Risk Management (Security Control Assessor)



We deliver training live-on-line, on site, and on demand.

This course is a practical way to develop the knowledge, skills, and abilities needed to protect an organization using cybersecurity risk assessment techniques. Students may build an enterprise GRC deliverable as a capstone project.

This course is known by two distinct names: Security Control Assessor and Risk Assessment. Students will join the cybersecurity professional community.

Practice in this course leads to excellence in cybersecurity risk assessment.

If your organization would like this course at a particular time or location, it is available for groups greater than 8 with a contract. 


  • Certified in Risk and Information Systems Control (CRISC)
  • Governing Body: ISACA (Information Systems Audit and Control Association)
  • You must take both Risk Management 101 and this course to prepare for the exam.
  • The exam is offered only twice per year (May and December).
  • External exam cost: $420 to $725 in the United States.
  • Price does/does not include exam

Security / Technical / Certification

This course fulfills NICE/NICCS Categories and Roles:

  • Securely Provision (SP) Security Control Assessor SP-RSK-002

We expect every student to achieve the knowledge, skills, and abilities necessary to develop and support a GRC program, complete a risk assessment, and report findings to management. As a side benefit of the course, students will be prepared to pass the exam and validate their skills as a cybersecurity professional through certification.

  • Identify and use computer networking concepts, protocols, and network security methodologies.
  • Understand basic risk management processes.
  • Apply secure network administration principles.
  • Distinguish and differentiate cyber threats and vulnerabilities.
  • Alternatively, hold a suitable security certification in place of security experience, such as CompTIA Security+.
  • Configure and implement virtual machines and basic virtual network environments.
  • Configure and implement client and server operating systems, both Linux and Microsoft.
  • Troubleshoot, install, operate, and configure basic network infrastructure.
  • Alternatively, hold a suitable technical certification in place of technical experience, such as CompTIA Network+.

Upon completion of the course the student should be able to conduct independent, comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology system, to determine the overall effectiveness of the controls as defined in NIST SP 800-37 (the Risk Management Framework) or other risk standards.

