This course includes a study of the existing risk management frameworks, models, processes and tools to provide students with the theory and practical knowledge needed to operationalize risk management in an organization or government agency. Additionally, fundamental concepts in information technology security audit and control processes for an organization are discussed. Students learn to create a control structure and audit an information technology infrastructure.
Upon completion of the course, students are expected to be able to do the following:
- Perform a risk assessment to determine the extent that an organization’s technology assets are exposed to risk.
- Demonstrate the concepts of risk appetite and residual risk as they apply to information assets of an organization.
- Complete a threat assessment that identifies asset vulnerabilities and ranks threats based on likelihood and financial impact.
- Apply the risk control strategies of transfer, mitigation, acceptance, and termination, and explain how a cost-benefit analysis is used to determine which strategy to implement.
- Employ risk assessment and analysis techniques that include risk response and countermeasure selection and implementation.
- Apply risk-based management concepts to the supply chain with an understanding of risks associated with hardware, software, and services.
- Conduct a security control testing plan that involves a vulnerability assessment, penetration testing, log reviews, synthetic transactions, code review, and interface testing.
- Verify controls are applied consistently.
- Define how business alignment, risk appetite, and risk aversion affect the security program implementation.