Certified Information Systems Risk and Compliance Professional (CISRCP)™

Second Certified Course:

Course Title

Certified Information Systems Risk and Compliance Professional (CISRCP)™ Prep Course

5 days

Objectives:

This course has been designed to provide IT and Information Security professionals with the knowledge and skills needed to understand and support regulatory compliance and enterprise-wide risk management, and to promote best practices and international standards that align with business and regulatory requirements. The course provides the skills needed to pass the Certified Information Systems Risk and Compliance Professional (CISRCP) exam.

Target Audience:

This course is intended for IT and Information Security professionals who want to understand risk and compliance and to work as risk and compliance officers, or IT managers and directors (who need to understand compliance and business risk management). They will prove that they are qualified when they pass the Certified Information Systems Risk and Compliance Professional (CISRCP) exam.

This course is intended for employers demanding qualified IT and Information Security risk and compliance professionals.

This course is recommended for senior executives with IT and Information Security background involved in risk and compliance.

About the Course

PART A: COMPLIANCE WITH LAWS AND REGULATIONS, AND RISK MANAGEMENT

Introduction

Regulatory Compliance and Risk Management.

Definitions, roles and responsibilities
The role of the board of directors, the supervisors, the internal and external auditors
The new international landscape and the interaction among laws, regulations, and professional standards
The difference between a best practice and a regulatory obligation
Benefits of an enterprise wide compliance program
Compliance culture: Why it is important, and how to communicate the regulatory obligations

Policies, Workplace Ethics, Risk and Compliance Policies, procedures and the ethical code of conduct

Privacy and information security
Handling confidential information
Conflicts of interest
Use of organizational property
Fair dealings with customers, vendors and competitors
Reporting ethical concerns

Governance, Risk and Compliance

The definition of Governance, Risk and Compliance
The need for Internal Controls
Understand how to identify, mitigate and control risks effectively
Approaches to risk assessment
Qualitative, quantitative
Integrating risk management into corporate governance and compliance

IT, Information Security, business risk and compliance

PART B: THE FRAMEWORKS

Internal Controls - COSO

The Internal Control — Integrated Framework by the COSO committee
Using the COSO framework effectively
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable laws and regulations
IT Controls
IT Controls and Sarbanes Oxley Act Relevance
Program Development and Program Change
Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls
Layers of overlapping controls

COSO Enterprise Risk Management (ERM) Framework

Is COSO ERM needed for compliance?
COSO AND COSO ERM
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
The two cubes
Objectives: Strategic, Operations, Reporting, Compliance
ERM – Application Techniques
Core team preparedness
Implementation plan
Likelihood Risk Ranking
Impact Risk Ranking

COBIT - the framework that focuses on IT

Is COBIT needed for compliance?
COSO or COBIT?
Corporate governance or financial reporting?
Executive Summary
Management Guidelines
The Framework
The 34 high-level control objectives
What to do with the 318 specific control objectives
COBIT Cube
Maturity Models
Critical Success Factors (CSFs)
Key Goal Indicators (KGIs)
Key Performance Indicators (KPIs)
How to use COBIT for Sarbanes Oxley compliance

The alignment of frameworks

COSO and COBIT
COSO ERM and COBIT
ITIL and COBIT
ISO/IEC 17799:2000 and COBIT
ISO/IEC 15408 and COBIT

Software and Spreadsheets

Is software necessary for risk and compliance?
Is software needed?
When and why
How large is your organization?
Is it geographically dispersed?
How many processes will you document?
Are there enough persons for that?
Selection process
Spreadsheets
It is just a spreadsheet…
Certain spreadsheets must be considered applications

Development Lifecycle Controls

Access Control (Create, Read, Update, Delete)
Integrity Controls
Change Control
Version Control
Documentation Controls
Continuity Controls
Segregation of Duties Controls
Spreadsheets – Errors
Spreadsheets and material weaknesses
Third-party service providers and vendors
Redefining outsourcing
Key risks of outsourcing
What is needed from vendors and service providers

SAS 70

Type I, II reports
Advantages of SAS 70 Type II
Disadvantages of SAS 70 Type II

PART C: SARBANES OXLEY

The Sarbanes Oxley Act
The Need
US federal legislation: Financial reporting or corporate governance?
The Sarbanes-Oxley Act of 2002: Key Sections
SEC, EDGAR, PCAOB, SAG
The Act and its interpretation by SEC and PCAOB
PCAOB Auditing Standards: What we need to know

