IT Risk Management and Cybersecurity Frameworks - ITG160


This course focuses on risk identification, conducting risk assessments, determining appropriate risk responses, risk monitoring and risk reporting. Students review common risk assessment types and methodologies, and regulatory requirements.



NASBA Certified CPE

32 Credits


Why you should attend

You should attend because understanding and assessing IT risks has never been more important for the continuity of operations for organizations in all industries and of all sizes.

Who should attend

Information Security and IT Professionals and auditors looking to gain greater knowledge on how to perform an IT Risk Assessment and develop a strong IT Risk Management program.

What you'll learn

You will learn the different types of risk assessments and how to satisfy regulatory requirements regarding IT risk management.


Fundamentals of Information Security-ISG101

Introduction to Risk Management:

  • the risk management process: risk identification; analysis; evaluation; response; monitoring and reporting
  • how the information risk management process fits into the information security/cybersecurity program
  • data retention policy
  • information classification schema
  • data privacy program
  • who are the critical stakeholders/partners in the information risk management process and their roles in a risk management program
  • the changing threats associated with moving from centralized to decentralized information processing and storage

IT Risk Identification and Risk Universe:

  • identifying assets in an information risk analysis
  • dealing with emerging threats
  • determining the value of an asset to an enterprise
  • prioritizing, categorizing, and documenting information risks
  • uncovering information vulnerabilities

Risk Scenario Development:

  • facilitating scenario development exercises
  • determining scenario types: generic, strategy oriented or both
  • determining scenario components

Risk Analysis:

  • the risk analysis cycle and its components
  • management's concerns and perception of the information risk analysis process
  • types of information risk analysis: quantitative vs. qualitative approach
  • software tools for performing the information risk analysis process
  • defining information risk analysis targets and scope
  • statements that create boundaries for the information risk analysis process
  • the information owner's role in the information risk analysis process

Risk Evaluation:

  • defining the risk evaluation process and its components
  • determining and dealing with management's concerns and perception of the information risk analysis results
  • describing the information owner's role in the information risk evaluation process

Business Impact Analysis Overview:

  • describing the business impact analysis (BIA) process
  • using the BIA as the key to a successful data security program
  • determining key stakeholders to be included in the business impact analysis process and the role each one plays
  • overview of plan facilitation
  • administrative information required in the action plan
  • identifying "impact criteria" and their importance to the organization
  • pinpointing key business processes and peak activity periods
  • developing algorithms to calculate business losses
  • making your BIA Exercise multi-purpose
  • creating the prioritized applications list
  • building organizational disaster recovery and business continuity plans using the business impact analysis results

Risk Response:

  • administrative information required in the action plan
  • logging risk and control information
  • creating action items in response to identified controls based on BIA or threat analysis results

Cost Benefit Analysis and Business Case:

  • developing a cost benefit analysis (CBA) and business case as the basis for determining the action plan to be presented to management for approval
  • methods for distributing and protecting the risk assessment results and associated action plan
  • evaluating the controls during the information risk analysis
  • determining the cost of control based on risk
  • categorizing and documenting information controls for a total program
  • purpose and benefits of performing CBA and developing a business case
  • developing a cost benefit analysis
  • developing action plans
  • arriving at an "acceptable level of risk"

Control Development:

  • using the action plan to create assignments, schedules, and approvals
  • importance of project management good practices
  • developing and testing controls
  • importance of involving auditing and business owners in the process

Risk Monitoring and Reporting:

  • tracking action plans: start to finish (risk register development and maintenance)
  • conducting periodic threat analysis exercises after infrastructure changes, after regulatory changes that may impact technology-related controls or policies, and after a security incident or outage
  • developing and monitoring key risk indicators and reacting when thresholds are exceeded

Schedule your course

Use the table below to select the time and location that works best for you.

Timezone: America/Chicago

October 2021

Oct 25th, 2021-Oct 28th, 2021

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: