IS/IT-GRC Classroom Training Formats

2-Day IT Governance Training (8:00 a.m. – 5:00 p.m.)

CITG (Computer/IT Governance) and CITGP (Computer/IT Governance Professional) Training:

Information technology (IT) governance educational programs taught via self-study/classroom

The issues, opportunities and challenges of aligning information technology more closely with an organization, and of effectively governing an organization’s Information Technology (IT) investments, resources, major initiatives and superior uninterrupted service, are becoming a major concern of the Board and executive management in enterprises on a global basis. An integrated and comprehensive approach to the alignment, planning, execution and governance of IT and its resources has become critical to more effectively align, integrate, invest, measure, deploy, service and sustain the strategic and tactical direction and value proposition of IT in support of organizations. Much has been written and documented about the individual components of IT Governance such as strategic planning, demand (portfolio investment) management, program and project management, IT service management and delivery, strategic sourcing and outsourcing, performance management and metrics, like the balanced scorecard, compliance and others. Much less has been said about a comprehensive and integrated IT/Business Alignment, Planning, Execution and Governance approach. This course fills that need in the marketplace and gives you structured and practical solutions using the best principles available today.

The three critical pillars necessary to develop, execute and sustain a robust and effective IT governance environment are:

  • leadership and proactive people and change agents,
  • flexible and scalable processes and 
  • enabling technology.

We also cover these action-oriented elements:

  • demand management and alignment (the why and what of IT strategic planning, portfolio investment management, decision authority, etc.);
  • execution management (includes the how - Program/Project Management, IT Service Management with IT Infrastructure Library (ITIL) and Strategic Sourcing and outsourcing); 
  • performance, risk and contingency management (e.g. includes COBIT, the balanced scorecard and other metrics and controls); and 
  • leadership, teams and people skills.

2-Day IT Risk Management Training (8:00 a.m. – 5:00 p.m.)

Part A: Risk Management for IT

Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk. An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This course provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

In addition, this course provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information. Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this program and tailor them to their environment in managing IT-related mission risks.

The objective of performing risk management is to enable the organization to accomplish its mission(s):

  • by better securing the IT systems that store, process, or transmit organizational information;
  • by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and 
  • by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

Part B: Managing Risk from IT

The complex, many-to-many relationships among mission/business processes and the information systems supporting those processes require a holistic, organization-wide view for managing risk. The role of information security in managing risk from the operation and use of information systems is also critical to the success of an organization in achieving its strategic goals and objectives. Historically, senior leaders have viewed information security as a technical matter that was independent of organizational risk. This narrow view resulted in inadequate consideration of how risk from information systems, like other organizational risks, affects the likelihood of mission and business success. The risk management concepts in this program establish a relationship between aggregated risks from information systems and mission/business success. Establishing this type of relationship will:

  • Encourage senior leaders (including authorizing officials) to recognize the importance of engaging in the management of risk from the operation and use of information systems;
  • Foster an organizational climate where the risk from information systems will automatically be considered within the context of an overarching enterprise architecture and at all phases of the system development life cycle; and
  • Help individuals with information system implementation and operational responsibilities to better understand how the information security issues associated with their systems translate into organizational security concerns.

3-Day IT Compliance Training (8:00 a.m. – 5:00 p.m.)

With a detailed methodology of technically based, professional IT audit skills that lead to compliance, this course provides a comprehensive roadmap, enabling the staff charged with preparing for and/or conducting an IT audit to create a sound framework, allowing them to meet the challenges of compliance in a way that aligns with both business and technical needs. This roadmap provides a way of interpreting complex, often confusing, compliance requirements within the larger scope of an organization's overall needs.

  • The ultimate roadmap for making an effective security policy and controls that enable monitoring and testing against them
  • The most comprehensive IT compliance template available, giving detailed information on testing all your IT security, policy and governance requirements
  • A guide to meeting the minimum standard, whether you are planning to meet ISO 27001, PCI-DSS, HIPAA, FISCAM, COBIT or any other IT compliance or standards requirements
  • Both technical staff responsible for securing and auditing information systems and auditors who wish to demonstrate their technical expertise will gain the knowledge, skills and abilities to apply basic risk analysis techniques and to conduct a technical audit of essential information systems
  • This technically based, practical map to information systems audit and assessment will show how the process can be used to meet myriad compliance issues

5-Day IT Governance, Risk, Compliance Training (8:00 a.m. – 8:00 p.m.)

