
MODULE 2: APPLIED STANDARDS AND CYBERSECURITY RISK MANAGEMENT


Module Description: Applied Standards and Cybersecurity Risk Management discusses major cybersecurity risk management standards, including:

• NIST
• DoD RMF
• FFIEC CAT
• FAIR
• OCTAVE Allegro

Prerequisite Knowledge: Knowledge of risk is required to take this course.

Length of Completion: 12 contact hours

Level of Instruction: Appropriate for both upper-level undergraduate courses and graduate-level courses, with its additional advanced topics.

This module is suitable for non-majors and majors in engineering and management.

Learning Setting: This module is suitable, with minimal modifications, for in-class, online, and hybrid modes of delivery.

Lab Environment: This module does not require a laboratory setting.

Activity/Lab Tasks: Learning activities are:

• Lecture
• Discussion
• Exercises
• Hands-on Case Study Labs

Lab Files Needed:

• Module2_Lab_Application_of_FFIEC_Cybersecurity_Assessment_Tool.docx
• Module2_LabSolution_Application_of_FFIEC_Cybersecurity_Assessment_Tool.docx
• Module2_Lab_Application_of_RMF_Steps_1_and_2.docx
• Module2_LabSolution_Application_of_RMF_Steps_1_and_2.docx

This document is licensed with a Creative Commons Attribution 4.0 International License ©2017 Catalyzing Computing and Cybersecurity in Community Colleges (C5).

LEARNING OUTCOMES

MODULE LEARNING OUTCOMES


• Adapt risk management methods and skills to their current area of
expertise in cybersecurity
• Communicate cybersecurity risks to a decision maker of any level
(i.e., tactical, operational and strategic) in an understandable manner
• Apply cybersecurity risk management standards and best practices

MODULE DETAILS

Interconnection: This module is one of three modules of the Multidisciplinary Risk Management in Cybersecurity course. This module has four micromodules:

Number  Micromodule Title                                                       Slides  Assessment Guides
7       Cybersecurity Framework and DoD Risk Management Framework               X       X
8       Risk Management Framework and Information Security Management Systems   X       X
9       Government Standards and Regulations                                    X       X
10      Industry Standards and Best Practices                                   X       X

Instructional Files and Online Resources Needed:

Micromodule (MM) PowerPoint slides:

• MM_07_Cybersecurity_Framework_and_DoD_Risk_Management_Framework.pptx
• MM_08_Risk_Management_Framework_and_Information_Security_Management_Systems.pptx
• MM_09_Government_Standards_and_Regulations.pptx
• MM_10_Industry_Standards_and_Best_Practices.pptx

Supplementary Readings (Optional)

1. NIST. (2014). Document 3764, CSF Core. https://www.nist.gov/document-3764
2. DoD. (2014). DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT). http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf
3. DoD. (2015). DoD Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle. https://www.dau.mil/tools/Lists/DAUTools/Attachments/37/DoD%20-%20Guidebook,%20Cybersecurity%20Risk%20Management%20Framework,%20v1.08,%20Sep%202015.pdf
4. White House. (2013). Executive Order - Improving Critical Infrastructure Cybersecurity. https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
5. NIST. (2017). SP 800-37 Rev. 2 (discussion draft), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-discussion-draft.pdf
6. Irwin, L. (2017). How to implement an ISMS. https://www.itgovernance.co.uk/blog/how-to-implement-an-isms/
7. FFIEC. (2017). Cybersecurity Assessment Tool - Overview for Chief Executive Officers and Boards of Directors. https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_CEO_Board_Overview_June_2015_PDF1.pdf
8. NIST. (2018). Risk Management. https://csrc.nist.gov/projects/risk-management
9. The Open Group. (2009). Risk Taxonomy - Technical Standard. http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf
10. Software Engineering Institute. (2007). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. https://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf

Assessment: The module assessment is composed of various types of questions (multiple choice, true-or-false, matching, exposition), all aligned to the learning objectives of the respective micromodules.

Assessment Guides:
Module_2_Assessment_Guide.docx

The following table indicates the related learning outcome (rows) for each assessment question in the guide (columns 1 to 26).

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

7.1 X X X
7.2 X X
7.3 X X X X
8.1 X X X
8.2 X X X
8.3 X
8.4 X
9.1 X X
9.2 X X X X X X
10.1 X
10.2 X
10.3 X
10.4 X

MICROMODULES

Overview of Micromodules:
Micromodule 7. Cybersecurity Framework and DoD Risk Management
Framework
Micromodule 8. Risk Management Framework and Information
Security Management Systems
Micromodule 9. Government Standards and Regulations
Micromodule 10. Industry Standards and Best Practices

MICROMODULE 7. CYBERSECURITY FRAMEWORK AND DOD RISK MANAGEMENT FRAMEWORK
Learning Outcomes:

Upon completion of this micromodule:

7.1. Identify important elements of the cybersecurity framework, such as its purpose, its steps, its core functions, the implementation tiers, or the coordination of implementation
7.2. Identify the elements of the DoD risk management framework, such as the principles and concepts behind it, the steps of the RMF lifecycle, or the main government cybersecurity risk management standard governing each step
7.3. Apply steps 1 and 2 of the risk management framework

Micromodule 7 Details:

Warm Up: The students will be asked to identify some of the primary federal agencies that are heavily reliant on cyber infrastructure for their operation. The students will then be asked to identify private or other public (non-federal) organizations that would need to connect to those federal agencies' cyber infrastructure. It will then be pointed out that all of these agencies and companies would need to comply with common standards in order to operate at some guaranteed level of security.

Micromodule Content: The micromodule material is a combination of exposition and free discovery of the NIST Framework for Improving Critical Infrastructure Cybersecurity and the application of DoD Risk Management Framework Steps 1 and 2 (Categorize System and Select Security Controls).

Active Learning Activity: An example will be given of an organization managing public information on its web server. The organization determines that there is no potential impact from a loss of confidentiality (i.e., confidentiality requirements are not applicable, because the information is already public), a moderate potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. The Security Category (SC) appropriate for this case is then deliberated to emphasize how an SC is determined.
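The categorization worked through in that activity is the FIPS 199 procedure behind RMF Step 1. The Python below is an added example, not material from the module or from NIST: it applies the FIPS 199 rules to the web-server case and also generalizes to a system hosting several information types, where each security objective takes the high-water mark across types. The information types and impact values are constructed for illustration.

```python
# Added example (not from the original module or from NIST): FIPS 199
# security categorization as done in RMF Step 1 (Categorize System).
# Information types and impact values below are constructed for
# illustration; real categorizations map types via NIST SP 800-60.
from enum import IntEnum
from typing import Dict, Iterable, Optional

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


def categorize_info_type(confidentiality: Optional[Impact], integrity: Impact,
                         availability: Impact) -> Dict[str, Optional[Impact]]:
    """Security category of one information type.

    FIPS 199 permits 'not applicable' (None here) only for confidentiality,
    and only for information that is meant to be public.
    """
    return {"confidentiality": confidentiality, "integrity": integrity,
            "availability": availability}


def categorize_system(info_types: Iterable[Dict[str, Optional[Impact]]]) -> Dict[str, Impact]:
    """System-level category: the high-water mark per objective across all types.

    At system level NA is not allowed for any objective, because the system's
    own processing functions still need at least LOW protection (FIPS 199).
    """
    sc: Dict[str, Optional[Impact]] = {o: None for o in OBJECTIVES}
    for it in info_types:
        for o in OBJECTIVES:
            value = it[o]
            if value is None:
                if o != "confidentiality":
                    raise ValueError(f"'not applicable' is only valid for confidentiality, not {o}")
                continue
            if sc[o] is None or value > sc[o]:
                sc[o] = value
    return {o: (sc[o] if sc[o] is not None else Impact.LOW) for o in OBJECTIVES}


def overall_impact(sc: Dict[str, Impact]) -> Impact:
    """Overall impact level (high-water mark of the three objectives).

    This single value selects the SP 800-53 baseline in RMF Step 2.
    """
    return max(sc.values())


def format_sc(sc: Dict[str, Optional[Impact]]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, NA), ...}."""
    parts = [f"({o}, {'NA' if sc[o] is None else sc[o].name})" for o in OBJECTIVES]
    return "SC = {" + ", ".join(parts) + "}"


if __name__ == "__main__":
    # The module's case: public information on a web server.
    public_web_content = categorize_info_type(None, Impact.MODERATE, Impact.MODERATE)
    print("information type:", format_sc(public_web_content))
    system_sc = categorize_system([public_web_content])
    print("system:          ", format_sc(system_sc), "-> overall", overall_impact(system_sc).name)

    # Generalization (constructed): the same server also serves a customer
    # notification feed whose availability matters more than its secrecy.
    notification_feed = categorize_info_type(Impact.LOW, Impact.MODERATE, Impact.HIGH)
    mixed = categorize_system([public_web_content, notification_feed])
    print("mixed system:    ", format_sc(mixed), "-> overall", overall_impact(mixed).name)
```

For the web server the information-type category is SC = {(confidentiality, NA), (integrity, MODERATE), (availability, MODERATE)}, but FIPS 199 does not allow NA at the system level, so the system category becomes LOW/MODERATE/MODERATE with an overall impact of MODERATE, which is the value that drives the baseline selected in Step 2. Passing NA for integrity or availability is rejected, since FIPS 199 reserves NA for confidentiality.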

MICROMODULE 8. RISK MANAGEMENT FRAMEWORK AND INFORMATION
SECURITY MANAGEMENT SYSTEMS

Learning Outcomes:

Upon completion of this micromodule:

8.1. Recognize the benefits of applying the DoD risk management framework (RMF)
8.2. Identify actions organizations perform when applying the DoD RMF
8.3. Identify the purpose of ISO information security management system (ISMS) standards
8.4. Identify characteristics of the DoD RMF and the information security risk management standards

Micromodule 8 Details:

Warm Up: Consider one of the large DoD contractors, e.g., Lockheed Martin Corporation, The Boeing Company, or General Dynamics Corporation, and how information flows back and forth between DoD and this company. It is only reasonable that the company's cybersecurity practices be held to a level that will not put the rest of the DoD cyber system at undue risk.

Micromodule Content: The micromodule material is a combination of exposition and free discovery of DoD Risk Management Framework Steps 3 to 6: Implement Security Controls, Assess Security Controls, Authorize System, and Monitor Security Controls. The ISO Information Security Management System (ISMS) is explored and compared with the DoD RMF.

Active Learning Activity: Considering 'Tailoring - Advanced Persistent Threat (APT)', addressing the APT would require general knowledge of various aspects of the DoD RMF and of the SP 800-53 control catalog it draws on, particularly:

• Insider protection (CM-5(4))
• Diversity/heterogeneity (SC-27 and SC-29)
• Deception (SC-26 and SC-30)
• Non-persistence (SC-25 and SC-34)
• Segmentation (SC-7(13))

MICROMODULE 9. GOVERNMENT STANDARDS AND REGULATIONS

Learning Outcomes:

Upon completion of this micromodule:

9.1. Distinguish standards and regulations based on their type and scope
9.2. Apply government cybersecurity risk management standards, particularly the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, when assessing cybersecurity risks

Micromodule 9 Details:

Warm Up: Several examples of financial institutions will be provided, from commonly and popularly known large ones such as Equifax and Bank of America to smaller and less known ones such as credit unions. It will be emphasized that the cybersecurity postures of these organizations must be based on their respective sizes and types of operations.

Micromodule Content: The micromodule material is a combination of exposition and free discovery of

• Federal Information Security Modernization Act (FISMA)
• National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
• Department of Defense Risk Management Framework (DoD RMF)
• Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool

Active Learning Activity: Sample characteristics of a small bank will be provided and used to identify the corresponding inherent risk profile and cybersecurity maturity level using the FFIEC CAT User's Guide. It will be pointed out that applying the FFIEC CAT shows cybersecurity managers which actions would attain their target maturity level in the short term and gives direction for longer-term targets.
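As an added illustration of the scoring logic behind that activity (not code from the module or from the FFIEC): the CAT's Inherent Risk Profile rates each activity on a five-point scale, and its Cybersecurity Maturity part credits a domain with a level only when every declarative statement at that level and at all lower levels is answered 'Yes' (or 'Yes with compensating controls'). The small bank's ratings and answers below are constructed, and the rule for rolling activity ratings up to an overall profile (the level with the most selections, ties to the higher level) is an assumption; the User's Guide leaves that judgment to management.

```python
# Added example (not from the original module or from the FFIEC): the scoring
# rules of the FFIEC Cybersecurity Assessment Tool (CAT). Part 1 rates each
# activity in the five inherent-risk categories on a five-point scale; Part 2
# answers declarative statements for each domain at five maturity levels.
# The small bank's ratings and answers below are constructed.
from collections import Counter
from typing import Dict, List, Tuple

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
MET = {"Yes", "Yes(C)"}  # "Yes(C)" = yes with compensating controls; counts as met


def inherent_risk_profile(ratings: Dict[str, str]) -> Tuple[str, Counter]:
    """Overall inherent risk profile from per-activity ratings.

    The CAT User's Guide has management judge the overall profile from how many
    activities fall in each level; the roll-up here (level with the most
    selections, ties to the higher level) is an assumption, not CAT text.
    """
    counts = Counter(ratings.values())
    unknown = set(counts) - set(RISK_LEVELS)
    if unknown:
        raise ValueError(f"unknown inherent risk level(s): {sorted(unknown)}")
    overall = max(RISK_LEVELS, key=lambda lvl: (counts[lvl], RISK_LEVELS.index(lvl)))
    return overall, counts


def domain_maturity(answers: Dict[str, List[str]]) -> str:
    """Highest maturity level attained by one domain.

    CAT rule: a level is attained only when every declarative statement at that
    level and at all lower levels is met. A single 'No' at Baseline caps the
    domain below Baseline however many higher-level statements are met.
    """
    attained = "Not yet Baseline"
    for level in MATURITY_LEVELS:
        statements = answers.get(level, [])
        if not statements or any(a not in MET for a in statements):
            break
        attained = level
    return attained


def blocking_statements(answers: Dict[str, List[str]], target: str) -> List[Tuple[str, int]]:
    """(level, statement index) pairs that must be met before `target` is attained."""
    needed = MATURITY_LEVELS[:MATURITY_LEVELS.index(target) + 1]
    return [(lvl, i) for lvl in needed
            for i, a in enumerate(answers.get(lvl, [])) if a not in MET]


# Part 1 (constructed): a handful of the bank's inherent-risk activities.
SMALL_BANK_ACTIVITIES = {
    "ISP connections": "Minimal",
    "Third parties with access to systems": "Moderate",
    "Mobile banking app": "Minimal",
    "Wire transfers": "Moderate",
    "Employees and contractors": "Least",
    "Attempted cyber attacks": "Minimal",
}

# Part 2 (constructed): Domain 3, Cybersecurity Controls, answers per level.
SMALL_BANK_CONTROLS_DOMAIN = {
    "Baseline":     ["Yes", "Yes", "Yes(C)", "Yes"],
    "Evolving":     ["Yes", "No", "Yes"],
    "Intermediate": ["Yes", "No"],
    "Advanced":     ["No"],
    "Innovative":   ["No"],
}

if __name__ == "__main__":
    profile, counts = inherent_risk_profile(SMALL_BANK_ACTIVITIES)
    print("inherent risk profile:", profile, dict(counts))
    print("Cybersecurity Controls maturity:", domain_maturity(SMALL_BANK_CONTROLS_DOMAIN))
    print("to reach Intermediate, fix:",
          blocking_statements(SMALL_BANK_CONTROLS_DOMAIN, "Intermediate"))
```

The cumulative rule is what makes the CAT useful for short-term planning: the bank above is rated Baseline in this domain even though it already meets an Intermediate statement, and blocking_statements() lists exactly the two 'No' answers (one at Evolving, one at Intermediate) it would have to close to reach Intermediate.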

MICROMODULE 10. INDUSTRY STANDARDS AND BEST PRACTICES

Learning Outcomes:

Upon completion of this micromodule:

10.1. Define the basic elements of FAIR
10.2. Identify the relationships among FAIR risk factors
10.3. Define the process and steps of OCTAVE Allegro
10.4. Apply the risk analysis steps using the OCTAVE Allegro worksheets

Micromodule 10 Details:

Warm Up: A recent, widely publicized cyber incident at a financial institution will be invoked, e.g., the Equifax breach, with emphasis on how much it has cost the various stakeholders. It will be pointed out that the cybersecurity posture of this organization could have been different had the magnitude of the potential losses been known ahead of time.

Micromodule Content: The micromodule material is a combination of exposition and free discovery of

• Factor Analysis of Information Risk (FAIR)
  o What is FAIR
  o FAIR Framework
  o Decomposing Risk
  o FAIR Ontology
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Methodology
  o OCTAVE-Original
  o OCTAVE-S
  o OCTAVE Allegro
  o OCTAVE Allegro-Process
  o OCTAVE Allegro-Worksheets
  o OCTAVE Allegro Example
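The 'Decomposing Risk' and 'FAIR Ontology' items above are where a worked example helps most. The Python below is an added example (not from the module, The Open Group, or the FAIR Institute) that evaluates the FAIR decomposition by Monte Carlo simulation: Risk = Loss Event Frequency x Loss Magnitude, with LEF = Threat Event Frequency x Vulnerability, TEF = Contact Frequency x Probability of Action, Vulnerability = P(Threat Capability exceeds Resistance Strength), and Loss Magnitude = Primary Loss + Secondary Loss. All ranges are constructed (min, most likely, max) estimates for a hypothetical scenario, and triangular distributions stand in for the PERT distributions FAIR tools typically use.

```python
# Added example (not from the original module, The Open Group or the FAIR
# Institute): the FAIR risk decomposition evaluated by Monte Carlo simulation.
#   Risk (annualized loss exposure) = Loss Event Frequency x Loss Magnitude
#   LEF = Threat Event Frequency x Vulnerability
#   TEF = Contact Frequency x Probability of Action
#   Vulnerability = P(Threat Capability > Resistance Strength)
#   LM  = Primary Loss + Secondary Loss
# Every range below is a constructed (min, most likely, max) estimate for a
# hypothetical scenario; triangular distributions stand in for PERT.
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Range = Tuple[float, float, float]  # (min, most likely, max)


@dataclass
class Scenario:
    contact_frequency: Range      # threat agent contacts per year
    probability_of_action: Range  # P(a contact becomes a threat event), 0..1
    threat_capability: Range      # percentile 0..100 within the threat community
    resistance_strength: Range    # control strength as a percentile 0..100
    primary_loss: Range           # currency per loss event
    secondary_probability: Range  # P(a loss event also causes secondary loss)
    secondary_loss: Range         # currency per secondary loss event


def draw(r: Range, rng: random.Random) -> float:
    lo, mode, hi = r
    return rng.triangular(lo, hi, mode)


def poisson(rate: float, rng: random.Random) -> int:
    """Number of events in one year at the given rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def estimate_vulnerability(s: Scenario, rng: Optional[random.Random] = None,
                           n: int = 10_000) -> float:
    """Vulnerability = fraction of encounters where capability beats resistance."""
    if rng is None:
        rng = random.Random(1)
    hits = sum(draw(s.threat_capability, rng) > draw(s.resistance_strength, rng)
               for _ in range(n))
    return hits / n


def simulate_year(s: Scenario, rng: random.Random) -> float:
    """One simulated year: TEF -> threat events -> loss events -> loss magnitude."""
    tef = draw(s.contact_frequency, rng) * draw(s.probability_of_action, rng)
    loss = 0.0
    for _ in range(poisson(tef, rng)):
        # A threat event becomes a loss event only if the attacker out-matches the control.
        if draw(s.threat_capability, rng) > draw(s.resistance_strength, rng):
            loss += draw(s.primary_loss, rng)
            if rng.random() < draw(s.secondary_probability, rng):
                loss += draw(s.secondary_loss, rng)
    return loss


def annualized_loss_exposure(s: Scenario, iterations: int = 20_000,
                             seed: int = 1) -> Dict[str, float]:
    """Distribution summary of annual loss; report percentiles, not just the mean."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(iterations))
    q = statistics.quantiles(losses, n=100)  # q[i] is the (i + 1)th percentile
    return {"mean": statistics.fmean(losses), "median": q[49],
            "p90": q[89], "p95": q[94], "max": losses[-1]}


# Constructed scenario: external attacker against an internet-facing
# banking application. Numbers are illustrative, not measured.
EXAMPLE = Scenario(
    contact_frequency=(50, 120, 400),
    probability_of_action=(0.02, 0.05, 0.10),
    threat_capability=(50, 75, 95),
    resistance_strength=(60, 80, 90),
    primary_loss=(20_000, 80_000, 250_000),
    secondary_probability=(0.2, 0.4, 0.7),
    secondary_loss=(100_000, 500_000, 3_000_000),
)

if __name__ == "__main__":
    print(f"vulnerability ~ {estimate_vulnerability(EXAMPLE):.2f}")
    for name, value in annualized_loss_exposure(EXAMPLE).items():
        print(f"{name:>6}: {value:14,.0f}")
```

The point of the decomposition is visible in the output: the mean annual loss is a poor summary because a few years carry a large secondary loss, so the p90 and p95 values are what a decision maker compares against risk appetite, and changing resistance_strength alone shows how much a control investment moves that tail.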

Active Learning Activity: Sample OCTAVE Allegro worksheets will be filled in and examined to point out the information required by this method, and how it is used to guide an organization in implementing best practice in cybersecurity risk management.
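To show what the filled-in worksheets compute, the Python below is an added example (not from the module or the SEI report) of the relative risk score from OCTAVE Allegro Step 7: Step 1 ranks the impact areas by priority (1 to 5, with 5 the most important, Allegro Worksheet 7), Step 7 rates each risk's consequence in every area as Low, Moderate or High (1, 2, 3), and the score is the rank-weighted sum, so 45 is the maximum. The bank's ranking and threat scenarios are constructed.

```python
# Added example (not from the original module or the SEI report): the relative
# risk score of OCTAVE Allegro Step 7 (Analyze Risks). Step 1 ranks the impact
# areas 1..5 (5 = most important; Allegro Worksheet 7); Step 7 rates each
# risk's consequence in every area Low/Moderate/High = 1/2/3; the score is the
# rank-weighted sum, so 45 is the maximum. The ranking and threat scenarios
# below are constructed.
from typing import Dict, List, Tuple

IMPACT_VALUE = {"Low": 1, "Moderate": 2, "High": 3}
AREAS = ["Reputation and customer confidence", "Financial", "Productivity",
         "Safety and health", "Fines and legal penalties"]


def validate_ranking(ranking: Dict[str, int]) -> None:
    """Allegro gives every impact area a distinct priority rank 1..n."""
    ranks = sorted(ranking.values())
    if ranks != list(range(1, len(ranking) + 1)):
        raise ValueError(f"ranks must be a permutation of 1..{len(ranking)}, got {ranks}")


def relative_risk_score(ranking: Dict[str, int], impact: Dict[str, str]) -> int:
    """Step 7 score: sum over areas of (area rank x impact value)."""
    validate_ranking(ranking)
    missing = set(ranking) - set(impact)
    if missing:
        raise ValueError(f"no impact rating for {sorted(missing)}")
    return sum(ranking[area] * IMPACT_VALUE[impact[area]] for area in ranking)


def rank_risks(ranking: Dict[str, int],
               risks: Dict[str, Dict[str, str]]) -> List[Tuple[str, int]]:
    """Risks ordered for Step 8 (select mitigation approach), highest score first."""
    scored = [(name, relative_risk_score(ranking, impact)) for name, impact in risks.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def impacts(*levels: str) -> Dict[str, str]:
    """Impact ratings given in AREAS order."""
    if len(levels) != len(AREAS):
        raise ValueError(f"expected {len(AREAS)} ratings, got {len(levels)}")
    return dict(zip(AREAS, levels))


# Step 1 (constructed): a small bank fears fines and loss of customer
# confidence most; safety rarely hinges on its information assets.
BANK_RANKING = {
    "Fines and legal penalties": 5,
    "Reputation and customer confidence": 4,
    "Financial": 3,
    "Productivity": 2,
    "Safety and health": 1,
}

# Steps 4-6 (constructed): threat scenarios for the customer account database.
BANK_RISKS = {
    "Insider exfiltrates customer PII": impacts("High", "Moderate", "Low", "Low", "High"),
    "Ransomware takes the core system down for a day": impacts("Moderate", "Moderate", "High", "Low", "Low"),
    "Misconfigured backup exposes old statements": impacts("Moderate", "Low", "Low", "Low", "Moderate"),
}

if __name__ == "__main__":
    for name, score in rank_risks(BANK_RANKING, BANK_RISKS):
        print(f"{score:3d}/45  {name}")
```

Because the weights come from Step 1 rather than from the analyst scoring each risk, two organizations can rate the same scenario identically in Step 7 and still rank it differently; here the insider scenario scores 36 of 45 largely through the bank's top-ranked fines and reputation areas. Step 8 then places each risk in a mitigation pool using this score (and, optionally, a probability rating) on the Allegro worksheet; that pool matrix is not reproduced here.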
