Introduction

Risk management is the identification, assessment, and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

This course is built around globally accepted standards such as ISO 31000:2009 and frameworks such as ISACA’s Risk IT, and NIST and OCTAVE guidelines for risk management.

Objectives

Upon completion of this course, participants will be able to:

• Identify where and how to reduce known/unknown IT risks

• Identify areas of cost-benefit optimization and thus reduce IT expenditure

• Understand the ISO 31000:2009 standard and its applicability to the corporate environment

• Understand risk assessment as addressed in BASEL II, ISO 20000, ISO 27001, ITIL, COSO, COBIT, BS 25999 and its relevance to IT

• Understand the different IT Risk Assessment Standards, Models and Methodologies – NIST’s SP-800-30, and OCTAVE™, ISO 27005

• Insights on the practical use of risk assessment and control evaluation techniques

Course outline

Day 1:

• Background

• Briefing on the Definition of Risk and Risk in the context of Information Technology

• Discussion and recording: Known risk scenarios

• IT Risk Management Initiative

• Project Planning Requirements

• Groundwork:

• General Risk Scenarios

• Understanding Business-specific, industry-specific, region/location-specific scenarios

• Recording the scenarios

Day 2:

• Management Buy-in

• Degree of business dependence on information technology

• Understanding and recording technology-specific risks

• Tying in general risk scenarios with IT risks

• Techniques of building a business case

• Budgeting

• Project Planning

• Resource Identification and Allocation

Day 3:

Understanding the Concepts and Techniques

• IT Risk Management Cycle

• Technology and business drivers

• Risk Terms – Asset, Threat, Threat Agent, Threat Event, Vulnerability, Countermeasure, Risk, Residual Risk

• Risk Assessment Methodology

• ISO 31000:2009 Overview

       IT Risk Assessment:

• IT Process Selection

• IT Component Selection

• Approach Selection

• Risk Discussion :

• Risks from IT Strategy adopted

• Risks from IT Processes and Plans

• Risks from Networks and Systems

• Risks from Business Applications

• Risks from Internal Application

• Risks from Devices – Security Implementation, Disaster Recovery, Business Continuity

• Risks from Internal and External customers

• Applying ISO 31000 and Risk IT for Risk Assessment

• Challenges and Solutions

• Case Study I

Day 4:

• IT Risk Mitigation:

• IT Risk Mitigation Options

• IT Risk Mitigation Strategy

• Controls’ Identification and Analysis

• Cost Benefit Analysis

• Calculating Residual Risk

• Case Study II

• Applying ISO 31000 and Risk IT for Risk Mitigation

Day 5:

• Evaluation IT Risk Management Cycle:

• Project Evaluation

• Learning from Selection and Execution techniques

• Integrating IT Risk Management with various frameworks and standards – BASEL II, ISO 20000, ITIL, COSO, COBIT, ISO 27001, BS 25999

• IT Risk Management Cycle: A Revision