This course is a combination of the following courses described above:

  • 2-Day IT Governance Training
  • 2-Day IT Risk Management Training
  • 3-Day IT Compliance Training

Following the successful completion of a closed-book exam and two case study write-ups, you will be Certified in IT Governance, Risk, and Compliance (CGRC-IT). If you already have the required IT-GRC related experience, you can apply for the IT Governance, Risk, Compliance Professional credential (CGRCP-IT).

Class materials include six textbooks, two case studies, an exam study guide and a workbook. Please note that you’ll need a notebook computer for the ITC exam. If you do not have one, please let us know when you register.

"More than three-quarters of professionals report that the GRC Group’s training programs improve their job performance."


Digging Deeper: IS/IT-GRC Program Course Content

IT Governance (only offered as classroom training)
NASBA Delivery Method: 14 CPEs available with group-live classroom training
Audience: Professionals and Executives
Program Level: Intermediate
Preparation/Prerequisite: Minimum of 3 Years IT Experience

Overview: The issues, opportunities and challenges of aligning information technology more closely with an organization, and of effectively governing an organization’s Information Technology (IT) investments, resources, major initiatives and superior uninterrupted service, are becoming a major concern of the Board and executive management in enterprises on a global basis. An integrated and comprehensive approach to the alignment, planning, execution and governance of IT and its resources has become critical to more effectively align, integrate, invest, measure, deploy, service and sustain the strategic and tactical direction and value proposition of IT in support of organizations. Much has been written and documented about the individual components of IT Governance such as strategic planning, demand (portfolio investment) management, program and project management, IT service management and delivery, strategic sourcing and outsourcing, performance management and metrics, like the balanced scorecard, compliance and others. Much less has been said about a comprehensive and integrated IT/Business Alignment, Planning, Execution and Governance approach.

Objective: This course fills that need in the marketplace and gives you structured and practical solutions using the best principles available today. The three critical pillars necessary to develop, execute and sustain a robust and effective IT governance environment are:

  • leadership and proactive people and change agents,
  • flexible and scalable processes and
  • enabling technology.

We also cover these action-oriented elements:

  • demand management and alignment (the why and what of IT strategic planning, portfolio investment management, decision authority, etc.);
  • execution management (includes the how - Program/Project Management, IT Service Management with IT Infrastructure Library (ITIL) and Strategic Sourcing and outsourcing);
  • performance, risk and contingency management (e.g. includes COBIT, the balanced scorecard and other metrics and controls); and
  • leadership, teams and people skills.

Agenda:

  • Introduction to IT/business governance

o Defining enterprise governance, business and IT governance
o Purpose and scope of IT governance
o Linking the role of the CEO to creating an effective governance and compliance environment
o Overview of the integrated IT governance framework
o Steps in making IT governance achievable and real

  • Overview of comprehensive IT governance framework and related industry best practice frameworks

o Limitations to existing models, standards and frameworks
o Integrated IT governance framework and roadmap
o Overview of models, frameworks and standards including: COSO, ITIL, PMBOK®, PRINCE2, Six Sigma® and Lean, COBIT®, ISO/IEC 20000, ISO 17799 and many more

  • Business and IT alignment, strategic/operating planning and portfolio investment management excellence

o IT alignment governance process
o Principles of aligning IT to the business more effectively
o Setting a direction for improved alignment through planning related processes
o Strategic IT investment portfolio alternatives
o IT engagement and relationship model and roles

  • Principles for managing successful organizational change and developing high performance teams

o Framework for managing accelerating change
o Organizing for the IT governance initiative
o World class leadership principles and practices
o Principles for creating and sustaining high performance teams

  • Program and project management excellence

o Trends in program and project management
o Causes of program/project failures and challenges and how to overcome them
o Principles for achieving excellence in program/project management
o Making the choice – program and project management light or complex
o Program and project governance excellence

  • IT Service Management (ITSM) excellence

o Principles for achieving IT Service Management excellence
o Introduction to ITIL
o ITIL frameworks, certifications and qualifications
o Major ITIL processes and functions
o Steps in making ITIL real and effective

  • Strategic sourcing, outsourcing and vendor management excellence

o Defining strategic sourcing and outsourcing
o Principles and practices for outsourcing excellence
o Vendor selection, contract negotiations and governance process

  • Performance management, management controls, risk management, business continuity and enabling technology

o Principles for achieving performance management and control excellence
o COBIT® and key management controls
o Risk assessment, management and mitigation
o Business and IT continuity and protection plan checklist
o Enabling technologies to improve IT governance

  • Summary, lessons learned, critical success factors and future challenges

o Migration plan for making IT governance real and sustainable
o Composite checklist for implementing and sustaining successful IT governance
o Lessons learned
o Critical success factors
o Implications for the future and personal action plan


IT Risk Management (offered as self-study or classroom training)
NASBA Delivery Method: 14 CPEs available with group-live classroom training only
Audience: Professionals and Executives
Program Level: Intermediate
Preparation/Prerequisite: Minimum of 3 Years IT Experience

The course consists of the two parts described below:

  • Part A: Risk Management for IT
  • Part B: Managing Risk from IT

Part A: Risk Management for IT

Overview: Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk. An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This course provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

In addition, this course provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information. Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this program and tailor them to their environment in managing IT-related mission risks.

