Certified in Risk and Information Systems Control™ (CRISC™) is the most current and rigorous assessment presently available to evaluate the risk management proficiency of IT professionals and other employees within an enterprise or financial institution.
CRISC helps enterprises understand business risk and gives professionals the technical knowledge to implement appropriate IS controls.
This CRISC Certification training course, accredited by ISACA, is ideal for IT professionals, risk professionals, control professionals, business analysts, project managers, compliance professionals and more.
To know more about CRISC Certification training worldwide, please contact us at:
Email: support@invensislearning.com
Phone: US +1-910-726-3695
Website: https://www.invensislearning.com
CRISC Course Preview
CRISC® is a registered trademark of ISACA
CRISC® Training
Course Name: CRISC® Training
Version: INVL_CRISC_CW_01_1.0
Course ID: ITSG - 156
About Invensis Learning
Invensis Learning is a leading certification training provider for individuals and enterprises globally. Our expertise in providing globally-recognized IT & Technical certification courses has enabled us to be one of the trusted certification training partners for many Fortune 500 organizations and Government institutions worldwide. Invensis Learning has trained and certified thousands of professionals across a wide range of categories such as IT Service Management, Project Management, Quality Management, IT Security and Governance, Cloud Computing, DevOps, Agile Project Management, and Digital Courses. Invensis Learning’s certification training programs adhere to global standards such as PMI, TUV SUD, AXELOS, ISACA, DevOps Institute, EXIN, and PEOPLECERT.
What We Offer
We offer globally-recognized training and certifications in categories such as Project Management, ITSM, Agile, Quality Management, Technology Training, Program Management and IT Security & Governance.
ITSM
• ITIL Foundation, ITIL SD, ITIL SS, ITIL ST, ITIL SO, ITIL CSI, ITIL RCV, ITIL OSA, ITIL SOA, ITIL PPO, ITIL MALC, ISO 20000
Project Management
• PMP, CAPM, PRINCE2, PgMP, PMI-RMP, P3O, MSP, Microsoft Project, Microsoft Project Server, IT Project Management, Project Management Overview, Project Initiation, Earned Value Management, Project Risk Management, Project Sponsorship, Team Development
• Project Rescue, Project Scope Management, Project Time Management, Project Communications and Management, Project Cost Management, Project Procurement Management, Project Leadership, Change Management, Implementing a Project Management, Managing Conflict in the Workplace, Negotiating in a Project Environment, Presentation Skills for Project Personnel, Project Estimating Techniques, Managing Multiple Projects
Quality Management
• Six Sigma Yellow Belt Training, Six Sigma Green Belt Training, Six Sigma Black Belt Training, Lean Six Sigma Green Belt Training, Lean Six Sigma Black Belt Training, Introduction to Lean Training, Lean Fundamentals Program, Lean Management Training, Lean Manufacturing Training, Lean Processes and Tools, Lean Six Sigma in Information, Lean Six Sigma in Healthcare, DFSS Yellow Belt Training, DFSS Green Belt Training, DFSS Black Belt Training, MINITAB Training
Technology Training
• Cloud Computing, Big Data, Hadoop, .Net Technologies, Data Warehousing, CISSP, VC++, MCF, Advanced WCF, Advanced JAVA, Advanced J2EE
Agile & Scrum
• PMI-ACP, Scrum Training, DevOps Foundation
IT Security & Governance
• COBIT5 Foundation, COBIT5 Implementation, COBIT5 Assessor, ISO/IEC 27001 Foundation, CRISC, CGEIT
Table of Contents
Chapter 1: Risk Management – Introduction
Chapter 2: Risk Identification
Chapter 3: Risk Assessment
Chapter 4: Risk Response and Mitigation
Chapter 5: Risk and Control Monitoring and Reporting
Chapter 1: Risk Management - Introduction
What is Risk?
“An unforeseen event that may cause negative impact (or positive sometimes) on the outcome of a project or daily operations that eventually affects the ability to meet business objectives”
Types of Risks
• Enterprise (Business) Risk, e.g. Strategy, Compliance, Market Risk etc.
• IT Risk, e.g. Operations, Information Security, Project/Program risks etc.
Note: IT Risk is a subset of Enterprise Risk
When a risk materializes, it almost invariably affects IT value delivery to the business.
Risk Governance ensures Risk Management practices are followed consistently across the enterprise to maximize the value delivered to the business.
Note: From here on, in this manual, the term Risk refers to IT Risk unless specifically stated otherwise
IT Risk Management Life Cycle
Diagram: the four phases form a cycle
• IT Risk Identification
• IT Risk Assessment
• IT Risk Response and Mitigation
• IT Risk and Control Monitoring and Reporting
What is Control?
It’s a systemic (technical), procedural (process), administrative (policy) or physical entity that is used either to eliminate a risk or to reduce the impact of a risk event (if it occurs)
Examples: Anti-virus (AV) Software, Cyber Risk Insurance
Risk and Control Monitoring
• Monitoring of the Controls used is essential to ensure the effectiveness of risk control
• Similarly, monitoring of identified risks and new risks is equally essential
Examples: Monitoring Anti-Virus signature updates on all systems, viruses detected & reported by AV, network traffic monitoring to detect anomalies
Risk Response Types
• Eliminate/Avoid
  • Risks that threaten the survival of an organization must be eliminated
  • Example: A business model that uses Robotics extensively for operations, where the local government passes legislation to protect the interests of industrial labour (thereby challenging the business model)
• Mitigate/Reduce
  • Risks that threaten the realization of benefits to the business
  • Example: IT disruption (i.e. data centre outage) causing business downtime
• Transfer
  • Risks that can be transferred to a third party
  • Example: Cyber Risk Insurance
• Accept
  • Risks that are least probable to occur and where the cost of mitigation far outweighs the benefits
  • Example: A Data Centre (DC) location prone to hurricanes. Relocation or building a secondary DC would be more expensive. Relocating data backups to an offsite location is a good risk mitigation strategy, but beyond that you accept the risk (of downtime).
Risk Governance
Diagram (only its labels survive extraction): Enterprise Risk Management (ERM); Business Risk Management; IT Risk Management; business units (Unit 1, Unit 2, Unit 3, ...); Risk Register; Board of Directors; and the activities Risk Identification, Risk Assessment, Risk Response and Mitigation, Risk Monitoring and Risk Reporting.
Risk Management Frameworks & Methodologies
• ISO/IEC 27005:2018 (Information Security Risk Management)
• NIST SP 800-30
• Factor Analysis of Information Risk (FAIR)
• Risk IT Framework from ISACA
• ISO 31000:2018
• COBIT® for Risk
• COSO
Knowledge Test
1. Cite a few examples of Risks related to Information Technology.
2. When is it advisable to accept a Risk?
3. The Risk Management process is linear. True/False?
4. Give an example of a Control that helps in avoiding Risk.
5. The Risk Register has only IT-related Risks. True/False?
6. Who reports to the board about the Risk Management status?
Note: Participants are requested to review the documentation for the commonly used Risk Management frameworks (listed at the end of Chapter 1) to familiarize themselves with them. The CRISC exam doesn’t test knowledge about a particular standard or framework, though.
Chapter 2: Risk Identification
Assets, Threats and Vulnerabilities
Asset – Any tangible or intangible entity that should be protected to ensure delivery of value to the business
Example: People, Reputation, Information, Process, Technology Infrastructure etc.
Threat – Anything that can erode the value of an Asset – refers to a potential adverse event
Example: Unencrypted data can be eavesdropped on a network
Threat Agent – Anything that gives rise to a threat – something that can make the threat real
Example: A third-party user gaining access to the corporate wireless network by virtue of weak authentication
Vulnerability – A systemic or procedural weakness in a process or a system that the threat agent can exploit
Risk can also be defined as “the likelihood of a threat agent making the threat real by exploiting the vulnerability found on the Asset”
Risk Identification Techniques
Risk Identification is the organized set of processes to
• Identify Assets
• Assess their Value to the organization (quantitative or qualitative)
• Identify Vulnerabilities, Threats and potential Threat Agents
• Identify Stakeholders for Risk Identification and Ownership
• Develop Risk Scenarios based on the information collected
• Develop the Risk Register
• Communicate Risk to Senior Management
• Develop the Risk Awareness program
Risk Culture
The organizational culture towards Risk and the business strategy should be studied and understood properly for effective Risk Management.
Some organizations are highly risk-taking (for example, an eCommerce company migrating to a new cutting-edge technology platform as soon as it is made available in the market) and some are risk-averse (a company continues to use legacy systems for its operations).
What may seem to be a Risk for one organization (risk-averse) may be seen as an opportunity by another organization (risk-taking).
The Risk Practitioner should consider the organization’s culture towards risk and its business strategy as inputs to the Risk Identification process.
Laws, Regulations, Standards and Compliance
The Risk Practitioner should have a clear understanding of all the laws, regulations and standards applicable in general and specific to the industry the organization belongs to
• Example: the PCI DSS standard for companies that deal in online payments, GDPR for any organization that processes private user data of European Union (EU) citizens
Non-compliance with applicable laws, regulations or standards may cause loss of reputation and/or monetary losses, may attract penalties etc.
An Information System Audit is an effective method to check compliance status
Audit Reports serve as valuable inputs to the Risk Identification process
Organizational Structure
Large organizations typically have a dedicated Chief Risk Officer (CRO) who is in charge of Enterprise Risk Management (ERM)
Each Business Unit can have a team or an individual that handles Risk Management for that unit
The structure of the Risk Management team can be based on the overall size of the organization
The CIO oversees Risk Management within the IT department
Some organizations have a GRC sub-team within IT to handle IT Risk Management
The Risk Practitioner should have a clear understanding of the Risk Management team organization and the reporting structure
A RACI Matrix can help in establishing accountability clearly
Risk Appetite and Risk Tolerance
Risk Appetite and Tolerance are defined at the organizational level by senior management
Risk Appetite refers to the level of Risk that is desirable and is set by the board or senior management
• Risk Appetite is a broader-level definition of how much risk can be taken without affecting the business
• Example: The board may decide that the organization can sustain a loss of revenue of 5% from one category of products
Tolerance is the tolerable deviation from the limits set by the Risk Appetite
• Tolerance is a narrower definition of the range of deviation from the limit set by the Risk Appetite
• Example: The board may decide that the organization can sustain a loss of revenue of 5% from one category of products with a tolerance level of +/- 2%, i.e. the loss of revenue can be 3% to 7% (max).
Both Risk Appetite and Tolerance change over time based on several factors and so need to be reviewed from time to time.
Residual Risk
When a Risk is mitigated by using an appropriate Control, either the likelihood or the impact of the Risk is reduced sufficiently (in line with the Risk Appetite and Tolerance)
But the Risk is still not completely eliminated – some part of the Risk still exists
The remaining part of the Risk (likelihood and impact) is called the Residual Risk
Periodic and regular monitoring is required to ensure the Residual Risk doesn’t cross the levels set by the Risk Appetite
Identifying Residual Risks (post Risk Response and Mitigation) is an essential part of Risk Management (remember that the Risk Management process is cyclic)
Residual Risks should be treated like primary Risks if they are likely to exceed the limits acceptable to the organization
Risk Identification Techniques
Evidence Based
• Historical Records: System logs, Access logs
• Audit Reports
• Vulnerability Analysis Reports
• CERT Advisories from Vendors and other organizations
• Process documentation Review
• Third-party Contracts
Expert Review
• SME Review of processes, practices followed etc.
Peer Review or Interviewing
• Review the processes of each business unit with the respective department staff
Areas for IT Risk Identification
• IT Infrastructure – hardware/software/Data Centres – review documentation and inspect existing controls, if any
• SDLC (for organizations using in-house software development)
• Project/Program Management (Risks related to projects/programs)
• Supplier Contracts
• Business Continuity Planning (BCP) and Disaster Recovery (DR) Management
• IT Operations (ITIL V3 process audit reports)
• New Technologies (i.e. Cloud, AI, Blockchain etc.) relevant to the organization and the Risks involved in adopting them
• Data or Information Assets
IT Risk Analysis
Risk Analysis can be Qualitative or Quantitative
• Qualitative - ranks each risk as high, medium or low – subjective – easier to perform
• Quantitative - gives a numerical score to each risk – objective – very difficult
A thorough analysis is done during the Assessment phase; at this stage a high-level analysis is required to capture all relevant data, classify the risks initially and develop the Risk Register
Use the following techniques for identifying risks and evaluating the existing controls
• Root Cause Analysis
• FMEA (Failure Mode and Effects Analysis)
• Gap Analysis
• Cost-Benefit Analysis (RoI)
Information Security Risk
CIA Triad – Confidentiality, Integrity and Availability
Identify Risks related to the above (e.g. absence of an HA cluster, storing data without encryption etc.)
Consider the following controls for mitigating such risks
• Authentication, Authorization, Auditing (AAA)
• Identity Management
Consider the following controls for mitigating risks related to people
• SoD – Segregation of Duties
• Job Rotation
• Dual Control
Risk Scenarios
Use all the captured information with respect to Risks, i.e. Threats, Agents, Vulnerabilities, Risks, Classification, Impact Assessment, existing controls etc., and prepare detailed scenarios
Qualify the Risks identified, review them and tabulate them into a Risk Register document
Classify the Risks (initially) based on impact and likelihood
Use Qualitative and Quantitative methods as appropriate
Keep all supporting documentation (evidence collected) for further review
Consider Business objectives, Risk Appetite and Tolerance
Identify Residual Risks (where Controls exist)
Risk Register
Refer to a standard Risk Register template and try to understand its content and structure
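The Risk Appetite and Tolerance, Residual Risk, IT Risk Analysis and Risk Scenarios material can be tied together in a minimal Risk Register that scores each risk quantitatively (likelihood x impact), maps the score to a qualitative band, derives the residual score from existing controls and checks it against appetite and tolerance. The Python below is an added example written for this page, not course or ISACA material; the 1-5 scales, the band boundaries, the score-based appetite of 6 with a tolerance of 3, and the three sample scenarios are constructed assumptions.

```python
from dataclasses import dataclass, field
# Qualitative bands for a quantitative score (likelihood x impact, 1..25); boundaries are assumed.
BANDS = ((1, 5, "Low"), (6, 12, "Medium"), (13, 25, "High"))

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood (1..5 scale)
    impact_reduction: int = 0      # points removed from impact (1..5 scale)

@dataclass
class Risk:
    risk_id: str
    scenario: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # existing controls, if any

def band(score):
    """Map a quantitative score to the qualitative rank (Low / Medium / High)."""
    return next(name for low, high, name in BANDS if low <= score <= high)

def residual(risk):
    """Likelihood and impact left after controls (floor 1: a control never eliminates risk)."""
    like = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    return like, max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))

def status(score, appetite, tolerance):
    """Compare a residual score with the appetite and the tolerance band around it."""
    if score <= appetite:
        return "within appetite"
    if score <= appetite + tolerance:
        return "within tolerance - monitor"
    return "exceeds tolerance - treat as primary risk"

def build_register(risks, appetite, tolerance):
    rows = []  # one register row per risk: inherent and residual score, band and status
    for r in risks:
        inherent = r.likelihood * r.impact
        res_like, res_imp = residual(r)
        res = res_like * res_imp
        rows.append({"id": r.risk_id, "scenario": r.scenario,
                     "inherent": inherent, "inherent_band": band(inherent),
                     "residual": res, "residual_band": band(res),
                     "status": status(res, appetite, tolerance)})
    return rows

SAMPLE_RISKS = [  # constructed sample scenarios; the values are illustrative assumptions
    Risk("R1", "Unencrypted data eavesdropped on the network", 4, 4,
         [Control("Encryption in transit", likelihood_reduction=3)]),
    Risk("R2", "Data centre outage causing business downtime", 3, 5,
         [Control("Offsite data backups", impact_reduction=2)]),
    Risk("R3", "Critical database server with a single power supply", 3, 4),
]
APPETITE, TOLERANCE = 6, 3  # assumed score-based appetite and tolerance band
```

Running `build_register(SAMPLE_RISKS, APPETITE, TOLERANCE)` shows R1 dropping from High to Low (within appetite), R2 landing in the tolerance band where monitoring is required, and R3 exceeding tolerance and needing a response.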
Risk Communication and Awareness Program
The organization should use the Risk Register to make risk-aware business decisions
The Risk Register serves as a single point of reference for all Risks affecting the business and their current status
The Risk Practitioner should communicate Risks and their current status to all stakeholders
Information Security Awareness programs should be conducted to raise knowledge about Risks and the various attacks targeting end users
The Information Security Policy, Processes and Standards should be clearly communicated to all employees
Knowledge Test
1. Can a Risk within Risk Appetite limits be deemed as accepted?
2. Identify the Risks in the following scenarios:
   1. Multiple users are sharing the same credentials to log in to a system
   2. Data stored on an All Flash Array storage is not being backed up, as Flash is less susceptible to data corruption/loss than magnetic disks
   3. A critical database server is running with a single power supply unit
3. Risk Appetite is constant and doesn’t change over time. True or False?
4. Who approves the definition of Risk Appetite and Tolerance limits?
5. Name a few Assets that need to be protected
6. Can a Database Administrator be allowed to create system accounts? If not, why?
7. What are the possible risks in a Cloud Migration project?