IT Risk Management School
Risk management is the primary process organizations use to determine their current capability to identify, manage and respond to risk. A properly conducted IT risk assessment gives an organization the clearest picture of its ability to maintain the confidentiality, integrity and availability of its information assets. As a result, there is increasing pressure from both industry and regulators for organizations to embed in their risk management process a solid, demonstrated and well-thought-out treatment of technology risks and their potential outcomes (both positive and negative). This means asset identification and inventory, vulnerability and threat analysis, control inventory, risk assessment and response, risk monitoring and reporting and, of course, incident response, business continuity and disaster recovery.
In this session, you will explore the more common risk assessment and analysis requirements for meeting both regulatory and industry requirements today and in upcoming years, including: risk management strategy and program development; the IT risk universe and its key components; the inherent risk concept and assessment techniques; scenario analysis development fundamentals; regulatory requirements for assessments; conducting a maturity assessment (the gap between current and desired state); tips for conducting third-party assessments; risk response preparation and execution basics; and assessment follow-up.
At the end of the session, attendees will have an additional viewpoint on the IT risk assessment process and some of the more critical components to incorporate into any program.
This course is available on-site at your location, or offered through open enrollment 10/5/20 - 10/7/20.
- 1 Introduction to Risk Management: the risk management process (risk identification, analysis, evaluation, response, monitoring and reporting); how the information risk management process fits into the information security and cybersecurity program; data retention policy; information classification schema; data privacy program; who the critical stakeholders and partners in the information risk management process are and their roles in a risk management program; the changing threats associated with moving from centralized to decentralized information processing and storage.
- 2 IT Risk Identification and Risk Universe: identifying assets in an information risk analysis; dealing with emerging threats; determining the value of an asset to an enterprise; prioritizing, categorizing and documenting information risks; uncovering information vulnerabilities.
- 3 Risk Scenario Development: facilitating scenario development exercises; determining scenario types (generic, strategy oriented or both); determining scenario components.
- 4 Risk Analysis: the risk analysis cycle and its components; management's concerns and perception of the information risk analysis process; types of information risk analysis (quantitative vs. qualitative approach); software tools for performing the information risk analysis process; defining information risk analysis targets and scope; statements that create boundaries for the information risk analysis process; the information owner's role in the information risk analysis process.
- 5 Risk Evaluation: defining the risk evaluation process and its components; determining and dealing with management's concerns and perception of the information risk analysis results; describing the information owner's role in the information risk evaluation process.
- 6 Business Impact Analysis Overview: describing the business impact analysis (BIA) process; using the BIA as the key to a successful data security program; determining the key stakeholders to be included in the BIA process and the role each one plays; overview of plan facilitation; administrative information required in the action plan; identifying impact criteria and their importance to the organization; pinpointing key business processes and peak activity periods; developing algorithms to calculate business losses; making your BIA exercise multi-purpose; creating the prioritized applications list; building organizational disaster recovery and business continuity plans using the BIA results.
- 7 Risk Response: administrative information required in the action plan; logging risk and control information; creating action items in response to identified controls based on BIA or threat analysis results.
- 8 Cost Benefit Analysis and Business Case: developing a cost benefit analysis (CBA) and business case as the basis for determining the action plan to be presented to management for approval; methods for distributing and protecting the risk assessment results and associated action plan; evaluating the controls during the information risk analysis; determining the cost of control based on risk; categorizing and documenting information controls for a total program; purpose and benefits of performing a CBA and developing a business case; developing a cost benefit analysis; developing action plans; arriving at an acceptable level of risk.
- 9 Control Development: using the action plan to create assignments, schedules and approvals; importance of project management good practices; developing and testing controls; importance of involving auditing and business owners in the process.
- 10 Risk Monitoring and Reporting: tracking action plans from start to finish (risk register development and maintenance); conducting periodic threat analysis exercises after infrastructure changes, after regulatory changes that may affect technology-related controls or policies, and after a security incident or outage; developing and monitoring key risk indicators and reacting when thresholds are exceeded.
The materials within this course focus on the Knowledge, Skills and Abilities (KSAs) identified within the Specialty Areas listed below of the National Cybersecurity Workforce Framework.
If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.