Course Description

  • The course provides a comprehensive view of managing risk in information systems. It covers the fundamentals of risk and risk management and also includes in-depth details on more comprehensive risk management topics.
  • Areas of instruction include how to assess and manage risk based on defining an acceptable level of risk for information systems. Elements of a business impact analysis (BIA), business continuity plan (BCP), disaster recovery plan (DRP) and computer incident response team (CIRT) plan are also discussed.

Learning Outcomes

  • LO1: Understand the fundamental concepts of risk management and its importance.
  • LO2: Understand methods of mitigating risk by managing threats, vulnerabilities, and exploits.
  • LO3: Identify compliance laws, standards, best practices, and policies of risk management.
  • LO4: Describe the components of an effective risk management plan.
  • LO5: Describe approaches for identifying and analyzing relevant threats, vulnerabilities, and exploits.
  • LO6: Describe the process of performing risk assessments.
  • LO7: Identify assets and activities to be protected within an organization.
  • LO8: Identify and analyze threats, vulnerabilities, and exploits.
  • LO9: Identify and analyze risk mitigation security controls.
  • LO10: Describe the process of planning risk mitigation throughout an organization.
  • LO11: Describe the process of implementing a risk mitigation plan.
  • LO12: Perform a business impact analysis.
  • LO13: Review a business continuity plan (BCP) based on the findings of a given risk assessment for an organization.
  • LO14: Review a disaster recovery plan (DRP) based on the findings of a given risk assessment for an organization.
  • LO15: Review a computer incident response team (CIRT) plan for an organization.

Assessment Scheme

  • Ongoing assessment:
    • 01 Midterm Test: 20%
    • Participation in Discussions: 10%
    • 10 Labs: 30%
  • Final examination: 40%
  • Completion criteria: every ongoing assessment component > 0, Average Lab Score >= 4, Final Exam Score >= 4, and Final Result >= 5

