CDRP - Certified Data Centre Risk Professional

Duration
2 days
Delivery
(Online and on-site)
Price
Price on request
The CDRP - Certified Data Centre Risk Professional is a two-day instructor-led course that exposes attendees to the overall risk management process. The focus is on both the data centre infrastructure and the physical data centre facility and equipment; attendees will learn how to identify and quantify risk in their organization, creating the ability to reduce the risk to a level acceptable for the organization. The course is based on international standards (ISO/IEC 27001:2005) and guidelines (ISO/IEC 27005:2011, NIST SP 800-30, ISO/IEC 31000) and will additionally prepare the candidate to take part and assist in corporate certification processes that may apply.

After completion of the course the participant will be able to:

  • Understand the different standards and methodologies for risk management and assessment
  • Establish the required project team for risk management
  • Perform the risk assessment, identifying current threats, vulnerabilities and the potential impact based on customised threat catalogues
  • Report on the current risk level of the data centre both quantitative and qualitative
  • Anticipate and minimise potential financial impacts
  • Understand the options for handling risk
  • Continuously monitor and review the status of risk present in the data centre
  • Reduce the frequency and magnitude of incidents
  • Detect and respond to events when they occur
  • Meet regulatory and compliance requirements
  • Support certification processes such as ISO/IEC 27001
  • Support overall corporate and IT governance

Introduction to Risk Management

  • Risk management concepts
  • Senior management and risk
  • Enterprise Risk Management (ERM)
  • Benefits of risk management

Data Centre Risk and Impact

  • Risk in facility, power, cooling, fire-suppression, infrastructure and IT services
  • Impact of data centre downtime
  • Main causes of downtime
  • Cost factors in downtime

Standards, Guidelines and Methodologies

  • ISO/IEC 27001:2013, ISO/IEC 27005:2011, ISO/IEC 27002:2013
  • NIST SP 800-30
  • ISO/IEC 31000:2009
  • SS507:2008
  • ANSI/TIA-942
  • Other methodologies (CRAMM, EBIOS, OCTAVE, etc.)

Risk Management Definitions

  • Asset
  • Availability/Confidentiality/Integrity
  • Control
  • Information processing facility
  • Information security
  • Policy
  • Risk
  • Risk analysis/Risk assessment/Risk evaluation/Risk treatment
  • Threat/Vulnerability
  • Types of risk

Risk Assessment Software

  • The need for software
  • Automation
  • Considerations

Risk Management Process

  • The risk management process
  • Establishing the context
  • Identification
  • Analysis
  • Evaluation
  • Treatment
  • Communication and consultation
  • Monitoring and review

Project Approach

  • Project management principles
  • Project management methods
  • Scope
  • Time
  • Cost
  • Cost estimate methods

Context Establishment

  • General considerations
  • Risk evaluation, impact and acceptance criteria
  • Severity rating of impact
  • Occurrence rating of probability
  • Scope and boundaries
  • Scope constraints
  • Roles & responsibilities
  • Training, awareness and competence

Risk Assessment - Identification

  • The risk assessment process
  • Identification of assets
  • Identification of threats
  • Identification of existing controls
  • Identification of vulnerabilities
  • Identification of consequences
  • Hands-on exercise: Identification of assets, threats, existing controls, vulnerabilities and consequences

Risk Assessment - Analysis and Evaluation

  • Risk estimation
  • Risk estimation methodologies
  • Assessment of consequences
  • Assessment of the incident likelihood
  • Level of risk estimation
  • Risk evaluation
  • Hands-on exercise: Assessment of consequences, probability and estimating the level of risk

Risk Treatment

  • The risk treatment process steps
  • Risk Treatment Plan (RTP)
  • Risk modification
  • Risk retention
  • Risk avoidance
  • Risk sharing
  • Constraints in risk modification
  • Control categories
  • Control examples
  • Cost-benefit analysis
  • Control implementation
  • Residual risk

Communication

  • Effective communication of risk management activities
  • Benefits and concerns of communication

Risk Monitoring and Review

  • Ongoing monitoring and review
  • Criteria for review

Risk scenarios

  • Risk assessment approach
  • Data centre site selection
  • Data centre facility
  • Cloud computing
  • UPS scenarios
  • Force majeure
  • Organisational shortcomings
  • Human failure
  • Technical failure
  • Deliberate acts

Exam

The primary audience for this course is an IT, Facilities or Data Centre Operations professional working in and around the data centre (representing both end-customers and/or service provider/facilitators) and having the responsibility to achieve and improve high availability and manageability of the data centre, such as:

  • Data centre managers
  • Operations/Floor/Facility managers
  • IT managers
  • Information security managers
  • Security professionals
  • Auditors
  • Risk Managers
  • Professionals who are responsible for IT/corporate governance

There is no specific prerequisite for the CDRP course. However, participants who have at least three years’ experience in a data centre and/or IT infrastructures will be best suited. This experience may come from a business or IT background where the participant has knowledge of both environments and understands the mission of their organisation. Attendance of CDCP is beneficial but not a requirement.

