TRAINING PROPOSAL THE ULTIMATE IT RISK MANAGEMENT MASTER-CLASS AN EXAM PREPARATION COURSE FOR:
This ultimate IT Risk Management Master-class will give delegates sufficient knowledge to prepare for and appear in prestigious CRISC® certification exam, the only global certification exam in IT Risk Management.
Important Notes: Although this class is for IT Risk Management, it will give delegates sufficient knowledge to prepare for and appear in prestigious CRISC® certification exam, the only global certification exam in IT Risk Management. Next exam for CRISC® is on 11 June 2016 in Singapore, Kuala Lumpur, Jakarta, Hong Kong, Sydney, and other major cities in Southeast Asia. Course material is content-rich manual/course handouts consisting of about 505 slides. IT Risk Management cheat sheet as a refresher, CRISC® Axioms, Attendees’ questions and answers from the past, glossary of terms, acronyms, and types of exam questions.
3
CONTENTS Overview
04
Program Objectives
07
Target Audience
07
Course Agenda
07
Instructor Profile
08
Clients and Testimonials
09
Appendix
4
OVERVIEW As organizations’ dependence and interdependence on IT have increased, the consequences of IT risk have increased as well. What is IT risk? It’s the potential for an unplanned event involving a failure or misuse of IT to threaten an enterprise objective—and it is no longer confined to a company’s IT department or data center. An IT risk incident has the potential to produce substantial business consequences that touch a wide range of stakeholders. In short, IT risk matters—now more than ever.
worthless, and can even be a liability, if it’s not secure. Secure information is useless if it can’t be efficiently stored and readily accessed. Individuals, corporations, and economies are increasingly dependent on the Internet and information technology (IT) systems. The daily value that these systems deliver is not always readily apparent or easy to measure. The systems’ risk exposure can be equally elusive— dispersed among
IT RISK IS THE POTENTIAL FOR AN UNPLANNED EVENT INVOLVING A FAILURE OR MISUSE OF IT TO THREATEN AN ENTERPRISE OBJECTIVE AND IT IS NO LONGER CONFINED TO A COMPANY’S IT DEPARTMENT OR DATA CENTER. MOST CORPORATIONS HAVE A POOR AWARENESS OF THEIR IT RISK EXPOSURE, ARE NOT FULLY EXPLOITING THE BREADTH OF TOOLS TO MANAGE THESE RISKS, AND HAVE NOT BEGUN TO SYSTEMATICALLY BUILD THE KNOWLEDGE AND PROCESSES TO MANAGE IT RISKS AS PART OF A PROACTIVE PROGRAM OF WORK. Many financial services organizations are recognizing the need to broaden the scope of risk governance and management to include information technology (IT). This awareness is growing in the wake of highly publicized identity theft incidents and other security breaches, as well as legislation aimed at managing financial, market, and operational risk exposures. Developing an Information Technology Risk Management (ITRM) program is on the minds of Chief Executive Officers,
a number of departments and functions, and taking a variety of forms. Typical IT risks include lost business or productivity due to IT infrastructure downtime or disaster; liability for failing to keep customer data private; fines for regulatory violations; or inability to defend lawsuits due to inadequate record keeping. Recent headlines have demonstrated how anything from a lost laptop to a Category 1 hurricane can trigger a major incident.
