(Watch at home = 0%, watch at the centre = 100%)
100% watch-at-centre dates and times:
Free choice; click a location below to view its office hours and address
Course duration: 18 hours
Access period: 6 weeks. You control the pace, faster or slower.
Recorded class instructor: Franco
Free trial viewing at the centre: first 1 hour; please call one of the locations above to book with our staff.
This course includes free re-viewing at the centre and instructor Q&A support.
(Watch at home = 33%, watch at the centre = 67%)
33% watch-at-home dates and times:
Watch 24 hours a day, every day, an unlimited number of times
67% watch-at-centre dates and times:
Free choice within the centre's office hours; click a location below to view its office hours and address
Mong Kok: $2,980, Tel: 2332-6544
Kwun Tong: $2,980, Tel: 3563-8425
North Point: $2,980, Tel: 3580-1893
Sha Tin: $2,980, Tel: 2151-9360
Tuen Mun: $2,980, Tel: 3523-1560
Course duration: 18 hours
Home and centre viewing: the first 6 hours are watched at home, the final 12 hours at the centre.
Access period: 6 weeks. You control the pace, faster or slower.
Recorded class instructor: Franco
Free trial viewing at the centre: first 1 hour; please call one of the locations above to book with our staff.
This course includes free re-viewing at the centre and instructor Q&A support.
ISACA® was founded in 1969 and has for many years been active in systems assurance and security, enterprise IT governance and information risk, earning a strong reputation.
ISACA® has more than 86,000 members across over 160 countries. Its globally recognised Certified in Risk and Information Systems Control (CRISC) credential is a must-have certificate for managers. Holding CRISC signifies that the professional can establish a well-defined and agile risk management programme and effectively identify, analyse, evaluate, prioritise and respond to risk.
This centre's CRISC certification course was prepared over a long period and carefully structured by Franco Tsang. From lessons, revision, practice, exam study and practice questions through to the final exam, everything is tailored and systematically arranged for you, with the aim of genuinely teaching you the material and getting you through the exam.
Course name: CRISC Certification Course (short name: CRISC Training Course)
Course hours: 18 hours in total (6 sessions)
Suitable for: those with 3 or more years of work experience in IT risk management and information systems control
Language of instruction: mainly Cantonese, supplemented with English
Course notes: written by the centre's own instructor, mainly in English, with Chinese equivalents given for some English terms.
1. Taught personally by Franco Tsang (CCIE #19772): This course is taught personally by Franco Tsang, who holds CISA, CISM, CRISC, CDPSE, CISSP, ITILv3 Expert, ITIL 4 Managing Professional, ITIL 4 Strategic Leader, PMP and other professional certifications.
2. Notes written personally by Franco Tsang: Franco writes the notes himself, so you need not grind through dictionary-thick textbooks that do not suit the Hong Kong style of study.
3. Mock exam questions provided: The centre provides students with ample mock exam questions, each with a standard answer. Harder questions come with Franco's explanation.
4. Explained simply: Franco explains the relevant concepts in class in an accessible way so that students grasp the abstract ideas.
5. Free re-attendance: Traditional classroom students may re-watch the class recordings free of charge within three months after the course ends.
This centre is a PSI-designated CRISC exam test centre, and the instructor will explain the exam procedure in class. The exam fees are as follows:
After passing the exam, students need to
After completing the above, you become a CRISC.
