Introduction

Risk management is the identification, assessment, and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

This course is built around globally accepted standards such as ISO 31000:2009 and frameworks such as ISACA’s Risk IT, and NIST and OCTAVE guidelines for risk management.

Objectives

Upon completion of this course, participants will be able to:

• Identify where and how to reduce known/unknown IT risks
• Identify areas of cost-benefit optimization and thus reduce IT expenditure
• Understand the ISO 31000:2009 standard and its applicability to the corporate environment
• Understand risk assessment as addressed in BASEL II, ISO 20000, ISO 27001, ITIL, COSO, COBIT, BS 25999 and its relevance to IT
• Understand the different IT Risk Assessment Standards, Models and Methodologies – NIST’s SP-800-30, and OCTAVE™, ISO 27005
• Insights on the practical use of risk assessment and control evaluation techniques

Day 1:

• Background:
• Briefing on the Definition of Risk and Risk in the context of Information Technology
• Discussion and recording: Known risk scenarios
• IT Risk Management Initiative
• Project Planning Requirements
• Groundwork:
• General Risk Scenarios
• Understanding Business-specific, industry-specific, region/location-specific scenarios
• Recording the scenarios

Day 2:

• Management Buy-in
• Degree of business dependence on information technology
• Understanding and recording technology-specific risks
• Tying in general risk scenarios with IT risks
• Techniques of building a business case
• Budgeting
• Project Planning
• Resource Identification and Allocation

Day 3:

Understanding the Concepts and Techniques

• IT Risk Management Cycle
• Technology and business drivers
• Risk Terms – Asset, Threat, Threat Agent, Threat Event, Vulnerability, Countermeasure, Risk, Residual Risk
• Risk Assessment Methodology
• ISO 31000:2009 Overview

       IT Risk Assessment:

• IT Process Selection
• IT Component Selection
• Approach Selection
• Risk Discussion :
   
• Risks from IT Strategy adopted
• Risks from IT Processes and Plans
• Risks from Networks and Systems
• Risks from Business Applications
• Risks from Internal Application
• Risks from Devices – Security Implementation, Disaster Recovery, Business Continuity
• Risks from Internal and External customers
• Applying ISO 31000 and Risk IT for Risk Assessment
• Challenges and Solutions
• Case Study I

Day 4:

• IT Risk Mitigation:
• IT Risk Mitigation Options
• IT Risk Mitigation Strategy
• Controls’ Identification and Analysis
• Cost Benefit Analysis
• Calculating Residual Risk
• Case Study II
• Applying ISO 31000 and Risk IT for Risk Mitigation

Day 5:

• Evaluation IT Risk Management Cycle:
• Project Evaluation
• Learning from Selection and Execution techniques
• Integrating IT Risk Management with various frameworks and standards – BASEL II, ISO 20000, ITIL, COSO, COBIT, ISO 27001, BS 25999
• IT Risk Management Cycle: A Revision