CRISC Course Preview

CRISC® is a registered trademark of ISACA
CRISC® Training
Course Name : CRISC® Training
Version : INVL_CRISC_CW_01_1.0
Course ID :ITSG - 156

2
About Invensis Learning
Invensis Learning is a leading certification training provider for individuals and enterprises globally. Our expertise in
providing globally-recognized IT & Technical certification courses has enabled us to be one of the trusted certification
training partners for many Fortune 500 organizations and Government institutions worldwide. Invensis Learning has
trained and certified thousands of professionals across a wide-range of categories such as IT Service Management,
Project Management, Quality Management, IT Security and Governance, Cloud Computing, DevOps, Agile Project
Management, and Digital Courses. Invensis Learning’s certification training programs adhere to global standards such as
PMI, TUV SUD, AXELOS, ISACA, DevOps Institute, EXIN, and PEOPLECERT.

3
What We Offer
We offer globally-recognized training and certifications in categories such as Project Management, ITSM, Agile, Quality
Management, Technology Training, Program Management and IT Security & Governance.
ITSM Project Management Quality Management
Technology
Training
Agile & Scrum IT Security & Governance
ITIL Foundation PMP Project Rescue Six Sigma Yellow Belt Training Cloud Computing PMI-ACP COBIT5 Foundation
ITIL SD CAPM Project Scope Management Six Sigma Green Belt Training Big Data Scrum Training COBIT5 Implementation
ITIL SS PRINCE2 Project Time Management Six Sigma Black Belt Training Hadoop
DevOps
Foundation
COBIT5 Assessor
ITIL ST PgMP
Project Communications and
Management
Lean Six Sigma Green Belt Training .Net Technologies ISO/IEC 27001 Foundation
ITIL SO PMI-RMP Project Cost Management Lean Six Sigma Black Belt Training Data Warehousing CRISC
ITIL CSI P3O Project Procurement Management Introduction to Lean Training CISSP CGEIT
ITIL RCV MSP Project Leadership Lean Fundamentals Program VC++, MCF
ITIL OSA Microsoft Project Change Management Lean Management Training Advanced WCF,
ITIL SOA Microsoft Project Server Implementing a Project Management Lean Manufacturing Training Advanced JAVA
ITIL PPO IT Project Management Managing Conflict in the Workplace Lean Processes and Tools Advanced J2EE
ITIL MALC
Project Management
Overview
Negotiating in a Project Environment Lean Six Sigma in Information
ISO 20000 Project Initiation Presentation Skills for Project Personnel Lean Six Sigma in Healthcare
Earned Value Management Project Estimating Techniques DFSS Yellow Belt Training
Project Risk Management Managing Multiple Projects DFSS Green Belt Training
Project Sponsorship DFSS Black Belt Training
Team Development MINITAB Training

4
Chapter 1: Risk Management – Introduction
Chapter 2: Risk Identification
Chapter 3: Risk Assessment
Chapter 4: Risk Response and Mitigation
Chapter 5: Risk and Control Monitoring and Reporting
Table of Contents

Chapter 1: Risk Management - Introduction

6
What is Risk?
“An unforeseen event that may cause negative impact (or positive sometimes) on the outcome of a project or
daily operations that eventually affects the ability to meet business objectives”
Types of Risks
• Enterprise (Business) Risk i.e. Strategy, Compliance, Market Risk etc.
• IT Risk i.e. Operations, Information Security, Project/Program risks etc.
Note: IT Risk is a subset of Enterprise Risk
Risk occurrence, most invariably, affects IT value delivery to business.
Risk Governance ensures Risk Management practices are followed consistently across the enterprise to
maximize value delivered to business.
Note: From hereon, in this manual, the term Risk refers to IT Risk unless specifically stated otherwise

7
IT Risk Management Life Cycle
IT Risk Identification
IT Risk and Control
Monitoring and
Reporting
IT Risk Response and
Mitigation
IT Risk Assessment

8
What is Control?
It’s a systemic (technical) or procedural (process) or administrative (policy) or physical entity that is
used to either eliminate risk or to reduce the impact of a risk event (if it occurs)
Examples: Anti-virus (AV) Software, Cyber Risk Insurance
Risk and Control Monitoring
• Monitoring of Controls used is essential to ensure effectiveness of risk control
• Similarly, monitoring of identified risks and new risks is also equally essential
Examples: Monitoring Anti-Virus Signature Updates on all systems, Viruses detected & reported by AV,
Network traffic Monitoring to detect anomalies

9
Risk Response Types
• Eliminate/Avoid
• Risks that threaten the survival of an organization
must be eliminated
• Example: Business model that uses Robotics
extensively for operations wherein the local
government passes a legislation to protect the
interests of industrial labour (thereby challenging the
business model)
• Mitigate/Reduce
• Risks that threaten the realization of benefits to
business
• Example: IT disruption (i.e. data centre outage)
causing business downtime
• Transfer
• Risks that can be transferred to a third party
• Example: Cyber Risk Insurance
• Accept
• Risks that are least probable to occur and cost of
mitigation far outweighs the benefits
• Example: Data Centre (DC) location prone to
hurricanes. Relocation or building a secondary DC
would be more expensive. Data Backups relocated
to an offsite location is a good risk mitigation strategy
but beyond that you accept the risk (of downtime).

