Certified in Risk and Information Systems Control (CRISC)
ISACA’s Certified in Risk and Information Systems Control (CRISC) certification is ideal for IT/IS audit, risk and security professionals.
It promotes skills and knowledge in using governance best practices and continuous risk monitoring and reporting, enhances business resilience and stakeholder value, and gives increased credibility with peers, stakeholders and regulators.
CRISC validates your experience in building a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks.
CRISC Domains:
• Domain 1—Governance (26%)
• Domain 2—IT Risk Assessment (20%)
• Domain 3—Risk Response and Reporting (32%)
• Domain 4—Information Technology and Security (22%)
Organizational Governance
• At its core, governance is the ability to meet stakeholder needs by providing value.
• This is achieved through the proper balancing of both performance and conformance requirements defined by the enterprise, and is only accomplished by ensuring that a proper risk-management capability is in place.
• Having a well-defined risk-management program ensures that enterprises are able to identify, analyse, evaluate, assess and respond to those threats that pose the greatest risk. This allows enterprises to prioritize their limited resources, realize benefits and ultimately deliver value to stakeholders.
• Effective risk management bridges the requirements for performance and conformance and establishes sound governance principles and practices.
Organizational Processes
Change Control/Management
• The goal of change management is to ensure that any change does not lead to reduced or compromised
security. Change management is also responsible for making it possible to roll back any change to a
previous secured state.
• Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that
can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically
manage change.
Data Classification
• Data classification, or categorization, is the primary means by which data is protected based on its need for
secrecy, sensitivity, or confidentiality.
• Declassification is required once an asset no longer warrants or needs the protection of its currently
assigned classification or sensitivity level.
• Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
• Commercial Business: Confidential, Private, Sensitive, Public
Security Governance Principles
• Security governance is the set of responsibilities and practices exercised by executive management with
the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are
managed appropriately, and verifying that the enterprise’s resources are used responsibly.
• Security governance bridges your business priorities with technical implementation like architecture,
standards, and policy. Governance teams provide oversight and monitoring to sustain and improve security
posture over time. These teams also report compliance as required by regulating bodies.
• Some aspects of governance are imposed on organizations due to legislative and regulatory compliance
needs, whereas others are imposed by industry guidelines or license requirements.
• All forms of governance, including security governance, must be assessed and verified from time to time.
• Security governance directly oversees and gets involved in all levels of security and is commonly managed
by a governance committee or at least a board of directors (Top Down approach).
• Security is not and should not be treated as an IT issue only (Bottom up approach). Instead, security affects
every aspect of an organization. It is no longer just something the IT staff can handle on their own.
• Frameworks: NIST 800-53 or 800-100.
Security Governance Principles
• The information security (InfoSec) team should be led by a designated chief information security officer (CISO) who must report directly to senior management. In some organisations the title chief security officer (CSO) or information security officer (ISO) is used as an alternative to CISO.
• Note: The best security plan is useless without one key factor: approval by senior management. Without
senior management’s approval of and commitment to the security policy, the policy will not succeed.
• Developing and implementing a security policy is evidence of due care and due diligence on the part of
senior management.
• If a company does not practice due care and due diligence, managers can be held liable for negligence and
held accountable for both asset and financial losses.
• Strategic Plan vs Tactical Plan vs Operational Plan:
• A strategic plan is a long-term plan and defines the organization’s security purpose.
• A tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan.
• An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans.
• Security is a continuous process. Thus, the activity of security management planning may have a definitive
initiation point, but its tasks and work are never fully accomplished or complete.
Policy, Procedures, Standards and Baselines
• A security policy is a document that defines the scope of security needed by the organization and
discusses the assets that require protection and the extent to which security solutions should go to provide
the necessary protection.
• Policies are high-level management directives and are mandatory.
• A policy is a strategic plan for implementing security.
• The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels, and is used as proof that senior management has exercised due care in protecting the organization against intrusion, attack, and disaster.
• Examples: organizational security policy, issue-specific security policy, system-specific security policy,
regulatory, advisory, and informative policy.
• A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like
policies, procedures are mandatory.
• Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies. Standards are mandatory.
• A baseline defines a minimum level of security that every system throughout the organization must meet. Baselines are mandatory.
• A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
Organizational Roles and Responsibilities
• Senior Manager: The organizational owner (senior manager) role is assigned to the person who is
ultimately responsible for the security maintained by an organization and who should be most concerned
about the protection of its assets.
• Security Professional: The security professional, information security (InfoSec) officer, or computer incident
response team (CIRT) role is assigned to a trained and experienced network, systems, and security
engineer who is responsible for following the directives mandated by senior management.
• Data Owner: The data owner role is assigned to the person who is responsible for classifying information
for placement and protection within the security solution.
• Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of
implementing the prescribed protection defined by the security policy and senior management.
• Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly
implemented and the derived security solutions are adequate.
• User: The user (end user or operator) role is assigned to any person who has access to the secured
system.
Business Process Review
• The purpose of a business process review is to evaluate the effectiveness and efficiency of a process in achieving its objective.
• A business process review is carried out for the following objectives:
• To identify the issues with the current process
• To gather information for improvement of the process
• To review and monitor the progress of the project and its milestones
• Business process owners are best placed to provide feedback about the effectiveness of an IT system.
• Process owners are well versed in the system’s functionality and its linkage to business objectives.
• A risk assessment will be effective only if the assessor is aware of the business objectives, business processes and business environment.
Business Case
• A business case is a justification for a proposed project. The business case is prepared to justify the effort
and investment in a proposed project.
• The business case is a key element in decision-making for any project.
• Development of the business case is the responsibility of the project sponsor.
• Statement of Work
• A statement of work is a contractual document that defines the ownership, liabilities, responsibilities
and work agreements between two parties, usually clients and service providers.
Organizational Assets
• Assets include tangible as well as intangible assets, such as the reputation of the organization.
• The prime objective of risk management activities is to safeguard the organizational assets.
• Examples of assets: people, technology, data, intellectual property, business processes.
Asset Valuation
• The risk practitioner should determine the criticality of each asset so that priority may be given to protecting the critical assets first, addressing other assets as required.
• The following are some factors for calculating asset value:
• Reputational loss and other penalties for legal noncompliance
• Impact on associated third parties, business partners
• Impact on business continuity
• Monetary loss
• Breach of contracts
• Loss of competitive advantage
• Legal costs
Enterprise Risk Management & Risk Management Framework
• Enterprise risk management (ERM) is the set of practices, methods, and processes adopted by organizations to manage and monitor risks.
• Adoption of ERM ensures that risk management processes are standardized, structured and consistent across the organization.
• A consistent risk management approach facilitates the comparison of risk management results amongst different departments.
• The risk practitioner should ensure that the ERM framework is flexible enough to suit the requirements of local culture, priorities, regulations and goals.
• For the success of ERM, support from senior management is the most important factor. It is difficult to implement risk management activities in business processes unless there is a mandate from senior management.
Three lines of Defence
• First line should actively manage the risk (i.e., business process owners)
• Second line should guide, direct, influence and assess risk management processes (i.e., risk management
dept., compliance dept.)
• Third line should have independent oversight, review and monitoring (i.e., audit)
• First Line of Defence – Operational Management
• The first line of defence consists of the process owners who perform daily operational activities.
• They are required to:
• Have thorough understanding of risk environment within business units
• Ensure appropriate controls are implemented within their business units
• Conduct review of control environment and ensure control deficiencies are addressed
• Ensure compliance with risk management policies and procedures
• Monitor control effectiveness on ongoing basis
• Business process owners are considered the risk owners. They are responsible for keeping risk within the risk appetite.
• Second Line of Defence – Risk & Compliance Functions
• The risk management, compliance and ethics functions are considered the second line of defence.
• They are expected to:
• Develop the organization-wide risk management framework, policies, standards and procedures
• Monitor and oversee the risk management procedures across the organization
• Ensure that business process owners adhere to risk management policies, standards and procedures
• Determine the current risk profile of the organization and report risk management status to senior management
• Third Line of Defence – Audit
• Audit is considered the third line of defence. Audit is an independent function reporting directly to the board of directors / senior management.
• The role of the audit function is to:
• Assess the conformance of the risk management program with risk management policies, standards and procedures
• Evaluate the effectiveness of the first and second lines of defence
• Provide all attestation and assurance related functions
• A structured three lines model helps to define roles and responsibilities for risk management activities.
• For an effective and efficient risk management process, it is most important that all three lines have common goals, objectives and planning. If each line plans independently, the risk management process may not provide the expected results.
Risk Profile
• The risk profile provides the overall risk status that the organization is exposed to.
• The risk profile is to be kept updated with new and emerging risks so as to ascertain the organization’s current risk status.
• Management can take risk-aware business decisions only if they are aware of the risk profile of the organization.
• Risk practitioners should ensure that the risk profile of the organization is evaluated at periodic intervals to determine changes to the risk profile. The primary reason to determine changes in the risk profile is to evaluate whether an additional response is required to reduce the risk.
• The risk profile may change on account of the following factors:
• Implementation of new technologies
• Changes in business processes
• Changes in regulatory requirements
• Changes in market demand and customer requirements
• Changes in competitors’ policies
• Changes in the organization’s risk profile are to be recorded in the risk register. The risk register should be able to provide the status of the organization’s current risk profile.
Risk Capacity, Appetite and Tolerance
• Risk Capacity: The maximum risk an organization can afford to take.
• Risk Appetite: The amount of risk an organization is willing to take.
• Risk Tolerance: The acceptable deviation from the risk appetite. Tolerance is lower than risk capacity.
Example:
• Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being
risk conscious, he decides to invest only up to $700. If the markets are good he is
willing to further invest $50.
• Risk Capacity: Total amount available, i.e. $1000
• Risk Appetite: His willingness to take risk, i.e. $700
• Risk Tolerance: Acceptable deviation from risk appetite, i.e. $750
Note:
• Risk capacity is always greater than tolerance and appetite.
• Tolerance can be either equal to or greater than appetite.
Risk acceptance should generally be within the risk appetite of the organization. In no case should it exceed risk capacity.
It is important that risk appetite and tolerance are defined and approved by senior management.
• Risk appetite should be aligned with business objectives to ensure that resources are directed towards
areas of low risk tolerance.
• For critical business processes, risk appetite should be thoroughly monitored and controlled. This helps a risk practitioner build more controls for the areas or processes where risk appetite and risk tolerance are low.
• Risk practitioners can determine compliance with the risk appetite by evaluating the residual risk, i.e. residual risk should be within the risk appetite (acceptable risk).
• Organizations adopt their risk appetite on the basis of their culture and predisposition towards risk taking.
• Risk-prone organizations may have high levels of risk appetite, whereas risk-averse organizations may have low levels of risk appetite.
• Benefits of defining risk appetite and tolerance:
• It provides evidence of the risk-based decision-making processes.
• It helps to understand how each component of the enterprise contributes to the overall risk profile.
• It helps in prioritization and approval of risk response.
• It helps in identifying specific areas where a risk response is warranted.
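The capacity, appetite and tolerance rules above can be turned into a simple check that a risk practitioner runs over residual-risk entries in a risk register. The code below is an added example, not part of the original slides: it encodes the ordering rules (capacity greater than tolerance, tolerance at or above appetite), classifies each residual risk value against the three thresholds, and flags the entries where an additional response is required. Mr. A’s figures ($1000 / $700 / $750) are taken from the slides; the register entries and their dollar values are constructed for illustration.

```python
"""Residual-risk checks against risk capacity, appetite and tolerance."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class RiskStatus(Enum):
    WITHIN_APPETITE = "within appetite (acceptable risk)"
    WITHIN_TOLERANCE = "above appetite but within tolerance"
    EXCEEDS_TOLERANCE = "exceeds tolerance: additional response required"
    EXCEEDS_CAPACITY = "exceeds capacity: must never be accepted"


@dataclass(frozen=True)
class RiskThresholds:
    """Thresholds in the same unit as the residual risk values (dollars here).

    Rules from the slides: capacity is always greater than tolerance and
    appetite, and tolerance is equal to or greater than appetite.
    """

    capacity: float
    appetite: float
    tolerance: float

    def __post_init__(self) -> None:
        if min(self.capacity, self.appetite, self.tolerance) < 0:
            raise ValueError("thresholds must be non-negative")
        if self.tolerance < self.appetite:
            raise ValueError("tolerance must be equal to or greater than appetite")
        if self.capacity <= self.tolerance:
            raise ValueError("capacity must be greater than tolerance")

    def classify(self, residual_risk: float) -> RiskStatus:
        """Place one residual risk value relative to the three thresholds."""
        if residual_risk <= self.appetite:
            return RiskStatus.WITHIN_APPETITE
        if residual_risk <= self.tolerance:
            return RiskStatus.WITHIN_TOLERANCE
        if residual_risk <= self.capacity:
            return RiskStatus.EXCEEDS_TOLERANCE
        return RiskStatus.EXCEEDS_CAPACITY


def review_register(thresholds: RiskThresholds,
                    register: dict[str, float]) -> dict[str, RiskStatus]:
    """Classify every residual risk entry in a (name -> value) register."""
    return {name: thresholds.classify(value) for name, value in register.items()}


def needs_response(statuses: dict[str, RiskStatus]) -> list[str]:
    """Entries whose residual risk is outside tolerance and so need a response."""
    return [name for name, status in statuses.items()
            if status in (RiskStatus.EXCEEDS_TOLERANCE, RiskStatus.EXCEEDS_CAPACITY)]


# Mr. A's figures from the slides.
MR_A = RiskThresholds(capacity=1000, appetite=700, tolerance=750)

# Constructed sample register (hypothetical entries, residual exposure in dollars).
SAMPLE_REGISTER = {
    "equities-core": 650.0,
    "equities-topup": 740.0,
    "leveraged-fund": 900.0,
    "margin-loan": 1200.0,
}

if __name__ == "__main__":
    statuses = review_register(MR_A, SAMPLE_REGISTER)
    for name, status in statuses.items():
        print(f"{name:16s} {SAMPLE_REGISTER[name]:>8.2f}  {status.value}")
    print("needs response:", needs_response(statuses))
```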
Legal, Regulatory and Contractual Requirements
• In the field of IT, the most common objectives of laws and regulations include the safeguarding of privacy and the
confidentiality of personal data, the protection of intellectual property rights, and the integrity of financial
information.
• Adherence to laws and regulations is one of the most important external requirements for an organization. Controls should be implemented and monitored at periodic intervals to ensure that the organization is complying with legal and regulatory requirements.
• Privacy laws could prevent the flow of information across borders.
• The most effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives is a compliance-oriented gap analysis.
Professional Ethics for Risk Management
• Professional ethics directly impact risk. Organizations with poor ethical standards are more susceptible to fraud or other major risks.
• An organization should have its own ethics policy, applicable to employees at all levels.
• When ethical behavior is promoted by employees, a risk-aware culture spreads within the organization. This promotes a risk-based approach to decision-making and enhances overall risk management.
• Periodic training should be conducted to spread awareness about ethical behavior.
• Periodic awareness sessions on ethical behavior help employees gain a clear idea of what is expected of them. Training should also include an evaluation to measure employees’ understanding of these concepts.

More Related Content

Similar to crisc_wk_2a.pptx

Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
Anne Starr
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
yaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Yaser Alrefai
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
sdfghj21
 
L13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxL13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptx
StevenTharp2
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
AbuHanifah59
 
There are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database managThere are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database manag
GrazynaBroyles24
 

Similar to crisc_wk_2a.pptx (20)

Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
it grc
it grc it grc
it grc
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Isms
IsmsIsms
Isms
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
insider threat research
insider threat researchinsider threat research
insider threat research
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Compliance
ComplianceCompliance
Compliance
 
L13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptxL13 SDLC and Risk Management.pptx
L13 SDLC and Risk Management.pptx
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 
Internal controls
Internal controlsInternal controls
Internal controls
 
There are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database managThere are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database manag
 
Security-Brochure
Security-BrochureSecurity-Brochure
Security-Brochure
 

More from dotco (12)

Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdf
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
crisc_wk_6.pptx
crisc_wk_6.pptxcrisc_wk_6.pptx
crisc_wk_6.pptx
 
crisc_wk_4.pptx
crisc_wk_4.pptxcrisc_wk_4.pptx
crisc_wk_4.pptx
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdf
 
CISM_WK_3.pptx
CISM_WK_3.pptxCISM_WK_3.pptx
CISM_WK_3.pptx
 
CISA_WK_2.pptx
CISA_WK_2.pptxCISA_WK_2.pptx
CISA_WK_2.pptx
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
 
CISA_WK_3.pptx
CISA_WK_3.pptxCISA_WK_3.pptx
CISA_WK_3.pptx
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptx
 

Recently uploaded

Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Krashi Coaching
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
SoniaTolstoy
 

Recently uploaded (20)

Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 

crisc_wk_2a.pptx

  • 1. Certified in Risk and Information Systems Control (CRISC) ISACA’s Certified in Risk and Information Systems Control (CRISC) certification is ideal for IT/IS audit, risk and security professionals. Promotes skills and knowledge in using governance best practices and continuous risk monitoring and reporting. enhance business resilience and stakeholder value and gain increased credibility with peers, stakeholders and regulators. CRISC validates your experience in building a well-defined, agile risk- management program, based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks. CRISC Domains:  Domain 1—Governance - (26%)  Domain 2—IT Risk Assessment- (20%)  Domain 3—Risk Response and Reporting - (32%)  Domain 4—Information Technology and Security - (22%)
  • 2. Organizational Governance • At its core, governance is the ability to meet stakeholder needs by providing value. • This is achieved through the proper balancing of both performance and conformance requirements defined by the enterprise and only accomplished by ensuring that a proper risk-management capability is in place. • Having a well-defined risk- management program ensures that enterprises are able to identify, analyse, evaluate, assess and respond to those threats that pose the greatest risk . This allows enterprises to prioritize their limited resources, realize benefits and ultimately deliver value to stakeholders. • Effective risk management bridges the requirements for performance and conformance and establishes sound governance principles and practices.
  • 3. Organizational Processes Change Control/Management • The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. • Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Data Classification • Data classification, or categorization, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. • Declassification is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level. • Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified • Commercial Business: Confidential, Private, Sensitive, Public
  • 4. Security Governance Principles • Security governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. • Security governance bridges your business priorities with technical implementation like architecture, standards, and policy. Governance teams provide oversight and monitoring to sustain and improve security posture over time. These teams also report compliance as required by regulating bodies. • Some aspects of governance are imposed on organizations due to legislative and regulatory compliance needs, whereas others are imposed by industry guidelines or license requirements. • All forms of governance, including security governance, must be assessed and verified from time to time. • Security governance directly oversees and gets involved in all levels of security and is commonly managed by a governance committee or at least a board of directors (Top Down approach). • Security is not and should not be treated as an IT issue only (Bottom up approach). Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. • Frameworks: NIST 800-53 or 800-100.
Security Governance Principles
• The information security (InfoSec) team should be led by a designated chief information security officer (CISO) who must report directly to senior management. In some organisations the title chief security officer (CSO) or information security officer (ISO) is used as an alternative to CISO.
• Note: The best security plan is useless without one key factor: approval by senior management. Without senior management’s approval of and commitment to the security policy, the policy will not succeed.
• Developing and implementing a security policy is evidence of due care and due diligence on the part of senior management.
• If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for both asset and financial losses.
• Strategic Plan vs Tactical Plan vs Operational Plan:
  • A strategic plan is a long-term plan and defines the organization’s security purpose.
  • A tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan.
  • An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans.
• Security is a continuous process. Thus, the activity of security management planning may have a definitive initiation point, but its tasks and work are never fully accomplished or complete.
Policy, Procedures, Standards and Baselines
• A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
• Policies are high-level management directives and are mandatory.
• A policy is a strategic plan for implementing security.
• The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels. It is also used as proof that senior management has exercised due care in protecting the organization against intrusion, attack, and disaster.
• Examples: organizational security policy, issue-specific security policy, system-specific security policy, regulatory, advisory, and informative policy.
• A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory.
• Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies. Mandatory.
• A baseline defines a minimum level of security that every system throughout the organization must meet. Mandatory.
• A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
Organizational Roles and Responsibilities
• Senior Manager: The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets.
• Security Professional: The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.
• Data Owner: The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution.
• Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
• Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
• User: The user (end user or operator) role is assigned to any person who has access to the secured system.
Business Process Review
• The purpose of a business process review is to assess the effectiveness and efficiency of processes in achieving their objectives.
• A business process review is carried out for the following objectives:
  • To identify the issues with the current process
  • To gather information for improvement of the process
  • To review and monitor the progress of the project and its milestones
• Business process owners are best placed to provide feedback about the effectiveness of the IT system.
• Process owners are well versed in the system functionalities and their linkage to business objectives.
• Risk assessment will be effective only if the assessor is aware of the business objectives, business processes and business environment.
Business Case
• A business case is a justification for a proposed project. The business case is prepared to justify the effort and investment in a proposed project.
• The business case is a key element in decision-making for any project.
• Development of the business case is the responsibility of the project sponsor.
Statement of Work
• A statement of work is a contractual document that defines the ownership, liabilities, responsibilities and work agreements between two parties, usually clients and service providers.
Organizational Assets
• Assets include tangible as well as non-tangible assets such as the reputation of the organization.
• The prime objective of risk management activities is to safeguard the organizational assets.
• Asset types: People, Technology, Data, Intellectual Property, Business process
Asset Valuation
• The risk practitioner should determine the criticality of each asset so that priority may be given to protecting the critical assets first and addressing other assets as required.
• The following are some factors for calculating asset value:
  • Reputational loss and other penalties for legal noncompliance
  • Impact on associated third parties, business partners
  • Impact on business continuity
  • Monetary loss
  • Breach of contracts
  • Loss of competitive advantage
  • Legal costs
Enterprise Risk Management & Risk Management Framework
• Enterprise risk management (ERM) is the set of practices, methods, and processes adopted by organizations to manage and monitor risks.
• Adoption of ERM ensures that risk management processes are standardized, structured and consistent across the organization.
• A consistent risk management approach facilitates the comparison of risk management results amongst different departments.
• The risk practitioner should ensure that the ERM framework is flexible enough to suit the requirements of local culture, priorities, regulations and goals.
• For the success of an ERM, support from senior management is the most important factor. It is difficult to implement risk management activities in business processes unless there is a mandate from senior management.
Three lines of Defence
• First line should actively manage the risk (i.e., business process owners)
• Second line should guide, direct, influence and assess risk management processes (i.e., risk management dept., compliance dept.)
• Third line should have independent oversight, review and monitoring (i.e., audit)
First Line of Defence – Operational Management
• The first line of defence consists of the process owners that perform daily operational activities.
• They are required to:
  • Have a thorough understanding of the risk environment within their business units
  • Ensure appropriate controls are implemented within their business units
  • Conduct reviews of the control environment and ensure control deficiencies are addressed
  • Ensure compliance with risk management policies and procedures
  • Monitor control effectiveness on an ongoing basis
• Business process owners are considered the risk owners. They are responsible for keeping the risk within the risk appetite.
Three lines of Defence
Second Line of Defence – Risk & Compliance Functions
• Risk management, compliance and ethics functions are considered the second line of defence.
• They are expected to:
  • Develop the organization-wide risk management framework, policies, standards and procedures
  • Monitor and oversee the risk management procedures across the organization
  • Ensure that business process owners adhere to risk management policies, standards and procedures
  • Determine the current risk profile of the organization and provide risk management status to senior management
Three lines of Defence
Third Line of Defence – Audit
• Audit is considered the third line of defence. Audit is an independent function reporting directly to the board of directors / senior management.
• The role of an audit function is to:
  • Assess the conformance of the risk management program with risk management policies, standards and procedures
  • Evaluate the effectiveness of the first and second lines of defence
  • Provide all attestation and assurance related functions
• A structured three lines model helps to have defined roles and responsibilities for risk management activities.
• For an effective and efficient risk management process, it is most important that all three lines have common goals, objectives and planning. If each line plans independently, the risk management process may not provide the expected results.
Risk Profile
• The risk profile provides the overall risk status that the organization is exposed to.
• The risk profile is to be kept updated with new and emerging risk so as to ascertain the organization’s current risk status.
• Management can take risk-aware business decisions only if they are aware of the risk profile of the organization.
• Risk practitioners should ensure that the risk profile of the organization is evaluated at periodic intervals to determine changes to the risk profile. The primary reason to determine changes in the risk profile is to evaluate whether additional response is required to reduce the risk.
• The risk profile may change on account of the following factors:
  • Implementation of new technologies
  • Changes in business processes
  • Changes in regulatory requirements
  • Changes in market demand and customer requirements
  • Changes in competitors’ policies
• Changes in the organization’s risk profile are to be updated in the risk register. Risk registers should be able to provide the status of the organization’s current risk profile.
Risk Capacity, Appetite and Tolerance
• Risk Capacity: Maximum risk an organization can afford to take.
• Risk Appetite: Amount of risk an organization is willing to take.
• Risk Tolerance: Acceptable deviations from risk appetite; lower than risk capacity.
Example:
• Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700. If the markets are good he is willing to further invest $50.
  • Risk Capacity: Total amount available i.e. $1000
  • Risk Appetite: His willingness to take risk i.e. $700
  • Risk Tolerance: Acceptable deviation from risk appetite i.e. $750
Note:
• Risk Capacity is always greater than tolerance and appetite.
• Tolerance can be either equal to or greater than appetite.
• Risk acceptance generally should be within the risk appetite of the organization. In no case should it exceed risk capacity.
• It is important that risk appetite and tolerance are defined and approved by senior management.
Risk Capacity, Appetite and Tolerance
• Risk appetite should be aligned with business objectives to ensure that resources are directed towards areas of low risk tolerance.
• For critical business processes, risk appetite should be thoroughly monitored and controlled. This will help a risk practitioner to build more controls for the areas or processes where risk appetite and risk tolerance are low.
• Risk practitioners can determine compliance with the risk appetite by evaluating the residual risk, i.e., residual risk should be within the risk appetite (i.e., acceptable risk).
• Organizations adopt their risk appetite on the basis of their culture and predisposition towards risk taking.
• Risk-prone organizations may have high levels of risk appetite whereas risk-averse organizations may have low levels of risk appetite.
Benefits
• It provides evidence of the risk-based decision-making processes.
• It helps to understand how each component of the enterprise contributes to the overall risk profile.
• It helps in prioritization and approval of risk response.
• It helps in identifying specific areas where a risk response is warranted.
Legal, Regulatory and Contractual Requirements
• In the field of IT, the most common objectives of laws and regulations include the safeguarding of privacy and the confidentiality of personal data, the protection of intellectual property rights, and the integrity of financial information.
• Adherence to laws and regulations is one of the most important external requirements for an organization. Controls should be implemented and monitored at periodic intervals to ensure that the organization is complying with legal and regulatory requirements.
• Privacy laws could prevent the flow of information across borders.
• The most effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives is a compliance-oriented gap analysis.
Professional Ethics for Risk Management
• Professional ethics directly impact risk. Organizations with poor ethical standards are more susceptible to fraud or other major risks.
• An organization should have its own ethics policy, and it should be applicable to all levels of employees.
• When ethical behavior is promoted by the employees, a risk-aware culture spreads within the organization. This promotes a risk-based approach to decision-making and enhances overall risk management.
• Periodic training should be conducted to spread awareness about ethical behavior.
• Periodic awareness sessions on ethical behavior will help employees to have a clear idea of what is expected of them in terms of ethical behavior. Training should also include evaluation to measure employees’ understanding of these concepts.