Description
Understanding and assessing IT risk has never been more important for continuity of operations in organizations of all sizes. Increasing organizational dependence on technology, coupled with a fast-changing technology landscape, has placed growing demands on risk management professionals and risk management programs.
In addition, there is pressure from both industry and regulators for organizations to have a solid, demonstrated and well-thought-out process for managing technology risks and their potential outcomes (both positive and negative). This means an effective Risk Management Program has never been more important.
Key elements of a Risk Management Program focus on identification of risks, conducting risk assessments, determining appropriate risk response, risk monitoring and risk reporting. In this session, you will learn about the fundamental concepts central to risk management programs, explore the common types and methodologies used for risk assessment/analysis and gain an introductory understanding of the regulatory requirements regarding risk management.
At the end of the session attendees will understand the different types of risk assessments and how to satisfy regulatory requirements regarding IT risk management.
Prerequisite: Fundamentals of Information Security (ISG101) or equivalent experience
Advance Preparation: None
Learning Level: Basic
Field: Auditing
Delivery Method: Group-Live
What you will learn
1. Current Risk Environment
a. Emerging threats
b. Data breaches
c. Increasing privacy risk landscape
d. Risks of moving to the cloud
2. Introduction to Risk Management
a. Risk definitions
b. Elements of risk
c. Security and privacy risks
d. Risk management processes
i. Risk identification
ii. Risk assessment
iii. Risk analysis / evaluation
iv. Risk response
v. Risk monitoring
vi. Risk reporting
3. Legal / Regulatory requirements for risk assessments
a. Federal (FISMA, NERC, HIPAA, etc.)
b. PCI
c. State
d. International (GDPR)
i. Privacy Impact Assessments
4. Risk Assessments
a. Types of risk assessments
i. Privacy impact assessments
ii. System risk assessments
iii. Enterprise risk assessments
b. Qualitative vs. quantitative methodologies
c. Risk assessment purpose, scope and timing
d. Risk assessment methodology overview
i. NIST and CI (Critical Infrastructure)
ii. CIS RAM (Center for Internet Security Risk Assessment Methodology)
iii. ISO 27005 Risk Assessment Methodology
iv. OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) Allegro Risk Method from CERT
v. FAIR (Factor Analysis of Information Risk)
vi. Information Risk Assessment Methodology 2 (IRAM2)
vii. Others
5. Conducting a risk assessment
a. Process flow
b. Determining the scope based on purpose and objectives
c. Determining in-scope assets and their value
d. Controls analysis
e. Identification of vulnerabilities – people, process and technology
i. Compensating controls
f. Likelihood and impact determination
g. Mitigation strategies
h. Risk determination
6. Risk Response
a. Types of risk response and treatment
b. Risk acceptance criteria
c. Developing an action plan
7. Risk Monitoring and Reporting
a. Developing a Risk Register
b. Developing and monitoring key risk indicators
c. Risk metrics
d. Executive / Board reporting
8. Third Party Risk Assessments
a. Identification of supply chain and business partner risk management concerns
b. Key elements of supply chain risk determination
c. Assessing and managing risks of third parties
9. Risk Management Strategy and Program Development
a. Key stakeholders and their roles
b. Developing and implementing risk governance
c. Developing a risk management strategy and roadmap
i. Organizational risk assessment plan
d. Risk Management Program Components
e. Risk Management Program Maturity
10. Auditing the IT Risk Management Program
Learning Objectives:
At the completion of this seminar, attendees will be able to:
1. Understand the components of an effective IT risk management program
2. Conduct an IT risk assessment
3. Identify, evaluate and assess risk
4. Determine appropriate risk response
5. Develop a risk matrix and other reporting tools