ISC2

Maturing Risk Management

This course is part of the (ISC)² Systems Security Certified Practitioner (SSCP) Specialization

Taught in English

3,030 already enrolled

Course

Gain insight into a topic and learn the fundamentals

4.9

(25 reviews)

Beginner level

Recommended experience

6 hours (approximately)
Flexible schedule
Learn at your own pace

Details to know

Shareable certificate

Add to your LinkedIn profile

Assessments

12 quizzes

There are 6 modules in this course

An important function of the IT department is to maintain information systems and to upgrade, enhance and revise those systems as necessary. Information systems are subject to many changes and modifications due to system patches, new technology or functionality, and the correction of process errors or system failures. The IT department must be able to manage change in order to support business operations and ensure the security of the systems.

The problem is that change poses a significant risk to the organization. Because of changes, systems may fail, functionality may be lost, security vulnerabilities may be introduced and data integrity may be compromised. This requires the development and implementation of a change management process that entails the documentation, testing and approval of all changes — and that thereby avoids business interruption.

What's included

5 videos, 4 readings, 1 quiz

Physical and environmental security are often the responsibilities of departments other than IT, such as the physical security department or the facilities management group. These departments play an important role in providing resilient and reliable information to other areas of the organization, including IT. The security professional may be required to work with these other departments to ensure that information systems are supported with electrical power, fire protection, physical access security, surveillance and protection from threats such as theft, vandalism and natural disasters.

It can even be said that physical security should be a higher priority than most other forms of security, such as passwords, firewalls and procedures. If an adversary can gain physical access to a server room, then the adversary can bypass all of the other forms of control and circumvent the security defenses. An adversary in a server room or wiring closet can install a wireless device or sniffer, cut or re-route cables or disable equipment, among other things.

What's included

7 videos, 8 readings, 2 quizzes

Experience shows that it’s relatively easy to establish and maintain a security education, awareness and training program for almost any organization. The difficulty with such a program is measurably demonstrating the program’s effectiveness.

Two major conflicts present themselves when the security team tries to engage with the end users at large. The first is rooted in the perception that security measures cost the end user time and effort to comply with. Work could get done so much more quickly and easily, this view argues, if all these extra security hurdles didn’t have to be jumped over all the time. The second reflects the users’ perception that most security training is an even further waste of their time. Both perceptions act to oppose the effective adoption of security controls by end users and discourage them from taking responsibility for their own learning, and thus from gaining the most value possible from the training that’s presented to them.

As with access control and identity management, it may be that it’s more than high time for a healthy dose of just-in-time learning for security. Security training consultants and specialist firms have made significant changes in their approaches to helping users learn what they need, when they need it. Microtraining, for example, breaks the training experience down into steps that might last less than one minute. In that minute, the microtraining engages the learner-user and has them take actions related to how they perform their normal jobs, structured as part of the teaching and learning process.

Measuring the effectiveness of a training program has also suffered from a lack of innovation and maturation. This can change. User behavior modeling and analysis tools can gather data that highlights when individual users or groups of users are in need of specific refresher learning opportunities.

Let’s see how ideas like these can be put into practice and how we can assess their effectiveness.

What's included

3 videos, 1 reading, 3 quizzes

Security assessment determines whether the controls implemented to reduce risk have been implemented as designed, are operating as expected and are achieving the desired result. This assurance can be the result of outside organizations evaluating the control environment or of actions taken by the organization itself to evaluate the performance of the controls. Security assessment is performed by conducting inspections, audits and tests. Additionally, the results of investigations into anomalies and security incidents can also provide valuable insights into a security assessment process.

The assessment and testing processes must be performed consistently and the results communicated properly so that the organization’s management understands the risks they face. Security or controls audits are formal assessments that are normally performed to assure external evaluators that an organization’s controls meet compliance expectations. Ultimately, the results of audit, assessment and testing activities will allow the organization to identify control gaps and inefficiencies. This information will be the starting point for continual process improvement activities.

The security professional should be familiar with the strategies, techniques and processes by which organizational expectations for control are set, evaluated and improved. They should be able to explain the basic flow of audit and assessment activities and describe the tools and artifacts that support data-driven decision-making. Collectively, this information should enable the security professional to develop an organizationally appropriate assessment program.