WITHOUT IT RISK MANAGEMENT, BUSINESSES RUN THE RISK OF LOSING THEIR COMPETITIVE EDGE. IT RISK MANAGEMENT NEEDS TO BECOME A TOP PRIORITY. TOP MANAGERS NEED TO START FOCUSING ON IT RISK MANAGEMENT. IT RISK MANAGEMENT INVOLVES DEFINING BUSINESS-CRITICAL PROCESSES. IT DEPARTMENTS THEN NEED TO ASSESS THE TECHNICAL RISK FOR THESE PROCESSES. A COMPANY-SPECIFIC IT GOVERNANCE POLICY CAN BE DEVELOPED ON THE BASIS OF THIS ASSESSMENT PROCESS. IN VIEW OF INCREASING RISKS, E.G. FROM INDUSTRIAL ESPIONAGE, IT IS NECESSARY TO INTRODUCE EFFECTIVE IT RISK MANAGEMENT MEASURES AT COMPANIES AND IN THE PUBLIC SECTOR. Chief Risk Officers, IT Chief Risk Officers, and Chief Information Security Officers, who are asking: How do I build my IT Risk Management program and office? What are its responsibilities? How do I ensure its effectiveness and success? IT risk, as part as an overall context of operational risk is now becoming a board-level topic in major businesses today. As a result, successful, forward-looking enterprises are developing specific strategies and policies for IT Risk Management. IT Risk Management involves two complementary components: security and availability. Information is
The business impact can be catastrophic. A single incident can cause widespread damage to a company’s reputation. A system slowdown or shutdown at a key time can be fatal. IT risk can become a legal and regulatory issue as well. Throughout the globe, a rapidly evolving matrix of legislation and regulation requires new levels of privacy, security, and documentation. New audit and accountability requirements often hold corporate officers and managers legally responsible—encouraging smart companies to take a closer look at IT-related due diligence policies.
5
A recent Harvard Business Review report identified company directors’ leading IT concerns:
the cost and impact that can result from the loss of information technology assets or access to their applications.
• Is the company getting adequate ROI from information resources? • Is there an effective, up-to-date plan in place for disaster response and recovery? • Are management practices in place to prevent hardware, software, and legacy applications from becoming obsolete? • Are corporate systems adequately protected against criminal intrusions? • Do we have management practices in place to ensure 24/7 levels, including tested backup? • Are there any possible IT-based surprises lurking out there?
The key piece in the puzzle is IT Risk Management—the ability to identify, quantify, and manage information risk as predictably as enterprises currently manage financial and operational risks. Most enterprises want to improve their IT Risk Management practices, but their IT organizations have not always been able to cost-justify remediation measures. Often, it is difficult to know where to start. A successful enterprise needs to treat information technology risk within the integrated framework of business risk management. IT Risk Management does not yet have
BUILDING AN IT RISK MANAGEMENT PROGRAM IS A CHALLENGE. BUT AN APPROPRIATELY DESIGNED PROGRAM HELPS ALIGN SILOS AND CROSSFUNCTIONAL AREAS SO THAT RISK OBJECTIVES ARE MET IN A HIGHLY COORDINATED, CONSISTENT FASHION. RISK MANAGEMENT IS THE PROCESS OF MAKING CONSCIOUS DECISIONS ABOUT APPROPRIATE LEVELS OF RESIDUAL RISK. SUCCESSFUL IT RISK MANAGEMENT PROGRAMS HELP BETTER MANAGE IT RISK - AND GIVE THEIR ORGANIZATIONS AN IMPORTANT COMPETITIVE MARKETPLACE ADVANTAGE. OTHER POSITIVES INCLUDE: ENHANCED BUSINESS VALUE IN THE FORM OF PROCESS, RISK AND CONTROL EFFICIENCIES; ELIMINATION OF REDUNDANCIES; EXPENSE REDUCTION; EFFECTIVE RESOURCE MANAGEMENT; AND LEGAL AND REGULATORY COMPLIANCE. Shareholders are paying attention, too: One study, by Oxford Executive Research, found that companies that recovered quickly from major operational disasters increased their share price by 5 percent on average versus the market. Companies that struggled to regain their operations took a 20 percent drop in relative value. Security is the headline-grabbing component of IT risk. But, on a day-to-day, profit-and-loss level, availability is just as important. Enterprises need to handle an explosion of email and online transactions, managing both the information flow, and the records they generate. Companies need to archive a growing volume of data, without devouring their budget. They need to have information available where and when it’s needed. They need to make sure information remains accessible when the worst happens, with plans and systems for disaster recovery and business continuity. The challenge to the enterprise - Most corporations have a poor awareness of their IT risk exposure, are not fully exploiting the breadth of tools to manage these risks, and have not begun to systematically build the knowledge and processes to manage IT risks as part of a proactive program of work. Businesses have only a vague understanding of
the kind of well developed statistical or actuarial models that make financial risk assessment reasonably precise. However, “roughly right” approaches based on heuristics and experience yield reliable, valuable, and usable measures of IT risk. These approaches enable IT managers to assess the business impact of I risks, and to demonstrate the ROI of prevention and remediation measures. By quantifying business impact, minimizing exposure, and planning for disaster, a company can go a long way towards putting information risk on a more businesslike footing. In addition, it has been proven that business who manage IT risk effectively tend to be far more operationally efficient than those who do not. Effective IT Risk Management requires a comprehensive approach involving security, availability, performance, and compliance. IT risk is dispersed across departments, locations, and business lines, and needs to be addressed in ways that challenge conventional organizational charts. Corporate officers and executives need to take a leadership role in developing IT Risk Management strategies and policies. IT Risk Management exists in a constantly changing environment, and requires unremitting monitoring and continuous improvement. People and process issues can be as important as technology or budget concerns.
