From heightened risks to increased regulations, senior leaders at all levels are pressured to improve their organizations' risk management capabilities. But no one is showing them how - until now.
Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In this presentation, Ross, lead author of NIST Special Publication 800-37 - the bible of risk assessment and management - will share his unique insights on how to:
Understand the current cyber threats to all public and private sector organizations;
Develop a multi-tiered risk management approach built upon governance, processes and information systems;
Implement NIST's risk management framework, from defining risks to selecting, implementing and monitoring information security controls.
Cyber threats can destroy any organization or its reputation, and recent incidents prove they can come from anywhere - malware in a security vendor's e-mail attachment, a lost laptop with critical health data or a rogue employee who commits financial fraud.
In a landscape filled with new threats and new regulations, risk management has never been more critical to senior leaders in all sectors. Whether you are maintaining an online banking system, sharing healthcare data with a business associate or rolling out a new mobile device policy to agency staff, you are tasked with understanding the information security risks and the management of controls.
To guide risk managers, NIST has developed a Risk Management Framework (NIST SP 800-37), which aims to improve organizations' abilities to manage information system-related security risks in today's ever-changing environment of sophisticated cyber threats, system vulnerabilities and rapidly changing business requirements.
Among its characteristics, the Risk Management Framework:
Promotes near real-time risk management and ongoing information system authorization through the implementation of continuous monitoring processes;
Encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions;
Provides emphasis on the selection, implementation, assessment and monitoring of security controls.
Leading this session is one of the world's foremost risk management experts, Ron Ross, NIST's senior computer scientist and lead author of SP 800-37, NIST's widely-embraced Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans. In this session, Ross will walk through the critical elements of the Risk Management Framework. But he also will offer expert insight on:
The current cyber threats targeting critical public and private sector information systems;
The fundamentals of the risk management approach, including risk assessments, response and ongoing monitoring;
Potential inhibitors to security success, including cultural barriers, lack of senior leadership commitment, and failure to follow a true risk-based approach.
Fellow, National Institute of Standards and Technology (NIST)
Ross specializes in information security, systems security engineering and risk management. He leads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure. Ross also leads the Joint Task Force, an interagency partnership with the Department of Defense, Office of the Director of National Intelligence, the U.S. Intelligence Community and the Committee on National Security Systems, with responsibility for developing the Unified Information Security Framework for the federal government and its contractors. In addition to his responsibilities at NIST, Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. Ross has lectured at many universities across the country and has received numerous private sector cybersecurity awards.