This session provides practical cybersecurity assessment advice. It
details the end-to-end process, including scoping, 9 steps to
develop work papers, scheduling, the on-site assessment, report
preparation and presentation.



The first assessment example leverages the NIST Cybersecurity
Framework to ensure coverage across security domains. Sample
scoping questions will be provided, along with tips and examples for
adding controls based on business processes, insider threat, privacy
and fraud.



This session also addresses follow-on assessments. Attendees are
encouraged to evaluate lines of business and to take deep dives
into critical functions. Tips and examples are provided for leveraging
best practices to create specific testing procedures.



Rather than repeating the same assessment year-over-year, the
scoping methodology is risk opportunistic: the focus is on areas
that have not been evaluated recently and on areas that may require
enhanced controls due to the presence of valuable data. Albert
Einstein's quote applies here: "the definition of insanity is doing
something over and over again and expecting different
results".



The session will briefly walk through the assessment report
framework, providing tips along the way.



The assessment presentation phase includes a slide deck framework
covering the threat landscape, the assessment methodology, high and
moderate-high findings, a Strengths, Weaknesses, Opportunities and
Threats (SWOT) slide, and next steps.