6
IT risk is one of the 97 Enterprise Risks. Alignment of IT with business objectives brings value to the organization, but IT has an element of risk associated with it. This risk must be properly managed in order to balance the IT value delivery and IT risk. Major risks are related to IT disaster recovery, IS security, IT processes outsourcing, regulatory compliance, and IT projects management. Such risks must be identified, assessed, mitigated, accepted, and monitored at appropriate levels to balance value and risk. Although it is a relatively new discipline, measurement and management of IT risk has reached a stage of fairly stable maturity. An IT Risk Management program is designed to execute, manage, measure, control and report on risk matters within IT. It is essential to an organization’s overall risk management capability and effectiveness. If successful, an IT Risk Management program provides the board of directors, senior management, regulators and other external stakeholders with confidence that IT can deliver business value efficiently and securely, while providing high quality assurance around data integrity, availability, and confidentiality.
This master-class will start from the very basics and take delegates to an advanced level of IT Risk and IT Controls management. At the end of the course, delegates would be able to either start a new IT Risk Management project from scratch or find the gaps between current state and desirable state of IT Risk management in their organization. Course coverage will include international standards, IT risk register, IT Risk Frameworks, IT risk policies, general controls, application controls, and much more. This master-class does not need any knowledge of mathematics. If you’re a business executive or board member, this masterclass provides ideas, frameworks, and advice to help you meet your fiduciary responsibility of managing IT risks as effectively as you manage other risks. If you’re an IT executive, this master-class provides step-by-step advice and tools to help you build an IT risk management capability. It provides information in a practical form to help you start the program, find the right specialists for each element, and engage both business and IT people in the right roles.
ALTHOUGH THE ORIENTATION OF THIS CLASS IS TOWARDS FINANCIAL SECTOR (BANKING, INVESTMENT BANKING, AND INSURANCE), PRINCIPLES ARE APPLICABLE TO OTHER BUSINESS MODELS AS WELL.
