You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition
Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Importance of GRC for cybersecurity professionals

As mentioned earlier, the lack of an effective GRC program makes it difficult to collaborate across all teams. An effective GRC program is the prerequisite to an effective cybersecurity program.

With the continuously increasing emphasis on privacy in the form of GDPR, CCPA, HIPAA, LGPD, and other state, national, and international regulations, the cybersecurity and information assurance teams can’t work in silos. Compliance with these laws and regulatory requirements requires commitment and tenacity from all functions of the organization.

The following table shows the importance of implementing an overarching GRC framework for an organization in detail:

Non-GRC                              | Effective GRC
-------------------------------------|--------------------------------------------
Lack of effective oversight          | Effective oversight across all departments
Focus on achieving results only      | Achieving results with integrity and ethics
Organizational and functional silos  | Integrated decision-making
Lack of visibility                   | Shared technology, services, and vocabulary
Disjointed strategy                  | Integrated strategy
Duplication of efforts               | Create-once, use-multiple
High costs                           | Optimized costs
Inefficient efforts                  | Efficient efforts
Lack of integrity                    | Culture of integrity
Wasted information                   | Shared and common knowledge
Fragmented information               | Continuous flow of information

Table 1.1 – Importance of a GRC framework

In the next section, we’ll learn about how we can use ISACA COBIT to implement a GRC program and its relationship with ITIL.

Implementing GRC using COBIT

Now that we have a good understanding of GRC and what it entails, it’s important to understand how to translate this knowledge into practice.

ISACA, the certification body of CRISC, also provides a comprehensive framework called Control Objectives for Information and Related Technology (COBIT) to bridge the gap between governance, technical requirements, business objectives and risks, and control requirements.

The latest version of COBIT (COBIT 2019) guidance from ISACA focuses on providing elaborate guidance on managing risk, optimizing resources, and creating value by streamlining all business objectives.

There are four publications under the COBIT 2019 framework:

  • Introduction and Methodology: This is the fundamental document for implementing the COBIT framework that details governance principles, provides key concepts and examples, and lays out the structure of the overall framework, including the COBIT Core Model.
  • Governance and Management Objectives: This publication contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. These are then defined and matched with the relevant processes, enterprise goals, and governance and management practices.
  • Design Guide: Designing an Information and Technology Governance Solution: This publication provides essential guidance on how to put COBIT to practical use while offering perspectives for designing a tailored governance system for an organization.
  • Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution: This document, combined with the COBIT 2019 Design Guide, provides a practical approach to specific governance requirements.

COBIT Core includes 40 governance and management objectives that have defined purposes that are mapped to specific core processes. These objectives are primarily divided into five categories:

  • Evaluate, Direct, and Monitor (EDM): EDM has five objectives that focus on a few specific governance-related areas. These include alignment of enterprise and IT strategies, optimization of costs and efficiency, and stakeholder sponsorship.
  • Align, Plan, and Organize (APO): APO’s 14 objectives include managing organizational structure and strategy, budgeting and costs, the HR aspect of IT, vendors, service-level agreements (SLAs), risk optimization, and data management.
  • Build, Acquire, and Implement (BAI): The 11 BAI objectives are focused on managing changes to data and assets while ensuring end user availability and capacity needs are met.
  • Deliver, Service, and Support (DSS): DSS contains six objectives and mostly aligns with the IT domains. DSS is focused on managing operations, problems, incidents, continuity, process controls, and security.
  • Monitor, Evaluate, and Assess (MEA): MEA has four objectives related to creating a monitoring function that ensures compliance for APO, BAI, and DSS. These objectives include managing performance and conformance, internal control, external requirements, and assurance. Notably, MEA differs from EDM by concentrating on the monitoring function from an operational standpoint, whereas EDM monitors from a governance (or top-down) approach.

The following figure shows the five domains and 40 COBIT Core processes:

Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)

Important note

Detailed guidance on the COBIT 2019 Introduction and Methodology is available at no cost to members and non-members on the ISACA website: https://www.isaca.org/resources/cobit.

COBIT and ITIL

This section would not be complete without understanding the relationship between COBIT and ITIL.

ITIL is a framework designed to standardize the selection, planning, delivery, and maintenance of IT services within an enterprise. The goal is to improve efficiency and achieve predictable service delivery.

ITIL and COBIT are both governance frameworks but serve different purposes. ITIL primarily aims to fulfil service management objectives, whereas COBIT is globally recognized for both enterprise governance and IT management.

On their own, each framework is extremely successful in offering custom governance while delivering quality service management. When paired together, however, COBIT and ITIL have the potential to dramatically increase value for customers as well as internal and external stakeholders.

The COBIT framework helps identify what IT should be doing to generate the most value for a business, while ITIL prescribes how it should be done to maximize resource utilization within the IT purview. Even though the frameworks are different, they do have multiple touchpoints. For example, in the COBIT BAI domain, process BAI06 Managed IT Changes is equivalent to ITIL Change Management, process BAI10 Managed Configuration is equivalent to ITIL Configuration Management, and so on.

A major differentiation between COBIT and ITIL is that COBIT covers the entire enterprise, ensuring that governance is achieved, stakeholder value is ensured, and holistic approaches to governing and managing IT are accomplished, whereas ITIL is focused entirely on IT service management. COBIT aims to achieve its objectives through policies, processes, people, information, culture and organizational structures, services, and applications, all implemented and integrated under a single overarching framework for ease of integration and customization, whereas ITIL provides prescriptive guidance on implementing these objectives.

In the previous section, we learned about the importance of ISACA COBIT for implementing a GRC program and its relationship with ITIL. In the next section, we will learn about multiple cybersecurity domains and the NIST CSF.