Course name: CRISC Certification Course (short name: CRISC Training Course)
DOMAIN 1: Governance
- Organizational Governance
- Organizational Strategy, Goals, and Objectives
- Organizational Structure, Roles, and Responsibilities
- Organizational Culture
- Policies and Standards
- Business Processes
- Organizational Assets
- Risk Governance
- Enterprise Risk Management and Risk Management Framework
- Three Lines of Defense
- Risk Profile
- Risk Appetite and Risk Tolerance
- Legal, Regulatory, and Contractual Requirements
- Professional Ethics of Risk Management
DOMAIN 2: IT Risk Assessment
- IT Risk Identification
- Risk Events (e.g., contributing conditions, loss result)
- Threat Modelling and Threat Landscape
- Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
- Risk Scenario Development
- IT Risk Analysis and Evaluation
- Risk Assessment Concepts, Standards, and Frameworks
- Risk Register
- Risk Analysis Methodologies
- Business Impact Analysis
- Inherent and Residual Risk
DOMAIN 3: Risk Response and Reporting
- Risk Response
- Risk Treatment / Risk Response Options
- Risk and Control Ownership
- Third-Party Risk Management
- Issue, Finding, and Exception Management
- Management of Emerging Risk
- Control Design and Implementation
- Control Types, Standards, and Frameworks
- Control Design, Selection, and Analysis
- Control Implementation
- Control Testing and Effectiveness Evaluation
- Risk Monitoring and Reporting
- Risk Treatment Plans
- Data Collection, Aggregation, Analysis, and Validation
- Risk and Control Monitoring Techniques
- Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
- Key Performance Indicators
- Key Risk Indicators (KRIs)
- Key Control Indicators (KCIs)
DOMAIN 4: Information Technology and Security
- Information Technology Principles
- Enterprise Architecture
- IT Operations Management (e.g., change management, IT assets, problems, incidents)
- Project Management
- Disaster Recovery Management (DRM)
- Data Lifecycle Management
- System Development Life Cycle (SDLC)
- Emerging Technologies
- Information Security Principles
- Information Security Concepts, Frameworks, and Standards
- Information Security Awareness Training
- Business Continuity Management
- Data Privacy and Data Protection Principles
The course content above may change at any time without notice in order to better reflect the content of the examination.
1 Governance
1.1 Organizational Governance
1.1.1 Organizational Strategy, Goals, and Objectives
1.1.1.1 The Context of IT Risk Management
1.1.1.2 Key Concepts of Risk
1.1.1.3 Importance and Value of IT Risk Management
1.1.1.4 The IT Risk Strategy of the Business
1.1.1.5 Alignment With Business Goals and Objectives
1.1.2 Organizational Structure, Roles, and Responsibilities
1.1.2.1 RACI (Responsible, Accountable, Consulted, Informed)
1.1.2.2 Key Roles
1.1.3 Organizational Culture
1.1.3.1 Organizational Culture and Behavior and the Impact on Risk Management
1.1.3.2 Risk culture
1.1.3.3 Risk-driven Business Approach
1.1.3.4 The Value of Risk Communication
1.1.4 Policies and Standards
1.1.4.1 Policies
1.1.4.2 Standards
1.1.4.3 Procedures
1.1.4.4 Exception Management
1.1.4.5 Risk Management Standards and Frameworks
1.1.5 Business Processes / Business Processes Review
1.1.5.1 Risk Management Principles, Processes and Controls
1.1.5.1.1 Principles
1.1.5.1.2 Processes and Controls
1.1.5.2 IT Risk in Relation to Other Business Functions
1.1.6 Organizational Assets
1.2 Risk Governance
1.2.1 Enterprise Risk Management and Risk Management Framework
1.2.1.1 IT Risk Management Good Practices
1.2.1.2 Establishing an Enterprise Approach to Risk Management
1.2.2 Three Lines of Defense
1.2.2.1 The First Line of Defense
1.2.2.2 The Second Line of Defense
