You're reading from  ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product typeBook
Published inSep 2023
PublisherPackt
ISBN-139781803236902
Edition1st Edition
Author
Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Control Design and Implementation

As we learned earlier in this book, risk mitigation is one of the most common responses in risk management. A risk manager needs to be aware of adequate risk mitigation techniques to reduce the risk to an acceptable level. Control design and implementation is one of the most important steps in risk mitigation. With the ever-changing threat landscape, the controls that are implemented today may become irrelevant tomorrow, and therefore, controls should be reviewed periodically to confirm that they remain effective.

This chapter aims to help you learn about the different types of controls, standards, frameworks, and methodologies for control design and selection, as well as how to implement them effectively. We will also learn about several control techniques and methods to evaluate them effectively.

In this chapter, we will cover the following topics:

  • Control categories
  • Control design and selection
  • Control implementation...

Control categories

Before we jump right into the control types, I think it is important to learn a bit about what constitutes a control. A control is a measure that helps reduce risk and improve the security posture of the organization. This control can be technical, such as antivirus software, something physical, such as a turnstile, or a policy document that dictates the ideal course in business operations.

These controls can be categorized as follows:

  • Preventive (also known as preventative): These controls prevent violations of security policies and practices. Installing antivirus software to block malicious software, or a firewall that blocks unknown traffic, is an example of a preventive control.
  • Detective: These controls detect violations of security policies and practices. Intrusion detection systems (IDSs) and audit logs are examples of detective controls.
  • Corrective: These controls correct a certain issue that has not been prevented or detected and led to an undesired...

Control design and selection

If someone asks you in a rapid-fire round what level of control a risk practitioner should implement, the correct answer is always optimal. We have touched on this a few times in previous chapters, stating that a control should always be implemented per the risk posed by the threat and evaluated for effectiveness, efficiency, and cost before it’s implemented. There is no reason to implement a control that costs more than the assets it protects.

As we discussed earlier, these controls can be either proactive (also known as safeguards), in that they will try to prevent the incident from occurring in the first place, or they can be reactive, in that once the incident has happened, these controls will assist in detection and correction. In some cases, the risk practitioner will have the option to choose the type of control to be implemented as per the business requirements; however, regardless of the selected control, the main purpose of implementing control...

Control implementation

In the previous chapter, we learned about configuration management, which refers to setting initial baselines for systems and tools so that it becomes easier for the relevant teams to install and manage that software. In this context, configuration management is a preventative control that ensures that no unapproved software and services are installed on the user’s laptop. The same goes for change management, where changes to production system code must be tested in a test environment before being rolled out to all users.
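The baseline idea above can be made concrete with a small drift check. The following is an added example, not code from the book or from any configuration management product: it assumes a constructed required baseline (package name mapped to its approved versions) and a constructed host inventory as a configuration agent might report it, and reports anything installed outside the baseline, at an unapproved version, or required but missing, so the change-management process can review it.

```python
"""Configuration-baseline drift check (added example, not from the book).

APPROVED_BASELINE and SAMPLE_INVENTORY are constructed sample data. The
check is a detective control layered over the preventive baseline: any
package outside the required set, any approved package at an unapproved
version, and any required package that is absent is reported for review.
"""
from dataclasses import dataclass, field

# Constructed required baseline: package name -> set of approved versions.
# An empty set means any version of that required package is acceptable.
APPROVED_BASELINE = {
    "openssh-server": {"9.3p1", "9.4p1"},
    "endpoint-av": {"7.2.0"},
    "corp-vpn": set(),
}

# Constructed host inventory: package name -> installed version.
SAMPLE_INVENTORY = {
    "openssh-server": "9.4p1",
    "endpoint-av": "7.1.5",    # required package, but an unapproved version
    "corp-vpn": "3.0.1",
    "torrent-client": "2.1",   # not part of the baseline at all
}


@dataclass
class DriftReport:
    """Findings from comparing one host against the baseline."""
    unapproved: list = field(default_factory=list)      # installed, not in baseline
    wrong_version: list = field(default_factory=list)   # (name, found, approved)
    missing: list = field(default_factory=list)         # required, not installed

    @property
    def compliant(self) -> bool:
        return not (self.unapproved or self.wrong_version or self.missing)


def check_baseline(inventory: dict, baseline: dict = APPROVED_BASELINE) -> DriftReport:
    """Compare an inventory snapshot against the required baseline."""
    report = DriftReport()
    for name, version in inventory.items():
        if name not in baseline:
            report.unapproved.append(name)
        elif baseline[name] and version not in baseline[name]:
            report.wrong_version.append((name, version, sorted(baseline[name])))
    for name in baseline:
        if name not in inventory:
            report.missing.append(name)
    return report


if __name__ == "__main__":
    result = check_baseline(SAMPLE_INVENTORY)
    print("compliant:", result.compliant)
    for name in result.unapproved:
        print(f"unapproved software installed: {name}")
    for name, found, approved in result.wrong_version:
        print(f"{name}: installed {found}, approved versions {approved}")
    for name in result.missing:
        print(f"required package missing: {name}")
```

Run against the constructed inventory, the check reports the torrent client as unapproved and the endpoint agent as being at a version outside the baseline; a host whose inventory matches the baseline exactly yields a compliant report. In practice the inventory would come from the configuration management agent and the findings would feed the change-management queue rather than being printed.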

On a related note, it is important to ensure that once these changes have been set, the control is also tested in a non-production environment so that any errors from the test environment do not carry over to the production environment and affect a large set of systems or users in terms of unapproved changes. The ideal way to set up this test environment is to have it reflect the production environment...

Control testing and evaluation

Testing the effectiveness and efficacy of a control is as important as implementing it. A risk practitioner should ensure that implemented controls are tested and evaluated periodically to ensure that they are still relevant, and should advise the risk owner of any gaps that have arisen since the initial implementation. The responsibility for periodically determining the efficacy of controls rests with the control owner. Control testing can be either progressive or regressive. Progressive testing begins with the requirements and looks for flaws, whereas regressive testing works backward from the expected results and known issues to identify causes.

The following are some of the best practices for effectively evaluating controls:

  • Never use production data for testing purposes and always produce synthetic data that’s as similar to the production data as possible for testing. If there is an absolute need to use the production...

Summary

At the beginning of this chapter, we learned about the five control categories (preventative, detective, corrective, deterrent, and compensating) and their relationship with incidents. We then learned about how a risk manager should design and select the controls as per the requirements of the business. Next, we learned about the different methods of control implementation (parallel, phased, and abrupt) and the importance of post-implementation review. Finally, we reviewed the best practices for control testing and evaluation.

In the next chapter, we will learn about log aggregation, risk and control monitoring, and reporting.

Review questions

  1. Which of the following is not a control category?
    1. Additive
    2. Preventative
    3. Deterrent
    4. Detective
  2. Implementing controls proactively based on a previous root cause analysis is an example of which control category?
    1. Preventive
    2. Detective
    3. Corrective
    4. Compensating
  3. Reviewing audit logs in a SIEM tool is an example of __.
    1. Corrective control
    2. Detective control
    3. Compensating control
    4. Deterrent control
  4. Installing security cameras to secure a data center location is an example of __.
    1. Corrective control
    2. Detective control
    3. Compensating control
    4. Deterrent control
  5. A risk manager introduced additional oversight of an accounting system where logical controls are not yet implemented. This is an example of ___.
    1. Corrective control
    2. Detective control
    3. Compensating control
    4. Deterrent control
  6. An IT system failed while new changes were being pushed to it from the production team and lost some data. The risk manager has advised the IT team to restore the data from previous backups. This is an example...

Answers

  1. A. Additive is not a control category; all the other options are valid control categories.
  2. A. Implementing controls proactively is an example of preventive control.
  3. B. Reviewing audit logs is an example of detective control as the incident has already happened and the goal is to find what caused the incident.
  4. D. Installing security cameras is an example of deterrent control.
  5. C. Implementing additional controls instead of the primary control is an example of compensating control.
  6. A. Performing a restore exercise is an example of corrective control.
  7. C. Detective and corrective controls are used after the incident has happened.
  8. A. Since the system is business-critical and should not have any downtime, the risk manager should recommend parallel changeover, where both the old and new systems will run in parallel.
  9. B. Performing a phased changeover would be the most efficient as no two modules are dependent on each other and the update is modular...