The CDRP^® is a 2 days course is designed to expose attendants to the overall risk management process. Focus is on both the data centre infrastructure and the physical data centre facility and equipment; the attendant will learn how to identify and quantify risk in their organization, creating the ability to reduce the risk to a level acceptable for the organization. The course is based on international standards (ISO/IEC27001:2005) and guidelines (ISO/IEC27005:2011, NIST800-30, ISO/IEC31000) and will additionally prepare the candidate being able to take part and assist in corporate certification processes that may apply.

Exam: Certified Data Centre Risk Professional (CDRP^®)

• Understand the different standards and methodologies for risk management and assessment
• Establish the required project team for risk management
• Perform the risk assessment, identifying current threats, vulnerabilities and the potential impact based on customised threat catalogues
• Report on the current risk level of the data centre both quantitative and qualitative
• Anticipate and minimise potential financial impacts
• Understand the options for handling risk
• Continuously monitor and review the status of risk present in the data centre
• Reduce the frequency and magnitude of incidents
• Detect and respond to events when they occur
• Meet regulatory and compliance requirements
• Support certification processes such as ISO/IEC 27001
• Support overall corporate and IT governance

Introduction to Risk Management

• Risk management concepts
• Senior management and risk
• Enterprise Risk Management (ERM)
• Benefits of risk management

Data Centre Risk and Impact

• Risk in facility, power, cooling, fire suppression, infrastructure and IT services
• Impact of data centre downtime
• Main causes of downtime
• Cost factors in downtime

Standards, Guidelines and Methodologies

• ISO/IEC 27001:2013, ISO/IEC 27005:2011, ISO/IEC 27002:2013
• NIST SP 800-30
• ISO/IEC 31000:2009
• SS507:2008
• ANSI/TIA-942
• Other methodologies (CRAMM, EBIOS, OCTAVE, etc.)

Risk Management Definitions

• Asset
• Availability/Confidentiality/Integrity
• Control
• Information processing facility
• Information security
• Policy
• Risk
• Risk analysis/Risk assessment/Risk evaluation/
• Risk treatment
• Threat/Vulnerability
• Types of risk

Risk Assessment Software

• The need for software
• Automation
• Considerations

Risk Management Process

• The risk management process
• Establishing the context
• Identification
• Analysis
• Evaluation
• Treatment
• Communication and consultation
• Monitoring and review

Project Approach

• Project management principles
• Project management methods
• Scope
• Time
• Cost
• Cost estimate methods

Context Establishment

• General considerations
• Risk evaluation, impact and acceptance criteria
• Severity rating of impact
• Occurrence rating of probability
• Scope and boundaries
• Scope constraints
• Roles & responsibilities
• Training, awareness and competence

Risk Assessment – Identification

• The risk assessment process
• Identification of assets
• Identification of threats
• Identification of existing controls
• Identification of vulnerabilities
• Identification of consequences
• Hands-on exercise: Identification of assets, threats, existing controls, vulnerabilities and consequences

Risk Assessment – Analysis and Evaluation

• Risk estimation
• Risk estimation methodologies
• Assessment of consequences
• Assessment of incident likelihood
• Level of risk estimation
• Risk evaluation
• Hands-on exercise: Assessment of consequences,
• probability and estimating level of risk

Risk Treatment

• The risk treatment process steps
• Risk Treatment Plan (RTP)
• Risk modification
• Risk retention
• Risk avoidance
• Risk sharing
• Constraints in risk modification
• Control categories
• Control examples
• Cost-benefit analysis
• Control implementation
• Residual risk

Communication

• Effective communication of risk management activities
• Benefits and concerns of communication

Risk Monitoring and Review

• Ongoing monitoring and review
• Criteria for review

Risk scenarios

• Risk assessment approach
• Data centre site selection
• Data centre facility
• Cloud computing
• UPS scenarios
• Force majeure
• Organisational shortcomings
• Human failure
• Technical failure
• Deliberate acts

The primary audience for this course is an IT, Facilities or Data Centre Operations professional working in and around the data centre (representing both end-customers and/or service provider/facilitators) and having responsibility to achieve and improve hi-availability and manageability of the data centre, such as: Data centre managers, Operations / Floor / Facility managers, IT managers, Information security managers, Security professionals, Auditors / Risk Managers / Professionals responsible for IT/corporate governance.

There is no specific prerequisite for the CDRP^® course. However, participants who have at least three years’ experience in a data centre and/or IT infrastructures will be best suited. This experience may come from a business or IT background where the participant has knowledge of both environments, and understands the mission of their organisation. Attendance of CDCP^® is beneficial but not a requirement.