It is tempting to think that much of the burden of security assessment and testing takes place during the development phase of the lifecycle of a major software system. Two factors, however, show us that this would be an unwise and unsafe assumption for security professionals or systems owners to make. The first is that many systems are turned over to operational users with inadequate functional testing having been completed. Experience shows that many systems development projects fall behind schedule, and since it’s the last tasks on the timeline that feel the pressure to cut corners, testing often is rushed, abbreviated or skipped. The second is that many commercial systems are developed with a less robust view of the need for security, safety, resilience and data protection than is required to defend against today’s sophisticated threats. Both factors mean that many organizations today are failing security assessments, audits and compliance reviews, or are failing to win new business opportunities, as a result of building their business processes atop an insecure software and systems base. It also means that security professionals are often confronted with deployed, in-use systems in need of a thorough security assessment, including testing, to meet evolving business needs and the changing threat landscape.

This starts (as does this module) by first understanding the objectives of a security assessment, which lead to developing the strategy that will guide its accomplishment. This provides the framework for vulnerability assessments and the testing techniques used to perform them, including a deeper dive into wireless network security testing. Ethical penetration testing can and should be a regular component in nearly every organization’s security assessment and operations plan. We’ll take a closer look at what makes this unique and valuable, and how ethical penetration testers work with the organization’s leadership and its technical and security teams to preserve the integrity of the testing at minimal disruption to the daily business of the organization. Audits, both formal and informal, provide a structured way to review all of the control systems the organization has in place. Many of these are known as internal controls over financial reporting (ICOFR or ICFR); in this era of ransom attacks as big business, security professionals need to be far more conversant with how the flow of information about the flow of money must be protected.

What's included

14 videos, 5 readings, 3 quizzes

The incident triage process (described in module 1) may identify that a particular event or set of events needs more than just the incident response process to handle it. Two specific types of plans are typically used to define these responses, prepare the organization and guide its teams in dealing with such events.

It’s an easy mistake to think that disaster recovery plans (DRPs) are broad and all-encompassing, dealing with recovery from earthquakes, hurricanes, fires or major cyberattacks; in reality, the scope of DRPs is much narrower. DRPs and their activities deal with the restoration of the information and communications systems and technologies that support urgent business or organizational needs. (It would not be surprising if organizations that rely on IoT, SCADA or process control systems start reshaping their classic DRPs to also address their OT critical systems and capabilities.)

It is the business continuity plan (BCP) that takes into account the much broader scope of activities required to keep an organization alive and operating, as it recovers from the immediate effects of a disruptive incident and restores non-critical services and activities so it can move forward. Let’s see how the security professional would support these plans, during both their development and their operational activation and use.

What's included

14 videos, 2 readings, 2 quizzes

Chapter 8 brought together many different aspects of information systems security, binding them together with several important ideas. First, systems must be managed if they are to be protected and kept secure. One form of management is configuration management, in which we ensure that changes are only made when authorized; when effective, CM systems can become part of the arsenal of intrusion detection capabilities.

Physical security measures were placed in the context of protecting and sustaining the organization, its systems and its people. In many organizations, these physical security control systems are data-driven and thus tightly integrated with overall IAAA and incident detection capabilities. SUNBURST and other recent attacks on SCADA, ICS and other operational technology (OT) systems highlighted the need for many organizations and security professionals to expand their horizons to include things beyond the edge of the TCP/IP networks, databases and web page views of the organization and the threat landscape.

We also saw that effective systems management requires measurement, observation, test and analysis in order to know what today’s security posture really is, and to inform considerations of where, when and how to improve that posture. Inspections, assessments, audits and ethical penetration testing were all viewed in this context.

Two other major topic areas — business continuity and security education, training and awareness — actually come together in surprising ways. Many of us who’ve served in our nation’s militaries, police or emergency first responder corps know that humans in highly disruptive situations often must fall back on their training if they are to remain calm, not panic and thoughtfully deal with the situation one step at a time. Microtraining is an excellent example of this. By popping up a mock phishing or malware-based attack activity when an end user least expects it, microtraining presents users with the chance to either fall back unthinkingly on habit, or stop, observe, orient themselves to a potential security issue and then make decisions. Awareness, training and education efforts can provide employees with the skills and the frame of mind they need to deal with disruptions, no matter what scale and no matter whether they are simulated or real. As with other aspects of information systems security, continuity of operations and disaster recovery require extensive preparation, and one of the most important tasks in that is preparing one’s people to adapt and overcome as a team.

What's included

1 reading, 1 quiz, 1 peer review

Instructor

(ISC)² Education & Training (ISC2)
Instructor ratings: 4.8 (6 ratings)
20 courses, 74,096 learners

Offered by

ISC2

Learner reviews

4.9 (25 reviews)

  • 5 stars: 92%
  • 4 stars: 8%
  • 3 stars: 0%
  • 2 stars: 0%
  • 1 star: 0%