Objective: The objective of performing risk management is to enable the organization to accomplish its mission(s):

  • by better securing the IT systems that store, process, or transmit organizational information;
  • by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and 
  • by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

Agenda:

  • Introduction to Risk Management

o Importance of Risk Management
o Integration into SDLC

  • Risk Assessment

o Step 1: System Characterization
   System-Related Information
   Information-Gathering Techniques
o Threat Identification
   Threat-Source Identification
   Motivation and Threat Actions
o Vulnerability Identification
   Vulnerability Sources
   System Security Testing
   Development of Security Requirements Checklist
o Control Analysis
   Control Methods
   Control Categories
   Control Analysis Technique
o Likelihood Determination
o Impact Analysis
o Risk Determination
   Risk-Level Matrix
   Description of Risk Level
o Control Recommendations
o Results Documentation

  • Risk Mitigation

o Risk Mitigation Options
o Risk Mitigation Strategy
o Approach for Control Implementation
o Control Categories
   Technical Security Controls
   Management Security Controls
   Operational Security Controls
o Cost-Benefit Analysis
o Residual Risk

  • Evaluation and Assessment

o Good Security Practice
o Keys for Success

  • Interview Questions
  • Risk Assessment Reporting

Part B: Managing Risk from IT

Overview: Information technology is widely recognized as the engine that drives many economies, giving industry a competitive advantage in global markets, enabling the government to provide better services to its citizens, and facilitating greater productivity as a nation. Organizations in the public and private sectors depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can be very diverse entities ranging from high-end supercomputers to very specialized systems (e.g. industrial/process control systems, telecommunications systems, and environmental control systems). Information systems are subject to serious threats that can have adverse effects on organizational operations (including missions, functions, image, or reputation), organizational assets, individuals, other organizations, and the government by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information systems include environmental disruptions, human errors, and purposeful attacks. Attacks on information systems today are often well-organized, disciplined, aggressive, well-funded, and in a growing number of documented cases, extremely sophisticated. Successful attacks on public and private sector information systems can result in great harm to the national and economic security interests. Given the significant danger of these attacks, it is imperative that leaders at all levels understand their responsibilities in managing the risks from information systems that support the missions and business functions of organizations.

Risk related to the operation and use of information systems is another component of organizational risk that senior leaders must address as a routine part of their ongoing risk management responsibilities. Organizational risk can include many types of risk (e.g., investment risk, budgetary risk, program management risk, legal liability risk, safety risk, inventory risk, and the risk from information systems). Effective risk management requires recognition that organizations operate in a highly complex and interconnected world using state-of-the-art and legacy information systems—systems that organizations depend upon to accomplish critical missions and to conduct important business. Leaders must recognize that explicit, well-informed management decisions are necessary in order to balance the benefits gained from the use of these information systems with the risk of the same systems being the vehicle through which adversaries cause mission or business failure. Managing risk is not an exact science. It brings together the best collective judgments of the individuals responsible for the strategic planning and day-to-day operations of organizations to provide adequate security and risk mitigation for the information systems supporting the missions and business functions of those organizations.

The complex, many-to-many relationships among mission/business processes and the information systems supporting those processes require a holistic, organization-wide view for managing risk. The role of information security in managing risk from the operation and use of information systems is also critical to the success of an organization in achieving its strategic goals and objectives. Historically, senior leaders have viewed information security as a technical matter that was independent of organizational risk. This narrow view resulted in inadequate consideration of how risk from information systems, like other organizational risks, affects the likelihood of mission and business success.

Objective: The risk management concepts in this program establish a relationship between aggregated risks from information systems and mission/business success. Establishing this type of relationship will:

  • Encourage senior leaders (including authorizing officials) to recognize the importance of engaging in the management of risk from the operation and use of information systems;
  • Foster an organizational climate where the risk from information systems will automatically be considered within the context of an overarching enterprise architecture and at all phases of the system development life cycle; and
  • Help individuals with information system implementation and operational responsibilities to better understand how the information security issues associated with their systems translate into organizational security concerns.