10
Enterprise Risk Management (ERM)
Business Risk
Management
IT Risk
Management
Unit 1
Unit 2
Unit 3
………………………
……….
Risk Register
Board of Directors
Risk Assessment
Risk Identification
Risk Response and
Mitigation
Risk Monitoring
Risk Reporting
Risk Governance

11
Risk Management Frameworks & Methodologies
 ISO/IEC 27005:2018 (Information Security Risk Management)
 NIST SP 800 30
 Factor Analysis of Information Risk (FAIR)
 Risk IT Framework from ISACA
 ISO 31000:2018
 COBIT® for Risk
 COSO

12
Knowledge Test
 Cite a few examples for Risks related to Information Technology.
 When is it advisable to accept a Risk?
 Risk Management process is linear. True/False?
 Give an example for a Control that helps in avoiding Risk.
 Risk Register has only IT related Risks. True/False?
 Who reports to board about the Risk Management Status?

14
Note: Participants are requested to review the documentation for commonly used Risk Management frameworks (listed at the end
of chapter 1) to familiarize them. CRISC exam doesn’t test knowledge about a particular standard or framework though.
Assets, Threats and Vulnerabilities
 Asset – Any tangible or intangible entity that should be protected to ensure delivery of value to business
Example: People, Reputation, Information, Process, Technology Infrastructure etc.
 Threat – Anything that can erode the value of an Asset – refers to a potential adverse event
Example: Unencrypted data can be eavesdropped on a network
 Threat Agent – Anything that gives rise to a threat – something that can make the threat real
Example: Third-party user gaining access to corporate wireless network by virtue of weak authentication
 Vulnerability – Systemic or procedural weakness in a process or a system that the threat agent can exploit

15
Risk can also be defined as
“the likelihood of a threat agent
making the threat real
by exploiting the vulnerability
found on the Asset”
Assets, Threats and Vulnerabilities

16
Risk Identification Techniques
 Risk Identification is the organized set of processes to
• Identify Assets
• Assess their Value to the organization (quantitative or qualitative)
• Identify Vulnerabilities, Threat and potential Threat Agents
• Identify Stakeholders for Risk Identification and Ownership
• Develop Risk Scenarios based on information collected
• Develop the Risk Register
• Communicate Risk to Senior Management
• Develop the Risk Awareness program

17
Risk Culture
 Organizational Culture towards Risk & business strategy should be studied and understood properly for effective Risk
Management
 Some organizations are Too Risk-Taking (for example, an eCommerce company migrating to a new cutting-edge
technology platform as soon as it is made available in the market) and some are Risk-Averse (a company continues to
use legacy system for its operations)
 What may seem to be a Risk for one organization (Risk-Averse) may be seen as an opportunity by another
organization (Risk Taking)
 Risk practitioner should consider the organization culture towards risk and their business strategy as inputs to the Risk
Identification process

18
Laws, Regulations, Standards and Compliance
 Risk Practitioner should have clear understanding of all the laws, regulations and standards applicable in general and
specific to the industry the organization belongs to
• Example: PCI DSS Standard for companies that deal in online payments, GDPR for any organization that processes private
user data of European Union (EU) citizens
 Non-compliance to applicable laws, regulations or standards may cause loss of reputation and/or monetary losses,
may attract penalties etc.
 Information System Audit is an effective method to check compliance status
 Audit Reports serve as valuable inputs to Risk Identification process

19
Organizational Structure
 Large organizations typically have a dedicated Chief Risk Officer (CRO) who is in-charge of Enterprise Risk
Management (ERM)
 Each Business Unit can have a team or an individual that handles Risk Management for that unit
 The structure of the Risk Management team can be based on the overall size of the organization
 CIO oversees Risk Management within IT department
 Some organizations have a GRC sub-team within IT to handle IT Risk Management
 The Risk Practitioner should have a clear understanding of the Risk Management Team organization and the reporting
structure
 A RACI Matrix can help in establishing accountability clearly

20
Risk Appetite and Risk Tolerance
 Risk Appetite and Tolerance are defined at the organizational level by the senior management
 Risk Appetite refers to the level of Risk that is desirable and is set by board or senior management
• Risk Appetite is a broader-level definition of how much risk can be taken without affecting the business
• Example: The board may decide that the organization can sustain a loss of revenue of 5% from one category of products
 Tolerance is the tolerable deviation to the limits set by Risk Appetite
• Tolerance is a narrower definition of the range of deviation to the limit set by Risk Appetite
• Example: The board may decide that the organization can sustain a loss of revenue of 5% from one category of products
with a tolerance level of +/- 2% i.e. the loss of revenue can be 3% to 7% (max).
 Both Risk Appetite and Tolerance change over time based on several factors and so need to be reviewed from time-to-
time.