Management's Testing

Management's Documentation

Reports used to Validate SOX Compliant IT Infrastructure
Documentation Issues

Sections 302, 404, 906: The three certifications

Sections 302, 404, 906: Examples and case studies
Management's Responsibilities
Committees and Teams
Project Team – Section 404: Reports to Steering Committee
Steering Committee – Section 404: Reports to Certifying Officers and cooperates with Disclosure Committee
Disclosure Committee: Reports to Certifying Officers and cooperates with Audit Committee
Certifying Officers and Audit Committee: Report to the Board of Directors

Control Deficiency

Deficiency in Design

Deficiency in Operation

Significant Deficiency

Material Weakness

Is it a Deficiency, or a Material Weakness?
Reporting Weaknesses and Deficiencies
Examples
Case Studies
Public Disclosure Requirements
Real Time Disclosures on a rapid and current basis?
Whistleblower protection
Rulemaking process
Companies Affected
International companies
Foreign Private Issuers (FPIs)
American Depository Receipts (ADRs)
Employees Affected
Effective Dates
IT and Information Security Control Objectives and Control Framework

PART D: BASEL II

The New Basel Capital Accord (Basel II)
Realigning the regulation with the economic realities of the global banking markets
New capital adequacy framework replaces the 1988 Accord
Improving risk and asset management to avoid financial disasters
"Sufficient assets" to offset risks
The technical challenges for both banks and supervisors
How much capital is necessary to serve as a sufficient buffer?
The three-pillar regulatory structure
Purposes of Basel II

Pillar 1: Minimum capital requirements

Credit Risk – 3 approaches
The standardized approach to credit risk
Claims on sovereigns
Claims on banks
Claims on corporates
The two internal ratings-based (IRB) approaches to credit risk
Some definitions: PD - The probability of default, LGD - The loss given default, EAD - Exposure at default, M – Maturity
5 classes of assets

The IT requirements

Pillar 2: Supervisory review

Key principles
Aspects and issues of the supervisory review process
Pillar 3: Market discipline
Disclosure requirements
Qualitative and Quantitative disclosures
Guiding principles
Employees Affected
Effective Dates

The IT requirements

Operational Risk

What is operational risk
Legal risk
Information Technology operational risk
Operational, operations and operating risk
The evolving importance of operational risk
Quantification of operational risk
Loss categories and business lines
Operational risk measurement methodologies
Identification of operational risk

Operational Risk Approaches

Basic Indicator Approach (BIA)
Standardized Approach (SA)
Alternative Standardized Approach (ASA)
Advanced Measurement Approaches (AMA)
Internal Measurement Approach (IMA)
Loss Distribution (LD)
Standard Normal Distribution
“Fat Tails” in the normal distribution
Expected loss (EL), Unexpected Loss (UL)
Value-at-Risk (VaR)
Calculating Value-at-Risk
Stress Testing
Stress testing and Basel

The IT requirements

(AMA) Advantages / Disadvantages
Operational Risk Measurement Issues
The game theory
The prisoner’s dilemma – and the connection with operational risk measurement and management

Operational risk management

Operational Risk Management Office
Key functions of Operational Risk Management Office
Key functions of Operational Risk Managers
Key functions of Department Heads
Internal and external audit
Operational risk sound practices
Operational risk mitigation
Insurance to mitigate operational risk
IT and Information Security in the Basel II framework and projects

Basel II and other regulations

Capital Requirements Directive (CRD)
Markets in Financial Instruments Directive (MiFID)
What will be the impact of MiFID to EU and non EU banks?
Aligning Basel II operational risk and Sarbanes-Oxley 404 projects
Common elements and differences of compliance projects
New standards
Disclosure issues
Multinational companies and compliance challenges

PART E: DESIGNING AND IMPLEMENTING A RISK AND COMPLIANCE PROGRAM

Designing and Implementing an enterprise-wide Risk and Compliance Program
Designing an Internal Compliance System
Compliance programs that withstand scrutiny
How to optimize organizational structure for compliance

Documentation

Testing

Training
Ongoing compliance reviews and risk assessments for continuing compliance with laws and regulations

Compliance Monitoring

The company and other stakeholders
Managing the regulators and change in regulations
International and national regulatory requirements

Regulatory compliance in Europe.

Regulatory compliance in the USA. What is different

The GCC countries

The Caribbean

The Pacific Rim

Common elements and differences of compliance projects

New standards
Disclosure issues
Multinational companies and compliance challenges

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License