Agenda:

  • Introduction

o Purpose
o Applicability

  • Fundamentals

o Organization-wide Perspective
o Risk-based Protection Strategies
o Trustworthiness of Information Systems
o Establishing Trust Relationships Among Organizations
o Managing Risk from Supply Chains
o Strategic Planning Considerations

  • Process

o Risk Management Framework
o Categorizing Information and Information Systems
o Selecting Security Controls
o Implementing Security Controls
o Assessing Security Controls
o Authorizing Organizational Information Systems
o Monitoring Security State of the Organization

  • Managing Risks within Life Cycle Processes


IT Compliance (offered as self-study or classroom training)
NASBA Delivery Method: 21 CPEs available with group-live classroom training only
Audience: Professionals and Executives
Program Level: Basic and Intermediate
Preparation/Prerequisite: Minimum of 2-3 Years IT Experience

Overview: With a detailed methodology of technically based, professional IT audit skills that lead to compliance, this course provides a comprehensive roadmap, enabling the staff charged with preparing for and/or conducting an IT audit to create a sound framework, allowing them to meet the challenges of compliance in a way that aligns with both business and technical needs. This roadmap provides a way of interpreting complex, often confusing, compliance requirements within the larger scope of an organization's overall needs.

Objective:

  • The ultimate roadmap for making an effective security policy and controls that enable monitoring and testing against them
  • The most comprehensive IT compliance template available, giving detailed information on testing all your IT security, policy and governance requirements
  • A guide to meeting the minimum standard, whether you are planning to meet ISO 27001, PCI-DSS, HIPAA, FISCAM, COBIT or any other IT compliance or standards requirements
  • Both technical staff responsible for securing and auditing information systems and auditors who wish to demonstrate their technical expertise will gain the knowledge, skills and abilities to apply basic risk analysis techniques and to conduct a technical audit of essential information systems
  • This technically based, practical map to information systems audit and assessment will show how the process can be used to meet myriad compliance issues

Agenda:

  • Introduction to IT Compliance
  • Information Security
  • Audits, Assessments, Reviews
  • Penetration Testing, Red Teaming
  • Acceptance Testing
  • Vulnerability Assessments
  • Data Conversion
  • IT General Controls
  • Application Controls
  • Procedures
  • Information System Auditing

o Primary Objective
o Attacks and Levels
o Methods of Attack
o Hostile Code
o Policy, Procedure, Audit

  • IS/IT Audit Programs

o Audit Checklists
o Baselines and Automation
o Assurance
o Testing Security
o Business Continuity Tests
o Disaster Recovery Tests
o Audit Manuals
o Security Management

  • Planning the Audit

o Examine and Evaluate Information
o Communicating Results
o Security Review Methodology
o Statement of Purpose/Scope
o Research and Strategy

  • Information Gathering

o Issuing Requests
o Security Reviews of IT Systems
o System Audit Considerations
o Characterizing Your Company
o Completeness of Documentation
o Information Required
o Network Related Information
o Gathering Passwords
o Access Control Techniques

  • Security Policy

o SMART Policies
o Mission, Vision, Values
o Frameworks and Policies
o Standards and Guidelines
o Processes and Procedures
o Interpreting Policies
o Preventive and Detective Controls
o Policy Areas to be Considered
o Policy Framework – ISO 17799
o Sample Policies and Templates
o Policy Creation
o Policy Conformance
o Incident Handling
o Standards and Compliance
o Internal and External Standards
o HR Issues

  • Security Awareness and Knowledge

o Security Awareness and Training
o Objectives of Awareness Program
o Resource Requirements
o Sample Content

  • Information Systems Legislation

o Civil and Criminal Law
o Legal Requirements
   Electronic Contracting
   Jurisdiction
   Due Care
   Due Diligence
   E-Discovery

  • Operations Security

o Administrative Management
   Fraud Triangle
   Control Categories
o Individual Accountability
o Operational Controls
o Auditing After the Fact

Check our Training Calendar for upcoming IS/IT-GRC training opportunities or register for IS/IT-GRC Training now.

Let Us Come to You!

Call 1-888-WHY-GRCG or email email@grcg.com to discuss in-house training.

For more information on On-Site or In-House Training, click here.

Not Quite Certain? No Problem!

We understand that the best laid plans can change, which is why the GRC Group offers a generous cancellation and refund policy.

  • For classroom training, you can receive a full refund when you cancel up to 14 days prior to the beginning of class.
  • For self-study training, you can receive a full refund for books and other materials, provided the products are returned to the GRC Group within 30 days of receipt.
  • For live online training, you can receive a full refund if you cancel within the first hour of training.
  • For recorded online training, the GRC Group offers a three-day money-back guarantee.