  • Access information on current assets available, usage.
  • Access the databases where plans/directives/guidance are maintained.
  • Administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
  • An organization’s information classification program and procedures for information compromise.
  • Analyze strategic guidance for issues requiring clarification and/or additional guidance.
  • Analyze target or threat sources of strength and morale.
  • Analyze test data.
  • Analyzing a target’s communication networks.
  • Analyzing traffic to identify network devices.
  • Answer questions in a clear and concise manner.
  • Applicable business processes and operations of customer organizations.
  • Applicable laws, statutes, presidential directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
  • Application security risks.
  • Application vulnerabilities.
  • Apply collaborative skills and strategies.
  • Apply critical reading/thinking skills.
  • Apply cybersecurity and privacy principles to organizational requirements.
  • Applying confidentiality, integrity, and availability principles.
  • Applying secure coding techniques.
  • Applying security controls.
  • Ask clarifying questions.
  • Assess all the configuration management processes.
  • Assess the effectiveness of security controls.
  • Assessing security controls based on cybersecurity principles and tenets.
  • Assessing security systems designs.
  • Assure successful implementation and functionality of security requirements and appropriate information technology policies and procedures that are consistent with the organization’s mission and goals.
  • Authentication, authorization, and access control methods.
  • Business continuity and disaster recovery continuity of operations plans.
  • Capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware.
  • Collect, verify, and validate test data.
  • Communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
  • Communicate effectively when writing.
  • Communication methods, principles, and concepts that support the network infrastructure.
  • Computer networking concepts and protocols, and network security methodologies.
  • Conduct vulnerability scans and recognize vulnerabilities in security systems.
  • Conducting application vulnerability assessments.
  • Conducting reviews of systems.
  • Conducting vulnerability scans and recognizing vulnerabilities in security systems.
  • Controls related to the use, processing, storage, and transmission of data.
  • Critical infrastructure systems with information communication technology that were designed without system security considerations.
  • Cryptography and cryptographic key management concepts.
  • Current industry methods for evaluating, implementing, and disseminating information technology security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
  • Cyber defense and vulnerability assessment tools and their capabilities.
  • Cyber threats and vulnerabilities.
  • Cybersecurity and privacy principles and organizational requirements.
  • Cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • Cybersecurity and privacy principles.
  • Data backup and recovery.
  • Database systems.
  • Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.
  • Design valid and reliable assessments.
  • Determining how a security system should work and how changes in conditions, operations, or the environment will affect these outcomes.
  • Develop a collection plan that clearly shows the discipline that can be used to collect the information needed.
  • Develop or procure curriculum that speaks to the topic at the appropriate level for the target.
  • Develop security compliance processes and/or audits for external services.
  • Discerning the protection needs of information systems and networks.
  • Dissect a problem and examine the interrelationships between data that may appear unrelated.
  • Effectively collaborate via virtual teams.
  • Embedded systems.
  • Encryption algorithms.
  • Ensure security practices are followed throughout the acquisition process.
  • Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
  • Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
  • Ensure that security design and cybersecurity development activities are properly documented and updated as necessary.
  • Establish acceptable limits for the software application, network, or system.
  • Evaluate information for reliability, validity, and relevance.
  • Evaluate requests for information to determine if response information exists.
  • Evaluate, analyze, and synthesize large quantities of data into high quality, fused targeting/intelligence products.
  • Exercise judgment when policies are not well-defined.
  • Expand network access by conducting target analysis and collection to identify targets of interest.
  • Extract information from available tools and applications associated with collection requirements and collection operations management.
  • Facilitate small group discussions.
  • Focus research efforts to meet the customer’s decision-making needs.
  • Function effectively in a dynamic, fast-paced environment.
  • Function in a collaborative environment, seeking continuous consultation with other analysts and experts, both internal and external to the organization, to leverage analytical and technical expertise.
  • Identify basic common coding flaws at a high level.
  • Identify critical infrastructure systems with information communication technology that were designed without system security considerations.
  • Identify cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations.
  • Identify external partners with common cyber operations interests.
  • Identify intelligence gaps.
  • Identify systemic security issues based on the analysis of vulnerability and configuration data.
  • Identify/describe target vulnerability.
  • Identify/describe techniques/methods for conducting technical exploitation of the target.
  • Identifying intelligence gaps and limitations.
  • Identifying language issues that may have an impact on organization objectives.
  • Identifying leads for target development.
  • Identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • Identifying non-target regional languages and dialects.
  • Identifying test & evaluation infrastructure requirements.
  • Identifying the devices that work at each level of protocol models.
  • Identifying, locating, and tracking targets via geospatial analysis techniques.
  • Information prioritization as it relates to operations.
  • Information technology security principles and methods.
  • Information technology supply chain security and supply chain risk management policies, requirements, and procedures.
