A huge part of this training is providing you with the mental models required to think about security. By providing the general framework, you can fill in the gaps, or at least start working towards filling the gaps. But sometimes, mental models just don't cut it. You need something on paper, written in blood, that will help you do what you need to do in order to be successful. Risk assessment models give organizations a way to identify problems and address them in a quantitative and structured manner. There are a ton of them out in the wild, but the most important one for most people is NIST (National Institute of Standards and Technology). This is the general framework that all DoD and .gov sites adhere to. There are other specific frameworks like ISO27001, CIS Critical Security Controls, HIPAA (health data), PCI DSS (credit cards and banking), and countless others but those don't matter much to you other than knowing they exist. A good knowledge of NIST will get you most of the way there.
- So many things to do here.
- Read this: https://www.nist.gov/cyberframework/online-learning/components-framework
- Read this: https://www.nist.gov/cyberframework/online-learning/five-functions
- Write a few sentences about each of the different function categories.
- What does "Outcome Driven" mean?
- Read this: https://www.nist.gov/cyberframework/online-learning/uses-and-benefits-framework
- Write a few sentences on how to use the framework to drive decision making.
You probably don't know much right now technically, but technical knowledge is meant to inform your decision making processes, and you can usually get along fairly well on a good mix of common sense and procedure.?Remember, frameworks are just frameworks, and are only as good as the person doing the assessment.