You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition
Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

The Three Lines of Defense and Cybersecurity

In the wake of the financial crisis, the Institute of Internal Auditors (IIA) came up with a model for risk management and called it the Three Lines of Defense (3LoD) model. 3LoD traces its origins to the managing of operational risk in large organizations, especially financial institutions. However, in the recent past, this has slowly gained traction in the cybersecurity world, too. The main objective of the 3LoD framework is to ensure the effective segregation of duties for all business functions and better accountability for the stakeholders of those functions.

As we saw in earlier chapters, one of the major functions of IT risk management is to have an effective delineation between the risk owners (think the board of directors) and risk practitioners (think senior management).

In the 3LoD framework, the goal is to have business functions segregated based on the duties they perform for effective risk management.

In simple terms...

The 3LoD model

As mentioned in the previous section, the purpose of the 3LoD model is to ensure appropriate segregation and accountability for individual business owners and other functions.

Let’s take a step back for a moment to establish the ownership of the risk – if there is a risk to the business, who will be the owner of the risk? The business owner. Therefore, the business owner will also be the risk owner as per the 3LoD model. Since the business owners are responsible for the day-to-day operational management of the business, they will be considered the first LoD for any risk that might occur to their business.

Now, these business owners might know a lot about the business, the risks, and the control environment, but they might not be the experts in remediating those risks. This is where the second LoD comes in. The second LoD is the risk monitoring and oversight function. They work closely with the first LoD to ensure that these risks are mitigated with...

3LoD and cybersecurity

So far, we have looked at the 3LoD model from an overarching view of enterprise risk management. In this section, we will translate those responsibilities for cybersecurity functions.

Please be aware that an official 3LoD and cybersecurity model is not mainstream, but the following figure should give you a good sense of the responsibilities for each role:

Figure 4.3 – 3LoD and cybersecurity responsibilities

In the preceding figure, we can see that the first LoD does the on-the-ground work and owns the operational management of technical activities such as conducting penetration tests and vulnerability assessments, restricting user access rights, and more.

The second LoD is focused on performing oversight and monitoring in the form of documenting the policies/standards/procedures as per the business objectives, conducting access reviews, planning and conducting the Business Continuity Planning...

Critical concepts for risk assessment and management

This section is the essence of the critical concepts that will be widely used across this book, your day-to-day job, and any ISACA exam including the CRISC.

The risk profile

The purpose of the risk management function is to optimize the risk decisions for an enterprise. The risk profile is the overall risk exposure of the organization to any type of risk. There are many factors that could impact the risk profile of an organization, such as new regulations, changes in the underlying technology, changes in the business objectives, mergers and acquisitions, direct or indirect competitors, and more. This is all part of the enterprise risk profile and will impact all businesses and functions of the organization.

The IT risk profile of an organization is the overall identified IT risk to which the enterprise is exposed. Similar to the enterprise risk profile, the IT risk profile can be dependent on many external factors such as...

Risk tolerance versus risk capacity

I have seen IT risk practitioners use the phrases risk tolerance and risk capacity interchangeably, but this is not correct.

An organization going a little beyond the risk appetite is still within the risk tolerance, which is manageable as long as there are some compensating controls in place. However, when the exposure goes beyond the risk tolerance threshold, it enters the territory of risk capacity. As we saw in the earlier definition, anything over risk capacity could threaten the existence of the organization, and that is something that has to be avoided at all costs.

That said, an organization can still operate as intended within its risk tolerance and under the risk capacity, but its existence will be in question if it crosses the risk capacity.

In the following section, we will see the relationship between risk appetite and business objectives.

Risk appetite and business objectives

The risk appetite of an organization should be agreed upon with the relevant stakeholders. It is important to align risk appetite with the objectives of the business to ensure that high-risk areas providing more value to the business are getting more resources than low-risk, low-reward processes.

The best way to align risk appetite with the business objectives is to translate it into a number of standards and policies to contain the risk level within the boundaries set by the risk appetite. With changing business conditions, these boundaries need to be regularly adjusted or confirmed.

Risk acceptance

Risk appetite and tolerance need to be defined, approved, and clearly communicated by the senior management with a process in place to review and approve any exceptions. These exceptions are formally documented in the form of risk acceptance.

As important as it might be to keep the risk levels within acceptable thresholds, there might be...

Summary

At the beginning of this chapter, we learned about the 3LoD model and the responsibilities of each LoD. Then, we reviewed how we can translate the 3LoD model for IT risk management and cybersecurity. In the next section, we switched gears to learn about the importance of the risk profile, appetite, tolerance, capacity, the relationship between all of them, and how to distinguish between risk tolerance and risk capacity. Another major area covered in this chapter was how to determine the risk appetite for a business and the process for formal risk acceptance.

In the next chapter, we will learn about the legal, regulatory, and contractual requirements, along with ethical risk management.

Review questions

  1. In the 3LoD model, which LoD is responsible for risk monitoring and oversight?
    1. The first LoD
    2. The second LoD
    3. The third LoD
    4. All of the above
  2. What is the primary responsibility of the third LoD?
    1. Policy and procedure development
    2. Provide independent assurance of controls
    3. Perform periodic user reviews
    4. Restrict least privileged roles
  3. The amount of risk an organization is willing to accept is known as ____:
    1. Risk tolerance
    2. Risk capacity
    3. Risk profile
    4. Risk appetite
  4. The information security manager has performed a risk assessment and provided recommendations for enhancing the controls of the Business Process Owner (BPO). After much deliberation, the BPO has decided to accept the risk. The BEST reason for the BPO to accept the risk is ____:
    1. Difficulty to implement the suggested controls
    2. Unavailability of resources to implement the controls
    3. Cost of control implementation outweighs the cost of assets
    4. Budgetary constraints
  5. Which of the following statements is correct?
    1. Breaching...

Answers

  1. B. The second LoD is responsible for risk monitoring and oversight. Please refer to the Responsibilities of 3LoD section for additional details.
  2. B. The third LoD is primarily responsible for internal and external audit, which provides independent assurance of controls. The keyword here is independent, which is the utmost requirement of a third LoD function.
  3. D. An organization should be able to accept the risk within the risk appetite. Any risk above the risk appetite should be reduced to an acceptable level by implementing adequate controls.
  4. C. This is the fundamental aspect of risk management to ensure that the cost of control implementation should not outweigh the cost of assets. For example, it does not make sense to put a $1,000 lock on a $500 bicycle.
  5. A. This is the only correct statement in this question. Option B is incorrect as that should be risk tolerance. Option C is incorrect as we learned in the Risk appetite, tolerance, and capacity section...