1.2.2.3 The Third Line of Defense
1.2.2.4 The Role of the Risk Practitioner within the Three Lines of Defense
1.2.3 Risk Profile
1.2.4 Risk Appetite and Risk Tolerance
1.2.5 Legal, Regulatory, and Contractual Requirements
1.2.6 Professional Ethics of Risk Management
1.2.6.1 ISACA Code of Professional Ethics
2 IT Risk Assessment
2.1 IT Risk Identification
2.1.1 Risk Events (e.g., contributing conditions, loss result)
2.1.1.1 Risk Factors
2.1.1.2 Methods of Risk Identification
2.1.1.3 Changes in the Risk Environment
2.1.2 Threat Modelling and Threat Landscape
2.1.2.1 Internal Threats
2.1.2.2 External Threats
2.1.2.3 Emerging Threats
2.1.2.4 Additional Sources for Threat Information
2.1.2.5 Threat, Misuse and Abuse-Case Modeling
2.1.2.5.1 Threat modeling
2.1.3 Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
2.1.3.1 Sources of Vulnerabilities
2.1.3.2 Gap Analysis
2.1.3.3 Vulnerability Assessment and Penetration Testing
2.1.3.3.1 Vulnerability Assessment
2.1.3.3.2 Penetration Testing
2.1.3.4 Root Cause Analysis
2.1.4 Risk Scenario Development
2.1.4.1 Risk Scenario Development Tools and Techniques
2.1.4.1.1 Top-down Approach scenario development
2.1.4.1.2 Bottom-up Approach scenario development
2.1.4.2 Benefits of Using Risk Scenarios / Why Using Risk Scenarios
2.1.4.3 Developing IT Risk Scenarios
2.1.4.4 Analyzing Risk Scenarios
2.1.4.4.1 Factor Analysis of Information Risk (FAIR)
2.1.4.4.2 Holistic Approach to Risk Management (HARM)
2.2 IT Risk Analysis and Evaluation and Assessment
2.2.1 Risk Assessment Concepts, Standards, and Frameworks
2.2.1.1.1 Risk Ranking
2.2.1.1.2 Risk Maps
2.2.1.2 Risk Ownership and Accountability
2.2.1.3 Documenting Risk Assessments
2.2.1.4 Addressing Risk Exclusions
2.2.2 Risk Register
2.2.3 Risk Analysis Methodologies
2.2.3.1 Quantitative Risk Assessment
2.2.3.2 Qualitative Risk Assessment
2.2.3.3 Semiquantitative/Hybrid Risk Assessment
2.2.4 Business Impact Analysis
2.2.4.1 Business Continuity and Organizational Resiliency
2.2.4.2 Regulatory and Contractual Obligations
2.2.4.3 Strategic Investments
2.2.4.4 Business Impact Analysis and Risk Assessment
2.2.5 Inherent and Residual Risk
2.2.5.1 Inherent Risk
2.2.5.2 Residual Risk
2.2.5.3 Current Risk
3 Risk Response and Reporting
3.1 Risk Response
3.1.1 Risk and Control Ownership
3.1.1.1 Ownership and Accountability
3.1.2 Risk Treatment / Risk Response Options
3.1.2.1 Aligning Risk Response with Business Objectives
3.1.2.2 Risk Response Options
3.1.2.2.1 Risk acceptance
3.1.2.2.2 Risk mitigation
3.1.2.2.3 Risk sharing/transfer
3.1.2.2.4 Risk avoidance
3.1.2.3 Choosing a Risk Response
3.1.3 Third-Party Risk Management
3.1.4 Issue, Finding, and Exception Management
3.1.4.1 Configuration Management
3.1.4.2 Release Management
3.1.4.3 Exception Management
3.1.4.4 Change Management
3.1.4.5 Issue and Finding Management
3.1.5 Management of Emerging Risk
3.1.5.1 Vulnerabilities Associated with New Controls
3.1.5.2 Impact of Emerging Technologies on Design and Implementation of Controls
3.2 Control Design and Implementation
3.2.1 Control Types, Standards, and Frameworks
3.2.1.1 Control Standards and Frameworks
3.2.1.2 Administrative, Technical and Physical Controls
3.2.1.3 Capability Maturity Models (CMM)
3.2.2 Control Design, Selection, and Analysis
3.2.2.1 Control Design and Selection
3.2.3 Control Implementation
3.2.3.1 Changeover (Go-live) Techniques
3.2.3.2 Post-implementation Review
3.2.3.3 Control Documentation
3.2.4 Control Testing and Effectiveness Evaluation
3.2.4.1 Good Practices for Testing
3.2.4.1.1 Various testing approaches
3.2.4.1.1.1 Unit Testing and Code Review
3.2.4.1.1.2 Integration/System Testing
3.2.4.1.1.3 User Acceptance Testing (UAT)
3.2.4.1.1.4 Quality Assurance (QA)
3.2.4.1.1.5 Testing for Non-technical Controls