7
PROGRAM OBJECTIVES TARGET AUDIENCE • Provide practical training to learn: • Prepare delegates for ISACA’s CRISC exam • Four-tier IT Risk Management Framework from governance, management, and operational perspective • How to identify IT risk, assess it, treat it, accept it, and monitor it • How to identify controls and measure their design and operational effectiveness • Gap analysis for current and desirable state of IT risk • Learn about a 18 month project plan to achieve IT risk management project • Measuring IT risk maturity level and effectiveness • IT risk policies and standards
• The ideal participants for this tutorial are all IT professionals who are interested in learning IT Risk Management. Typical titles but not limited to: • Internal and external, IS and non-IS auditors • Assurance, risk and compliance professionals who need to understand technology related controls • IT Managers and Business Managers responsible for audit coordination and support • Risk Managers • IT and Information Security Managers • IT Security designers, architects, and engineers • IT Professionals who coordinates, supports, or is involved in assurance activities • IT Professionals interested in earning CRISC certification and learning IT Risk Management
COURSE AGENDA* This master-class will address materials about IT Risk Management and alignment with BASEL capital requirements. DOMAIN 1 Risk Identification
DOMAIN 2 IT Risk Assessment
• What is IT risk • Corporate pyramid- value delivery vs. risk management • Risk governance, management, and controls • Four layers- business process, applications, infrastructure, and SD/SM • Risk Universe • Alignment with ERM • Risk identification methodologies • Internal and External business environment and business objectives • Threats and vulnerabilities • People processes and Technology • Risk scenarios and business objectives • Risk identification and classification standards and FWs • Key stakeholders and accountability for IT risk • IT Risk Register • Risk appetite and risk tolerance • Risk awareness and risk aware culture • Laws and regulatory compliance • External contractual obligations • Threats vulnerabilities for business processes, third party management, data management, HW, SW, and appliances, SDLC, project management, program management, BC/DR, IT Operations, emerging technologies, outsourcing risk
• Risk, likelihood, and Impact • ALE, SLE, ARO, AV, and EF • Organizational structure, policies, standards, technology, architecture, and controls • Current state of IT controls and their effectiveness in risk mitigation • IT Risk gap analysis • Risk ownership and control ownership • Risk communications and risk aware decisions • Risk register update • Risk event and LCA • Qualitative and Quantitative RA • Organizational structure and risk • Organizational culture and risk • Policies, standards, procedures, and guidelines • Business process review • Root cause analysis, gap analysis, CBA, ROI • Inherent risk, residual risk, control risk, discovery risk, sampling risk • Risk assessment standards, FWs, and techniques • Information security and CIA • BC, RTO, RPO, SDO, MTO
DOMAIN 3 Risk Response and Mitigation
DOMAIN 4 Risk and Control Monitoring and Reporting
• Roles and responsibilities • Controls- directive, preventive, detective, corrective, compensating, deterrent • Risk response optionsaccept, mitigate, transfer, avoid • Risk response and alignment with business objectives • Risk owners participation • Risk response action plan and cost/target date • Control design and control operations • Accountability of controls • Control procedures • Risk register update with DE and OE of controls • Residual risk and its alignment with risk appetite • CMMI and improvement • Balanced Score Card • Control assessmentsself assessment, audits, vulnerability assessments, penetration tests, third party assurance • LCA, loss data, external and internal sources of loss data
• Determine variation in risk and control effectiveness • KRIs and thresholds • KRI design and monitoring – KRI mistakes • KCIs and monitoring • Risk reporting and trend analysis • Metrics, KPIs, and control performance • KPIs and DET/OET of controls • Risk trend analysis and stakeholders reporting • Data analysis, data validation, data aggregation, trend analysis, modeling • Data collections and extraction • Risk exception management • Certification and accreditation • IT SD and SM • Risk reporting and periodicity
DOMAIN 5 Miscellaneous Topics • COBIT 4.1 and COBIT 5 • Risk IT FW • Cloud computing, mobile computing, BYOD, social networking risks • ISO 27005:2011, COSO IC FW 2013, COSO ERM, ISO 27001:2013
* Sequence of topics in the master-class can be different
8
INSTRUCTOR PROFILE The instructor for this IT Risk Management Master-class is certified CRISC, CIA, CISA, CISM, CISSP, ISSAP, CGEIT, and CBCP. He was awarded President’s “Outstanding Educator Award” by ISACA NY Metro Chapter in June 2013 and is an internationally renowned expert on IT Risk management, disaster recovery, IT Security, IT Auditing and IT controls. He has written and published more than 35 IT-related books on various subjects ranging from networks, security, mainframe/distributed operating systems, and computer programming languages. He also has an imprint with McGraw-Hill with more than 300 books with more than 7 million copies in print. His books have been translated in German, Chinese, Portuguese, Spanish, Japanese, and Korean. He is currently working on a number of books on various subjects such as Enterprise Risk Management and Operational Risk Management.
