
You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition
Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Enterprise Resiliency and Data Life Cycle Management

This chapter discusses how we can build the foundations of a resilient architecture and ensure effective data life cycle management. It is divided into two main parts – one on enterprise resiliency and one on data life cycle management. In the first part, we will review the concepts related to enterprise resiliency, business continuity, disaster recovery, and recovery objectives. These are important considerations for an organization, since they relate to infrastructure availability, scalability, and reliability as well as to the external challenge of attacks from malicious actors. In the second part, we will review the concepts of data classification, labeling, and data life cycle management, as well as regulatory requirements for retention and destruction.

In this chapter, we will cover the following key topics:

  • Enterprise resiliency
  • Business continuity and disaster recovery
  • Recovery objectives
  • Data classification...

Enterprise resiliency

Organizations encounter both internal and external threats all the time. Resiliency refers to the ability of an organization to withstand these threats and disruptions with minimum harmful impact and recover to normal business operation quickly.

It is important to differentiate between resiliency and recovery, which are often treated as the same thing. Resiliency deals with avoiding or mitigating failure in the first place so that the service keeps running, whereas recovery deals with restoring services after a failure has already occurred. Reliability, that is, the ability of a service to operate at an expected level, is not a third alternative but an outcome of a resilient system.

Quick definitions

Resiliency: Keeping the system from complete failure

Recovery: Recovering data or applications after a failure has occurred

Reliability: An outcome of a resilient system performing at expected levels

A risk manager should analyze the organization’s requirements and...

Business continuity and disaster recovery

Business continuity (BC) refers to the ability of an organization to continue operating its critical business functions during and after a disruption. The purpose of BC planning is to identify potential threats to an organization’s operations and develop strategies and procedures to ensure that critical business processes can continue or resume quickly after a disruption. To prepare against such a disruption or disaster, you use a formal plan known as a business continuity plan (BCP).

The inputs to creating a BCP come from a business impact analysis (BIA), that is, the exercise of determining which systems, data, processes, people, and other assets are strategically important to achieving business goals, and what the impact of losing each of them would be. The BIA conducted by the organization will support the risk practitioner in recommending a reasonable and appropriate risk response and guide senior management in selecting appropriate mitigation strategies.

Disaster recovery (DR) refers...

Recovery objectives

As we saw in Figure 15.1, BC planning typically begins with a BIA. The goal of a BIA is to identify the critical systems and services and ensure that sufficient controls are put in place so they operate within their recovery point objective (RPO) and recovery time objective (RTO), two key metrics that express how critical an application is: the more critical the application, the less data loss and downtime the business will tolerate.

The RPO is the maximum amount of data that an organization can afford to lose without a material impact, whereas the RTO is the maximum amount of time an application can remain unavailable before having a material impact on the business.

A metric closely related to the RTO is the maximum tolerable downtime (MTD), that is, the maximum amount of time stakeholders are willing to accept for a business process outage, taking all impact considerations into account. The RTO is the target the recovery plan commits to, so it must be set at or below the MTD; an RTO longer than the MTD means the plan, even if executed perfectly, still causes unacceptable harm.

These metrics are illustrated in the following figure:

Figure 15.2 – The relationship between the RPO, RTO, and MTD


A risk practitioner...
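The checks a risk practitioner would run over these targets, as an added example that is not from the book: for each application it takes the agreed RPO, RTO and MTD together with two measured facts, how often a restorable backup is actually taken and how long recovery took in the last DR test, and flags an RTO above the MTD, a backup interval whose worst-case data loss exceeds the RPO, and a drill that missed the RTO. It then orders the applications by how little loss they can tolerate, which is the order a recovery plan should work through them. The application names, figures and finding codes are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryTargets:
    name: str
    rpo_h: float               # max data loss the business accepts, in hours
    rto_h: float               # target time to restore the service, in hours
    mtd_h: float               # max outage stakeholders accept, in hours
    backup_interval_h: float   # how often a restorable copy is actually taken
    drill_recovery_h: float    # recovery time measured in the last DR test


def worst_case_data_loss_h(t: RecoveryTargets) -> float:
    """A failure just before the next backup loses everything since the last one."""
    return t.backup_interval_h


def check_targets(t: RecoveryTargets) -> list:
    """Return the finding codes (constructed names) that apply to one application."""
    findings = []
    if t.rto_h > t.mtd_h:
        # The plan's own target already exceeds what stakeholders will tolerate.
        findings.append("RTO_EXCEEDS_MTD")
    if worst_case_data_loss_h(t) > t.rpo_h:
        # Backups run too rarely to honour the agreed data-loss window.
        findings.append("BACKUP_INTERVAL_EXCEEDS_RPO")
    if t.drill_recovery_h > t.rto_h:
        # The RTO is a promise the last test showed the team cannot keep.
        findings.append("DRILL_MISSED_RTO")
    return findings


def rank_by_criticality(targets) -> list:
    """Lowest MTD first, then lowest RPO: least tolerance for loss is recovered first."""
    return [t.name for t in sorted(targets, key=lambda t: (t.mtd_h, t.rpo_h))]


# Constructed sample inventory; the numbers are illustrative, not from the book.
SAMPLE_TARGETS = [
    RecoveryTargets("payments-api", rpo_h=1, rto_h=4, mtd_h=6,
                    backup_interval_h=0.25, drill_recovery_h=3.5),
    RecoveryTargets("hr-portal", rpo_h=4, rto_h=8, mtd_h=6,
                    backup_interval_h=24, drill_recovery_h=10),
    RecoveryTargets("wiki", rpo_h=24, rto_h=48, mtd_h=72,
                    backup_interval_h=24, drill_recovery_h=20),
]


def assess_all(targets=SAMPLE_TARGETS) -> dict:
    """Map each application name to its list of findings (empty means consistent)."""
    return {t.name: check_targets(t) for t in targets}


if __name__ == "__main__":
    for name, findings in assess_all().items():
        print(f"{name}: {findings or 'OK'}")
    print("recovery order:", rank_by_criticality(SAMPLE_TARGETS))
```

The point of feeding in measured values rather than only the agreed objectives is that an RPO or RTO written into a BCP is a commitment, and the backup schedule and the DR test are the only evidence that the commitment can be met.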

Data classification and labeling

Data classification and labeling are integral parts of data life cycle management. The classification of data determines the sensitivity of the data and the controls that are required to keep it secure.

Data classification refers to the process of categorizing data based on its level of sensitivity and its value to an organization. The classification level then determines how robust the controls protecting that data must be. The classification of data can be performed based on the following factors:

  • Regulatory requirements: Data classification may be based on specific regulatory requirements. Regulatory and compliance frameworks such as HIPAA (protected health information), GDPR (personal data), or PCI DSS (cardholder data) require certain types of data, such as Personally Identifiable Information (PII), to be classified and handled in a specific way to ensure compliance.
  • Business impact: Data classification may be based on the level of impact that a loss or breach of the data could have on the business. Highly...

Data life cycle management

Data life cycle refers to the stages that data goes through, from its creation to its destruction. The following are the six stages of the data life cycle:

  1. Creation: The creation stage refers to the phase when data first comes into existence or is collected through synthesis from other sources, such as consolidating a large amount of data into a report.
  2. Storage: The storage stage refers to data being stored and thus becoming available for use.
  3. Use: This stage refers to data being used or processed for a material output.
  4. Sharing: This stage refers to data being shared with other users or entities for their own use or analysis.
  5. Archiving: When the data is no longer in use, it is archived to comply with regulatory/contractual requirements.
  6. Destruction: Once the archival period is over or data is deemed inappropriate for usage, the data is destroyed using industry-standard best practices.
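An added example, not from the book, that ties the classification factors above to the later life cycle stages: a record's classification is the higher of its business-impact level and the floor imposed by any regulated data it holds (PHI, cardholder data, PII), and that classification selects a retention schedule that moves the record from use to archive and finally to destruction with a sanitization method matched to its sensitivity. The classification scheme, the regulatory mapping, the retention periods, the destruction methods and the legal-hold flag (a common caveat that suspends destruction, which the chapter does not discuss) are all assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Classification scheme, least to most sensitive (assumed for this example).
LEVELS = ["public", "internal", "confidential", "sensitive"]

# Minimum level forced by regulated data types (assumed mapping).
REGULATORY_FLOOR = {
    "PHI": "sensitive",      # health records, HIPAA
    "PAN": "sensitive",      # cardholder data, PCI DSS
    "PII": "confidential",   # personal data, GDPR
}


@dataclass(frozen=True)
class RetentionPolicy:
    archive_after_days: int   # inactivity before the record is archived
    retain_days: int          # total retention from creation; destroy after this
    destruction: str          # sanitization method required at destruction


# Retention schedule keyed by classification (assumed figures and methods).
POLICIES = {
    "public":       RetentionPolicy(365, 730,  "delete"),
    "internal":     RetentionPolicy(365, 1095, "delete"),
    "confidential": RetentionPolicy(180, 2190, "crypto-erase"),
    "sensitive":    RetentionPolicy(90,  2555, "purge"),
}


def classify(data_types, business_impact: str) -> str:
    """Highest of the business-impact level and any regulatory floor that applies."""
    if business_impact not in LEVELS:
        raise ValueError(f"unknown classification level {business_impact!r}")
    candidates = [business_impact]
    candidates += [REGULATORY_FLOOR[t] for t in data_types if t in REGULATORY_FLOOR]
    return max(candidates, key=LEVELS.index)


@dataclass(frozen=True)
class Record:
    record_id: str
    data_types: tuple
    business_impact: str
    created: date
    last_used: date
    legal_hold: bool = False   # assumed caveat: suspends destruction while set


def disposition(rec: Record, today: date) -> tuple:
    """Return (classification, life cycle stage, required action) as of `today`."""
    level = classify(rec.data_types, rec.business_impact)
    policy = POLICIES[level]
    age_days = (today - rec.created).days
    idle_days = (today - rec.last_used).days
    if age_days >= policy.retain_days:
        if rec.legal_hold:
            # Retention has expired, but destruction must wait until the hold lifts.
            return level, "archive", "hold"
        return level, "destroy", policy.destruction
    if idle_days >= policy.archive_after_days:
        return level, "archive", None
    return level, "use", None


# Constructed sample records and reference date; none of this is real data.
TODAY = date(2024, 1, 1)
SAMPLE_RECORDS = [
    Record("patient-1001", ("PII", "PHI"), "internal", date(2016, 1, 1), date(2023, 12, 1)),
    Record("patient-1002", ("PII", "PHI"), "internal", date(2016, 1, 1), date(2023, 12, 1),
           legal_hold=True),
    Record("customer-2001", ("PII",), "internal", date(2023, 1, 1), date(2023, 6, 1)),
    Record("brochure-3001", (), "public", date(2023, 12, 1), date(2023, 12, 31)),
]


def run_sample(records=SAMPLE_RECORDS, today=TODAY) -> dict:
    """Map each record ID to its (classification, stage, action) triple."""
    return {r.record_id: disposition(r, today) for r in records}


if __name__ == "__main__":
    for record_id, result in run_sample().items():
        print(record_id, result)
```

Two design points matter here. Classification is computed, not stored, so a record that later acquires a regulated field cannot keep a stale, weaker label; and the destruction method is a property of the classification, so the most sensitive data is never disposed of with a plain delete.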

Figure 15.3 – The life cycle of data


Summary

At the beginning of this chapter, we learned about the importance of enterprise resiliency and its relationship with BC and DR. In the following sections, we learned about the concepts of BIA and how it relates to the recovery objectives of the RPO, RTO, and MTD. In the final section, we learned about the difference between data classification and labeling, data life cycle management, and how data governance differs from data management. With the prevalence of cloud technologies, a risk manager should be aware of these concepts and plan with the business owners accordingly to reduce the risk of any outages or security issues that may impact the availability of data or systems.

In the next chapter, we will learn about the system development life cycle and emerging technologies.

Review questions

  1. ___ refers to a system’s ability to avoid complete failure.
    A. Recovery
    B. Resiliency
    C. Reliability
    D. None of the above
  2. Which of the following acts as an input for the BCP?
    A. Recovery objectives
    B. DR test
    C. BIA
    D. BC test
  3. A risk manager wants to develop a BCP and confirms that the application in scope can’t lose more than four hours of data. Which recovery objective is the risk manager referring to?
    A. MTD
    B. RPO
    C. RTO
    D. BIA
  4. An application can tolerate four hours of downtime but has to be recovered within six hours. Considering this, which of the following metrics is correct?
    A. RPO – four hours, RTO – six hours
    B. MTD – four hours, RTO – six hours
    C. MTD – six hours, RPO – four hours
    D. RTO – four hours, MTD – six hours
  5. A risk manager defined the data classification for the entire organization. The organization processes healthcare records and often collects personal information such as driver’s licenses to verify identity...

Answers

  1. B. A system that can avoid complete failure is a resilient one.
  2. C. Business impact analysis, or BIA, is the input to creating a BCP.
  3. B. The correct answer is RPO, as the metric in question is data that can be lost.
  4. D. The correct answer is an RTO of four hours and an MTD of six hours.
  5. A. As the organization contains both PII and PHI, the correct classification is sensitive.
  6. A. The destruction of data is also known as the disposal of data.
  7. D. Data labeling is important to facilitate all the options.