Course description

IT Risk Management and Cybersecurity Frameworks
This course focuses on risk identification, conducting risk assessments, determining appropriate risk responses, risk monitoring and risk reporting. Students review common risk assessment types and methodologies, and regulatory requirements.
Who should attend?
Information Security and IT Professionals and auditors looking to gain greater knowledge on how to perform an IT Risk Assessment and develop a strong IT Risk Management program.
Prerequisites
Fundamentals of Information Security-ISG101
Training content
Introduction to Risk Management:
- the risk management process: risk identification; analysis; evaluation; response; monitoring and reporting
- how the information risk management process fits into the information security/cybersecurity program
- data retention policy
- information classification schema
- data privacy program
- who are the critical stakeholders/partners in the information risk management process and their roles in a risk management program
- the changing threats associated with moving from centralized to decentralized information processing and storage
IT Risk Identification and Risk Universe:
- identifying assets in an information risk analysis
- dealing with emerging threats
- determining the value of an asset to an enterprise
- prioritizing, categorizing, and documenting information risks
- uncovering information vulnerabilities
Risk Scenario Development:
- facilitating scenario development exercises
- determining scenario types: generic, strategy-oriented, or both
- determining scenario components
Risk Analysis:
- the risk analysis cycle and its components
- management's concerns and perception of the information risk analysis process
- types of information risk analysis: quantitative vs. qualitative approach
- software tools for performing the information risk analysis process
- defining information risk analysis targets and scope
- statements that create boundaries for the information risk analysis process
- the information owner's role in the information risk analysis process
Risk Evaluation:
- defining the risk evaluation process and its components
- determining and dealing with management's concerns and perception of the information risk analysis results
- describing the information owner's role in the information risk evaluation process
Business Impact Analysis Overview:
- describing the business impact analysis (BIA) process
- using the BIA as the key to a successful data security program
- determining key stakeholders to be included in the business impact analysis process and the role each one plays
- overview of plan facilitation
- administrative information required in the action plan
- identifying "impact criteria" and their importance to the organization
- pinpointing key business processes and peak activity periods
- developing algorithms to calculate business losses
- making your BIA Exercise multi-purpose
- creating the prioritized applications list
- building organizational disaster recovery and business continuity plans using the business impact analysis results
Risk Response:
- administrative information required in the action plan
- logging risk and control information
- creating action items in response to identified controls based on BIA or threat analysis results
Cost Benefit Analysis and Business Case:
- developing a cost benefit analysis (CBA) and business case as the basis for determining the action plan to be presented to management for approval
- methods for distributing and protecting the risk assessment results and associated action plan
- evaluating the controls during the information risk analysis
- determining the cost of control based on risk
- categorizing and documenting information controls for a total program
- purpose and benefits of performing CBA and developing a business case
- developing a cost benefit analysis
- developing action plans
- arriving at an "acceptable level of risk"
Control Development:
- using the action plan to create assignments, schedules, and approvals
- importance of project management good practices
- developing and testing controls
- importance of involving auditing and business owners in the process
Risk Monitoring and Reporting:
- tracking action plans: start to finish (risk register development and maintenance)
- conducting periodic threat analysis exercises after infrastructure changes, after regulatory changes that may impact technology-related controls or policies, and after a security incident or outage
- developing and monitoring key risk indicators and reacting when thresholds are exceeded
Course delivery details
Bring this course to your organization at your convenience. ACI Learning can deliver this instructor-led course for your team at a chosen location or virtually. Alternatively, choose the topic(s) you need and ACI will craft a training solution to keep your team future-proof.
Certification / Credits
NASBA Certified CPE: 32 Credits Auditing
- IT Audit Certificate
- Risk and Compliance Certificate
- Information Security Certificate
What You'll Learn
You will learn the different types of risk assessments and how to satisfy regulatory requirements regarding IT risk management.
Reviews

ACI Learning
At ACI Learning, we train leaders in Cybersecurity, Audit, and Information Technology. Whether you're starting your IT career, mastering your profession, or developing your team, we're with you every step of the way. We believe that training is not a...
I am currently enrolled in this course; it is a lot of information in a short period of time. They do provide various ways of obtaining the information besides the lectures and s...