21
Residual Risk
 When Risk is mitigated by using an appropriate Control, either the likelihood or impact of the Risk is reduced
sufficiently (in line with the Risk Appetite and Tolerance)
 But Risk is still not completely eliminated – some part of the Risk still exist
 The remaining part of the Risk (likelihood and impact) is called the Residual Risk
 Periodic and regular monitoring is required to ensure Residual Risk doesn’t cross the levels set by Risk Appetite
 Identifying Residual Risks (post Risk Response and Mitigation) is essential part of Risk Management (Remember Risk
Management process is cyclic)
 Residual Risks should be treated like primary Risks if they are likely to exceed the limits acceptable to the organization

22
Risk Identification Techniques
 Evidence Based
• Historical Records
• System logs, Access logs
• Audit Reports
• Vulnerability Analysis Reports
• CERT Advisories from Vendors and other organizations
• Process documentation Review
• Third-party Contracts
• Expert Review
• SME Review of processes, practices followed etc.
• Peer Review or Interviewing
• Review the processes of each business unit with the respective department staff

23
Areas for IT Risk Identification
 IT Infrastructure – hardware/software/Data Centres – Review documentation and Inspect existing controls if any
 SDLC (for organizations using in-house software development)
 Project/Program Management (Risks related to project/programs)
 Supplier Contracts
 Business Continuity Planning (BCP) and Disaster Recovery (DR) Management
 IT Operations (ITIL V3 process audit reports)
 New Technologies (i.e. Cloud, AI, Blockchain etc.) relevant to the organization and Risks involved in adopting them
 Data or Information Assets

24
IT Risk Analysis
 Risk Analysis can be Qualitative or Quantitative
• Qualitative - ranks each risk as high, medium or low – subjective – easier to perform
• Quantitative - gives a numerical score to each risk – objective – very difficult
 A thorough analysis will be done during Assessment phase – high level analysis is required to capture all relevant data
and for initial classification of risks and developing the Risk Register
 Use the following techniques for identifying risks, evaluating the existing control
• Root Cause Analysis
• FMEA (Failure Mode Effect Analysis)
• Gap Analysis
• Cost-Benefit Analysis (RoI)

25
Information Security Risk
 CIA Triad – Confidentiality, Integrity and Availability
 Identify Risks related to the above (i.e. absence of HA cluster, storing data without encryption etc.)
 Consider the following controls for mitigating such risks
• Authentication, Authorization, Auditing (AAA)
• Identity Management
 Consider the following controls for mitigating risks related to people
• SoD – Segregation of Duties
• Job Rotation
• Dual Control

26
Risk Scenarios
 Use all the captured information w.r.t. Risks i.e. Threats, Agents, Vulnerabilities, Risks, Classification, Impact
Assessment, existing controls etc. and prepare detailed scenarios
 Qualify the Risks identified, Review and tabulate them into a Risk Register document
 Classify the Risks (initial) based on impact and likelihood
 Use Qualitative and Quantitative methods as appropriate
 Keep all supporting documentation (evidences collected) for further review
 Consider Business objectives, Risk Appetite, Tolerance
 Identify Residual Risks (where Controls exist)

27
Risk Register
Refer a Standard Risk Register Template and try to understand its content and structure

28
Risk Communication and Awareness Program
 The organization should use the Risk Register to take Risk-Aware business decisions
 Risk Register serves as a single point of reference for all Risks affecting business and their current status
 Risk practitioner should communicate Risks and their current Status to all stakeholders
 Information Security Awareness programs should be conducted to raise knowledge about Risks and various attacks
targeting End Users
 Information Security Policy, Process, Standards should be clearly communicated to all Employees

29
Knowledge Test
1. Can a Risk within Risk Appetite limits be deemed as accepted?
2. Identify Risks in the following scenarios
1. Multiple users are sharing same credentials to login to system
2. Data stored on an All Flash Array storage is not being backed up as Flash is less susceptible to data corruption/loss than
magnetic disks
3. A critical database server is running with a Single power supply unit
3. Risk Appetite is constant and doesn’t change over time. True or False?
4. Who approves the definition of Risk Appetite and Tolerance limits?
5. Name a Few Assets that need to be protected
6. Can a Database Administrator be allowed to create system accounts? If not, why?
7. What are the possible risks in a Cloud Migration project?

30
CONTACT INVENSIS LEARNING
Email Us:
© Copyright 2019 Invensis Learning Pvt Ltd. All Rights Reserved.
www.invensislearning.com
support@invensislearning.com
USA +1-910-726-3695 | IND +91-96-2020-0784
UK +44 2033-223-280 | Germany +49 2119-5987-989
Switzerland +41-22-518-2042 | Hong Kong +852-5803-9039

CRISC Course Preview

More Related Content

What's hot

Similar to CRISC Course Preview

More from Invensis Learning

Recently uploaded

CRISC Course Preview