Module 2: Applied Standards and Cybersecurity Risk Management
NIST
DoD RMF
FFIEC SAT
FAIR
OCTAVE Allegro
Learning Setting: This module is suitable with minimal modifications for in-class, online, and hybrid modes of delivery
Discussion
Exercises
This document is licensed with a Creative Commons Attribution 4.0 International License ©2017 Catalyzing Computing and Cybersecurity in Community Colleges (C5).
Module2_Lab_Application_of_FFIEC_Cybersecurity_Assessment_Tool.docx
Module2_LabSolution_Application_of_FFIEC_Cybersecurity_Assessment_Tool.docx
Module2_Lab_Application_of_RMF_Steps_1_and_2.docx
Module2_LabSolution_Application_of_RMF_Steps_1_and_2.docx
LEARNING OUTCOMES
MODULE DETAILS
Instructional Files and Online Resources Needed:
8. NIST. (2018). Risk Management. https://csrc.nist.gov/projects/risk-management
9. The Open Group. (2009). Risk Taxonomy-Technical Standard. http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf
10. Software Engineering Institute. (2007). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. https://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf
Assessment Guides:
Module_2_Assessment_Guide.docx
The following table indicates the related learning outcome for each assessment question in the guide.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
7.1 X X X
7.2 X X
7.3 X X X X
8.1 X X X
8.2 X X X
8.3 X
8.4 X
9.1 X X
9.2 X X X X X X
10.1 X
10.2 X
10.3 X
10.4 X
MICROMODULES
Overview of Micromodules:
Micromodule 7. Cybersecurity Framework and DoD Risk Management Framework
Micromodule 8. Risk Management Framework and Information Security Management Systems
Micromodule 9. Government Standards and Regulations
Micromodule 10. Industry Standards and Best Practices
Micromodule 7 Details:
Warm Up: The students will be asked to identify some of the primary federal agencies that are heavily reliant on cyber infrastructure for their operation. The students will then be asked to identify private or other public agencies (aside from federal) that would need to connect to federal agencies’ cyber infrastructure. It will then be pointed out that all these various agencies and companies would need to be compliant with some standards for them to be able to operate at some guaranteed level of security.
is no potential impact from a loss of confidentiality (i.e., confidentiality
requirements are not applicable), a moderate potential impact from a loss
of integrity, and a moderate potential impact from a loss of availability. The
Security Category (SC) appropriate for this case is then deliberated to
emphasize how SC is determined.
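The SC determination discussed above, as an added example that is not part of the module's materials: it assumes the FIPS 199 notation SC = {(confidentiality, impact), (integrity, impact), (availability, impact)} and its high-water-mark rule, and it goes one step beyond the single case above by also aggregating several information types onto one system. Function names and the sample information types are constructed.

```python
# Added example, not from the module's materials: FIPS 199-style security
# categorization with the high-water-mark rule. Function and sample names are mine.
from typing import Dict

LEVELS = ("NA", "LOW", "MODERATE", "HIGH")  # ordering used for the high water mark
OBJECTIVES = ("confidentiality", "integrity", "availability")

def validate(impact: Dict[str, str]) -> None:
    """Reject bad assignments; NA (not applicable) is only valid for confidentiality."""
    for objective in OBJECTIVES:
        level = impact.get(objective)
        if level not in LEVELS:
            raise ValueError(f"{objective}: unknown impact level {level!r}")
        if level == "NA" and objective != "confidentiality":
            raise ValueError(f"{objective}: NA is only allowed for confidentiality")

def information_type_sc(impact: Dict[str, str]) -> Dict[str, str]:
    """SC of one information type, e.g. the public-information case above."""
    validate(impact)
    return {objective: impact[objective] for objective in OBJECTIVES}

def system_sc(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """SC of a system hosting several information types: the per-objective high
    water mark, floored at LOW because FIPS 199 never rates a system itself NA."""
    category = {}
    for objective in OBJECTIVES:
        levels = [information_type_sc(i)[objective] for i in info_types.values()]
        category[objective] = max(levels + ["LOW"], key=LEVELS.index)
    return category

def overall_impact(category: Dict[str, str]) -> str:
    """Highest of the three objectives; this drives baseline control selection."""
    return max(category.values(), key=LEVELS.index)

def format_sc(name: str, category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC name = {(objective, level), ...}."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"

# Constructed sample input: the case discussed above plus one sensitive type.
PUBLIC_INFO = {"confidentiality": "NA", "integrity": "MODERATE", "availability": "MODERATE"}
PERSONNEL = {"confidentiality": "HIGH", "integrity": "MODERATE", "availability": "LOW"}

if __name__ == "__main__":
    print(format_sc("public information", information_type_sc(PUBLIC_INFO)))
    system = system_sc({"public": PUBLIC_INFO, "personnel": PERSONNEL})
    print(format_sc("web portal", system), "->", overall_impact(system))
```

Running it prints the public-information SC with confidentiality NA and an overall MODERATE, then shows how adding one HIGH-confidentiality information type raises the whole system to HIGH.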
MICROMODULE 8. RISK MANAGEMENT FRAMEWORK AND INFORMATION SECURITY MANAGEMENT SYSTEMS
Learning Outcomes:
Upon completion of this micromodule:
Micromodule 8 Details:
Warm Up: Consider one of the large DoD subcontractors, e.g., Lockheed Martin Corporation, The Boeing Company, or General Dynamics Corporation, and how information may be flowing back and forth between DoD and this company. It is only reasonable that the company’s cybersecurity practices meet a certain level that will not put the rest of the DoD cyber system at undue risk.
MICROMODULE 9. GOVERNMENT STANDARDS AND REGULATIONS
Learning Outcomes:
Micromodule 9 Details:
MICROMODULE 10. INDUSTRY STANDARDS AND BEST PRACTICES
Learning Outcomes:
Micromodule 10 Details:
o What is FAIR
o FAIR Framework
o Decomposing Risk
o FAIR Ontology
o OCTAVE-Original
o OCTAVE-S
o OCTAVE Allegro
o OCTAVE Allegro-Process
o OCTAVE Allegro-Worksheets