You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition
Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Organizational Governance, Policies, and Risk Management

This chapter is a detailed version of the topics we briefly touched on in Chapter 1. As we learned in Chapter 1, the purpose of an organization is to create value for the stakeholders, shareholders, and customers. This is achieved by aligning the enterprise’s mission, objectives, and strategy. Similarly, organizational structures and leadership are required to establish objectives that support their mission and satisfy stakeholders and customers. The board of directors establishes the strategy and the enterprise derives its principles from this plan.

Organizational leaders support the enterprise’s objectives and decision-making by evaluating the risk and benefits associated with specific investments. Senior managers identify the capabilities that contribute value to the organization’s strategy.

This is then translated into policies, standards, and procedures, which are essential to putting the objectives...

IT governance and risk

In any organization, governance establishes the requirements for meeting stakeholder needs and delivering value to those stakeholders. The purpose of having a governance structure is to establish accountability for business alignment and for the day-to-day operations of the organization. The purpose of governance of enterprise IT (GEIT) is to leverage technology to support and optimize enterprise needs. GEIT helps organizations address common pain points, such as applicable laws, regulations, and compliance, and stay abreast of the latest technologies and innovations. IT governance empowers organizations and helps establish and monitor accountability for IT activities to ensure that investments in IT are aligned with the business objectives and promote stakeholder value generation.

Important note

An organization can generate value for stakeholders by realizing the benefits of investments, risk optimization, and resource optimization.

Key risk terminologies

...

IT risk management

IT risk management is the practice of understanding the business goals and overall risk strategy, as well as guiding the IT strategy to align with organizational goals and priorities with minimal risk. The IT strategy needs to be supported by the available resources, technical maturity, and available budget.

Like enterprise risk management, IT risk management is a cyclical process that consists of the following steps:

Figure 3.2 – IT risk management life cycle


The following is a brief description of each step of the IT risk management life cycle:

  1. IT risk identification: This is the first step of IT risk management and includes determining the level of risk per the enterprise’s risk appetite and tolerance. It is important to document the risk identification efforts and include the major threats to organization assets, including people, processes, and technologies.
  2. IT risk assessment: This step requires analyzing...

Organizational structure

The success of an organization’s risk management program depends on the sponsorship and support of senior management. Different departments may lead their own risk management programs; to make risk-conscious decisions, senior management needs to combine all the individual programs into an enterprise-wide risk program, often referred to as enterprise risk management (ERM).

The IT risk manager needs to be acquainted with the ERM program and establish roles and responsibilities for all relevant stakeholders. This is often done using a tool called RACI.

RACI

RACI is an effective tool for determining the roles and responsibilities in a project that has several stakeholders with varying priorities. There are four main roles under the RACI method:

Organizational culture

In all my experience so far with several organizations, the only common thing was a huge emphasis on driving a resilient risk culture.

If you take away one lesson from this chapter, let the following be it.

Important note

Nothing impacts an organization’s behavior toward risk management more than its culture and nothing impacts an organization’s culture more than senior management.

An organization’s culture toward risk management can be divided into five parts:

  • Vulnerable: Neither senior management nor employees care about the organization’s risk, and the response always comes after the risk has materialized.

For example, the IT admin only updates the antivirus after the infection has happened.

  • Reactive: The response is based on the complaints of the employees or when required for compliance with contractual or non-contractual obligations.

For example, the organization is undergoing an external...

Policy documentation

For the sake of simplicity, policies, standards, procedures, and guidelines are collectively referred to as policy documentation:

  • Policies: Policies are high-level statements of management intent from an organization’s executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes.

Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements.

Important note

Policies are a business decision, not a technical one. Technology determines how policies are implemented.

  • Standards: Standards are mandatory requirements concerning processes, actions, and configurations that are designed to satisfy control objectives.

Standards are intended to be granular and prescriptive to establish minimum security requirements that ensure systems, applications, and processes are designed and operated to include appropriate...

Organizational asset

There is a saying in information security – you can’t protect what you don’t know exists. The entire purpose of risk management is to protect assets.

Assets are anything that provides value to the organization. These can be either tangible such as equipment, physical media, laptops, and so on, or intangible such as data, knowledge, reputation, people, and more.

Here is the list of the major assets of any organization:

  • People: For any organization, its people are the greatest asset. Organizations are vulnerable to the loss of a key employee who may be the only person with the expertise and know-how in a specific area. Failure to identify key resources and to cross-train effectively could, in the absence of a key employee, lead to an ineffective transition or loss of business.
  • Technology: Using outdated systems and technology could lead an organization into a precarious situation where they are vulnerable to malware infections...

Summary

At the beginning of this chapter, we learned about the relationship between IT governance and risk. We learned about the IT strategy and how the IT risk strategy acts as a supporting mechanism for achieving business objectives. We then learned about the relationship between threats, vulnerabilities, assets, and risks, and about the IT risk management life cycle. Then, we learned about the importance of organizational structure, setting the tone for risk management from the top, and how this relates to the organizational culture. Finally, we learned about policy documentation and the importance of asset classification and labeling for implementing appropriate controls per the asset valuation.

In the next chapter, we will look at the importance of the three lines of defense in cybersecurity and why they are required to establish accountability and avoid conflicts of interest.

Review questions

  1. Which of the following is the first step in IT risk management?
    A. IT risk assessment
    B. Risk response and mitigation
    C. IT risk identification
    D. Risk reporting
  2. Oversight and direction are the responsibility of who?
    A. Management
    B. Senior staff
    C. IT risk manager
    D. Board of directors
  3. The high-level intent of an organization’s security practices is best established by which of the following?
    A. Procedures
    B. Policies
    C. Guidelines
    D. Processes
  4. Which of the following groups should be reached out to for expert guidance on the working group?
    A. Responsible
    B. Accountable
    C. Consulted
    D. Informed
  5. An IT risk manager recently joined an organization that had quite a few security incidents in the past. Which of the following should be the primary focus of the IT risk manager in the first few months of their tenure to reduce similar incidents in the future?
    A. Cite individuals who caused the incidents
    B. Understand the organization’s culture toward risk
    C. Draft the strategy for IT risk management
    D. Complete all the...

Answers

  1. C. IT risk identification is the first step of IT risk management. You cannot protect what you do not know exists.
  2. D. Oversight and direction are the responsibility of the board of directors. The rest of the options are important for risk management, but they do not provide the required oversight.
  3. B. Policies are the high-level intent of organizations for security practices.
  4. C. Consulted working groups are the subject matter experts for guidance on initiatives in their domain of expertise.
  5. B. The risk manager needs to understand the culture of the organization in the first place before drafting the strategy for risk management. Option A depends on the severity of the incident, while D is important but will not be the primary focus for reducing future incidents.

Role: Responsible
Description: The individual or team responsible for performing...