You're reading from  ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition
Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.
Risk Management Life Cycle

This chapter marks the beginning of Domain 2, IT Risk Assessment, of CRISC. This domain represents 20 percent (approximately 30 questions) of the CRISC exam. As a reminder, Domain 1 of the CRISC exam, covering the material we learned up to Chapter 5, Legal Requirements and the Ethics of Risk Management, was entirely about governance, which relates to the direction given by the stakeholders and the leadership team. This chapter and the following chapters are about the hands-on approach to implementing that direction across the organization.

The aim of this chapter is to introduce the concept of risk, learn how it is different from IT risk, take a deeper dive into the risk management life cycle, understand the requirements of risk assessments, learn the difference between issues, events, incidents, and breaches, and ultimately, learn about how the correlation of events and incidents works. Additionally, we will learn about how to choose different sets of controls...

Comparing risk and IT risk

For any organization, risk is the probability of an adverse impact on the goals or outcomes of that organization. As we learned in the earlier chapters, there can be risks related to geography, market, operations, finance, reputation, technology, natural disasters, and more.

IT risk is a subset of the overarching world of risk. It is the probability that a threat will exploit an information system vulnerability and could lead to the loss of IT systems, unauthorized disclosure/modification/destruction/loss of information, errors and omissions, or failure to run the operations successfully.

ISACA has also published the Risk IT framework. It defines IT risk for an organization as “the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. IT risk can be categorized into IT benefit/value enablement risk, IT programme and project delivery risk, and IT operations and...

IT risk management life cycle

There are six steps in the IT risk management life cycle, from risk identification through to risk monitoring. Each step is equally important to ensure that an organization not only identifies and assesses risk but also treats it according to its impact on the business and the risk appetite, reports it to executives and key decision makers in an understandable form, and, lastly, continuously monitors the risk and the controls.

The following list details the key steps for IT risk management:

  • Risk identification:

Risk identification is the first step in IT risk management. An organization can only assess and treat the risk that it knows exists. Any failure to identify risks could lead to an organization not including those risks in its strategic planning and not giving them the due attention required.

In IT risk management, it is important for the risk practitioner to be aware of the technologies used in the organization and...

Requirements of risk assessment

Risk assessment is an important tool in the risk practitioner's arsenal. Risk assessments help an organization determine its level of risk and mitigate it in line with its risk appetite. They also help the organization implement controls proactively for unforeseen risks rather than reacting to adverse risk scenarios after the fact.

The following table details some of the legal and regulatory compliance requirements for conducting a risk assessment:

...

Issues, events, incidents, and breaches

This section is not specifically included in the CRISC exam syllabus, but it is important for an IT risk manager to understand certain terminology. I have seen many experienced risk professionals use these terms interchangeably, but that is not correct. The following list defines each term:

  • Issues – An issue is an instance of IT risk that has not materialized but needs to be considered and kept on the radar. It is a combination of control, value, and threat conditions that together impose a noteworthy level of risk. One example of an issue could be an outdated operating system that employees are still using. Although nothing is wrong with running an outdated operating system and delaying the update by a few weeks while the update is being tested, it should be recorded as an issue, and the operating system should be updated at the earliest opportunity.
  • Events – An event is any occurrence that takes place...

Correlating events and incidents

One of the major problems for any organization is the huge number of event alerts it receives. Over time, it becomes difficult for the organization to maintain and correlate all of these alerts.

IT event correlation automates the analysis of IT events and the identification of relationships between them in order to detect problems and uncover their root cause. Event correlation tools such as AlertLogic, Splunk, and others can help organizations monitor their systems and applications more effectively. Correlation also helps to reduce false positives and improve uptime and performance.

IT infrastructures generate a huge amount of data in various formats. This could be from multiple sources such as servers, databases, virtual machines, mobile devices, operating systems, web applications, IoT devices, and other network components. An event for this kind of tool can be any piece of data that provides insight about a state change in that...
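As an added example (not code from the book, and not the logic of any product named above), the following Python script shows the two things the text says a correlation tool does: it links related events into one incident instead of one alert per event, and it attaches a probable root cause. It runs over a constructed sample log embedded in the script; the line format, host names, IP addresses, thresholds, and the two rules are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from the book): "timestamp source host message".
# Addresses are from the documentation ranges, so they point at nothing real.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth web01 failed login user=alice src=203.0.113.5
2024-03-01T10:00:03 auth web01 failed login user=alice src=203.0.113.5
2024-03-01T10:00:05 auth web01 failed login user=alice src=203.0.113.5
2024-03-01T10:00:06 auth web01 failed login user=alice src=203.0.113.5
2024-03-01T10:00:08 auth web01 failed login user=alice src=203.0.113.5
2024-03-01T10:00:09 auth web01 successful login user=alice src=203.0.113.5
2024-03-01T10:15:00 auth web02 failed login user=bob src=198.51.100.7
2024-03-01T10:15:30 auth web02 successful login user=bob src=198.51.100.7
2024-03-01T11:00:00 os db01 disk usage 100% on /var
2024-03-01T11:00:20 db db01 service postgres stopped: no space left on device
2024-03-01T11:00:30 app web01 HTTP 500 upstream db01 unreachable
2024-03-01T11:00:31 app web01 HTTP 500 upstream db01 unreachable
"""

# Assumed thresholds: tune these to the environment being monitored.
FAILED_LOGIN_THRESHOLD = 4             # failures before a later success is suspicious
LOGIN_WINDOW = timedelta(seconds=60)   # failures older than this no longer count
ROOT_CAUSE_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    message: str


@dataclass
class Incident:
    kind: str
    host: str
    first_seen: datetime
    detail: str
    related_events: int   # how many raw events were folded into this incident


def parse_events(log_text: str) -> list[Event]:
    """Parse 'timestamp source host message' lines into Events, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, host, message = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), source, host, message))
    return sorted(events, key=lambda e: e.ts)


def correlate(log_text: str) -> list[Incident]:
    events = parse_events(log_text)
    incidents: list[Incident] = []

    # Rule 1: several failed logins followed by a success for the same user on the
    # same host within LOGIN_WINDOW. A single failure (bob) is noise and raises nothing,
    # which is the false-positive reduction the text mentions.
    failures: dict[tuple[str, str], deque] = defaultdict(deque)
    for ev in events:
        if ev.source != "auth":
            continue
        m = re.search(r"user=(\S+)", ev.message)
        if not m:
            continue
        key = (ev.host, m.group(1))
        window = failures[key]
        while window and ev.ts - window[0] > LOGIN_WINDOW:
            window.popleft()               # drop failures outside the time window
        if ev.message.startswith("failed login"):
            window.append(ev.ts)
        elif ev.message.startswith("successful login") and len(window) >= FAILED_LOGIN_THRESHOLD:
            incidents.append(Incident(
                kind="possible credential compromise",
                host=ev.host,
                first_seen=window[0],
                detail=f"{len(window)} failed logins then success for {key[1]}",
                related_events=len(window) + 1,
            ))
            window.clear()

    # Rule 2: a service stop preceded by a disk-full event on the same host becomes one
    # incident with a probable root cause; downstream HTTP 500s naming that host are
    # attached to it rather than alerted separately.
    for ev in events:
        if ev.source == "db" and "service" in ev.message and "stopped" in ev.message:
            cause = next(
                (c for c in events
                 if c.host == ev.host and "disk usage 100%" in c.message
                 and timedelta(0) <= ev.ts - c.ts <= ROOT_CAUSE_WINDOW),
                None,
            )
            downstream = [
                d for d in events
                if d.source == "app" and f"upstream {ev.host}" in d.message
                and timedelta(0) <= d.ts - ev.ts <= ROOT_CAUSE_WINDOW
            ]
            incidents.append(Incident(
                kind="service outage",
                host=ev.host,
                first_seen=cause.ts if cause else ev.ts,
                detail=("probable root cause: disk full; " if cause else "root cause unknown; ")
                       + f"{len(downstream)} downstream errors",
                related_events=(2 if cause else 1) + len(downstream),
            ))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG):
        print(f"{inc.first_seen} {inc.host} {inc.kind}: {inc.detail} ({inc.related_events} events)")
```

On the sample log, twelve raw events collapse into two incidents: six authentication events on web01 become one "possible credential compromise", and the disk-full, service-stop, and two HTTP 500 events become one "service outage" on db01 with its root cause attached. Real tools apply many more rules and normalize far more formats, but the shape of the work is the same: group by entity and time window, then report the relationship rather than each event.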

Summary

At the beginning of this chapter, we learned about risk and how it differs from IT risk. Then, we learned about the IT risk management life cycle and understood the process in detail with the help of an example. We then learned about the legal and compliance requirements for conducting a risk assessment. In the next section, we switched gears to learn about the difference between issues, events, incidents, and breaches, and looked at an overview of event correlation.

In the next chapter, we will learn about the fundamentals of risk, that is, threats and vulnerabilities, and how they relate to risk.

Review questions

  1. Which of the following depicts the correct relationship between IT risk and enterprise risk?
    1. Enterprise risk is a part of IT risk.
    2. IT risk is a part of enterprise risk.
    3. These types of risk are not related to each other.
    4. Enterprise risk is independent of IT risk.
  2. Which risk management life cycle step emphasizes the “You can’t protect what you don’t know exists” dictum?
    1. Risk and control monitoring
    2. Risk assessment
    3. Risk identification
    4. Risk categorization
  3. Which of the following is a formal requirement by many legal and regulatory compliance frameworks?
    1. Performing vulnerability assessments
    2. Maintaining an asset inventory
    3. Deploying changes to production without testing
    4. Conducting a formal risk assessment
  4. A healthcare employee accidentally sent more than 5,000 patient records in response to a phishing email. The patient records are not encrypted at rest or in transit. This scenario will fall under a material ____.
    1. Issue
    2. Event
    3. Incident
    4. Breach
  5. ...

Answers

  1. B. IT risk is part of enterprise risk. The other options are distractors.
  2. C. This is the requirement of the risk identification step.
  3. D. Conducting a formal risk assessment is a requirement of many legal and regulatory compliance frameworks. The other options are important for a risk management program but are not mandatory.
  4. D. This scenario falls under a breach, since material data (for instance, the PHI of patients) has been leaked.
  5. C. All the options are applicable, but the primary objective of a SIEM is to correlate events from the system and alert on malicious activities by providing actionable insights.
Table from the Requirements of risk assessment section (legal and regulatory compliance requirements for conducting a risk assessment):

Regulation/Law | Risk assessment requirements section
Canada – The Personal Information Protection and Electronic Documents Act (PIPEDA) | Principles 1, 3, and 7
EU Directive 2016/679 – General Data Protection Regulation (GDPR) | Article 36. 1, 7(c), 7(d), and 11