Information Security Risk Management and Business Continuity Planning

• HPE Security Essentials (HL945S) or equivalent knowledge

Module 1: Mapping risk management and continuity planning to your business

• Describe risk management

• Discuss the relationship between security, business continuity management and risk management

• Define risk terms

• Describe the risk equation

• Define the key words relating to BCP/DRP

• Position resiliency in your management strategy

• Describe the types of response strategies

• Describe the role of governance in managing risk and compliance

Module 2: Making the case for risk management and business continuity planning

• Discuss the importance of risk management and the need for BCP/DRP in any environment

• List business considerations and drivers for risk management and business continuity planning

• Determine which drivers apply to your environment

Module 3: Managing risk as a process

• Describe the purpose of frameworks, reference models, standards

• List possible risk management models or frameworks as your guide

• Compare BCP/DRP frameworks for your environment

• Describe the lifecycle of risk management

• Distinguish between risk assessment, risk analysis, and business impact analysis

• Promote the ongoing need for training and plan updates

• Define the activities involved in managing risk

• List responsibilities and potential members for a risk management team

• Define the activities involved in developing and maintaining a BCP/DRP

• List responsibilities and potential members for a BCP team

• Describe elements of a proposal for board approval

• Identify stakeholders and their concerns

Module 4: Analyzing business impact: where to focus

• List detailed steps to conduct a business impact analysis project

• Describe steps to conduct interviews to gather data

• Describe how to increase success with BIA interviewing

• Define analytical terms for business impact and recovery requirements

• Explain the process to calculate and document recovery requirements for your critical business functions

Module 5: Assessing risk: what threats and vulnerabilities exist

• List the requirements of a risk assessment team

• Describe how to select assessment targets based on BIA

• Outline the steps in a risk assessment project

• Define the scope of an assessment

• Identify what goes into a plan for examination activities (interviews and vulnerability scanning)

• Compare data gathering methods

• Compare risk assessment methods and tools

• List expectations for documenting assessment results

• List steps to mitigate risks of being a risk assessor

Module 6: Analyzing risks: how much it's worth

• Compare quantitative and qualitative risk analysis

• Describe methods to calculate quantitative risk

• Define probability classes

Module 7: Documenting risk treatment plans: how to protect assets

• Define risk management strategies

• Describe how to select risk treatment plans (physical, technical, social) appropriate to analysis results

• Describe the importance of documenting a policy to review risk management needs

Module 8: Planning for resiliency: how to continue your business

• List the sections of a Business Continuity Plan document

• Describe the BCP’s underlying plans

• List other BC-related plans and their contents

• Position the Disaster Recovery Plan with respect to the BCP

• List key elements for a Disaster Recovery plan

• Compare Disaster Recovery strategies for your company

• Compare levels of redundancy and retention

• Identify roles and responsibilities for recovery teams

• Optimize distribution and utility of documents

Module 9: Implement risk treatment plan

• Integrate the project requirements across risk, BCP, and DRP plans

• Follow project management best practices to implement plans for risk treatment across the organization

• Describe the steps to take during a security incident

• List the elements of a security incident report

• Identify what constitutes an incident

• Describe the process to collect evidence related to an incident

Module 10: Failing back

• Discuss what happens when you’re ready to go back

• Evaluate the opportunity to upgrade business effectiveness and/or resiliency

• Describe the steps

Module 11: Auditing risk management implementation and testing BCP procedures

• Differentiate between an audit and an assessment

• Define the characteristics of an audit

• Describe when an audit may be applicable

• Predict evidence requested during an audit process

• Compare risk management audit, compliance audit, and BCP testing

• Describe the levels of testing for BCP/DRP plans

Module 12: Summary and case study

• Test your knowledge

• Given sufficient detail, design an appropriate risk strategy

Module 13: Business continuity planning—Next steps

• Ask the right questions to determine where your company currently stands

• Champion the need for Business Continuity Planning with your management

• Determine how much help you need and get it