📖 About this Domain
This domain covers the foundational processes for establishing an organization's information security risk management program. It emphasizes the creation and implementation of a risk management framework (RMF) that aligns with organizational governance and the system development life cycle (SDLC).
🎓 What You Will Learn
- You will learn the core processes of risk management, including risk framing, assessment, response, and monitoring.
- You will learn to integrate established risk management frameworks, such as the NIST RMF, into organizational processes.
- You will learn the relationship between risk management and governance, including defining risk appetite and risk tolerance.
- You will learn to incorporate legal, regulatory, and compliance drivers into the risk management program.
🛠️ Skills You Will Build
- You will build the skill to establish and manage a risk management program using frameworks like NIST SP 800-37.
- You will build the skill to perform risk assessments, identifying threats, vulnerabilities, likelihood, and impact.
- You will build the skill to develop risk management policies, standards, and procedures supporting organizational goals.
- You will build the skill to communicate risk posture and treatment plans to key stakeholders, including the Authorizing Official (AO).
💡 Top Tips to Prepare
- Master the seven steps of the NIST Risk Management Framework (RMF) and their specific inputs and outputs.
- Clearly differentiate between risk appetite, risk tolerance, and risk capacity for scenario-based questions.
- Understand how risk management activities are integrated into each phase of the System Development Life Cycle (SDLC).
- Focus on the distinct roles and responsibilities within the risk governance structure, such as the System Owner and Information Owner.
📖 About this Domain
This domain covers Domain 5: Assessment/Audit of Security and Privacy Controls, its concepts and practices.
🎓 What You Will Learn
- Key concepts and fundamentals
- Best practices and methodologies
- Real-world application scenarios
🛠️ Skills You Will Build
- Technical expertise in Domain 5: Assessment/Audit of Security and Privacy Controls
- Analytical and problem-solving skills
- Practical implementation abilities
📖 About this Domain
This domain covers the Risk Management Framework (RMF) Step 2, focusing on the selection of security and privacy controls. It details the process of identifying control baselines, tailoring them based on risk assessment, and documenting the final control set. The core activity is translating risk decisions into actionable security and privacy requirements for a system.
🎓 What You Will Learn
- Identify appropriate control baselines from sources like NIST SP 800-53 and leverage common control inheritance to optimize implementation.
- Select and tailor controls using scoping, parameterization, and compensating controls to align with the system's operational environment.
- Develop a continuous monitoring (ConMon) strategy to define how selected controls will be assessed for ongoing effectiveness.
- Understand the formal process for reviewing the selected control set and obtaining approval from the Authorizing Official (AO).
🛠️ Skills You Will Build
- Ability to analyze system categorization results to select the correct initial control baseline.
- Proficiency in tailoring controls and documenting the rationale and implementation details within the System Security Plan (SSP).
- Competency in creating a control monitoring strategy that supports the organization's risk management objectives.
- Skill in articulating the security posture defined by the control set to stakeholders for formal risk acceptance and approval.
💡 Top Tips to Prepare
- Master the structure of NIST SP 800-53, including control families, baselines, and the relationship between security and privacy controls.
- Clearly differentiate between tailoring actions like scoping considerations, parameterization, and applying compensating controls.
- Recognize the System Security Plan (SSP) as the key artifact for documenting the results of the control selection process.
- Connect how system categorization from RMF Step 1 directly informs the control baseline selection in this domain.
📖 About this Domain
This domain covers Domain 6: Authorization/Approval of Information System, its concepts and practices.
🎓 What You Will Learn
- Key concepts and fundamentals
- Best practices and methodologies
- Real-world application scenarios
🛠️ Skills You Will Build
- Technical expertise in Domain 6: Authorization/Approval of Information System
- Analytical and problem-solving skills
- Practical implementation abilities
📖 About this Domain
This domain covers Domain 4: Implementation of Security and Privacy Controls, its concepts and practices.
🎓 What You Will Learn
- Key concepts and fundamentals
- Best practices and methodologies
- Real-world application scenarios
🛠️ Skills You Will Build
- Technical expertise in Domain 4: Implementation of Security and Privacy Controls
- Analytical and problem-solving skills
- Practical implementation abilities
📖 About this Domain
This domain covers Domain 2: Scope of the Information System, its concepts and practices.
🎓 What You Will Learn
- Key concepts and fundamentals
- Best practices and methodologies
- Real-world application scenarios
🛠️ Skills You Will Build
- Technical expertise in Domain 2: Scope of the Information System
- Analytical and problem-solving skills
- Practical implementation abilities
📖 About this Domain
This domain covers Domain 7: Continuous Monitoring of Security and Privacy Controls, its concepts and practices.
🎓 What You Will Learn
- Key concepts and fundamentals
- Best practices and methodologies
- Real-world application scenarios
🛠️ Skills You Will Build
- Technical expertise in Domain 7: Continuous Monitoring of Security and Privacy Controls
- Analytical and problem-solving skills
- Practical implementation abilities