IT Risk: Governance, Management, and Controls

Training Duration: 3 days

Training Delivery Method: On-site, instructor-led course; or online, instructor-led course

Prerequisites: Experienced IT professionals with background in security and risk management

What Problem Does This Training Help Solve? Provides training on IT risk governance, management, and risk controls.

Who Should Attend? IT professionals interested in learning about IT risk control objectives, controls, methodologies, and risk management

Course Material: Content-rich manual/course handouts consisting of about 600-plus foils

Course Syllabus:

Alignment of IT with business objectives brings value to the organization, but IT carries an element of risk with it. This risk must be properly governed and managed in order to balance IT value delivery against IT risk. There are many risks associated with the use of information technology, but the major ones relate to IT disaster recovery, IS security, outsourcing of IT processes, and IT project management. Such risks must be monitored, analyzed, mitigated, and accepted at an appropriate level to balance value and risk. Although it is a relatively new discipline, the measurement and management of IT risk has reached a stage of fairly stable maturity.

Topics to be covered:

  • IT Risk Governance (Day 1):
    • Knowledge Statements for ITRG
    • IT and IS risk/security governance framework
    • Board’s and senior management’s responsibilities
    • IT Governance Committees
    • IT Security Governance Committees
    • Most common IT/IS risks
      • Top three: Security, BC/DR, Regulatory
      • Others: privacy risk (GLBA), project risk
      • EuroSOX and privacy risks
      • Safe Harbor
    • IT/IS Risk Policies and Standards
    • Key Corporate Risk Policies:
      • Data Classification, Appropriate Use of IT Resources, IS Security
      • Corporate-level policies and IT-level policies
    • COSO model and COBIT model
    • COBIT framework
    • COBIT and the 34 IT Governance Processes
    • IT risk related COBIT processes:
      • PO9 - Assess and Manage IT Risks
      • DS4 - COOP and BC
      • DS5 - Systems Security
      • DS7 - Educate and Train IT and Users
      • AI6 - Manage Changes
      • ME4 - IT Governance (only the Risk Management Governance component is covered)
    • IT Auditing and Assurance
  • IT Risk Management (Day 2 and first half of Day 3):
    • Knowledge Statements for ITSM
    • Role of CISO
    • Organizational structure and risk
    • SOD - Principle of CARRE and DOPESS
    • Business Process and data owners
    • Risk Management as part of business process
    • IS Standards: ISO 27002
    • ISO 27001
    • ISO 27005:2008
    • Methodologies and frameworks: NIST 800-30, ISF/IRAM, OCTAVE, Marion, Mehari, CRAMM, EBIOS, IT-Grundschutz, A&K
    • RISK IT framework overview
    • The 34 COBIT processes and their 218 related control objectives
    • Control objectives related to risk management
    • Risk identification, risk mitigation, risk acceptance
    • Business process criticality assessment - RTO and RPO
    • Risk register
    • Risk management tools: COBRA, Risk Watch, CRAMM, GSTOOL, RA2, Callio, Countermeasures, Proteus, Archer, Citicus, and WCK
    • Awareness and training programs: 6 categories
    • PDCA (Plan-Do-Check-Act) process
    • Metrics: metrics for each risk management process, CMM maturity level, Balanced Scorecard, operational-level metrics
  • IT Risk Controls (Second half of Day 3):
    • Knowledge Statements for ITSO
    • IT Risk Management Program Development
    • IT Risk Management Program Management
    • Incident Response Management
    • Physical security
    • Network security
    • Application Security
    • Operational Security
    • Access Management Security
    • Common Threats and Attacks
    • Policy compliance
    • Vulnerability management - penetration testing
    • Threat management
    • Forensic analysis and evidence life cycle