  • Integrating and applying policies that meet system security objectives.
  • Interfacing with customers.
  • Interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
  • Interpret and translate customer requirements into operational action.
  • Interpret and understand complex and rapidly evolving concepts.
  • Interpreting compiled and interpretive programming languages.
  • Interpreting metadata and content as applied by collection systems.
  • Interpreting traceroute results, as they apply to network analysis and reconstruction.
  • Interpreting vulnerability scanner results to identify vulnerabilities.
  • Knowledge management, including technical documentation techniques.
  • Laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
  • Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • Manage accreditation packages.
  • Manage and approve accreditation packages.
  • Managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
  • Managing test assets, test resources, and test personnel to ensure effective completion of test events.
  • Monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
  • Network access, identity, and access management.
  • Network security architecture concepts including topology, protocols, components, and principles.
  • Network systems management principles, models, methods, and tools.
  • New and emerging information technology and cybersecurity technologies.
  • Organization’s enterprise information security architecture.
  • Organization’s evaluation and validation requirements.
  • Organization’s local and wide area network connections.
  • Participate as a member of planning teams, coordination groups, and task forces as necessary.
  • Participate in risk governance process to provide security risks, mitigations, and input on other technical risk.
  • Payment card industry data security standards.
  • Penetration testing principles, tools, and techniques.
  • Perform risk analysis whenever an application or system undergoes a major change.
  • Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
  • Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
  • Performing impact/risk assessments.
  • Performing root cause analysis.
  • Performing target system analysis.
  • Personal health information data security standards.
  • Personally identifiable information data security standards.
  • Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
  • Prepare and present briefings.
  • Preparing and presenting briefings.
  • Preparing plans and related correspondence.
  • Preparing test & evaluation reports.
  • Prioritize and allocate cybersecurity resources correctly and efficiently.
  • Prioritizing target language material.
  • Processing collected data for follow-on analysis.
  • Produce technical documentation.
  • Provide input to the risk management framework process activities and related documentation.
  • Providing analysis to aid writing phased after action reports.
  • Recognize and mitigate cognitive biases which may affect analysis.
  • Recognizing and categorizing types of vulnerabilities and associated attacks.
  • Relate strategy, business, and technology in the context of organizational dynamics.
  • Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
  • Reviewing and editing assessment products.
  • Reviewing and editing plans.
  • Reviewing logs to identify evidence of past intrusions.
  • Risk management framework requirements.
  • Risk management processes.
  • Secure test plan design.
  • Security architecture concepts and enterprise architecture reference models.
  • Security assessment and authorization process.
  • Security models.
  • Specific operational impacts of cybersecurity lapses.
  • Structured analysis principles and methods.
  • Supply chain risk management practices.
  • Support necessary compliance activities.
  • System and application security threats and vulnerabilities.
  • Systems diagnostic tools and fault identification techniques.
  • Tailoring analysis to the necessary levels.
  • Target development in direct support of collection operations.
  • Target network anomaly identification.
  • Technical writing.
  • The cyber defense service provider reporting structure and processes within one’s own organization.
  • The enterprise information technology architecture.
  • The organization’s core business/mission processes.
  • The organization’s enterprise information technology goals and objectives.
  • Think critically.
  • Translate data and test results into evaluative conclusions.
  • Troubleshooting and diagnosing cyber defense infrastructure anomalies and working through resolution.
  • Understand objectives and effects.
  • Understand technology, management, and leadership issues related to organization processes and problem solving.
  • Understand the basic concepts and issues related to cyber and its organizational impact.
  • Use cyber defense service provider reporting structure and processes within one’s own organization.
  • Using code analysis tools.
  • Using manpower and personnel IT systems.
  • Using public-key infrastructure encryption and digital signature capabilities in applications.
  • Using security event correlation tools.
  • Using virtual machines.
  • Utilize multiple intelligence sources across all intelligence disciplines.
  • Utilizing feedback to improve processes, products, and services.
  • Utilizing or developing learning activities.
  • Verify and update security documentation reflecting the application/system security design features.
  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
  • Vulnerability information dissemination sources.
  • Work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.

All courses are available in live-on-line format.

There are eight different exercise methods used throughout the course in one-hour class meetings. As soon as students become accustomed to a particular flow, or get comfortable, the instructor switches methods. Examples include: Risk I Heard, GRCME, threats and controls, case studies, risk analysis practice, and reading review. Technical labs require basic skills in operating systems and virtualization.

Before class, students complete mind maps, assigned readings, practice quizzes, case study submissions, and flashcards. Each activity is graded as needed.

We use a customized text developed by our internal experts that covers current best practices and the state of security and technology. All students must have a working computer, microphone, and earbuds.

  • 1 hour per session
  • 3 sessions per week
  • 10 weeks with 2 break weeks (also called ‘dark weeks’)
  • Orientation is held for 90 minutes before first live class.
  • Class meeting times are listed on the public calendar.