Risk Management Approach and Practices | RM

This risk management course is specifically designed to guide a CISO in defining and implementing a risk management approach within an IS program. The course introduces the student to the most common approaches and practices used by organizations worldwide. It is not intended to cover risk outside of the IS enterprise (including financial and business risks).

Course Outline

Introduction to Risk Management

  • 1.0 Introduction to Risk Management
  • 1.1 Cyber-Risk Sources
  • 1.2 Black Swan Events
  • 1.3 Compliance Risk
  • 1.4 Ethics
  • 1.5 A Seven-Question Framework for Ethical Decision-Making
  • 1.6 Fraud Risk Management
  • 1.7 Risk Appetite Statement
  • 1.8 Risk Tolerance
  • 1.9 Risk Threshold
  • 1.10 Risk Retention
  • 1.11 Risk Management Standards

The Essentials of a Risk Management Program

  • 2.1 Where Risk Resides
  • 2.2 Risk Ownership
  • 2.3 Key Risk Indicators (KRI)
  • 2.4 Risk Assessment Types
  • 2.5 ISO 27001-based Risk Assessment Process
  • 2.6 Risk Categories
  • 2.7 Risk Rewards
    • 2.7.1 – Risk Modification or Mitigation
    • 2.7.2 – Risk Retention or Risk Acceptance
    • 2.7.3 – Risk Avoidance or Risk Elimination
    • 2.7.4 – Risk Sharing or Risk Transfer
      • 2.7.4.1 – Cyber Risk Insurance
      • 2.7.4.2 – Insurable vs. Uninsurable Risks
      • 2.7.4.3 – Cyber Risk Pools
  • 2.8 – Silent Cyber Risk
  • 2.9 – Risk Registry
  • 2.10 – Risk Taxonomy
  • 2.11 – Risk Rewards
  • 2.12 – Risk Ontology
  • 2.13 – Risk Registry Products
  • 2.14 – Applying Compensating Controls to Reduce Risk
  • 2.15 – Risk Calculation Formula
  • 2.16 – Risk Management Software
  • 2.17 – Risk Maps
  • 2.18 – Risk-Mapping Software

Risk Management Frameworks

  • 3.1 ISO 27005
    • 3.1.1 – Context Establishment
    • 3.1.2 – Risk Assessment
    • 3.1.3 – Risk Treatment
    • 3.1.4 – Risk Acceptance
    • 3.1.5 – Risk Feedback
    • 3.1.6 – Risk Communication and Consultation
    • 3.1.7 – Risk Monitoring and Review
  • 3.2 NIST Risk Management Framework (RMF)
    • 3.2.1 – Step 1: Categorize the Information System
    • 3.2.2 – Step 2: Select Security Controls
    • 3.2.3 – Step 3: Implement Security Controls
    • 3.2.4 – Step 4: Assess the Information System
    • 3.2.5 – Step 5: Authorize the Information System
    • 3.2.6 – Step 6: Monitor Security Controls
  • 3.3 NIST Risk Management and Assessment
  • 3.4 NIST Risk Management Hierarchy
  • 3.5 NIST Risk Assessment Process
  • 3.6 Other Frameworks and Methodologies
    • 3.6.1 – COBIT 5 for Risk Management
    • 3.6.2 – COSO Enterprise Risk Management Integrated Framework
    • 3.6.3 – Consultative, Objective and Bi-functional Risk Analysis (COBRA)
    • 3.6.4 – Factor Analysis of Information Risk (FAIR)
    • 3.6.5 – Facilitated Risk Analysis and Assessment Process (FRAAP)
    • 3.6.6 – Information Risk Assessment Methodology 2 (IRAM2) [25]
    • 3.6.7 – Information Technology Infrastructure Library (ITIL)
    • 3.6.8 – IRGC Risk Governance Framework [27]
    • 3.6.9 – Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
    • 3.6.10 – Operational Risk Management Framework [29]
    • 3.6.11 – Operational Risk Management (ORM) [30]
    • 3.6.12 – Threat Agent Risk Assessment (TARA) [31]
    • 3.6.13 – The Risk IT Framework (ISACA) [32]
  • 3.7 Lesser Known Risk Assessment Methods

Risk Management Policies and Procedures

  • 4.1 Risk Management Lifecycle
  • 4.2 Risk Management Program Implementation Use Case
  • 4.3 Risk Management Program Review
  • 4.4 Risk Program Maturity Models
  • 4.5 Enterprise Risk Management (ERM)

Risk-Based Audits

  • 5.1 Risk-Based Internal Audit
  • 5.2 Physical Risk Assessments

Third-Party Risk Management (TPRM)

  • 6.1 TPRM Program Structure
  • 6.2 Delivery Assurance
  • 6.3 Validation of Meeting Contractual Requirements
  • 6.4 Formal Delivery Audits
  • 6.5 Periodic Random Delivery Audits
  • 6.6 Third-Party Attestation Services

Risk Management Positions

  • Risk Management Positions

Risk Law

  • Risk Law

Procurement Risk Management

  • Procurement Risk Management

Risk Culture

  • Risk Culture

Future of Risk Management

  • Future of Risk Management

Course Content

This risk management course covers the following main subject areas:

  • Risk Management
  • Risk Treatment
  • Risk Management Frameworks
  • Third-Party Risk Management

Combined, these subject areas form an effective risk management program that establishes the foundation for protecting information and assets. The specific focus of this course does not allow every related topic to be covered. Subject areas related to risk, such as threat and vulnerability management and information security controls, fall outside the scope of this course.

Still have questions?

1-888-330-HACK

Mon – Fri / 8:00 AM – 5:00 PM
