Introduction
Risk management is the identification, assessment, and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
This course is built around globally accepted standards such as ISO 31000:2009 and frameworks such as ISACA’s Risk IT, and NIST and OCTAVE guidelines for risk management.
Objectives
Upon completion of this course, participants will be able to:
- Identify where and how to reduce known/unknown IT risks
- Identify areas of cost-benefit optimization and thus reduce IT expenditure
- Understand the ISO 31000:2009 standard and its applicability to the corporate environment
- Understand risk assessment as addressed in BASEL II, ISO 20000, ISO 27001, ITIL, COSO, COBIT, BS 25999 and its relevance to IT
- Understand the different IT Risk Assessment Standards, Models and Methodologies – NIST’s SP-800-30, and OCTAVE™, ISO 27005
- Insights on the practical use of risk assessment and control evaluation techniques
Day 1:
- Background:
- Briefing on the Definition of Risk and Risk in the context of Information Technology
- Discussion and recording: Known risk scenarios
- IT Risk Management Initiative
- Project Planning Requirements
- Groundwork:
- General Risk Scenarios
- Understanding Business-specific, industry-specific, region/location-specific scenarios
- Recording the scenarios
Day 2:
- Management Buy-in
- Degree of business dependence on information technology
- Understanding and recording technology-specific risks
- Tying in general risk scenarios with IT risks
- Techniques of building a business case
- Budgeting
- Project Planning
- Resource Identification and Allocation
Day 3:
Understanding the Concepts and Techniques
- IT Risk Management Cycle
- Technology and business drivers
- Risk Terms – Asset, Threat, Threat Agent, Threat Event, Vulnerability, Countermeasure, Risk, Residual Risk
- Risk Assessment Methodology
- ISO 31000:2009 Overview
IT Risk Assessment:
- IT Process Selection
- IT Component Selection
- Approach Selection
- Risk Discussion :
- Risks from IT Strategy adopted
- Risks from IT Processes and Plans
- Risks from Networks and Systems
- Risks from Business Applications
- Risks from Internal Application
- Risks from Devices – Security Implementation, Disaster Recovery, Business Continuity
- Risks from Internal and External customers
- Applying ISO 31000 and Risk IT for Risk Assessment
- Challenges and Solutions
- Case Study I
Day 4:
- IT Risk Mitigation:
- IT Risk Mitigation Options
- IT Risk Mitigation Strategy
- Controls’ Identification and Analysis
- Cost Benefit Analysis
- Calculating Residual Risk
- Case Study II
- Applying ISO 31000 and Risk IT for Risk Mitigation
Day 5:
- Evaluation IT Risk Management Cycle:
- Project Evaluation
- Learning from Selection and Execution techniques
- Integrating IT Risk Management with various frameworks and standards – BASEL II, ISO 20000, ITIL, COSO, COBIT, ISO 27001, BS 25999
- IT Risk Management Cycle: A Revision
