CISM Exam Preparation

Domain 2: Information Risk Management

Domain 2

Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives.

Domain 2 (cont’d)

▪ This domain reviews the knowledge base that the information security manager must understand in order to appropriately apply risk management principles and practices to an organization’s information security program.

Domain Objectives

▪ Ensure that the CISM candidate has the knowledge necessary to:
– Understand the importance of risk management as a tool for meeting business needs and developing a security management program to support these needs.
– Understand ways to identify, rank and respond to risk in a way that is appropriate as defined by organizational directives.
– Assess the appropriateness and effectiveness of information security controls.
– Report on information security risk effectively.

On the CISM Exam

▪ This domain represents 30% (approximately 45 questions) of the CISM exam.

[Figure: share of the CISM exam by domain]
– Domain 1: Information Security Governance, 24%
– Domain 2: Information Risk Management, 30%
– Domain 3: Information Security Program Development and Management, 27%
– Domain 4: Information Security Incident Management, 19%

Defining Risk

▪ Risk: The combination of the probability of an event and its consequences
▪ ISO definition: The effect of uncertainty upon objectives
– Uncertainty = probability
– Effect = consequences
– Upon objectives = consequences that impact goals

Domain 2 Overview

▪ Section One: Risk Identification
▪ Section Two: Risk Analysis and Treatment
▪ Section Three: Risk Monitoring and Reporting

Refer to the CISM Job Practice for Task and Knowledge Statements.

Section One: Risk Identification

Task Statements

▪ T2.1 Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
▪ T2.2 Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
▪ T2.3 Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, and at the appropriate times, to identify and assess risk to the organization’s information.

Knowledge Statements

How does Section One relate to each of the following knowledge statements?

Knowledge Statement – Connection
▪ K2.1: Classification is a necessary precondition of risk management, and appropriate methods are needed to do it properly.
▪ K2.2: Clear ownership and authority facilitates classification, assessment, treatment and reporting. Information risk belongs to the owners of information assets associated with the risk.
▪ K2.3: Without clear methods for identifying and analyzing impact, an information security manager may overlook significant risk.
▪ K2.4: The risk environment is always changing, and understanding how to monitor risk factors informs reassessment decisions and timeframes.
▪ K2.5: Being able to properly value information assets is essential to understanding the potential business impact associated with these assets.
▪ K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
▪ K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
▪ K2.8: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.
▪ K2.9: A working knowledge of threats, vulnerabilities and exposure guides risk treatment decisions as circumstances change over time.
▪ K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
▪ K2.14: Controls are mechanisms used to mitigate risk, and it may be more cost-effective to employ known approaches rather than “reinventing the wheel.”
▪ K2.16: Optimal risk treatment may require substantial planning to move from the current state to the desired state.

Key Terms

Key Term – Definition
▪ Advanced persistent threat: An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61)
▪ Boundary: The defined limit of the scope
▪ Impact: Magnitude of loss resulting from a threat exploiting a vulnerability
▪ Likelihood: The probability of something happening
▪ Probability: The extent to which an event is likely to occur, measured by the ratio of the favorable cases to the whole number of cases possible
▪ Scope: The activities included in the risk management program
▪ Risk analysis: The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.

See www.isaca.org/glossary for more key terms.

Key Terms

Key Term – Definition
▪ Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
▪ Risk assessment: A process used to identify and evaluate risk and its potential effects.
▪ Risk management: The coordinated activities to direct and control an enterprise with regard to risk
▪ Risk profile: An evaluation of an individual or organization's willingness to take risks, as well as the threats to which an organization is exposed.
▪ Risk scenario: The tangible and assessable representation of risk
▪ Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
▪ Threat: Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
▪ Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Impact Drives Risk

▪ Consequences only matter if they impact the pursuit of business objectives.
▪ Something happened: What was affected and how was it affected?

Managing Risk

▪ Management = Estimating risk and choosing an appropriate response
▪ Goals of risk management:
– Keep risk within the risk appetite
– Keep senior management informed of changes
▪ Must be supported and understood

Building a Risk Management Program

▪ Steps in developing a risk management program:
– Establish context and purpose
– Define scope and charter
– Define authority, structure and reporting
– Ensure asset identification, classification and ownership
– Determine objectives
– Determine methodologies
– Designate a team

The Risk Assessment Process

[Figure: Identification → Analysis → Evaluation → Risk treatment]

COBIT 5 Risk Management Process

[Figure: COBIT 5 risk management process]

Asset Identification

▪ In order to protect something, you need to identify it.
▪ Essential to managing risk at an enterprise level
▪ Systems and data are considered information assets

Valuation of Assets

▪ Can be straightforward (e.g., hardware costs)
▪ Can be related to consequential costs (e.g., regulatory sanctions)
▪ Examples of information assets include:
– Proprietary information
– Current financial records and future projections
– Acquisition/merger plans
– Strategic marketing plans
– Trade secrets
– Patent-related information
– PII

Valuation of Assets

▪ Work with asset owners for estimates
▪ Quantitative: Dollar-value figures
▪ Qualitative: Perception/judgement of value

[Figure: qualitative value scale – High / Medium / Low]

Discussion Question

▪ What are some advantages of a quantitative approach to asset valuation over a qualitative one?
▪ What are some advantages of a qualitative approach over a quantitative one?

Good to Know

▪ Quantitative results can be used to inform rank orderings if qualitative results are more suited to the goals of the organization.

Loss Scenarios

▪ Loss of information may affect processes outside the scope of its owner’s control.
▪ Loss scenarios can help pinpoint how particular assets may affect operations.
▪ Valuation does not need to be accurate as long as the process is consistent.

Loss Scenarios

[Figure: loss scenario example]

Risk Assessment

▪ The next step is considering the probability of loss occurring.
▪ Requires knowledge of the threat environment and the vulnerability of the information assets
▪ Structured methodologies can help to direct the process.

Note: Information security managers should have broad knowledge of various methodologies to determine the most suitable approach for their organization. Specific approaches will not be tested in the CISM examination.

FAIR

[Figure: Factor Analysis of Information Risk (FAIR) model]

Threats

▪ Threat: Anything that is capable of acting against an asset in a manner that can result in harm
▪ Threat event: Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
▪ Threat actor: A person who initiates a threat event

Threat Identification

▪ An absence of a threat doesn’t mean the threat no longer exists.
▪ New threats emerge as behaviors change.
▪ Sources of threat data:
– Prior threat assessments
– News outlets
– External reports
– Official notices
– Industry publications

External Threats

▪ Criminal acts
▪ Data corruption
▪ Disease (epidemics)
▪ Espionage
▪ Facility flaws
▪ Fire
▪ Flooding
▪ Hardware flaws
▪ Industrial accidents
▪ Lost assets
▪ Mechanical failures
▪ Power surge/utility failure
▪ Sabotage
▪ Seismic activity
▪ Severe storms
▪ Software errors
▪ Supply chain interruption
▪ Terrorism
▪ Theft

Advanced Persistent Threat

▪ Advanced = Methods of gaining access include multiple attack vectors
▪ Persistent = An ability to remain present in a network for a long time without detection
▪ Threat = Anything that is capable of acting against an asset in a manner that can result in harm
▪ Often linked to nation-state actors, activist groups or criminal enterprises

Advanced Persistent Threat

▪ Typical APT life cycle:
– Initial compromise
– Establish foothold
– Escalate privileges
– Internal reconnaissance
– Move laterally
– Maintain presence
– Complete mission

Good to Know

▪ APT is more about persistence than advanced capabilities.
▪ Working over time, a threat actor may be able to carry out effects that would be detected, prevented or corrected by controls if done more quickly.

Internal Threats

▪ A threat actor needs knowledge of the environment.
– Those operating within an organization are trusted with information and access.
▪ Screen applicants prior to employment.
▪ Periodically remind staff of organizational policies.
▪ At the end of employment, all organizational assets should be returned.

Types of Internal Threats

▪ Intentional
– Malicious
– Often disgruntled employees
– Control: Understand frustrations/complaints and seek to resolve them
– Control: Enforce SoD and least privilege
▪ Unintentional
– Doing something they don’t realize is a threat
– Providing information via social engineering
– Control: Awareness training and regular reviews

Vulnerabilities

▪ Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
▪ Exist when a weakness is left unaddressed (known or unknown)

Vulnerability Assessment

▪ Vulnerability can be estimated using quantitative or qualitative methods.
– Automated scanning tools
– Interviews
– Structured walkthroughs
▪ Results should be considered a rough estimate

Vulnerability Areas

▪ Network vulnerabilities
▪ Physical access
▪ Applications and web-facing services
▪ Utilities
▪ Supply chain
▪ Processes
▪ Equipment
▪ Cloud computing
▪ Internet of Things

Exposure

▪ Risk = Threats × Vulnerabilities × Consequences
▪ Exposure: The potential loss to an area due to the occurrence of an adverse event.

Exposure Example

[Figure: two threat events, one rated HIGH = 5 and one rated LOW = 1]

Exposure Example

[Figure: combined with a MEDIUM-HIGH = 4 rating, the products are 4 × 5 = 20 (MEDIUM-HIGH) and 4 × 1 = 4 (LOW)]

Risk Scenarios

▪ Risk scenarios are a starting point for risk identification.
– Assume all significant vulnerabilities and threats are identified
▪ Structured and supportive of creative thinking and judgement

Risk Categorization

▪ Risk can be categorized by:
– Its origin
– A certain threat
– Its consequences, results or impact
– A specific reason for its occurrence
– Protective controls
– Time and place of occurrence

Risk Scenarios

[Figure: risk scenario example]

The Risk Register

▪ Maintains the organization’s overall risk profile
▪ Includes:
– Summary of the risk based on threat type and associated event or actor
– Category and classification of the risk
– Risk owner
▪ Also documents risk treatment choices

Activity: Risk Register Template

Section One: Risk Identification

In the Big Picture

• In order to manage risk, you must first identify what risk the organization faces.
• Understanding concepts such as threat, vulnerability, exposure and likelihood can help you to prioritize risk management efforts.
• Risk is ever-changing, so risk identification is not a one-time effort.

Section One: Practice Questions

Practice Question

Why should the analysis of risk include consideration of potential impact?

A. Potential impact is a central element of risk.
B. Potential impact is related to asset value.
C. Potential impact affects the extent of mitigation.
D. Potential impact helps determine the exposure.

Practice Question

A risk management process is MOST effective in achieving organizational objectives if:

A. asset owners perform risk assessments.
B. the risk register is updated regularly.
C. the process is overseen by a steering committee.
D. risk activities are embedded in business processes.

Practice Question

Reducing exposure of a critical asset is an effective mitigation measure because it reduces:

A. the impact of a compromise.
B. the likelihood of being exploited.
C. the vulnerability of the asset.
D. the time needed for recovery.

Practice Question

The classification level of an asset must be PRIMARILY based on which of the following choices?

A. Criticality and sensitivity
B. Likelihood and impact
C. Valuation and replacement cost
D. Threat vector and exposure

Section Two: Risk Analysis and Treatment

Task Statements

▪ T2.4 Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
▪ T2.5 Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.

Knowledge Statements

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement – Connection
▪ K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
▪ K2.11: It’s not always possible to address all risk simultaneously.
▪ K2.12: Reporting should be aligned with business goals and needs.
▪ K2.13: There are four ways to address risk, and it’s essential to know which approach to use when, and why, because choosing the wrong treatment may lead to excessive cost, fail to manage risk to tolerable levels or both.
▪ K2.14: Controls are mechanisms used to mitigate risk, and it may be more cost-effective to employ known approaches rather than “reinventing the wheel.”
▪ K2.5: Being able to properly value information assets is essential to understanding the potential business impact associated with these assets.
▪ K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
▪ K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
▪ K2.8: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.
▪ K2.15: Understanding controls is fundamental to managing risk.
▪ K2.16: Optimal risk treatment requires substantial planning to move from the current state to a desired state.
▪ K2.17: Risk management is most effective when it is built into business processes.
▪ K2.19: Risk recommendations may require business justification.

Key Terms

Key Term – Definition
▪ Current risk: Risk as it exists without applying any additional controls
▪ Residual risk: The remaining risk after management has implemented a risk response
▪ Risk acceptance: If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses
▪ Risk avoidance: The process for systematically avoiding risk, constituting one approach to managing risk
▪ Risk mitigation: The management of risk through the use of countermeasures and controls
▪ Risk transfer: The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service
▪ Risk treatment: The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)

See www.isaca.org/glossary for more key terms.

Calculating Risk

Risk = Threat × Vulnerability × Consequences

▪ Calculated for each risk pairing
▪ ALE quantifies annual effects of risk

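As an added worked example (not code from the ISACA deck), the scoring below applies Risk = Threat × Vulnerability × Consequences to each pairing on the deck's ordinal scale, reproduces the two products from the Exposure Example slides (4 × 5 = 20 and 4 × 1 = 4), and computes ALE. The intermediate scale values, the label cut-offs and the sample register are assumptions, and ALE = SLE × ARO is the standard quantitative formula rather than one the slide spells out.

```python
# Semiquantitative risk scoring on the deck's ordinal scale, plus ALE for the
# quantitative view.  Added example; not code from the ISACA CISM material.
from dataclasses import dataclass
from typing import Iterable, List

# Five-point scale.  The Exposure Example slides show LOW = 1, MEDIUM-HIGH = 4
# and HIGH = 5; the two intermediate values are an assumption.
SCALE = {"LOW": 1, "MEDIUM-LOW": 2, "MEDIUM": 3, "MEDIUM-HIGH": 4, "HIGH": 5}


def exposure(threat: str, vulnerability: str) -> int:
    """Exposure of an asset to one threat event: vulnerability rating x threat rating (1..25)."""
    return SCALE[vulnerability] * SCALE[threat]


def exposure_label(score: int) -> str:
    """Bin a 1..25 exposure score back onto the scale.

    The cut-offs are an assumption chosen so that the deck's two data points hold:
    4 x 1 = 4 -> LOW and 4 x 5 = 20 -> MEDIUM-HIGH.
    """
    for label, ceiling in (("LOW", 5), ("MEDIUM-LOW", 10), ("MEDIUM", 15), ("MEDIUM-HIGH", 20)):
        if score <= ceiling:
            return label
    return "HIGH"


@dataclass(frozen=True)
class RiskPairing:
    """One asset/threat-event pairing from the risk register."""
    asset: str
    threat_event: str
    threat: str         # rating of the threat event
    vulnerability: str  # how exposed the asset is to that event
    consequence: str    # business impact if the event succeeds

    def risk_score(self) -> int:
        """Risk = Threat x Vulnerability x Consequences on the ordinal scale (1..125)."""
        return exposure(self.threat, self.vulnerability) * SCALE[self.consequence]


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x annualized rate of occurrence (standard quantitative formula)."""
    return sle * aro


def rank_register(pairings: Iterable[RiskPairing]) -> List[RiskPairing]:
    """Order pairings so the highest-scoring risk is treated first."""
    return sorted(pairings, key=lambda p: p.risk_score(), reverse=True)


# Constructed sample register; the ratings are illustrative, not measured values.
REGISTER = [
    RiskPairing("Customer database", "Credential theft via phishing", "HIGH", "MEDIUM-HIGH", "HIGH"),
    RiskPairing("Customer database", "Seismic activity at the data centre", "LOW", "MEDIUM-HIGH", "HIGH"),
    RiskPairing("Marketing website", "Defacement", "MEDIUM", "MEDIUM", "LOW"),
]

if __name__ == "__main__":
    for p in rank_register(REGISTER):
        e = exposure(p.threat, p.vulnerability)
        print(f"{p.asset:18} {p.threat_event:36} exposure={e:2} ({exposure_label(e)}) risk={p.risk_score()}")
    # Quantitative view of the top pairing: an SLE of 200,000 expected once every four years.
    print("ALE =", annual_loss_expectancy(200_000, 0.25))
```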
Good to Know

▪ Business impact analyses can be used to identify the magnitude of impact (loss) associated with effects upon particular target systems and assets.

Risk Analysis

▪ Qualitative analysis:
– Based on category assignment (Low, Medium, High)
– Scales can be adjusted to suit circumstances
– Can be used:
• As an initial assessment
• To consider nontangible aspects of risk
• When there is a lack of adequate information

Risk Analysis

▪ Quantitative analysis
– Assigned numerical values
• Based on statistical probabilities and monetary values
– Quality depends on accuracy and validity
– Consequences may be expressed in terms of:
• Monetary
• Technical
• Operational
• Human impact criteria

Risk Analysis

▪ Semiquantitative analysis

Discussion Question

▪ What are some of the reasons for using a semiquantitative approach to risk analysis? Can you think of any drawbacks?

Activity

Using semiquantitative analysis, determine the relative value of the following:
1. Reputational risk if a product line fails: The product development team has indicated that the market is ready for this particular product, but the infrastructure needed to launch the product is new to the organization and has been rushed into production to meet the desired launch date.
2. Noncompliance with new local regulation: Local government has passed a new law mandating businesses operating within the jurisdiction to update HVAC systems to more energy-efficient models. The cost of upgrading the existing system would be US $500,000, whereas the annual fine for noncompliance would be $10,000.
3. Email quarantine system is outdated: The company’s email quarantine system is outdated, and messages are not being filtered as successfully as they had been in the past.

Activity: Scenario 1

Activity: Scenario 2

Activity: Scenario 3

Good To Know

▪ Although numbers tend to impress people, it’s actually often difficult to know what they mean, especially when the results don’t represent dollar figures. One big advantage of a qualitative approach is that rating something “Low, Medium or High” is immediately understood by order of importance.

Specialized Techniques

▪ Bayesian analysis
▪ Bow tie analysis
▪ Delphi method
▪ Event tree analysis
▪ Fault tree analysis
▪ Markov analysis
▪ Monte-Carlo analysis

Risk Evaluation

▪ Risk evaluation is the last step in the risk assessment process.
▪ Evaluation leads to risk treatment/mitigation options:
– Does the risk meet acceptable risk criteria?
▪ Evaluation may lead to further analysis.

Risk Treatment

▪ Current risk is considered in risk evaluation.
▪ Four possible options:
– Avoid
– Transfer
– Mitigate
– Accept

Good To Know

▪ In addition to current risk, you may see references to “inherent risk,” which is the level of risk that exists with no controls or other treatment in place. Where there are no controls, inherent risk and current risk are equal. In most organizations, information security managers inherit a particular set of controls that has already been implemented, and whether or not these are effective, the result of their implementation is that inherent risk is transformed into current risk. If controls are removed, risk may increase.

Risk Avoidance

▪ Rare that no means would reduce risk to acceptable levels
▪ Cost may be prohibitive
▪ Best choice is to stop/not engage in the activity
▪ Cost-benefit analysis should consider long-term effects and opportunities for growth

Risk Transfer

• Insurance policies and service level agreements are risk transfer mechanisms.
• Organizations always retain some responsibility for consequences of compromise.
• Generally, risk is transferred when likelihood is low, but impact is high.

Risk Mitigation

▪ Control = The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature
▪ Reduce risk by affecting threat, vulnerability and/or consequences

Risk Acceptance

▪ No additional action is taken.
▪ A formal decision made by someone with the proper authority
▪ Changes in risk environment/risk appetite may affect accepted risk

Selecting a Risk Treatment Option

▪ The choice is usually straightforward.
– Risk within risk appetite should be accepted.
– For risk outside of the appetite:
• If value of continuing < cost of transfer/mitigation, avoid.
• If value of continuing > cost of transfer/mitigation, choose the most cost-effective option.
▪ The minimum cost/cost-effective solution is the solution to adopt.
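The decision rule above, as an added example (not ISACA's code): accept within appetite, avoid when the activity is worth less than treating it, otherwise take the most cost-effective option. The requirement that an option's residual risk must actually land within appetite is an addition here (it reflects K2.13), and the scenario figures and option names are constructed.

```python
# Treatment selection following the decision rule on the "Selecting a Risk
# Treatment Option" slide.  Added example; not code from the ISACA CISM material.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class TreatmentOption:
    """A candidate transfer or mitigation measure (figures are annual, in one currency)."""
    name: str
    kind: str              # "transfer" or "mitigate"
    annual_cost: float
    residual_risk: float   # expected annual loss left after the measure is in place


@dataclass(frozen=True)
class Decision:
    treatment: str                      # "accept", "avoid", "transfer" or "mitigate"
    option: Optional[TreatmentOption]   # the measure chosen, when one is
    reason: str


def select_treatment(current_risk: float, risk_appetite: float,
                     value_of_continuing: float,
                     options: Iterable[TreatmentOption]) -> Decision:
    """Accept within appetite; otherwise avoid when the activity is worth less than
    the cheapest way of treating it, else choose the most cost-effective option.
    The filter on residual risk is an addition to the slide's rule (see K2.13)."""
    if current_risk <= risk_appetite:
        return Decision("accept", None,
                        "current risk is within the risk appetite; formal acceptance by an authorised owner")
    # Only measures whose residual risk lands within appetite really treat the risk.
    effective = [o for o in options if o.residual_risk <= risk_appetite]
    if not effective:
        return Decision("avoid", None,
                        "no transfer or mitigation option brings residual risk within appetite")
    cheapest = min(effective, key=lambda o: o.annual_cost)
    if value_of_continuing < cheapest.annual_cost:
        return Decision("avoid", None,
                        f"value of continuing ({value_of_continuing:,.0f}) is below the cheapest "
                        f"treatment cost ({cheapest.annual_cost:,.0f})")
    return Decision(cheapest.kind, cheapest,
                    "most cost-effective option that keeps residual risk within appetite")


# Constructed scenario: a remote-access service with an expected annual loss of
# 120,000 against an appetite of 25,000.  Names and figures are illustrative.
OPTIONS = [
    TreatmentOption("MFA and patching on the VPN gateway", "mitigate", 30_000, 15_000),
    TreatmentOption("Cyber insurance policy", "transfer", 40_000, 20_000),
    TreatmentOption("Annual awareness campaign only", "mitigate", 5_000, 60_000),  # too little
]

if __name__ == "__main__":
    for value in (500_000, 20_000):
        d = select_treatment(120_000, 25_000, value, OPTIONS)
        chosen = d.option.name if d.option else "-"
        print(f"value_of_continuing={value:>8,}: {d.treatment:8} {chosen:40} {d.reason}")
    # A risk already within appetite is accepted, whatever the options cost.
    print(select_treatment(10_000, 25_000, 500_000, OPTIONS).treatment)
```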

Legal and Regulatory Considerations

▪ Treatment needs to consider legal or regulatory requirements.
▪ Different requirements may need to be considered for different jurisdictions/industries
▪ Legal/regulatory risk should be treated as any other risk.

Discussion Question

▪ When evaluating legal and regulatory non-compliance as a risk, what might you use in the risk equation to represent threat, vulnerability and consequences?

Good to Know

▪ In general the potential for criminal penalties brought against top executives will result in risk being deemed unacceptable, but it would be naïve to assume that organizations comply with laws and regulations simply because they are mandated to do so.
▪ Where penalties are minimal and compliance is expensive, organizations might well choose non-compliance as a “cost of doing business.” This happens more often than most people realize.

Section Two: Risk Analysis and Treatment

In the Big Picture

• Risk must be managed to ensure that the organization doesn’t take on more risk than it is willing to accept.
• To know how much risk an organization is taking, it is necessary to first identify risk and then analyze it to provide the basis for informed decisions.
• Risk treatment decisions are based on the lowest cost that meets business goals.

Section Two: Practice Questions

Practice Question

Quantitative risk analysis is MOST appropriate when assessment results:

A. include customer perceptions.
B. contain percentage estimates.
C. lack specific details.
D. contain subjective information.

Practice Question

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy calculation

Practice Question

The fact that an organization may suffer a significant disruption as the result of a distributed denial-of-service (DDoS) attack is considered:

A. an intrinsic risk.
B. a systemic risk.
C. a residual risk.
D. an operational risk.

Practice Question

Management requests that an information security manager determine which regulations regarding disclosure, reporting and privacy are the most important for the organization to address. The recommendations for addressing these legal and regulatory requirements will be MOST useful if based on which of the following choices?

A. The extent of enforcement actions
B. The probability and consequences
C. The sanctions for noncompliance
D. The amount of personal liability

Section Three: Risk Monitoring and Reporting

Task Statements

▪ T2.6 Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.
▪ T2.7 Monitor for internal and external factors (e.g., threat landscape, cybersecurity, geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
▪ T2.8 Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
▪ T2.9 Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.

Knowledge Statements

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement – Connection
▪ K2.3: Without clear methods for identifying and analyzing impact, an information security manager may overlook significant risk.
▪ K2.4: The risk environment is always changing, and understanding how to monitor risk factors informs reassessment decisions and timeframes.
▪ K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
▪ K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
▪ K2.8: Identifying clear criteria for reassessment of risk helps to ensure a consistent approach to risk management.
▪ K2.9: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.
▪ K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
▪ K2.11: It’s not always possible to address all risk simultaneously.
▪ K2.12: Reporting should be aligned with business goals and needs.
▪ K2.13: There are four ways to address risk, and it’s essential to know which approach to use when, and why, because choosing the wrong treatment may lead to excessive cost, fail to manage risk to tolerable levels, or both.
▪ K2.17: Risk management is most effective when it is built into business processes.
▪ K2.18: Timelines and content of risk reports are often driven by explicit compliance standards.

Key Terms

Key Term – Definition
▪ Allowable interruption window: The longest that operations can be interrupted before financial impacts threaten the organization’s continued existence.
▪ Key risk indicator: A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk.
▪ Maximum allowable downtime: The absolute longest amount of time that the system can be unavailable without direct or indirect ramifications to the organization.
▪ Maximum tolerable outage: Maximum time that an enterprise can support processing in alternate mode.
▪ Service delivery objective: Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
▪ Recovery point objective: Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
▪ Recovery time objective: The amount of time allowed for the recovery of a business function or resource after a disaster occurs.

Life Cycle Integration

▪ Integration with life cycle processes leads to more effective risk management.
▪ Change management should include consideration of risk.
– Should extend beyond hardware and software
– Should include review of the risk register
– Should include information security representative

Security Baselines

▪ Security baselines can help manage risk implications
– Has many benefits:
• Standardizes the minimum amount of security measures
• Provides a convenient point of reference for measurement
– May be built by:
• Observation of current controls
• Using published third-party standards

Volatility

▪ Each component of the risk formula is subject to change
▪ Volatile environments experience large variations in risk
– Base calculations on the highest observed risk values to ensure effective risk management

Internal and External Environments

▪ Risk changes both inside and outside of the organization.
– These shifts can be difficult to track.
▪ Vulnerabilities identified publicly may encourage threat actors to try to exploit them before organizations can patch them.
▪ Patching is vital, but moving too fast can also introduce new weaknesses.

Key Risk Indicators

▪ Indicators that are highly relevant to risk and possess a high probability of indicating a change in risk
▪ Specific to each enterprise; selection depends on a number of parameters
▪ Careful selection provides input for a dashboard view of risk

Criteria for KRIs

▪ Impact
▪ Effort
– To implement
– To measure
– To report
▪ Reliability
▪ Sensitivity

Criteria for KRIs

▪ Consider when an indicator begins to show changes:
– Leading: Predictive and allow for correction
– Lagging: Reveal that a change has occurred
▪ May reveal immediate information and trends over time
▪ Need to be checked regularly due to evolving risk environment

Changes in Goals and Operations

▪ Should be conscious of business decisions that affect the risk profile
▪ New business initiatives may substantially change the consequences of known exposures
▪ Information security is not always included in planning for line-of-business activities, but teams tasked with business continuity typically are.

Discussion Question

▪ Why would business continuity teams be regularly included in planning for line-of-business activities?

Continuity and Risk

▪ Each business function is responsible for its own continuity.
▪ Strong communications between information security and business continuity can provide good insight.

Continuity and Risk

▪ Information security managers should watch for changes in:
– Recovery time objectives
– Recovery point objectives
– Service delivery objectives
– Maximum tolerable outage
– Allowable interruption window

Risk Reporting and Convergence

▪ Business operations are


managed by considering the
effects of risk upon goals.
▪ Risk reporting used to be
segregated by risk type.
– New initiatives to consolidate
risk reporting
– Due to the fact that risk in one
area can cascade to another

108

Considerations for Risk Reporting

▪ Reports should be tailored to the intended audience.
▪ Use categories like “HIGH,” “MEDIUM,” “LOW.”
▪ Use data to back up rationale.
▪ The information security manager is responsible for information
risk.

109

Escalation

▪ Clear escalation criteria are needed
▪ Based on risk appetite/senior
manager preferences
▪ Good practice to integrate into
incident response

110
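The Key Risk Indicator slides, the Considerations for Risk Reporting slide and the Escalation slide above describe one process: select indicators, rate them against thresholds that reflect risk appetite, show the data behind each rating in a dashboard, and escalate on agreed criteria. The following is an added example (not ISACA course material) that carries that process through in code. The indicator names, the leading/lagging tagging, the thresholds, the readings and the escalation criteria are all assumptions constructed for the example.

```python
"""Added example: a minimal Key Risk Indicator (KRI) evaluator.

Each KRI carries MEDIUM and HIGH thresholds taken from risk appetite and
is rated LOW / MEDIUM / HIGH. The measured value and thresholds are kept
next to the rating so the report can back up its rationale with data.
KRIs are tagged leading (predictive) or lagging (reveal a change that has
already happened), a trend is computed over successive readings, and the
escalation decision follows explicit criteria.
All names, thresholds, readings and criteria are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class KRI:
    name: str
    kind: str              # "leading" or "lagging"
    medium: float          # value at or above which the rating is MEDIUM
    high: float            # value at or above which the rating is HIGH
    unit: str
    readings: List[float] = field(default_factory=list)  # oldest -> newest

    def current(self) -> float:
        return self.readings[-1]

    def rating(self) -> str:
        value = self.current()
        if value >= self.high:
            return "HIGH"
        if value >= self.medium:
            return "MEDIUM"
        return "LOW"

    def trend(self) -> str:
        """Direction of the newest reading relative to the one before it."""
        if len(self.readings) < 2:
            return "n/a"
        prev, cur = self.readings[-2], self.readings[-1]
        if cur > prev:
            return "rising"
        if cur < prev:
            return "falling"
        return "flat"


def build_dashboard(kris: List[KRI]) -> List[Dict[str, str]]:
    """One row per KRI, highest-rated first, each with its supporting data."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    rows = []
    for k in sorted(kris, key=lambda k: order[k.rating()]):
        rows.append({
            "kri": k.name,
            "type": k.kind,
            "rating": k.rating(),
            "trend": k.trend(),
            "evidence": (f"{k.current():g} {k.unit} "
                         f"(MEDIUM at {k.medium:g}, HIGH at {k.high:g})"),
        })
    return rows


def needs_escalation(kris: List[KRI]) -> bool:
    """Escalation criteria constructed for the example, as they might be agreed
    with senior management: any KRI rated HIGH, or a leading indicator that is
    already MEDIUM and still rising."""
    for k in kris:
        if k.rating() == "HIGH":
            return True
        if k.kind == "leading" and k.rating() == "MEDIUM" and k.trend() == "rising":
            return True
    return False


# Constructed readings (three reporting periods, oldest first).
SAMPLE_KRIS = [
    # Leading: a growing backlog of unpatched critical findings precedes incidents.
    KRI("Critical vulnerabilities open > 30 days", "leading",
        medium=5, high=15, unit="systems", readings=[2, 4, 7]),
    # Leading: time from disclosure to patch measures the exposure window.
    KRI("Median days from disclosure to patch", "leading",
        medium=14, high=30, unit="days", readings=[21, 18, 12]),
    # Lagging: confirmed incidents show a change in risk that already happened.
    KRI("Security incidents per month", "lagging",
        medium=3, high=6, unit="incidents", readings=[1, 1, 2]),
]

if __name__ == "__main__":
    for row in build_dashboard(SAMPLE_KRIS):
        print(row)
    print("Escalate:", needs_escalation(SAMPLE_KRIS))
```

With the constructed readings the backlog indicator is MEDIUM and rising, which alone meets the escalation criteria even though no indicator is HIGH; the patch-cycle indicator is LOW and falling, illustrating how a leading KRI can show improvement before the lagging incident count moves.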

Section Three

111

In the Big Picture

Section Three: Risk Monitoring and Reporting

• Executives base decisions in part on their understanding of the
risk environment and rely on risk reports to have the information
they need to make good decisions.
• The risk environment changes constantly, so tools such as KRIs and
security baselines are useful in estimating changes to information
risk.
• Risk should be reported regularly and in a way preferred by the
intended audience, but quick escalation may be needed if risk
changes suddenly and drastically.

112

Section Three

Practice Questions

Practice Question

There is a delay between the time when a security vulnerability
is first published, and the time when a patch is delivered. Which
of the following should be carried out FIRST to mitigate the risk
during this time period?

A. Identify the vulnerable systems and apply compensating
controls.
B. Minimize the use of vulnerable systems.
C. Communicate the vulnerability to system users.
D. Update the signatures database of the intrusion detection
system.

114

Practice Question

An information security manager is advised by contacts in law
enforcement that there is evidence that the company is being targeted
by a skilled gang of hackers known to use a variety of techniques,
including social engineering and network penetration. The FIRST step
that the security manager should take is to:

A. perform a comprehensive assessment of the organization’s
exposure to the hackers’ techniques.
B. initiate awareness training to counter social engineering.
C. immediately advise senior management of the elevated risk.
D. increase monitoring activities to provide early detection of
intrusion.

115

Practice Question

The information security policies of an organization require that
all confidential information must be encrypted while
communicating to external entities. A regulatory agency insisted
that a compliance report must be sent without encryption. The
information security manager should:

A. extend the information security awareness program to
include employees of the regulatory authority.
B. send the report without encryption on the authority of the
regulatory agency.
C. initiate an exception process for sending the report without
encryption.
D. refuse to send the report without encryption.

116

Practice Question

Which of the following activities MUST a financial-services
organization do with regard to a web-based service that is
gaining popularity among its customers?

A. Perform annual vulnerability mitigation.
B. Maintain third-party liability insurance.
C. Conduct periodic business impact analyses.
D. Architect a real-time failover capability.

117

Domain 2

Summary

Summary

▪ Risk management includes risk identification;
assessment and analysis; and risk monitoring and
reporting.
▪ If risk is not identified, it cannot be mitigated.
▪ Risk scenarios and the risk register are tools that can
be used to identify risk, and subsequently can be
used to analyze risk.
▪ Impact, vulnerability and likelihood all need to be
taken into consideration when ranking and
evaluating risk.

119

Summary

▪ Cost, whether tangible or intangible, should be
considered when deciding on a risk treatment option.
▪ Indicators of change in the risk environment (often KRIs)
should be used to monitor changes in risk.
▪ Information security and business continuity should
be in communication with one another.
▪ Risk reports should be clear and written to the
preferences of senior management.
▪ Escalation processes need to be in place for major
incidents.

120

Questions

121
