Information Risk Management & Security – ERMS 690
Cyber Security is no longer just a technical issue. If you own a computer, a phone, a smart device, or a social media account, it is almost a guarantee that you will be exposed to Cyber Security threats and attacks. Thus, it is already well-documented that a very large percent of businesses suffer some form of computer attacks every year, with a significant success rate for the attackers. Cyber Security is important for both individuals and organizations.
So how do we deal with Cyber Security threats and attacks? The alternative – going back to the Stone Age – is literally not an option! Rather, it all starts with awareness and education. This course introduces you to the world of Cyber Security, discusses the main threats to Cyber Security, and suggests how to manage Cyber Security risks from an individual and an organizational perspective. The course is thus aiming to provide awareness and education and is valuable to both technical and non-technical individuals.
By the end of this course, students should be able to:
- Defend the need for security risk-based management based on an understanding of opportunity costs, within the confines of regulation and client expectations.
- Identify and develop awareness of risk sources involving people, processes, information, and technology.
- Defend enterprises through an understanding of the anatomy of attacks and the building of sustainable defense-in-depth (DiD) strategies to mitigate current and emerging attacks.
- Review and develop an on-going and sustained approach to security risk-management throughout the enterprise.
Week 1: Overview of Risk Management, Security, and Governance:
- Overview of risk management and its life cycle
- Business implications of security management, including risk and opportunity management (costsand benefits)
- Understanding and reviewing risk management frameworks, standards, and practices
Week 2: Overview of Risk Management, Security, and Governance:
- Essentials of risk governance and legislation
- Roles and responsibilities for security risk management
- Articulating clear goals for enterprise risk management
Week 3: Identifying Sources of Risk:
- Understanding residual risks as well as threats, vulnerabilities, and organizational assets
- Knowledge of different types of security threats and attacks
- Physical versus logical security
- Network, database, and application level security
Week 4: Identifying Sources of Risk:
- Understanding security risks in enterprise processes and employees
- Emerging sources of risk: outsourcing, cloud, critical infrastructure, and cybersecurity
- Technology projects, the SDLC and security risk planning
Week 5: Dealing with Security Risks:
- Anatomy of security threats and attack modeling
- Security and the risk management life cycle
- Quantitative vs. qualitative risk methodologies
- Technical and non-technical risks management (Security policies, standards, guidelines, andgovernance)
Week 6: Dealing with Security Risks:
- Mitigation strategies and developing response plans (IRP, DRP, and BCP)
- Technology projects, the SDLC, and security risk design and management
- Developing Security-in-Depth
Week 7: Ongoing Management of a secure enterprise:
- Review of your risk and security management program
- Review of security policies, standards, guidelines, and procedures
- Review of security and enterprise governance frameworks
Week 8: Ongoing Management of a secure enterprise:
- Documentation of lessons learned
- Security awareness, training, and education
- 50% – Discussions (group and individual grades)
- 20% – Individual assignment
- 30% – Individual final essay