This IT Risk Management Guru has consulted and worked for Global and Fortune 500 companies in the US and abroad including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. His classes and lectures have been attended by employees of almost every Fortune 500 company globally. He teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University. He is also an adjunct professor at St John’s University and teaches graduate-level classes on Accounting Information Systems, IT Auditing, Internal Auditing, Security/ Forensics, and Operational Risk Management.
HE WAS AWARDED PRESIDENT’S “OUTSTANDING EDUCATOR AWARD” BY ISACA NY METRO CHAPTER IN JUNE 2013.
9
CLIENTS & TESTIMONIALS “Just wanted to inform that I passed the CGEIT exam... ISACA also informed that my score was in the top 10 percent of those testing. In 2012, I took CISM after attending your class and turned up second top scorer for the exam. So there’s definitely a trend! Thanks very much for doing an awesome job in class!” VP, Bank of New York Mellon
“I am impressed by the quality of following a course from remote, good time keeping, good involvement of the remote listeners to the course. Well done, and thanks for this.” Honeywell, Netherlands (May, 2014)
“The training seminar was very helpful. Very effective trainer. Enjoyed real world experiences applied to course material. His real life examples really brought material to life. Very good class!!!” Ernst and Young, USA (May, 2013)
“This was one of the best training sessions I have ever attended. (It is) a direct result of the instructor’s expertise, knowledge, experience, presentation, and teaching skills. A wow factor of 10!!!” Broadridge, USA (May, 2013)
“He found the right balance between test-related material and real life presentation that kept things interesting.” Federal Reserve Bank of NY, USA (May, 2013)
“Great class with lot of real world practical examples.”
Columbia University Medical Center, USA (May, 2013)
“Everything was terrific and properly planned. The most effective course and the best trainer in all the courses and degrees I have ever had.” HSBC, Israel (April, 2014)
“He is a great teacher. I loved the fact he provided so many examples, the axioms, and he has plenty of energy and sense of humor.” HSBC, UK (April, 2014)
“Excellent training course!!!”
Honeywell, Netherlands (May, 2014)
“It was a privilege to be in your class. Thanks for the amazing training session.” Ernst and Young, USA (May, 2014)
“He was great! My co-worker and I couldn’t believe how much he knew and the extensive examples he provided. He was amazing!!” Marriott, USA (December, 2013)
“He was terrific - very engaging, funny, and kept the class moving. He handled remote questions, as well as live questions, and was mindful of the time for breaks. He had a way of presenting the material that was not dry and was designed to ensure success on the CRISC test, not just academic knowledge.”
Bank of the West, USA (December, 2013)
“He is the man. He was very knowledgeable across the board.” Ernst and Young, USA (Spring, 2012)
“Very good class!!!”
Comcast, USA (Spring, 2014)
10
AD ASTRA | ABOUT US AdAstra provides forward-thinking, relevant and challenging education programs for executives and senior executives. Our programs are all designed to enable your business to enhance its capacity to compete in a changing world. We look to current and emerging trends as our inspiration. We see a business world characterised by intense competition, increasing public accountability and global risks. In this time of challenge we want to inspire excellence. We believe that the knowledge and insight we offer enables our clients to enhance their capacity to compete.
We believe that knowledge and insight are the basis of effective learning. Our programs are developed in response to trusted research. We work with prominent corporate leaders, highly respected training directors, and practitioners to create innovative, responsive and relevant training courses, seminars and conferences. We deliver delegate courses and in-house courses to local and multi-national companies across Asia. We value our customer’s time. This is why we take a practical and effective approach to learning. All our programs are focused on improving skills, solidifying confidence, developing knowledge and inspiring new ideas and responses.
Ad Astra Pte Ltd Phone (65) 6488-0282 Fax (65) 6284-0668 E-mail info@adastra.com.sg Website http://adastra.com.sg
11