (data sovereignty).
Data types and roles
Video - 00:11:00
Protecting personally identifiable information, or PII, is crucial and required by security regulations such as GDPR, but of the vast amounts of data in an organization, how do you know which data is sensitive? The answer is through data roles and responsibilities assigned to personnel in conjunction with data discovery and classification tools on-premises and in the cloud.
Business Impact Analysis
Video - 00:09:00
In addition to deploying effective security controls to protect assets, what can be done to ensure business continuity in the event of a security incident? A business impact analysis involves proactive planning to help reduce downtime and data loss when negative events occur.
Qualitative risk assessments
Video - 00:04:00
The same risk can have a different impact to various organizations. Qualitative risk assessments use subjective priority ratings for risks rather than dollar values.
Quantitative risk assessments
Video - 00:07:00
Is the cost of a security control justified? A quantitative risk assessment uses various calculations against an asset to determine the maximum yearly spend for protecting that asset.
Risk assessments and treatments
Video - 00:06:00
How can you determine whether assets are adequately protected from threats? One way is running periodic risk assessments to address the ever-changing threat landscape to define the likelihood and impact of security incidents.
Security controls
Video - 00:09:00
Various security standards such as PCI DSS and the Cloud Controls Matrix (CCM) define what types of security controls to put in place to mitigate risk both on-premises and in the cloud. The specific type of attack vector determines whether managerial, operational, or technical controls should be deployed.
Risk management concepts
Video - 00:07:00
A risk management framework aids in identifying and managing risk and is sometimes required for compliance with data privacy regulations such as GDPR and HIPAA. Organization security policies are often influenced by data privacy regulations.
Threat intelligence
Video - 00:11:00
With the ever-changing IT threat landscape, how can you keep up with the latest security issues? Threat intelligence refers to the wide variety of open-source intelligence (OSINT) and proprietary IT security sources that use standards such as STIX and TAXII for cybersecurity intelligence sharing.
Threats and vulnerabilities
Video - 00:07:00
The CIA security triad (confidentiality, integrity and availability) describes how solutions such as encryption, hashing, and data backups can address potential attack vectors that might be exploited by threat actors.
Defining risk
Video - 00:08:00
Managing risk involves identifying threat actors from script kiddies to state-sponsored attackers. Mitigating threats is achieved by identifying assets and putting security controls in place to mitigate risks.
Introduction to Security+ 601
Video - 00:01:00
Mike and Dan introduce the CompTIA Security+ (SY0-601) learning path.
Unlock 7 days of free training
- 1,400+ hands-on courses and labs
- Certification practice exams
- Skill assessments
Plans & pricing
Infosec Skills Personal
$299 / year
- 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
- 100s of hands-on labs in cloud-hosted cyber ranges
- Custom certification practice exams (e.g., CISSP, Security+)
- Skill assessments
- Infosec peer community support
Infosec Skills Teams
$799 per license / year
- Team administration and reporting
- Dedicated client success manager
-
Single sign-on (SSO)
Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
-
Integrations via API
Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
- 190+ role-guided learning paths and assessments (e.g., Incident Response)
- 100s of hands-on labs in cloud-hosted cyber ranges
- Create and assign custom learning paths
- Custom certification practice exams (e.g., CISSP, CISA)
- Optional upgrade: Guarantee team certification with live boot camps