Implementing a Security Assessment and Authorization Process

This course teaches you how to approach reviewing the security of systems before introducing them to your environment and how to formally authorize systems. Both are key skills in the National Initiative for Cybersecurity Education framework.
Course info
Level
Intermediate
Updated
Dec 9, 2016
Duration
2h 26m
Description

New systems and changes to existing systems are part of any organization. Today, there is heavy emphasis on the security of all major changes to an organization's technology. The National Institute of Cybersecurity Education has a specific requirement for users to learn and understand a formal Security Assessment and Authorization process. In this course, Implementing a Security Assessment and Authorization Process, you'll first learn how to approach formally assessing the security controls of a new system. Next, you'll explore the approach taken to formally authorize the system before allowing it to become part of your organization's technology. You'll finish the course by learning how to select the correct security testing procedures from the whole library provided by NIST (National Institute for Standards in Technology). Upon completion of this course, you'll have the knowledge needed to implement and operate a security assessment and authorization process for your organization.

About the author

Richard has worked for over 20 years in various technology management roles in the card payments and regulated financial sectors. He spent several years deploying niche payment card solutions in Europe and, more recently, served as CIO in the US mortgage sector. Richard specializes in IT Risk and Information Security management.

Section Introduction Transcripts

Course Overview
Hi everyone. My name is Richard Harpur. Welcome to my course, Implementing a Security Assessment and Authorization Process. I am a certified information security manager, and my day job is all about managing IT risks. Today, concern about information security is mainstream. That's why I authored this course. Maybe you're an IT, risk, or compliance manager, or maybe you're working in a US federal organization. Whatever your background, this course will teach you the best approach to assessment and authorization. One thing is certain: the volume of security assessment and authorization is rapidly increasing. No one wants to be responsible for introducing unacceptable risk into their organization. You'll learn the difference between assessment and authorization. You'll learn several different assessment methods and 18 different security assessment families. You'll learn how to present your findings. And finally, you'll learn how a good authorization process should work. By the end of this course, you will have learned all about a security assessment and authorization process, and you will be confident in implementing these processes in your own organization. I hope you'll join me on this journey to learn Implementing a Security and Assessment Process at Pluralsight.

Looking at a Typical Assessment Process
In this module, we're going to look at a typical assessment process. I'm going to present a five-stage assessment process for you. Step one is preparing: getting ready and thinking about the assessment and how you're going to approach it. Step two is planning, specifically identifying what you're going to test, who's going to be notified, and what your escalation pattern is. Step three looks at procedures. Now, we've covered some detail about procedures in a previous module, but here I'll show you where it fits into the overall process. Step four is all about hitting that big red button and executing your assessment. Step five, the most important thing for the stakeholders, is reporting back your findings. And you know the approach by now. Let's take our five-stage assessment process and apply it to our Globomantics case study. Let's bring the assessment process to life. Now for you, the best thing about completing this module is that it means you can apply the fundamentals that you've learned in the previous module together with a structured approach for doing assessments. That really sets you up for carrying out your own assessments and also for future modules in this course. Let's get cracking.

Comparing Assessment Methods
Welcome to this module, Comparing Assessment Methods. This is one of the shorter modules in the entire course, but I think you'll find it really helpful. Even experienced assessors will find some nuggets in this module. You're going to learn some techniques to add to your toolkit for undertaking security assessments. So let's take a look at what we're going to cover in this module. Now, this is very simple. We're going to cover three different assessment methods: examination, interviews, and testing. And we're going to round out this module by looking at our Globomantics payroll system and how we can apply what we've learned to that use case. What you will have gained by completing this module is that you have learned the different types of assessment methods, and as you go through your assessments, you can draw on each of these different techniques when it's appropriate. You might want to think of this module as giving you a few different options in your back pocket to apply the most appropriate assessment method for a given scenario. Let's now take a look at each of these three methods at a high level before we jump in and look at them in detail.

Assessing Controls
Welcome to this Pluralsight course, Implementing a Security Assessment and Authorization Process. In this module, we're going to look at Assessing Controls. Let's have a look at what's coming up in this module. Firstly, we're going to look at some real-world examples where an assessment process has been really critical. Then I am going to take you through a whole library of controls to help you formulate your own individual assessment process. I'm going to explain to you how to assess these controls. Finally, as you know by now, we're applying what we're learning to the Globomantics payroll system case study, so you can practice what you learn in this module. Let's look at how far you've progressed in this course. We started off by understanding why we should care about security assessment and authorization. I have a great example coming up in just a moment to reinforce what we've learned. After that, we looked at some of the fundamentals around an authorization and assessment process. Then you learned what a typical assessment process actually looks like, so you can start forming your own process for your own organization. And just before this module, we finished off with comparing different assessment methods, so you will never get yourself into a tight spot when you're undertaking the assessment. You'll always have different methods to try. And here we are, assessing controls. Ultimately, when you are undertaking an assessment, you're really assessing the security controls around the system. There's quite a lot to get through in this module, so let's get started.

Conformance Testing
Thanks for watching this course, Implementing Security Assessment and Authorization Processes. In this module, we're going to look at Conformance Testing. In previous modules, you've been shown the different security control families that can be applied to a security assessment. Now we're going to look at undertaking some conformance testing. So we're going to look at the rules of engagement, which are really important before you ever put a finger on that keyboard to test anything. Next, I have separated conformance testing into two main categories: first, scanning, and second, active testing itself. This will help you to categorize the type of activity and conformance testing that you want to undertake. Remember, the National Initiative for Cybersecurity Education has security assessment and authorization as one of its key skill areas. By the time you complete this module, you'll have a great understanding of how to undertake some conformance testing. Let's move on and have a look at the rules of engagement.

Presenting Your Assessment Findings
Welcome along to this module. This is the second-to-last module in our entire course, Implementing Security Assessment and Authorization Process. In the next module, we'll cover security authorization. Let's have a look at how far you've come. We started off by looking at security assessment and authorization and why that's important. Then we looked at some of the assessment fundamentals. We followed that by looking at some of the typical assessment processes and procedures. We compared different types of assessment methods, so you knew what approach to take if things got a little bit difficult for you. Then we discussed assessing controls. And finally, before we got to this module, we discussed conformance testing. Now we're going to look at presenting your assessment findings. Unless you present your findings, the entire assessment process is not really going to be worthwhile. You need to present your findings and take decisions or actions as a result of your security assessment. Let's have a look at what's in store in this short module. We're going to look at the key elements of an assessment report. There are certain things that will make your report more effective if it has them contained within it, so that's where we're going to focus initially. From there, we look at assessment findings and the right to review and reply to your assessment report. It's always better to get buy-in from those you're reporting on rather than having challenges waiting for you when you publish the report. And finally, submission of the final report. Let's get started.

Security Authorization
Hi. I'm Richard Harpur, and welcome to Implementing Security Assessment and Authorization Processes. In this module, we're going to look at the Security Authorization section of this course. Previous modules focused on security assessment, but here we're going to look at the process of authorizing systems from a security perspective. This is what we're going to cover in this module. Firstly, we're going to revisit what is defined as security authorization. Then we're going to look at the authorization lifecycle. And finally, the key point for any authorization process is the authorization decision. So let's get started with clarifying the definition of authorization.