Security Risk Analysis
The intent of the Security Risk Analysis Knowledge Unit is to provide students with sufficient understanding of risk assessment models, methodologies and processes such that they can perform a risk assessment of a particular system and recommend mitigations to identified risks.
Topics
- Risk Assessment/Analysis Methodologies
- Risk Measurement and Evaluation Methodologies
- Risk Management Models
- Risk Management Processes
- Risk Mitigation Economics
- Risk Transference/Acceptance/Mitigation
- Communication of Risk
Outcomes
- Describe how risk relates to a system security policy.
- Describe various risk analysis methodologies.
- Evaluate and categorize risk 1) with respect to technology; 2) with respect to individuals, and 3) in the enterprise, and recommend appropriate responses.
- Compare the advantages and disadvantages of various risk assessment methodologies.
- Select the optimal methodology based on needs, advantages and disadvantages.
KSA-T
Below are the Knowledge, Skills, Abilities and Tasks (KSA-T) identified as being required to perform this work role.
ID | DESCRIPTION
--- | ---
K0002 | Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0001 | Knowledge of computer networking concepts and protocols, and network security methodologies.
K0195 | Knowledge of data classification standards and methodologies based on sensitivity and other risk factors.
K0008 | Knowledge of applicable business processes and operations of customer organizations.
K0048 | Knowledge of Risk Management Framework (RMF) requirements.
K0165 | Knowledge of risk/threat assessment.
K0043 | Knowledge of industry-standard and organizationally accepted analysis principles and methods.
K0149 | Knowledge of organization's risk tolerance and/or risk management approach.
K0527 | Knowledge of risk management and mitigation strategies.
K0037 | Knowledge of Security Assessment and Authorization process.
K0214 | Knowledge of the Risk Management Framework Assessment Methodology.
K0009 | Knowledge of application vulnerabilities.
K0028 | Knowledge of organization's evaluation and validation requirements.
K0010 | Knowledge of communication methods, principles, and concepts that support the network infrastructure.
K0272 | Knowledge of network analysis tools used to identify software communications vulnerabilities.
K0011 | Knowledge of capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware.
K0012 | Knowledge of capabilities and requirements analysis.
K0013 | Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
K0014 | Knowledge of complex data structures.

ID | DESCRIPTION
--- | ---
S0080 | Skill in performing damage assessments.

ID | DESCRIPTION
--- | ---
A0154 | Ability to conduct a comprehensive assessment of the management, operational, and technical security controls and control enhancements employed within or inherited by a system to determine the effectiveness of the controls (i.e., the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).