Who We Are
Risk Associates is an Australian-owned company firmly embedded in the local
information security community and present globally through strategically located
offices. Drawing on experience accumulated over the years, we provide Governance,
Risk, Compliance and Threat Management services and consultation.
Our objective is to help you achieve your business objectives by supporting you in
implementing cost-effective solutions. Our services and solutions are at the forefront
of the information security space.
Our team of information security professionals brings together broad technical and
management experience, backed by industry-leading certifications such as
ACCA, CISSP, CISA, CISM, ITIL, CEH and ISO/IEC 27001 Lead Auditor.
We are one of the few Australian companies approved by the Payment Card Industry
(PCI) Security Standards Council as a Qualified Security Assessor (QSA) and
Payment Application Qualified Security Assessor (PA-QSA) company, providing services
across Australia, Central Europe, the Middle East and Africa, and Latin America and
the Caribbean.
Risk Management
Risk management is the process of managing risks in line with your organization's
risk appetite. The process includes the assessment of the people, processes and
technologies that can potentially affect security. A risk register and treatment plan
are developed through risk (threat) identification, evaluation and prioritization, and
the selection of a response for each risk (accept, reduce, transfer or avoid).
The Risk Treatment Plan is built from the results of the assessment and contains
the actions recommended to improve ineffective controls. Each risk treatment is
mapped to the relevant risks; as treatments are completed, the effectiveness of the
control improves, which in turn reduces the likelihood or impact of the mapped risks.
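The register-and-treatment mechanics described above, as an added worked example written for this page (it is not Risk Associates' material or any CRISC-prescribed tool). It assumes a 1 to 5 likelihood and impact scale, a residual-score appetite threshold of 9, the four response types the course lists (accept, reduce, transfer, avoid), and constructed sample risks; each treatment is mapped to a risk and only lowers the residual score once it is marked complete.

```python
# Added example: a minimal IT risk register with treatment tracking.
# Illustrative code written for this page, not Risk Associates' material.
# The 1-5 scoring scale, the appetite threshold and the sample risks are
# all assumptions made for the example.
from dataclasses import dataclass, field

LOW, HIGH = 1, 5                 # assumed scoring scale for likelihood and impact
RISK_APPETITE = 9                # assumed: residual score above this needs escalation
RESPONSES = {"accept", "reduce", "transfer", "avoid"}


@dataclass
class Treatment:
    treatment_id: str
    description: str
    response: str                  # one of RESPONSES
    likelihood_reduction: int = 0  # points removed from likelihood once complete
    impact_reduction: int = 0      # points removed from impact once complete
    completed: bool = False

    def __post_init__(self):
        if self.response not in RESPONSES:
            raise ValueError(f"unknown risk response: {self.response}")
        # Accepting a risk changes nothing; a treatment that claims a reduction
        # but is classed as "accept" is a register error, so reject it early.
        if self.response == "accept" and (self.likelihood_reduction or self.impact_reduction):
            raise ValueError("an accepted risk cannot claim a reduction")


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                   # accountable owner recorded in the register
    likelihood: int              # inherent likelihood, LOW..HIGH
    impact: int                  # inherent impact, LOW..HIGH
    treatments: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        """Likelihood, impact and score after all *completed* treatments."""
        likelihood, impact = self.likelihood, self.impact
        for t in self.treatments:
            if not t.completed:
                continue                 # planned treatments reduce nothing yet
            if t.response == "avoid":
                return (0, impact, 0)    # activity stopped: risk no longer arises
            likelihood -= t.likelihood_reduction
            impact -= t.impact_reduction
        likelihood = max(LOW, min(HIGH, likelihood))
        impact = max(LOW, min(HIGH, impact))
        return (likelihood, impact, likelihood * impact)


def above_appetite(register, appetite=RISK_APPETITE):
    """Risk IDs whose residual score still exceeds the appetite, highest first."""
    over = [(r.residual()[2], r.risk_id) for r in register if r.residual()[2] > appetite]
    return [risk_id for _, risk_id in sorted(over, reverse=True)]


def build_sample_register():
    """Constructed sample data for the example (not from any real assessment)."""
    r1 = Risk("R-01", "Unpatched internet-facing web server", "Head of IT", 4, 5)
    r1.treatments += [
        Treatment("T-01", "Monthly patch cycle with 14-day SLA", "reduce",
                  likelihood_reduction=2, completed=True),
        Treatment("T-02", "WAF in front of the server", "reduce",
                  likelihood_reduction=1, completed=False),
    ]
    r2 = Risk("R-02", "Card data loss via third-party processor", "CFO", 3, 5)
    r2.treatments.append(
        Treatment("T-03", "Cyber insurance covering breach costs", "transfer",
                  impact_reduction=2, completed=True))
    r3 = Risk("R-03", "Legacy FTP file exchange with supplier", "Ops Manager", 3, 3)
    r3.treatments.append(
        Treatment("T-04", "Decommission FTP, move to SFTP portal", "avoid", completed=True))
    r4 = Risk("R-04", "Staff use of personal USB drives", "HR Director", 2, 2)
    r4.treatments.append(Treatment("T-05", "Accept within appetite", "accept", completed=True))
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    register = build_sample_register()
    for risk in register:
        print(risk.risk_id, "inherent", risk.inherent_score(), "residual", risk.residual())
    print("above appetite:", above_appetite(register))
```

Only completed treatments change the residual figures, so a register built this way cannot show a risk as mitigated on the strength of a plan alone; R-01 stays above appetite until its second treatment is actually delivered.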
Course Contents
Introduction to IT Risk Management
Governance and Risk Management
The Context of IT Risk Management
Importance of IT Risk Management
Key Concepts of Risk
Risk in Relation to Other Business Functions
Risk and Business Continuity
Risk and Audit
Risk and Information Security
Control Risk
Project Risk
Change Risk
IT Risk Management Good Practices
Summary
Endnotes
DAY 1: IT Risk Identification
Section One: Overview
Domain Definition
Learning Objectives
CRISC Exam Reference
Task and Knowledge Statements
Tasks
Knowledge Statements
Self-assessment Questions
Answers to Self-assessment Questions
Suggested Resources for Further Study
Section Two: Content
1.0 Overview
1.1 Risk Capacity, Risk Appetite and Risk Tolerance
1.2 Risk Culture and Communication
1.2.1 Risk Culture
1.2.2 Risk Communication
The Value of Communication
1.3 Elements of Risk
1.3.1 Risk Factors
1.3.2 Assets
People
Technology
Data
Intellectual Property
Business Processes
Asset Valuation
1.3.3 Threats
Internal Threats
External Threats
Emerging Threats
1.3.4 Vulnerabilities
Network Vulnerabilities
Physical Access
Applications and Web-facing Services
Utilities
Supply Chain
Processes
Equipment
Cloud Computing
Big Data
1.3.5 Vulnerability Assessment and Penetration Testing
1.3.6 Likelihood/Probability
1.4 Information Security Risk Concepts and Principles
1.4.1 Confidentiality
1.4.2 Integrity
1.4.3 Availability
1.4.4 Nonrepudiation
1.5 The IT Risk Strategy of the Business
1.5.1 Types of IT-related Business Risk
1.5.2 Senior Management Support
1.5.3 Alignment With Business Goals and Objectives
1.5.4 Organizational Structures and Impact on Risk
RACI (Responsible, Accountable, Consulted, Informed)
1.5.5 Organizational Culture, Ethics and Behavior and the Impact on Risk Culture
Ethics
1.5.6 Laws, Regulations, Standards and Compliance
1.5.7 Establishing an Enterprise Approach to Risk Management
Executive Sponsorship (Tone at the Top)
Policy
1.6 IT Concepts and Areas of Concern for the Risk Practitioner
1.6.1 Hardware
1.6.2 Software
Operating Systems
Applications
Software Utilities
1.6.3 Environmental Controls
1.6.4 Platforms
1.6.5 Network Components
Cabling
Repeaters
Switches
Routers
Firewalls
Proxy
Domain Name System
Wireless Access Points
Other Network Devices
1.6.6 Network Architecture
Types of Network Topologies
Local Area Network
Demilitarized Zone
Encryption
Virtual Private Network
1.7 Methods of Risk Identification
1.7.1 Conducting Interviews
1.7.2 Risk Identification and Classification Standards and Frameworks
ISO 31000:2009 Risk Management—Principles and Guidelines
COBIT® 5 for Risk
IEC 31010:2009 Risk Management—Risk Assessment Techniques
ISO/IEC 27001:2013 Information Technology—Security Techniques—Information Security Management Systems—Requirements
ISO/IEC 27005:2011 Information Technology—Security Techniques—Information Security Risk Management
NIST Special Publications
1.7.3 Example of a Risk Management Program Based on ISO/IEC 27005
1.8 IT Risk Scenarios
1.8.1 Risk Scenario Development Tools and Techniques
Top-down Approach
Bottom-up Approach
1.8.2 Benefits of Using Risk Scenarios
1.8.3 Developing IT Risk Scenarios
1.9 Ownership and Accountability
1.10 The IT Risk Register
1.11 Risk Awareness
1.12 Summary
Endnotes
DAY 2: IT Risk Assessment
Section One: Overview
Domain Definition
Learning Objectives
CRISC Exam Reference
Task and Knowledge Statements
Tasks
Knowledge Statements
Self-assessment Questions
Answers to Self-assessment Questions
Suggested Resources for Further Study
Section Two: Content
2.0 Overview
2.1 Risk Assessment Techniques
2.1.1 Bayesian Analysis
2.1.2 Bow Tie Analysis
2.1.3 Brainstorming/Structured Interview
2.1.4 Business Impact Analysis
2.1.5 Cause and Consequence Analysis
2.1.6 Cause-and-effect Analysis
2.1.7 Checklists
2.1.8 Delphi Method
2.1.9 Event Tree Analysis
2.1.10 Fault Tree Analysis
2.1.11 Hazard Analysis and Critical Control Points (HACCP)
2.1.12 Hazard and Operability Studies (HAZOP)
2.1.13 Human Reliability Analysis (HRA)
2.1.14 Layers of Protection Analysis (LOPA)
2.1.15 Markov Analysis
2.1.16 Monte-Carlo Analysis
2.1.17 Preliminary Hazard Analysis
2.1.18 Reliability-centered Maintenance
2.1.19 Root Cause Analysis
2.1.20 Scenario Analysis
2.1.21 Sneak Circuit Analysis
2.1.22 Structured “What If” Technique (SWIFT)
2.2 Analyzing Risk Scenarios
2.2.1 Organizational Structure and Culture
2.2.2 Policies, Standards and Procedures
Policies
Standards
Procedures
Exception Management
2.2.3 Technology
2.2.4 Architecture
2.2.5 Controls
2.3 Current State of Controls
2.3.1 Audits
2.3.2 Business Continuity Plans
Disaster Recovery
2.3.3 Capability Maturity Models
2.3.4 Control Tests
2.3.5 Incident Reports
2.3.6 IT Operations and Management Evaluation
Data Management
2.3.7 Enterprise Architecture Assessment
2.3.8 Logs
2.3.9 Media Reports
2.3.10 Observation
2.3.11 Self-assessments
2.3.12 Third-party Assurance
Third-party Management
2.3.13 User Feedback
2.3.14 Vendor Reports
2.3.15 Vulnerability Assessments and Penetration Tests
2.4 Changes in the Risk Environment
2.4.1 Emerging Technologies
2.4.2 Industry Trends
2.5 Project and Program Management
2.5.1 The System Development Life Cycle
2.6 Risk and Control Analysis
2.6.1 Data Analysis
2.6.2 Threat and Misuse Case Modeling
2.6.3 Root Cause Analysis
2.6.4 Gap Analysis
2.6.5 Predicting Risk
2.7 Risk Analysis Methodologies
2.7.1 Quantitative Risk Assessment
2.7.2 Qualitative Risk Assessment
2.7.3 Semiquantitative Risk Assessment
2.8 Risk Ranking
Operationally Critical Threat Asset and Vulnerability Evaluation® (OCTAVE®)
2.8.1 Risk Appetite Bands
2.8.2 Risk Ownership and Accountability
2.9 Documenting Risk Assessments
2.9.1 Addressing Bypassed Risk
2.9.2 Updating the Risk Register
2.10 Summary
Endnotes
DAY 3: Risk Response and Mitigation
Section One: Overview
Domain Definition
Learning Objectives
CRISC Exam Reference
Task and Knowledge Statements
Tasks
Knowledge Statements
Self-assessment Questions
Answers to Self-assessment Questions
Suggested Resources for Further Study
Section Two: Content
3.0 Overview
3.1 Aligning Risk Response With Business Objectives
3.2 Risk Response Options
3.2.1 Risk Acceptance
3.2.2 Risk Mitigation
3.2.3 Risk Transfer (Sharing)
3.2.4 Risk Avoidance
3.3 Analysis Techniques
3.3.1 Cost-benefit Analysis
3.3.2 Return on Investment
3.4 Vulnerabilities Associated With New Controls
3.5 Developing a Risk Action Plan
3.6 Business Process Review Tools and Techniques
3.7 Control Design and Implementation
3.7.1 Control Standards and Frameworks
3.7.2 Administrative, Technical and Physical Controls
3.8 Control Monitoring and Effectiveness
3.8.1 Control Monitoring and Reporting Tools and Techniques
3.9 Types of Risk
3.9.1 Inherent Risk
3.9.2 Residual Risk
3.9.3 Current Risk
3.10 Control Activities, Objectives, Practices and Metrics
3.10.1 Business Processes
3.10.2 Information Security
Change Control
System Authorization
Asset Inventory and Documentation
Configuration Management
3.10.3 Third-party Management
3.10.4 Data Management
Identity Management
Segregation of Duties
Cross-training and Job Rotation
Access Control
Cryptography
3.10.5 Project, Program and Portfolio Management
3.10.6 The System Development Life Cycle
3.10.7 Business Continuity and Disaster Recovery Management
3.10.8 IT Operations Management and Acquisition
3.10.9 Information Systems Architecture
Platforms and Operating Systems
Applications
Databases
Networks
3.11 Systems Control Design and Implementation
3.11.1 Testing
Good Practices for Testing
Unit Testing and Code Review
Integration Testing/System Testing
3.11.2 Changeover (Go-live) Techniques
Parallel Changeover
Phased Changeover
Abrupt Changeover
3.11.3 Challenges Related to Data Migration
3.11.4 Fallback (Rollback)
3.11.5 Postimplementation Review
3.11.6 Project Closeout
3.12 Impact of Emerging Technologies on Design and Implementation of Controls
3.13 Control Ownership
3.14 Risk Management Procedures and Documentation
3.15 Summary
Endnotes
DAY 4: Risk and Control Monitoring and Reporting
Section One: Overview
Domain Definition
Learning Objectives
CRISC Exam Reference
Task and Knowledge Statements
Tasks
Knowledge Statements
Self-assessment Questions
Answers to Self-assessment Questions
Suggested Resources for Further Study
Section Two: Content
4.0 Overview
4.1 Key Risk Indicators
4.1.1 KRI Selection
4.1.2 KRI Effectiveness
4.1.3 KRI Optimization
4.1.4 KRI Maintenance
4.2 Key Performance Indicators
4.2.1 Using KPIs with KRIs
4.3 Data Collection and Extraction Tools and Techniques
4.3.1 Logs
4.3.2 Security Information and Event Management
4.3.3 Integrated Test Facilities
4.3.4 External Sources of Information
4.4 Monitoring Controls
4.5 Control Assessment Types
4.5.1 IS Audit
4.5.2 Vulnerability Assessment
4.5.3 Penetration Testing
4.5.4 Third-party Assurance
4.6 Results of Control Assessments
4.6.1 Maturity Model Assessment and Improvement Techniques
4.7 Changes to the IT Risk Profile
4.8 Summary
Endnotes
Ending Note
Any questions?