IT Risk Management

Training Duration: 3 days regular, 5 days intensive

Training Delivery Method: On-site, instructor-led course; or online, instructor-led course

Prerequisites:

Experienced IT professionals with some background in security and risk management

What Problem Does This Training Help Solve?

Provides training on IT risk assessment, risk treatment (mitigation, avoidance, acceptance, and transfer), risk management methodologies and frameworks, risk management software, and other aspects of IT risk management

Who Should Attend?

IT professionals interested in learning about IT risk control objectives, controls, methodologies, and risk management. Operational risk management (ORM) professionals who want to learn IT risk management (ITRM) as a sub-component of ORM. IT auditors who want to learn about IT controls and security.

Course Material:

Content-rich manual/course handouts consisting of about 600 slides

Course Syllabus for 3-day class:

Aligning IT with business objectives brings value to the organization, but IT also carries risk, and that risk must be managed so that IT value delivery and IT risk stay in balance. There are many risks associated with the use of information technology; the major ones relate to IT disaster recovery, information security, outsourcing of IT processes, and IT project management. Such risks must be identified, analyzed, mitigated, monitored, and accepted at appropriate levels to balance value and risk. Although IT risk management is a relatively young discipline, the measurement and management of IT risk has reached a fairly stable level of maturity.

Topics to be covered:

  • What IT risk is
    • Security vs. risk
    • Confidentiality, integrity, availability
  • 3-layered IT risk approach
    • Corporate pyramid: value delivery vs. risk management
    • Risk governance
    • Risk management
    • Risk controls
  • 4 layers of interdependence
    • Business processes
    • IT applications
    • IT infrastructure
    • IT SD/SM
  • IT Risk Framework
    • Risk Identification, Assessment, and Evaluation
    • Risk Response
    • Risk Monitoring
    • Information Systems Controls Design and Implementation
    • Information Systems Control Monitoring and Maintenance
  • How to assess IT risk: risk assessment
    • Quantitative assessment
    • Qualitative assessment
  • Risk analysis and risk management
  • Risk treatment: mitigation, avoidance, acceptance, transfer
  • Risk ownership and control ownership
  • What are controls
    • Policy, standards, procedures, processes, physical entities, organizational structure
  • Control types for IT risk
    • Directive
    • Preventive
    • Detective
    • Corrective
    • Deterrent
    • Compensating
  • How to measure the effectiveness of risk controls
    • Design effectiveness
    • Operational effectiveness
    • Qualitative vs. quantitative approaches
  • Indicators and monitoring
    • Key risk indicators (KRIs)
    • Key control indicators (KCIs)
  • Risk-based approach to IT risk management
    • Why risk-based
  • IT risk analysis methodologies
    • OCTAVE, COBRA, IRAM, FRAP, SARA, SPRINT
  • NIST and European perspectives
    • NIST SP 800-30
    • CRAMM
    • MEHARI
    • EBIOS
    • IT-Grundschutz
    • A&K (Afhankelijkheids- en Kwetsbaarheidsanalyse, dependency and vulnerability analysis)
  • Frameworks and standards
    • COSO 2013 and COSO ERM 2004
    • ISO/IEC 27001:2013
    • ISO/IEC 27005:2011
  • Risk and security policies
    • 25+ types of risk/security policies
  • Risk standards
    • ISO 27001-based
  • Risk register
  • Risk, controls, residual risk
  • Security awareness and training program
  • Risk communications
  • IT risk management and the banking industry
    • Basel II/III
    • IT risk management and capital requirements
    • IT risk vs. ORM
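Several of the topics above (risk register, inherent vs. residual risk, control design and operating effectiveness, qualitative vs. quantitative assessment, and risk treatment) fit together in one small model. The following is an added example written for this page, not course material or code from the training provider: a minimal risk register that scores each risk qualitatively (likelihood x impact on a 1-5 scale) and quantitatively (annualized loss expectancy, ALE = SLE x ARO), applies only controls that are both designed and operating effectively, and recommends a treatment against a stated risk appetite. The three risks, their controls, the scoring factors, the appetite of 6, and the transfer heuristic (residual likelihood at most 2 with residual impact at least 4) are all constructed assumptions for illustration.

```python
"""Added example: a minimal IT risk register with inherent/residual scoring,
ALE, control cost-benefit, and treatment recommendation. All data is constructed."""
from dataclasses import dataclass, field
from math import prod


@dataclass
class Control:
    name: str
    kind: str                  # directive, preventive, detective, corrective, deterrent, compensating
    likelihood_factor: float   # fraction of likelihood (and ARO) remaining after the control; 1.0 = no effect
    impact_factor: float       # fraction of impact (and SLE) remaining after the control; 1.0 = no effect
    annual_cost: float         # what the organization pays per year to run the control
    design_effective: bool = True
    operating_effective: bool = True

    @property
    def effective(self) -> bool:
        # A control only reduces risk if it is both well designed and actually operating;
        # a documented control that is never exercised or tested counts for nothing.
        return self.design_effective and self.operating_effective


@dataclass
class Risk:
    risk_id: str
    description: str
    risk_owner: str
    likelihood: int            # qualitative scale 1 (rare) .. 5 (almost certain)
    impact: int                # qualitative scale 1 (negligible) .. 5 (severe)
    sle: float                 # single loss expectancy (currency units per event)
    aro: float                 # annualized rate of occurrence (events per year)
    controls: list = field(default_factory=list)


def _factors(r: Risk):
    """Combined reduction factors from the effective controls only."""
    live = [c for c in r.controls if c.effective]
    return prod(c.likelihood_factor for c in live), prod(c.impact_factor for c in live)


def inherent_score(r: Risk) -> int:
    return r.likelihood * r.impact


def residual_levels(r: Risk):
    lf, imf = _factors(r)
    # Levels never fall below 1: controls reduce risk, they do not eliminate it.
    return max(1, round(r.likelihood * lf)), max(1, round(r.impact * imf))


def residual_score(r: Risk) -> int:
    lik, imp = residual_levels(r)
    return lik * imp


def inherent_ale(r: Risk) -> float:
    return r.sle * r.aro


def residual_ale(r: Risk) -> float:
    lf, imf = _factors(r)
    return (r.sle * imf) * (r.aro * lf)


def controls_justified(r: Risk) -> bool:
    """Cost-benefit: the ALE avoided each year must cover what all controls cost.
    Cost counts every control, including ineffective ones, since they are still paid for."""
    cost = sum(c.annual_cost for c in r.controls)
    return inherent_ale(r) - residual_ale(r) >= cost


def recommend_treatment(r: Risk, appetite: int) -> str:
    """Accept within appetite; transfer rare-but-severe residuals (assumed heuristic); otherwise mitigate."""
    lik, imp = residual_levels(r)
    if lik * imp <= appetite:
        return "accept"
    if lik <= 2 and imp >= 4:
        return "transfer"      # insurance or contractual transfer candidate
    return "mitigate"          # more or better controls needed


def assess(register, appetite: int):
    """One row per risk: the columns a risk register would carry."""
    return [{
        "id": r.risk_id, "owner": r.risk_owner,
        "inherent": inherent_score(r), "residual": residual_score(r),
        "inherent_ale": inherent_ale(r), "residual_ale": residual_ale(r),
        "controls_justified": controls_justified(r),
        "treatment": recommend_treatment(r, appetite),
    } for r in register]


# Constructed sample register (not real figures).
REGISTER = [
    Risk("R1", "Ransomware on file servers", "Head of Infrastructure", 4, 5, 500_000, 0.5, [
        Control("EDR on all endpoints", "preventive", 0.5, 1.0, 40_000),
        Control("Offline backups, restore tested quarterly", "corrective", 1.0, 0.4, 25_000),
    ]),
    Risk("R2", "Breach at outsourced payroll provider", "HR Director", 2, 5, 2_000_000, 0.1, [
        # Contract clauses exist but compliance has never been verified: not operating effectively.
        Control("Vendor security clauses", "directive", 1.0, 0.8, 5_000, operating_effective=False),
    ]),
    Risk("R3", "Primary data center outage", "CIO", 3, 4, 300_000, 0.3, [
        Control("DR plan with warm standby", "corrective", 1.0, 0.75, 30_000),
    ]),
]
APPETITE = 6   # assumed: maximum residual score the board accepts

if __name__ == "__main__":
    for row in assess(REGISTER, APPETITE):
        print(row)
```

Running it shows the three situations a risk owner has to distinguish: R1's controls bring the score inside appetite and pay for themselves (accept); R2's only control is not operating, so residual equals inherent, the fee is wasted, and a rare but severe loss is a transfer candidate; R3's DR plan neither reaches appetite nor covers its own cost, so further mitigation is needed.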