Course schedule

  • Lecture 1. Risk Management Fundamentals
    • 1.1 The Major Components of Risk to an IT Infrastructure
    • 1.2 Risk Management and Its Importance to the Organization
    • 1.3 Risk Identification Techniques
    • 1.4 Risk Management Techniques
  • Lab 1: How to Identify Threats and Vulnerabilities in an IT Infrastructure
  • Lecture 2. Managing Risk: Threats, Vulnerabilities, and Exploits
    • 2.1 Understanding and Managing Threats
    • 2.2 Understanding and Managing Vulnerabilities
    • 2.3 Understanding and Managing Exploits
    • Recommended Reading: U.S. Federal Government Risk Management Initiatives and U.S. Compliance Laws
  • Lecture 3. Maintaining Compliance
    • 3.1 Regulations Related to Compliance
    • 3.2 Organizational Policies for Compliance
    • 3.3 Standards and Guidelines for Compliance
  • Lab 2: Align Risks, Threats and Vulnerabilities to COBIT PO9 Risk Management Controls
  • Lecture 4. Developing a Risk Management Plan
    • 4.1 Objectives and Scope of a Risk Management Plan
    • 4.2 Assigning Responsibilities, Procedures and Schedules for Accomplishment
    • 4.3 Reporting Requirements, Plan of Action and Milestones
    • 4.4 Charting the Progress of a Risk Management Plan
  • Lab 3: Define the Scope and Structure for an IT Risk Management Plan
  • Lecture 5. Defining Risk Assessment Approaches
    • 5.1 Understanding Critical Components of a Risk Assessment
    • 5.2 Types of Risk Assessments and Challenges
    • 5.3 Best Practices for Risk Assessment
  • Lecture 6. Performing a Risk Assessment
    • 6.1 Selecting a Risk Assessment Methodology
    • 6.2 Identifying the Management Structure, Assets and Activities Within Risk Assessment Boundaries
    • 6.3 Identifying and Evaluating Relevant Threats, Vulnerabilities and Countermeasures
    • 6.4 Selecting a Methodology Based on Assessment Needs
    • 6.5 Developing Mitigating Recommendations and Presenting Risk Assessment Results
    • 6.6 Best Practices for Performing Risk Assessments
  • Lab 4: Perform a Qualitative Risk Assessment for an IT Infrastructure
  • Lecture 7. Identifying Assets and Activities to Be Protected
    • 7.1 System Access and Availability
    • 7.2 System Functions: Manual and Automated
    • 7.3 Hardware, Software and Personnel Assets
    • 7.4 Data and Information Assets
    • 7.5 Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
    • 7.6 Identifying Facilities and Supplies Needed to Maintain Business Operations
  • Lecture 8. Identifying and Analyzing Threats, Vulnerabilities, and Exploits
    • 8.1 Threat Assessments
    • 8.2 Vulnerability Assessments
    • 8.3 Exploit Assessments
  • Lab 5: How to Identify Risks, Threats and Vulnerabilities in an IT Infrastructure Using Zenmap GUI (Nmap) and Nessus Reports
  • Review for Midterm & Midterm Test
  • Lecture 9. Identifying and Analyzing Risk Mitigation Security Controls
    • 9.1 In-Place Controls, Planned Controls and Control Categories
    • 9.2 Procedural Control Examples
    • 9.3 Technical Control Examples
    • 9.4 Physical Control Examples
    • 9.5 Best Practices for Risk Mitigation Security Controls
  • Lecture 10. Planning Risk Mitigation Throughout Your Organization
    • 10.1 The Scope of Risk Management for Your Organization
    • 10.2 Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization
    • 10.3 Translating Legal and Compliance Implications
    • 10.4 Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
    • 10.5 Assessing How Security Countermeasures and Safeguards Can Assist with Risk Mitigation
    • 10.6 Understanding the Operational Implications of Legal and Compliance Requirements
    • 10.7 Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
    • 10.8 Performing a Cost-Benefit Analysis
    • 10.9 Best Practices for Planning Risk Mitigation Throughout Your Organization
  • Lab 6: Develop a Risk Mitigation Plan Outline for an IT Infrastructure
  • Lecture 11. Turning Your Risk Assessment into a Risk Mitigation Plan
    • 11.1 Translating Your Risk Assessment into a Risk Mitigation Plan
    • 11.2 Prioritizing and Verifying Risk Elements and How These Risks Can Be Mitigated
    • 11.3 Performing a CBA on the Identified Risk Elements
    • 11.4 Implementing and Following Up on the Risk Mitigation Plan
    • 11.5 Best Practices for Enabling a Risk Mitigation Plan from Your Risk Assessment
  • Lecture 12. Mitigating Risk with a Business Impact Analysis
    • 12.1 The Scope and Objectives of a BIA
    • 12.2 The Steps of a BIA Process
    • 12.3 Identifying Mission-Critical Business Functions and Processes
    • 12.4 Mapping Business Functions and Processes to IT Systems
    • 12.5 Best Practices for Performing a BIA for Your Organization
  • Lab 7: Perform a BIA for a Mock IT Infrastructure
  • Lecture 13. Mitigating Risk with a Business Continuity Plan
    • 13.1 Elements of a BCP
    • 13.2 How Does a BCP Mitigate an Organization’s Risk?
    • 13.3 Best Practices for Implementing a BCP for Your Organization
  • Lab 8: Develop an Outline for a BCP for an IT Infrastructure
  • Lecture 14. Mitigating Risk with a Disaster Recovery Plan
    • 14.1 Critical Success Factors of a DRP
    • 14.2 Elements of a DRP
    • 14.3 How Does a DRP Mitigate an Organization’s Risk?
    • 14.4 Best Practices for Implementing a DRP for Your Organization
  • Lab 9: Develop Disaster Recovery Back-up Procedures and Recovery Instructions
  • Lecture 15. Mitigating Risk with a Computer Incident Response Team Plan
    • 15.1 Purpose and Elements of a CIRT Plan
    • 15.2 How Does a CIRT Plan Mitigate an Organization’s Risk?
    • 15.3 Best Practices for Implementing a CIRT Plan for Your Organization
  • Lab 10: Create a CIRT Response Plan for a Typical IT Infrastructure
  • Course Review

Teaching and Learning Materials

  • Darril Gibson, Managing Risk in Information Systems, 2nd Edition, Jones & Bartlett Learning, 2015.
  • Seymour Bosworth, M.E. Kabay, Eric Whyne (eds.), Computer Security Handbook, 6th Edition, 2 Volumes, Parts II, VII, John Wiley & Sons, 2014.
  • W. Krag Brotby, Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement, CRC Press, 2009.
  • Jack Freund, Jack Jones, Measuring and Managing Information Risk: A FAIR Approach, Butterworth-Heinemann, Elsevier, 2015.
  • Leighton R. Johnson, Security Controls Evaluation, Testing, and Assessment Handbook, Syngress, 2016.
  • Thomas R. Peltier, Information Security Risk Analysis, 3rd Edition, CRC Press, 2010.
  • Lecture slides, Lab manual, supplementary material
  • Tools: Internet, Student VM workstation with Microsoft Office 2007 or higher, Zenmap, Nessus