3.2.4.2 Updating the Risk Register
3.3 Risk Monitoring and Reporting
3.3.1 Risk Treatment Plans
3.3.2 Data Collection, Aggregation, Analysis, and Validation
3.3.2.1 Data Collection and Extraction Tools and Techniques
3.3.2.1.1 Several sources of data
3.3.2.1.1.1 Logs
3.3.2.1.1.2 Security Information and Event Management (SIEM)
3.3.2.1.1.3 Integrated Test Facilities (ITF)
3.3.2.1.1.4 External Sources
3.3.3 Risk and Control Monitoring Techniques
3.3.3.1 Monitoring Controls
3.3.3.2 Control Assessment Types
3.3.3.2.1 Self-assessment
3.3.3.2.2 IS Audit / Third-party Assurance
3.3.3.2.3 Vulnerability Assessment
3.3.3.3 Penetration Testing
3.3.4 Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
3.3.4.1 Heat Maps
3.3.4.2 Scorecards
3.3.4.3 Dashboards
3.3.5 Key Performance Indicators (KPIs)
3.3.6 Key Risk Indicators (KRIs)
3.3.6.1 KRI Selection
3.3.6.2 KRI Effectiveness
3.3.6.3 KRI Optimization
3.3.6.4 KRI Maintenance
3.3.6.5 Using KPIs with KRIs
3.3.7 Key Control Indicators (KCIs)
4 Information Technology and Security
4.1 Information Technology Principles
4.1.1 Enterprise Architecture
4.1.1.1 Maturity Models
4.1.2 IT Operations Management (e.g., change management, IT assets, problems, incidents)
4.1.2.1 Hardware
4.1.2.1.1 Supply Chain Management
4.1.2.2 Software
4.1.2.2.1 Operating Systems
4.1.2.2.2 Applications
4.1.2.2.3 Databases
4.1.2.2.4 Software Utilities
4.1.2.3 Environmental Controls
4.1.2.4 Networks
4.1.2.4.1 Firewalls
4.1.2.4.2 Proxies
4.1.2.4.3 Intrusion Systems
4.1.2.4.4 Domain Name System
4.1.2.4.5 Software-defined Networking
4.1.2.4.6 Demilitarized Zones (DMZ)
4.1.2.4.7 Virtual Private Networks (VPNs)
4.1.2.5 Technology Refresh
4.1.2.6 Operations and Management Evaluation
4.1.2.7 Virtualization and Cloud Computing
4.1.3 Project Management
4.1.3.1 Project Risk
4.1.3.2 Project Closeout
4.1.4 Disaster Recovery Management (DRM) / Enterprise Resiliency
4.1.4.1 Business Continuity
4.1.4.2 Disaster Recovery
4.1.5 Data Lifecycle Management
4.1.5.1 Data Management
4.1.5.2 Data Loss Prevention (DLP)
4.1.6 System Development Life Cycle (SDLC)
4.1.7 Emerging Technologies / Emerging Trends in Technology
4.1.7.1 Omnipresent Connectivity
4.1.7.1.1 Bring Your Own Devices (BYOD)
4.1.7.1.2 The Internet of Things
4.1.7.2 Massive Computing Power
4.1.7.2.1 Deepfakes
4.1.7.2.2 Blockchain
4.1.7.2.3 Artificial Intelligence (AI)
4.2 Information Security Principles
4.2.1 Information Security Concepts, Frameworks, and Standards
4.2.1.1 Likelihood and Impact
4.2.1.2 CIA Triad
4.2.1.3 Segregation of Duties / Separation of Duties / SoD
4.2.1.4 Cross-training and Job Rotation
4.2.1.5 Access Control / Identity and Access Management (IAM)
4.2.1.5.1 Identification
4.2.1.5.2 Authentication
4.2.1.5.3 Authorization
4.2.1.5.4 Accountability
4.2.1.6 Encryption
4.2.1.6.1 Symmetric Encryption Algorithms
4.2.1.6.2 Asymmetric Encryption Algorithms / Public Key Cryptography
4.2.1.6.3 Message Integrity and Hashing Algorithms
4.2.1.6.4 Digital Signatures
4.2.1.6.5 Certificates
4.2.1.6.6 Public Key Infrastructure (PKI)
4.2.2 Information Security Awareness Training
4.2.3 Business Continuity Management
4.2.4 Data Privacy and Data Protection Principles
4.2.4.1 Key Concepts of Data Privacy
4.2.4.1.1 Informed Consent
4.2.4.1.2 Privacy Impact Assessment (PIA)
4.2.4.1.3 Minimization
4.2.4.1.4 Destruction
4.2.4.2 Risk Management in a Privacy Context
5 Further readings
5.1 Example of Bayesian analysis
5.2 Example of Bow Tie analysis
5.3 Example of cause-and-effect analysis
5.4 Example of Event tree analysis
5.5 Example of Fault tree analysis
5.6 Example of Markov analysis
5.7 More about Network
5.7.1 The TCP/IP Stack / TCP/IP Model
5.7.2 Cabling
5.7.3 Repeaters
5.7.4 Switches
5.7.5 Routers
5.8 More about Technical Refresh
5.9 IaaS, PaaS, and SaaS