
You're reading from Certified Information Security Manager Exam Prep Guide - Second Edition

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781804610633
Edition: 2nd Edition
Author

Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.

Information Risk Assessment

Accessing the Online Content

With this book, you get unlimited access to web-based CISM exam prep tools which include practice questions, flashcards, exam tips, and more. To unlock the content, you'll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

If you've already created your account using those instructions, visit this link http://packt.link/cismexamguidewebsite or scan the following QR code to quickly open the website. Once there, click the Login link in the top-right corner of the page to access the content using your credentials.

In this chapter, you will explore information risk management and learn about the tools and techniques available to help you with risk management, along with other important concepts from the perspective of the CISM exam. This chapter will help CISM candidates...

Understanding Risk

The following table illustrates the different definitions of risk:

Differentiating Risk Identification, Risk Analysis, and Risk Evaluation

ISACA's qualifications are recognized around the globe and, as a result, people across the world enroll for their examinations. It is of utmost importance for ISACA to use terminology in their study materials and examinations that is globally accepted and not restricted to particular countries or continents. It is equally important for all candidates to understand the terminology in the way ISACA uses it. For this, you need to let go of local perceptions and wear ISACA's thinking hat.

The following are some important terminologies from the perspective of ISACA's examinations.

Risk Management

Risk management is the combination of the following processes:

  • Risk assessment
    • Risk identification
    • Risk analysis
    • Risk evaluation
  • Risk response
  • Risk monitoring

Risk Assessment

Risk assessment is the combination of the following three...

Differentiating Risk Capacity, Risk Appetite, and Risk Tolerance

The first step toward understanding risk management is to learn the following three important terms:

  • Risk capacity: This is the maximum risk an organization can afford to take.
  • Risk tolerance: Risk tolerance levels are acceptable deviations from the risk appetite.
  • Risk appetite: This is the amount of risk that an organization is willing to take.

The following example further explains these terms.

Mr. A's total savings are $1,000. He wants to invest in equities to earn some income. Since he is risk averse, he decides to invest only up to $700. If the markets are good, he is willing to invest a further $50. In terms of risk capacity, risk appetite, and risk tolerance, the following can be derived:

  • Risk capacity: Total amount available, i.e., $1,000
  • Risk appetite: Mr. A's willingness to take a risk, i.e., $700
  • Risk tolerance: Acceptable deviation from the risk appetite...

Inherent Risk and Residual Risk

Inherent Risk

Inherent risk is the risk that exists before any control is implemented. It is the risk that a process would pose if no control factors were in place (the gross risk, or the risk before controls). It is the weakness or the susceptibility of a process to introduce a material error when there are no internal controls.

Inherent risk depends on the number of users and business areas. The higher the number of users and business processes, the higher the level of inherent risk will be.

Residual Risk

This is the risk that remains after controls have been considered (the net risk or the risk after controls).

Residual Risk = Inherent Risk - Controls

For a successful risk management program, residual risk should always be within the risk appetite. When the residual risk is within the risk appetite, it is considered an acceptable risk level.

The primary objective of a risk management program is to ensure that the residual risk is...

Phases of Risk Management

The prime objective of a risk management process is to achieve the optimum balance between maximizing business opportunities and minimizing vulnerabilities and threats. To achieve this objective, the information security manager should have a thorough understanding of the nature and extent of a risk applicable to the organization. A mature organization will have a dedicated enterprise risk management (ERM) group to monitor and control risk.

The first step in the development of a risk management program is to establish the context and purpose of the program. Management support can be gained only if the program has appropriate context and purpose.

Risk management must operate at both the strategic and the operational level. The effectiveness of a risk management program depends on how well it is integrated into an organization's culture and the extent to which it becomes everyone's responsibility.

Phases of Risk Management

A risk...

Risk Awareness

Having good awareness of risk management programs improves the organization's risk culture. It is the key element in impacting the behavior of end users. Through a risk awareness program, each member of the organization can help to identify vulnerabilities, suspicious activities, and other abnormal behavior patterns. This helps in having faster responses to attacks or incidents and thus minimizes their impact.

Tailored Awareness Programs

For a risk awareness program to be effective, it should be tailored to the needs of individual groups. The content of an awareness program should be specific and applicable to individual job functions. This enhances the effectiveness of awareness training. For example, a developer should be made aware of secure coding practices, whereas an end user may only need to be made aware of the risk of phishing emails.

An awareness program should meet the following criteria:

  • Be capable of highlighting the relevant risks
  • ...

Risk Assessment

Risk assessment is an important process for the identification of significant risks and to ensure cost-effective controls can be put in place to address the identified risks.

There are many methodologies available for assessing risks. An organization should use the methodology that best fits its requirements. This methodology should be able to achieve the goals and objectives of the organization in the identification of relevant risks. A common risk assessment methodology is COBIT 5.

Phases of Risk Assessment

Generally, a risk assessment process has the following three phases:

  1. Risk identification: In this phase, significant business risks are identified. Risk identification is generally conducted by the use of risk scenarios. A risk scenario is a visualization of a possible event that could have some adverse impact on the business objectives. Organizations use risk scenarios to imagine what could go wrong or what could create barriers to achieving the...

Risk Identification

Risk management begins with risk identification. Risk identification is the process of identifying and listing risks in the risk register.

The primary objective of the risk identification process is to recognize threats, vulnerabilities, assets, and controls of the organization. A risk practitioner can use the following sources for the identification of any risk:

  • Review of past audit reports
  • Review of incident reports
  • Review of public media articles and press releases
  • Systematic approaches such as vulnerability assessments, penetration testing, review of business continuity plan (BCP) and disaster recovery plan (DRP) documents, interviews with senior management and process owners, and scenario analysis

All the identified risks should be captured in the risk register along with details such as description, category, probability, impact, and risk owner. In fact, maintenance of the risk register starts with risk identification...

Risk Analysis

Risk analysis is the process of rating all identified risks, based on their impact on business processes, so that they can be prioritized. A risk with a high impact is ranked higher and is addressed first, and more resources are allocated to high-risk areas.

Risk analysis results help with the prioritization of risk responses and the allocation of resources.

Generally, the following techniques are used to rank risks:

  • Quantitative method
  • Qualitative method
  • Semi-quantitative method

The availability of the correct data for risk assessment is a major factor in determining which of the previously mentioned techniques is to be used. For instance, when a data source is trustworthy and dependable, an organization will prefer a quantitative risk assessment since it expresses risk in numerical terms, such as monetary value. The...

Risk Evaluation

In the risk evaluation phase, the level of each risk is compared with acceptable risk criteria. If the risk is within the acceptable level, then it is accepted as it is. If the risk exceeds the acceptable level, then the treatment will be some form of mitigation.

Risk Ranking

A risk with a high impact is ranked higher and given priority. The process of ranking risk in terms of its criticality is known as risk analysis. More resources are allocated to high-risk areas. Ranking each risk based on impact and likelihood is critical in determining the risk mitigation strategy. Ranking the risk helps the organization determine its priority.

Practice Question Set 9

  1. As an information security manager, you are required to close the vulnerabilities identified by external auditors. What is the most effective way to mitigate the vulnerabilities?
    1. All vulnerabilities should be addressed immediately
    2. Mitigation should be based on threat, impact, and cost considerations...

Risk Register

As previously noted, all identified risks should be captured in the risk register along with details such as description, category, probability, impact, and risk owner. The maintenance of the risk register starts with risk identification.

A risk register is the inventory of all existing risks of an organization. The best method to understand any kind of risk is to review the risk register. It includes details of all risks along with relevant control activities. The most effective use of a risk register is to facilitate a thorough review of all risks on a periodic basis.
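The risk register, risk analysis (ranking by likelihood and impact) and risk evaluation (accept if within appetite, otherwise mitigate) described above, worked through in an added Python example that is not code from the book: register entries carry the fields listed (description, category, probability, impact, risk owner), the Residual Risk = Inherent Risk - Controls formula is applied as score points, and each residual score is compared with a risk appetite. The 1-to-5 scales, the appetite threshold, the control-point model and the sample entries are assumptions constructed for the example.

```python
"""Added example (not from the book): a minimal risk register that ranks
risks by likelihood x impact and evaluates each residual score against a
risk appetite. Scales, threshold and sample entries are constructed."""
from dataclasses import dataclass

# Constructed assumption: highest residual score management accepts (1..25 scale).
RISK_APPETITE = 8


@dataclass
class Risk:
    description: str
    category: str
    probability: int          # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    owner: str
    control_reduction: int = 0  # score points removed by existing controls (assumption)

    def inherent_score(self) -> int:
        """Gross risk: probability x impact before any control is considered."""
        return self.probability * self.impact

    def residual_score(self) -> int:
        """Net risk after controls: Residual = Inherent - Controls, floored at 0."""
        return max(0, self.inherent_score() - self.control_reduction)

    def treatment(self, appetite: int = RISK_APPETITE) -> str:
        """Risk evaluation: accept when within appetite, otherwise mitigate."""
        return "accept" if self.residual_score() <= appetite else "mitigate"


def rank_register(register: list[Risk]) -> list[Risk]:
    """Risk analysis: highest residual score first, ties broken by impact."""
    return sorted(register, key=lambda r: (r.residual_score(), r.impact), reverse=True)


# Constructed sample register entries.
SAMPLE_REGISTER = [
    Risk("Anti-virus signatures out of date on endpoints", "Technology", 4, 4, "IT Ops", 6),
    Risk("Phishing email leads to credential theft", "Human", 5, 4, "CISO", 4),
    Risk("Backup restore untested for ERP system", "Process", 2, 5, "IT Ops", 0),
    Risk("Visitor badge process not enforced", "Physical", 3, 2, "Facilities", 2),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.residual_score():2d} {r.treatment():8s} {r.owner:10s} {r.description}")
```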

Practice Question Set 10

  1. A risk register is best used for:
    1. Identification of emerging risks
    2. Identification of risk owners
    3. Review of all IT-related risks on a periodic basis
    4. Recording annualized loss due to an incident

Emerging Risk and the Threat Landscape

CISM aspirants should be able to establish the difference between a threat and a vulnerability. A vulnerability means a weakness in the system. A threat is any element that attempts to exploit the vulnerability. For example, when an anti-virus is not updated, it is considered a vulnerability. A hacker who attempts to exploit this vulnerability is a threat. It is the objective of an internal control to reduce vulnerability. Internal controls cannot directly control threats.

Emerging Threats

An information security manager must be aware of the constantly evolving threat landscape and how it affects their organization. As infrastructures evolve, new risks can emerge in unexpected ways. When a threat is combined with a lack of adequate monitoring, a breach might occur.

Unusual activity on a system, frequent alarms, delayed system or network performance, or new or excessive activity in logs are all signs of emerging threats. Many affected...

Vulnerability and Control Deficiency

Vulnerabilities can arise from multiple sources, such as technological concerns, process lapses, and human weakness. To be effective, a vulnerability assessment must include process, procedural, and physical vulnerabilities in addition to technological flaws.

Audits, security reviews, vulnerability scans, and penetration tests are some methods that are commonly used to find vulnerabilities.

Various types of testing, as well as subject matter expert estimates, can be used to determine the degree of vulnerability. To the extent possible, the overall risk needs to be quantified. This helps management take relevant action.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Source, how risk is defined, and keywords:

  • COSO-ERM: Potential events that may impact the entity (keywords: probability/impact)
  • Oxford Dictionary: The probability of something happening multiplied by the resulting cost or benefit if it does (keywords: probability/cost/benefit)
  • Business Dictionary: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities and that may be avoided through preventive action (keywords: probability/damage)
  • ISO 31000: The effect of uncertainty on objectives...

Security Baselines

A security baseline refers to the minimum security requirement across the organization. The baseline may be different in accordance with asset classification. For highly classified assets, the baseline will be more stringent. For example, for low-classified assets, the baseline can be single-factor authentication. However, it would increase to two-factor authentication for high-classified assets.

Baseline security should form a part of the control objectives. The baseline should be reviewed at regular intervals to ensure that it is aligned with the organization's overall objectives.

Risk Communication

The communication of risk management activities is key to the effective implementation of the risk management strategy. Communication should involve all relevant stakeholders, and communication channels should enable interaction in both directions. That is, management should be able to communicate with end users and end users should be able ...

Summary

In this chapter, you learned about the important aspects of risk management. You explored different risk identification and risk assessment methods. This will help you as a security manager to identify risk in the organization, assess the level of risk, and determine the most appropriate treatment options.

The next chapter will cover the different methods for responding to identified risks.
