Introduction to Risk Management
Risk management concepts Senior management and risk Enterprise Risk Management (ERM) Benefits of risk management Data Centre Risk and Impact
Risk in facility, power, cooling, fire suppression, infrastructure and IT services Impact of data centre downtime Main causes of downtime Cost factors in downtime Standards, Guidelines and Methodologies
ISO/IEC 27001:2013, ISO/IEC 27005:2011, ISO/IEC 27002:2013 NIST SP 800-30 ISO/IEC 31000:2009 SS507:2008 ANSI/TIA-942 Other methodologies (CRAMM, EBIOS, OCTAVE, etc.) Risk Management Definitions
Asset Availability/Confidentiality/Integrity Control Information processing facility Information security Policy Risk Risk analysis/Risk assessment/Risk evaluation/ Risk treatment Threat/Vulnerability Types of risk Risk Assessment Software
The need for software Automation Considerations Risk Management Process
The risk management process Establishing the context Identification Analysis Evaluation Treatment Communication and consultation Monitoring and review Project Approach
Project management principles Project management methods Scope Time Cost Cost estimate methods Context Establishment
General considerations Risk evaluation, impact and acceptance criteria Severity rating of impact Occurrence rating of probability Scope and boundaries Scope constraints Roles & responsibilities Training, awareness and competence Risk Assessment - Identification
The risk assessment process Identification of assets Identification of threats Identification of existing controls Identification of vulnerabilities Identification of consequences Hands-on exercise: Identification of assets, threats, existing controls, vulnerabilities and consequences Risk Assessment - Analysis and Evaluation
Risk estimation Risk estimation methodologies Assessment of consequences Assessment of incident likelihood Level of risk estimation Risk evaluation Hands-on exercise: Assessment of consequences, probability and estimating level of risk Risk Treatment
The risk treatment process steps Risk Treatment Plan (RTP) Risk modification Risk retention Risk avoidance Risk sharing Constraints in risk modification Control categories Control examples Cost-benefit analysis Control implementation Residual risk Communication
Effective communication of risk management activities Benefits and concerns of communication Risk Monitoring and Review
Ongoing monitoring and review Criteria for review Risk scenarios
Risk assessment approach Data centre site selection Data centre facility Cloud computing UPS scenarios Force majeure Organisational shortcomings Human failure Technical failure Deliberate acts
Who should attend
The primary audience for this course is an IT, Facilities or Data Centre Operations professional working in and around the data centre (representing both end-customers and/or service provider/facilitators) and having responsibility to achieve and improve hi-availability and manageability of the Data Centre, such as: Data centre managers, Operations / Floor / Facility managers, IT managers, Information security managers, Security professionals, Auditors / Risk Managers / Professionals responsible for IT/corporate governance.
There is no specific prerequisite for the CDRP® course. However, participants who have at least three years' experience in a data centre and/or IT infrastructures will be best suited. This experience may come from a business or IT background where the participant has knowledge of both environments, and understands the mission of their organisation. Attendance of CDCP® is beneficial but not a requirement.
After completion of the course, the participant will be able to:
Understand the different standards and methodologies for risk management and assessment Establish the required project team for risk management Perform the risk assessment, identifying current threats, vulnerabilities and the potential impact based on customised threat catalogues Report on the current risk level of the data centre both quantitative and qualitative Anticipate and minimise potential financial impacts Understand the options for handling risk Continuously monitor and review the status of risk present in the data centre Reduce the frequency and magnitude of incidents Detect and respond to events when they occur Meet regulatory and compliance requirements Support certification processes such as ISO/IEC 27001 Support overall corporate and IT governance
This 2-day course is designed to expose attendants to the overall risk management process. Focus is on both the data centre infrastructure and the physical data centre facility and equipment; the attendant will learn how to identify and quantify risk in their organization, creating the ability to reduce the risk to a level acceptable for the organization. The course is based on international standards (ISO/IEC27001:2005) and guidelines (ISO/IEC27005:2011, NIST800-30, ISO/IEC31000) and will additionally prepare the candidate being able to take part and assist in corporate certification processes that may apply.