CRISC 2022 Domain4


CRISC Virtual Instructor-Led Course –

Participant Guide Session 4

Information Technology and Security


MODULE 4

Exam Relevance
The content area in this domain will represent approximately 22% of the CRISC examination (approximately 33 questions).

[Chart: exam weight by domain. Domain 1: 26%; Domain 2: 20%; Domain 3: 32%; Domain 4: 22%.]

©2021. ISACA. All Rights Reserved 1



Topics
Enterprise Architecture

IT Operations Management

Project Management

Enterprise Resiliency

Data Life Cycle Management

System Development Life Cycle

Emerging Technologies

Information Security Principles

Information Security Frameworks and Standards

Information Security Awareness Training

Data Privacy and Data Protection Principles

Learning Objectives
• Explain the key components of enterprise architecture and the frameworks used to implement them.
• Identify IT components and their areas of concern relating to enterprise risk.
• Describe the project risk and how it is addressed in the project management process.
• Outline the steps and requirements needed to maintain enterprise resiliency.
• Assess areas of risk throughout the data life cycle.
• Articulate key security and support tasks to perform during the system development life cycle.
• Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities.


Learning Objectives
• Identify factors that can impact security and risk in the enterprise.
• Leverage information security frameworks and standards to manage information systems and data.
• Review the scope of information security training and awareness programs against identified threats faced by the enterprise.
• Apply data privacy and data protection principles to risk assessment activities.

Enterprise Architecture


Enterprise Architecture
Strategic management of enterprise information technology begins with an enterprise-level understanding of the network and information architecture.

EA typically includes business functions or capabilities, and human roles among others, to outline how information enables the organization to do whatever it does.

An enterprise view of IT shows links between IT and organizational objectives and produces a view of current risk and controls to answer four basic questions:
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we seeing expected benefits?

These questions comprise a cycle of examination, evaluation and adjustment. The answers provide important continuous feedback to implementation of enterprise IT strategy under an approved architecture.

Enterprise Architecture Guidance
• Evaluating risk against established EAs yields greater efficiency and a more complete understanding of risk.
• Risk in any one location can affect the security of all other areas.

Documentation: Presenting architecture in terms of taxonomy or nomenclature.
Notation: Visualizing architecture in a standardized manner.
Process: Goals, inputs, actions, and outputs occurring in building architecture.
Organization: Needed skillsets, training and approaches to governance.

EA frameworks: TOGAF, Zachman, DODAF, FEAF, SABSA


Maturity Models
Consistent with total quality management (TQM) and continuous process improvement (CPI).
Goal: To reach an optimizing or efficient level of operations through iteration and refinement.

[Maturity scale: Nonexistent or Entirely Notional → Reaction → Operation as Distinct Functions → Integration]

Steps: Determine existence of EA → Assess EA maturity → Determine …

CMM Alternatives

1. Some organizations are moving away from the use of maturity models regarding cybersecurity. This trend originates from the assumption that greater monitoring means less risk.

2. This alternative to CMM focuses on measurements and controls. Enterprises pursue a tactical approach, believing that sustained commitments to cybersecurity can lead to a proactive posture of security becoming part of daily operations.

3. There is no consensus on whether this dynamic represents an improvement over CMM or instead defines maturity according to different criteria than those applied in the prevailing generation of models.


Review Question
During a risk assessment of a start-up enterprise with a bring your
own device (BYOD) practice, a risk practitioner notes that the
database administrator (DBA) minimizes a social media website on
his/her personal device before running a query of credit card account
numbers on a third-party cloud application. The risk practitioner
should recommend that the enterprise:

A. develop and deploy an acceptable use policy for BYOD.

B. place a virtualized desktop on each mobile device.

C. blacklist social media websites for devices inside the demilitarized zone.

D. provide the DBA with user awareness training.


IT Operations Management


IT Operations Management

The risk practitioner should have knowledge of general IT, information security, and cybersecurity concepts but is not required to be a technical expert.

• Close and ongoing interaction
• Working knowledge of IT within the organization
• Relate areas to common threats and vulnerabilities


Supply Chain Management

There are several recent examples of hardware intentionally tampered with or embedded with bypasses to security controls during the manufacturing or delivery process.

• It is not easy to detect tampering in network devices, point-of-sale terminals, applications and smartphones from numerous countries and vendors.
• Risk practitioners should be aware of the risk of purchasing equipment and encourage their organizations to use trusted vendors or suppliers whenever possible.
• Purchasing equipment tested and evaluated by an external entity using an internationally approved process may provide a higher level of confidence that the equipment is secure.
• Validate that vendor-accessible maintenance hooks are documented and either secured or eliminated. When administering hardware devices, use a secure channel and require strong authentication.


IT Components and Areas of Concern

Hardware | Operating Systems | Applications Software
Software Utilities | Environmental Controls | Databases | Networks


TCP/IP Stack

Layer (protocols)                          Encapsulation at that layer
Application Data (HTTP, FTP, SMTP, SNMP)   App Header | Application Data
Transport Layer (TCP, UDP)                 TCP Header | App Header | Application Data
Internet Layer (IP, ICMP, IGMP)            IP Header | TCP Header | App Header | Application Data
Link Layer (Ethernet, ARP, OSPF)           Frame Header | IP Header | TCP Header | App Header | Application Data | Frame Footer
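The encapsulation the table describes, as an added example that is not part of the ISACA guide: one packet is built layer by layer (application data, then the app header, TCP, IP and finally the Ethernet frame) and then peeled apart again, with each layer's framing fields checked before the next layer is trusted. The MAC and IP addresses, ports and the 4-byte length-prefixed "application header" are constructed sample values for a hypothetical application protocol; the TCP checksum is left at zero because computing it needs a pseudo-header and is not the point here.

```python
import socket
import struct

# Added example (not from the ISACA guide): build one packet layer by layer,
# then peel the layers back off, mirroring the encapsulation diagram above.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")      # 20-byte TCP header, no options
APP_HDR = struct.Struct("!I")              # constructed app header: payload length

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words. Computed over a header
    that already contains its checksum field, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, sport: int, dport: int,
                src_mac: bytes = b"\x02\x00\x00\x00\x00\x01",
                dst_mac: bytes = b"\x02\x00\x00\x00\x00\x02") -> bytes:
    """Application data -> app header -> TCP -> IP -> Ethernet frame."""
    app_pdu = APP_HDR.pack(len(payload)) + payload
    # Transport layer: data offset 5 words, flags PSH|ACK, TCP checksum left 0.
    tcp_segment = TCP_HDR.pack(sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + app_pdu
    # Internet layer: version 4, IHL 5, DF set, TTL 64, protocol TCP. The header
    # checksum is computed over the header with the checksum field zeroed.
    total_len = IPV4_HDR.size + len(tcp_segment)
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    draft = IPV4_HDR.pack(0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip_packet = IPV4_HDR.pack(0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP,
                              ipv4_checksum(draft), src, dst) + tcp_segment
    # Link layer: Ethernet header in front, a placeholder 4-byte FCS behind.
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip_packet + b"\x00" * 4


def decapsulate(frame: bytes) -> dict:
    """Ethernet frame -> IP -> TCP -> app header -> application data, validating
    each layer's framing fields before trusting the layer inside it."""
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    ip_off = ETH_HDR.size
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _ck, src, dst = IPV4_HDR.unpack_from(frame, ip_off)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 version/IHL")
    if ipv4_checksum(frame[ip_off:ip_off + ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if ip_off + total_len > len(frame):
        raise ValueError("IPv4 total length exceeds frame")
    if proto != IPPROTO_TCP:
        raise ValueError("unsupported IP protocol %d" % proto)
    tcp_off = ip_off + ihl
    sport, dport, _seq, _ack, doff_res, _flags, _win, _tck, _urg = TCP_HDR.unpack_from(frame, tcp_off)
    app_off = tcp_off + (doff_res >> 4) * 4
    (app_len,) = APP_HDR.unpack_from(frame, app_off)
    payload = frame[app_off + APP_HDR.size: app_off + APP_HDR.size + app_len]
    if len(payload) != app_len or app_off + APP_HDR.size + app_len > ip_off + total_len:
        raise ValueError("application payload truncated or length field inconsistent")
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ttl": ttl,
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "payload": payload}


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\n", "10.0.0.1", "10.0.0.2", 40000, 80)
    print(len(frame), decapsulate(frame))
```

The point for a risk practitioner is the order of checks in `decapsulate`: every length and checksum field is verified at its own layer before the bytes inside it are interpreted, which is exactly what a device that skips a layer's validation (or trusts a length field blindly) fails to do.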


Common Networking Components

• Cabling
• Repeaters
• Switches
• Routers
• Firewalls
• Proxies
• Intrusion Systems
• Domain Name Systems
• Wireless Access Points
• Network Architecture


Types of Network Topologies

Topologies and deployment methods evolved significantly over time, with the main drivers being quality and cost. Network topologies can include:

• Bus
• Star
• Ring
• Mesh


Demilitarized Zone (DMZ)

[Diagram: Internet → Firewall → DMZ (Web Server, Extranet) → Internal Systems and Servers; Outsider shown reaching the DMZ only.]

• Network borders exist to prevent outsiders from directly accessing systems within LANs.
• Services intended for outside use are typically placed in a network segment off the border expressly configured to allow open access.
• All devices are hardened with unnecessary functionality disabled.
• IDSs or IPSs are generally placed to monitor, record and potentially block suspicious activity.
• DMZ firewalls are generally placed behind packet-filtering routers to clear out obvious bad traffic in advance.


Technology Refresh
The age, condition and complexity of technology used by an organization presents a substantial risk factor.

Outdated technology:
• Difficult to obtain, support and maintain
• Acquired through multiple projects and/or mergers
• Products can be a varied mix of vendors, languages, configurations and vintages
• Enterprises retain legacy systems because of a compelling business need
• Use continues past anticipated life span due to cost-effectiveness of replacement
• Work with business process owners and technical staff to determine what legacy systems are in use

Factors to assess:
• Equipment age
• Variety of vendors/suppliers
• Replacement part availability
• Operating environment and user expertise
• Expertise available for maintenance
• Available system documentation
• Ability to test systems or equipment
• Ability to patch/mitigate vulnerabilities


IT Operations and Management

IT Operations:
• Problem identification
• Policy
• Procedures
• Security services
• Business process controls

IT Management:
• Service requests & incidents
• Problem
• Continuity


Configuration Management

Configure devices and systems after installation to support communications, interfaces with other organizational systems and secure operations directed by policy.

• Provide one approved way to configure and use systems/devices intended for a specific role.
• Makes it easier to deploy new systems, test patches and upgrades, identify the presence of malware, and manage the enterprise.
• Back up configurations and settings that control the operation of devices and make them available in case of equipment failure.
• Ensure policies and procedures are in place that apply to proper configuration management.
• Provide backups of standard configurations to use in recovery scenarios.
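A practical check behind "one approved way to configure" a role is comparing a device's running configuration with the approved baseline and reporting drift; the following is an added example, not code from the ISACA guide. The baseline, the role name (`bastion-ssh`), the sshd_config-style running configuration and the set of security-relevant keys are all constructed sample data; in practice the running configuration would be pulled from the device and the baseline from a version-controlled configuration store. The fingerprint function shows how a configuration backup can carry a value that a later restore is verified against.

```python
import hashlib
import re

# Added example (not from the guide): detect drift between a device's running
# configuration and the approved baseline for its role. All data is constructed.
APPROVED_BASELINES = {
    "bastion-ssh": {  # hypothetical role; sshd_config-style key/value settings
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "MaxAuthTries": "3",
        "LogLevel": "VERBOSE",
        "AllowAgentForwarding": "no",
    }
}

# Keys whose drift weakens security directly are reported at higher severity.
SECURITY_KEYS = {"PermitRootLogin", "PasswordAuthentication", "MaxAuthTries",
                 "AllowAgentForwarding"}

RUNNING_CONFIG = """\
# sshd_config on host bastion-01 (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
loglevel INFO
X11Forwarding yes
"""


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines. Comments and blank lines are ignored; sshd keys
    are case-insensitive, so they are normalised to the baseline's spelling,
    and the first occurrence of a key wins, as sshd itself behaves."""
    canonical = {k.lower(): k for role in APPROVED_BASELINES.values() for k in role}
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.*)", line)
        if not m:
            continue
        key = canonical.get(m.group(1).lower(), m.group(1))
        settings.setdefault(key, m.group(2).strip())
    return settings


def config_fingerprint(settings: dict) -> str:
    """Stable SHA-256 over the canonical form of a parsed configuration; store it
    with the configuration backup so a restored config can be verified."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(settings.items()))
    return hashlib.sha256(canon.encode()).hexdigest()


def detect_drift(role: str, running: dict) -> list:
    """Return findings as (severity, key, expected, actual), highest severity first."""
    baseline = APPROVED_BASELINES[role]
    findings = []
    for key, expected in baseline.items():
        actual = running.get(key)
        severity = "high" if key in SECURITY_KEYS else "medium"
        if actual is None:
            findings.append((severity, key, expected, "<missing>"))
        elif actual.lower() != expected.lower():
            findings.append((severity, key, expected, actual))
    for key, value in running.items():
        if key not in baseline:  # settings the approved baseline does not mention
            findings.append(("low", key, "<not in baseline>", value))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    running = parse_config(RUNNING_CONFIG)
    print(config_fingerprint(running))
    for finding in detect_drift("bastion-ssh", running):
        print(*finding)
```

Run against the constructed sample, the report lists the root-login change and the missing agent-forwarding setting as high, the log level as medium, and the X11 setting that the baseline never mentions as low; an excessive number of such "not in baseline" findings across a fleet is the same signal as the review question below about too many standard images.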


Review Question
An excessive number of standard workstation images can be
categorized as a key risk indicator for:

A. change management.

B. configuration management.

C. IT operations management.

D. data management.


Virtualization

1. Instances of emulated hardware that exist in computer memory and can do everything physical computers could do, including run operating systems and applications.

2. Establishing servers as VMs offers tremendous advantages for continuity and recovery, because these environments could be transferred to different physical systems without needing to interrupt operations.

3. Multiple VMs can be run on single physical servers built to purpose, resulting in significant downsizing of physical space requirements for organizational datacenters. Further advanced due to the rise of containers.


Updating the Risk Register

The risk register should show the progress of testing and attainment of milestones during the progress of each mitigation project.

Control validated as effective → Risk register updated to reflect the changes → Residual levels of risk formally accepted

By keeping the risk register accurate and up to date, the risk practitioner ensures that it is consistently available as a resource for risk management activities across the enterprise.


Cloud Computing

• Cloud Clients (web browser, mobile apps, thin clients)
• Software as a Service (SaaS): CRM, email, virtual desktops, games
• Platform as a Service (PaaS): web servers, databases, development tools
• Infrastructure as a Service (IaaS): servers, storage, network, VMs


Cloud Computing Risk

Extremely well protected
• These cloud centers make tempting targets

Providers invest heavily in security
• Security capabilities are not disclosed to their customers

Robust computing and storage capabilities
• Jurisdictional issues, privacy concerns, regulatory constraints

High availability & uptime
• If there is an outage the enterprise will experience the impact, regardless of contract


Review Question
An enterprise wants to use a cloud solution for its travel booking
system that will store its employees’ information. Which of the
following cloud models presents the lowest risk to the risk
practitioner?

A. Hybrid

B. Private

C. Public

D. Community


Project Management


Project Management
A series of tasks that work towards a common purpose with a defined end-state.

1. Project management is the formal discipline of organizing, administering and carrying out projects.

2. Undertaken across enterprises and fields to deliver value by bringing about some specific set of conditions or outcomes.

3. Enterprises rely on projects and programs to execute the decisions of management and carry out their business functions.


Project Management Steps

Initiation:
• Project charter
• Initial scope
• Initial schedule
• Initial budget estimate

Planning:
• Scope & budget
• Work breakdown structure
• Gantt chart
• Communication plan
• Risk management

Execution:
• Status & tracking
• KPIs
• Quality
• Forecasts

Closeout:
• Post mortem
• Reporting
• Issues log
• Status reports
• Acceptance forms
• Change control logs


Project Management Methodologies

Intent of bringing projects to a successful completion:

Interim Evaluation
Identifies variances between real and anticipated need prior to finalization of deliverables:
• Helps to manage risk
• Agile, Kanban and Extreme Programming (XP)

Waterfall Methodology
Commonly associated with delivering precisely what was originally requested.

Tip: The best methodology is based on the nature of the project, customer expectations, organizational culture and other factors.


Project Failure

Project failure is surprisingly common and may include early cancellation, nondelivery of expected outcomes or lack of expected value relative to invested resources.

• Timely identification of a project at risk of failure is important so that corrective action can be implemented while the situation can be salvaged.
• It is important to balance time, quality and cost. Skipping steps and cutting corners can cause losses and limit opportunities.
• Projects are frequently assembled into programs. Programs rely on successful and timely completion. If a project is at risk, the entire program may also be at risk.
• Risk practitioners who identify issues in project planning or execution should alert management through portfolio channels as soon as possible.


Review Question
During project implementation, a relevant risk that was not previously
identified was discovered. What would be the NEXT step the risk
practitioner would recommend?

A. Update the risk treatment plan and report the risk to management.

B. Penalize the project owner for not identifying the risk.

C. Add the risk to the risk register and analyze the new risk.

D. Refine the risk assessment methodology used by the enterprise.


Responding to Project Failure

Applies to project objectives not met and to project failure affecting a program:
• Implementing a change control board to prevent scope creep
• Prioritizing critical project tasks to use resources optimally
• Reorganizing or providing additional resources to overcome bottlenecks
• Replacing or supplementing project managers who fall short of expectations
• Canceling projects whose costs or schedules are far outside of projections or restarting them under more favorable conditions
• Replacing suppliers or renegotiating contracts that fail to deliver agreed-upon products or services

Poor Project Management Consequences


Loss of business or competitive advantage

Low morale among staff members

Inefficient processes

Lack of testing of new systems or changes to existing systems

Impact on other business operations

Failure to meet contractual requirements

Violations of law or regulations

Insufficient QA activities


Project Closeout
Projects, unlike programs, have a finite life span.

There must be an anticipated point when deliverables are fully transitioned to users and/or system support staff and the project is closed.

Formal closeout procedures are an important part of managing risk. Consider:
• Postimplementation or after-action reviews to capture lessons learned
• Stakeholder satisfaction
• Information that can be used to improve future projects


Review Question
A business case developed to support risk mitigation efforts for a
complex application development project should be retained until:

A. the project is approved.

B. user acceptance of the application.

C. the application is deployed.

D. the application’s end of life.


Enterprise Resiliency


Enterprise Resiliency

Enterprises encounter threat events on a near-constant basis.

• Under the right circumstances, a threat actor may create effects that have real business impact, which may range from minor to catastrophic.
• Effective risk management considers the full spectrum of these possibilities with the goal of creating resiliency across the enterprise.
• Resilient enterprises are not necessarily unaffected by threat events; they focus on minimizing harmful impacts and returning to normal on an expedited basis.
• Two fundamental disciplines associated with enterprise resiliency are business continuity and disaster recovery.


Business Continuity Plan (BCP)

• Enables a business to continue critical services in the event of a disruption, up to and potentially including an interruption on a disastrous scale.
• Requires rigorous planning and commitment of resources for success.
• May be established at the enterprise level, by each department or for each process.
• Provides a sufficient level of functionality in the business operations immediately after encountering an interruption so that the enterprise can continue as a viable entity.

Single integrated plan: Ensures proper coordination among various components and increases the likelihood that resources are used in the most effective way.

Individual plans: May lead to gaps that cause failures during real-world interruptions. Best for enterprises divided into units with relatively high autonomy or distinct business goals.


Business Continuity Plan (BCP) Development

• Starts with identifying the strategic business processes for the permanent growth of the business and the fulfillment of the business goals.
• Sets the overall target for enterprise recovery and empowers those people involved in developing, testing and maintaining the plans.
• Risk practitioners should assess the adequacy and completeness of BCPs, depending on the levels of risk.

Risk depends on the magnitude of impact to the business if interrupted AND the probability of interruption.

Risk assessment results should identify:
• HR, data, infrastructure elements and other resources
• A list of potential vulnerabilities
• The estimated probability of the occurrence of these threats
• The efficiency and effectiveness of existing risk countermeasures


Business Continuity Planning

Begins with the Business Impact Assessment (BIA), which is the process of determining the impact of losing the support of any enterprise resource. Determine how the BIA was developed to validate accuracy and consideration of all relevant risk factors.

RPO: How much data can be lost in recovery.
RTO: How quickly the process must be accomplished.

Includes:
• Manual processing for previously automated tasks
• Outsourced support
• Use of on-hand inventory in lieu of production
• Use of alternate facilities
• Displacement of less critical functions on remaining capacity

Certain processes may be more or less important at certain times of the month or year. Planning should consider this variable prioritization.


Review Question
Which of the following activities is the MOST important related to
testing the IT continuity plan?

A. A test based on defined recovery priorities

B. A test limited to the recovery of IT infrastructure

C. A test that can be performed at any time

D. Roundtable exercises, if testing is not feasible


Disaster Recovery

• The reestablishment of business and IT services following a disaster or incident within a predefined schedule and budget.
• Commonly associated with recovery from an IT perspective but can be considered a relative of business continuity.
• Timeframes specified in the disaster recovery plan (DRP) are based on the cost and length of outage management is willing to accept.
• Include at least a primary and alternate for every activity and allow a wide variety of staff members to complete assigned tasks.

The DRP includes specific information on hardware and software requirements for restoration, which systems, in what order, how to accomplish the restorations under multiple scenarios, and how many user logins are required in what time frames.

Examples:
• Files
• Transactions
• OSs
• Databases
• Patches
• Configurations
• Applications


Review Question
Due to changes in the IT environment, the disaster recovery plan of a
large enterprise has been modified. What is the GREATEST benefit
of testing the new plan? To ensure that:

A. the plan is complete.

B. the team is trained.

C. all assets have been identified.

D. the risk assessment was validated.


Data Life Cycle Management


Data Management
Implementing a proper and complete data management program ensures the appropriate level of protections at each stage, including data destruction.

• Ensure that data is appropriately protected relative to its value.
• Data protection applies to all formats, regardless of the medium: logical, physical and people.
• Store sensitive data in separate networks or on systems accessible only to authorized personnel (isolation) using appropriate controls.

Examples include:
• Principle of least privilege
• Role-based access controls
• Separation of duties
• Network segmentation
• Encryption in transit, at rest and in use
• Data minimization/anonymization
• Nondisclosure agreements


Determining Appropriate Data Protection

Requires identifying data in terms of its use and then classifying it based on its value by determining the importance of the business processes that use it.

Data Collection:
• Understand purpose and intent of data collected
• Classify data (subject to validation)
• Ensure appropriate formatting before acceptance or processing
• Detect embedded commands that adversely affect automated processing systems

Data Validation:
• Whitelist or blacklist of data
• Whitelisting preferred in environments based on static information
• Blacklisting preferred in environments with broad ranges of data values

Data Protection:
• Changes made will not negatively affect the data or data processing operations
• Requires control over permissions and authorization levels of users or processes that can access data and the supporting applications
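The Data Collection and Data Validation columns in practice, as an added example that is not from the ISACA guide: fields whose legitimate values are static (a country code, an account identifier format, a classification label) are validated against a whitelist, while a free-text field with too broad a range of legitimate values to enumerate is screened against a blacklist of shapes that indicate an embedded command or formula, so the record is rejected before it reaches automated processing. The record layout, the field rules, the denied patterns and the sample records are all constructed for this illustration.

```python
import re

# Added example (not from the guide): whitelist validation for static fields,
# blacklist screening for a broad free-text field. All rules and records are
# constructed sample data.
ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE"}          # whitelist: static set
ACCOUNT_ID = re.compile(r"^ACC-\d{8}$")                # whitelist: exact format
CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}

# Blacklist for free text: shapes that an automated processor (shell, spreadsheet,
# browser, database) might execute rather than store.
DENIED_PATTERNS = [
    ("shell metacharacters", re.compile(r"[;&|`$]")),
    ("spreadsheet formula prefix", re.compile(r"^\s*[=+\-@]")),
    ("script tag", re.compile(r"<\s*script", re.IGNORECASE)),
    ("sql comment or statement terminator", re.compile(r"(--|/\*|;)")),
]
MAX_NOTE_LEN = 200


def validate_record(rec: dict) -> list:
    """Return (field, reason) findings; an empty list means the record is clean."""
    findings = []
    # Whitelisted fields: anything not explicitly permitted is rejected.
    if rec.get("country") not in ALLOWED_COUNTRIES:
        findings.append(("country", "not in allowlist"))
    if not ACCOUNT_ID.match(str(rec.get("account_id", ""))):
        findings.append(("account_id", "does not match required format"))
    if rec.get("classification") not in CLASSIFICATIONS:
        findings.append(("classification", "unknown classification label"))
    # Blacklisted free-text field: wide legitimate range, so block known-bad shapes.
    note = str(rec.get("note", ""))
    if len(note) > MAX_NOTE_LEN:
        findings.append(("note", "exceeds maximum length"))
    for name, pattern in DENIED_PATTERNS:
        if pattern.search(note):
            findings.append(("note", f"embedded command pattern: {name}"))
    return findings


def accept_batch(records: list) -> tuple:
    """Split a batch into accepted records and (record, findings) rejections."""
    accepted, rejected = [], []
    for rec in records:
        findings = validate_record(rec)
        if findings:
            rejected.append((rec, findings))
        else:
            accepted.append(rec)
    return accepted, rejected


SAMPLE_RECORDS = [  # constructed
    {"account_id": "ACC-00012345", "country": "US", "classification": "internal",
     "note": "Renewal due in Q3"},
    {"account_id": "ACC-00012346", "country": "XX", "classification": "internal",
     "note": "ok"},
    {"account_id": "ACC-1", "country": "CA", "classification": "secret",
     "note": "=SUM(A1:A9)"},
    {"account_id": "ACC-00012347", "country": "GB", "classification": "confidential",
     "note": "pending; -- see ticket 42"},
]

if __name__ == "__main__":
    accepted, rejected = accept_batch(SAMPLE_RECORDS)
    print(len(accepted), "accepted")
    for rec, findings in rejected:
        print(rec["account_id"], findings)
```

The split matches the slide's guidance: the whitelist rules never need updating when a new attack shape appears, because they only describe what is acceptable, whereas the blacklist for the note field has to be maintained as new patterns are learned, which is the price of allowing a broad range of values.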


Review Question
The IT department wants to use a server for an enterprise database,
but the hardware is not certified by its manufacturer for the intended
operating system or database software. A risk practitioner determines
that introducing the hardware presents:

A. a minimal level of risk.

B. an unknown level of risk.

C. a medium level of risk.

D. a high level of risk.


Data Loss Prevention Solutions

Enterprises that focus on data protection frequently implement specialized software for data loss prevention (DLP).

These solutions leverage data classification schemes to determine what controls should apply to data, and apply policies to data as it is accessed, moved, shared or stored based on its classification. Violations may result in automated alerts, mandatory encryption, or other automated protective actions meant to safeguard the organization and prevent data loss.
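The two halves of the DLP decision just described, as an added example that is not from the ISACA guide: a classification is taken from the data's label, or inferred from content when no label exists (here a payment-card number check using the Luhn test), and a policy table keyed on classification and channel then yields the automated action (allow, alert, encrypt or block). The labels, channel names, policy rows and sample file-movement events are constructed for this illustration; commercial products derive labels from far richer content inspection than the single check shown.

```python
import re
from typing import List, Optional, Tuple

# Added example (not from the guide): classification-driven DLP policy.
# Labels, channels, policy rows and events are constructed sample data.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# (channel, minimum classification, action); rows are ordered from most to
# least restrictive so the first match is the strongest applicable control.
POLICY = [
    ("removable_media", "restricted",   "block"),
    ("removable_media", "confidential", "encrypt"),
    ("email_external",  "restricted",   "block"),
    ("email_external",  "confidential", "encrypt"),
    ("email_external",  "internal",     "alert"),
    ("cloud_share",     "confidential", "block"),
    ("cloud_share",     "internal",     "alert"),
]

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str, label: Optional[str]) -> str:
    """Trust an existing classification label; otherwise inspect the content."""
    if label in LEVELS:
        return label
    for m in CARD_CANDIDATE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "restricted"
    return "internal"  # unlabelled data with nothing sensitive found


def decide(classification: str, channel: str) -> str:
    """First policy row whose channel matches and whose threshold is met wins."""
    level = LEVELS[classification]
    for row_channel, min_label, action in POLICY:
        if row_channel == channel and level >= LEVELS[min_label]:
            return action
    return "allow"


def evaluate(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (file, classification, action) for each file-movement event."""
    out = []
    for ev in events:
        cls = classify(ev["content"], ev.get("label"))
        out.append((ev["file"], cls, decide(cls, ev["channel"])))
    return out


SAMPLE_EVENTS = [  # constructed events as a DLP agent might report them
    {"file": "q3-forecast.xlsx", "label": "confidential", "channel": "email_external",
     "content": "forecast figures"},
    {"file": "all-hands.pdf", "label": "public", "channel": "cloud_share",
     "content": "agenda"},
    {"file": "refunds.csv", "label": None, "channel": "removable_media",
     "content": "refund to card 4111 1111 1111 1111 issued"},
    {"file": "orders.csv", "label": None, "channel": "cloud_share",
     "content": "order 1234567890123456 shipped"},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(*row)
```

The Luhn check is what keeps the order number in the last event from being treated as a card number; without such a check a content-based DLP rule generates the false positives that lead staff to disable it.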


System Development Life Cycle


System Development Life Cycle

Systems exist to serve a business function but have a limited life span. Whether due to advances in technology or changes in business practices, it is critical to ensure a formal SDLC to ensure risk is properly managed through the life of a system.

[Cycle: Initiation → Development → Implementation → Maintenance → Disposal]


Key Risk Management Tasks

Risk Identification

Risk Analysis, Evaluation & Assessment

Risk Response & Treatment options

Monitoring & Reporting Requirements


Managing Risk in the SDLC

• As a system moves through the phases of the SDLC, new risk may emerge. This invalidates previous results and requires a new risk assessment to be conducted.
• Ensure the development team is following enterprise policies and standards for secure system development, aligned with approved enterprise architecture.
• Work with the project team to identify threats and determine optimal responses to risk.
• Distinguish between project risk and risk to the enterprise's ability to achieve its target goals and objectives.

Waterfall
• Needs requirements to be defined prior to development taking place.
• Communication is a key element to success.

Agile
• Regular releases of a minimum viable product
• Regular engagement with stakeholders for feedback on deliverables in progress
• Helps ensure that projects focus on delivering what the organization expects or needs


Review Question
In which phase of the system development life cycle should the
process to amend the deliverables be defined to prevent the risk of
scope creep?

A. Feasibility

B. Development

C. User acceptance

D. Design


Review Question
Which of the following system development life cycle stages is MOST
suitable for incorporating internal controls?

A. Development

B. Testing

C. Implementation

D. Design


Emerging Trends in Technology


Emerging Trends in Technology

• Desire to deploy new technologies for competitive advantage may cause the enterprise to lose sight of the business risk involved.
• Consider the potential risk and controls for the application of these technologies that may present value to the enterprise.
• Evaluate and assess the enterprise approach to accepting, reviewing and securing new technologies as they become available.
• Sensitive information might be imaged at almost any time, making security awareness training even more important.


Omnipresent Connectivity
People are more accustomed than ever to using technology in their daily lives.

Bring Your Own Device (BYOD)
• Cost beneficial
• Personal devices may be superior to company-provisioned devices
• Considered a form of risk sharing
• Should be subject to controls

The Internet of Things (IoT)
• Practical devices built to leverage IT to communicate
• Prioritize functionality
• Promise substantial cost reductions by allowing dynamic programming
• Limited security provisions


Review Question
When evaluating risk related to Internet of Things (IoT) devices used
on enterprise networks, which of the following would the risk
practitioner recommend addressing FIRST?

A. IoT devices with hard-coded passwords

B. IoT devices with no vendor support

C. IoT devices with passwords changing less than every 30 days

D. IoT devices connected to the trusted network


Massive Computing Power

Decryption
• Encryption safeguards data if accessed by an unauthorized third party
• Increases in available computing power allow individuals to more easily attempt to break encryption

Deepfakes
• Manufactured audio and video created using digitally manufactured imitations of a person based on samples
• Difficult to distinguish
• Poses challenges to enterprises that require verbal approval

Big Data
• Reduced storage costs and increased connectivity led to large expansion in data volume
• Data analysis is necessary for many enterprises
• Enterprises must consider the impact on privacy


Blockchain

• Maintains a timeline of transactions and shows the history of data without centralized processing.
• Absence of centralization facilitates transparency in transaction logging inherent to the blockchain structure.
• Very difficult to falsify a blockchain entry, as each entry contains its own digital hash and that of the previous entry.
• Implemented in pseudo-currencies based on cryptography. Touted to revolutionize banking, healthcare, property titles, and voting.
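The hash-chaining property behind "each entry contains its own digital hash and that of the previous entry", as an added example that is not from the ISACA guide: a minimal append-only ledger plus a verifier that recomputes every hash and checks every back-link, so that an altered, re-hashed or reordered historical entry is detected. The entries are constructed sample transactions; there is no networking or consensus here, only the integrity property the slide describes.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not from the guide): a hash-chained ledger and its verifier.
GENESIS_PREV = "0" * 64


def entry_hash(index: int, prev_hash: str, data: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so identical content always
    hashes identically regardless of key order."""
    material = json.dumps({"index": index, "prev": prev_hash, "data": data},
                          sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class Entry:
    index: int
    prev_hash: str   # hash of the preceding entry (GENESIS_PREV for the first)
    data: dict
    hash: str        # hash of this entry's index, prev_hash and data


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, data: dict) -> Entry:
        index = len(self.entries)
        prev = self.entries[-1].hash if self.entries else GENESIS_PREV
        entry = Entry(index, prev, dict(data), entry_hash(index, prev, data))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, position) of
        the first entry whose position, back-link or own hash does not check."""
        expected_prev = GENESIS_PREV
        for pos, e in enumerate(self.entries):
            if e.index != pos or e.prev_hash != expected_prev:
                return False, pos
            if entry_hash(e.index, e.prev_hash, e.data) != e.hash:
                return False, pos
            expected_prev = e.hash
        return True, -1


def build_sample_ledger() -> Ledger:
    """Constructed sample transactions."""
    ledger = Ledger()
    ledger.append({"from": "alice", "to": "bob", "amount": 10})
    ledger.append({"from": "bob", "to": "carol", "amount": 4})
    ledger.append({"from": "carol", "to": "alice", "amount": 1})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.verify())
    ledger.entries[1].data["amount"] = 400  # alter a historical entry
    print(ledger.verify())
```

Changing an old entry breaks its own hash; re-hashing it to hide that breaks the back-link stored in the next entry, so a forger would have to rewrite every later entry as well, which is the "very difficult to falsify" property; what the chain does not protect against is a wrong value being appended in the first place.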


Artificial Intelligence
As machines become increasingly capable of processing logical decision matrices, the parameters for intelligence tend to exclude what is accomplished, so that artificial intelligence (AI) is sometimes seen as an unattainable standard.

• In 1950, a computer was considered intelligent when able to engage in behavior indistinguishable from a human.
• Today, computers can accomplish tasks that mimic human behavior within narrow constraints.
• The distinction between human and rational response, and any rules that can be positively verified, can also be exploited.
• Decision trees and use cases are subject to testing aligned with the potential impacts.
• Oversight of AI is especially important in cases involving machine learning (ML).
• If improvement is poorly defined, iteration to refine outcomes results in lasting deviation from goals.


Break


Information Security Concepts, Frameworks and Standards


Information Security Principles Overview

One goal of risk management is ensuring that technology used in the enterprise is adequately protected, secure and reliable.

The risk practitioner should ensure the risk assessment and response program:
• Evaluates new technology
• Provides effective advice on how to deploy
• Directs use within acceptable risk boundaries

Consider:
• Training for users and administrators
• Creation of policies and procedures
• Inclusion of systems in backup schemes and continuity plans
• Assignment of risk ownership
• Consent of information owners for any technology that may handle sensitive information
• Review of legal or regulatory requirements
• Assignment of responsibility for monitoring and reporting on proper technology use

67

System Ownership

Every system is the responsibility of a system owner.

Usually this is a senior manager in the department for which the system was built.

Responsible for the proper use and operation of the system and usually must approve
expenses for system implementation, changes, upgrades and removal.

System owners engage the IT department or an external supplier to manage and operate
systems under their ownership on behalf of their functional areas.

Responsibility can be delegated—accountability cannot.


68

Review Question
Which of the following is the MOST important requirement for setting
up an information security infrastructure for a new system?

A. Performing a business impact analysis

B. Considering personal devices as part of the security policy

C. Basing the information security infrastructure on a risk assessment

D. Initiating an IT security awareness campaign, training and familiarization

69

Information Security Strategy

Large enterprises may have many system owners from various departments, making it
difficult to manage, oversee and ensure consistent operation of the systems.

If system protection is the sole responsibility of the system owner, there may be
significant differences in security and risk enforcement for each system.

Information sharing and system dependencies make it likely that a breach or
vulnerability in any one system is a risk to the entire enterprise.

Take an enterprise approach to security to ensure consistent, reliable and secure
operations.

70

Security for Legacy Systems

Legacy systems often require special attention because of gaps between their
designs and current security standards.

Risk
• Can lack security features entirely
• Contain features misaligned with observed threats
• More susceptible to failure as a result of aging
• Options are limited due to cost of replacing or upgrading.

Actions
• Work with the risk owner to create an acceptable level of risk.
• Compensating controls may be effective supplements to existing security where
conventional improvements are either technically infeasible or cost prohibitive.

71

Review Question
An enterprise recently developed a breakthrough technology that
could provide a significant competitive edge. Which of the following
FIRST governs how this information is to be protected from within the
enterprise?

A. The data classification policy

B. The acceptable use policy

C. Encryption standards

D. The access control policy

72

Information Security Frameworks and Standards

Information security is the protection of information and information systems from risk events.

• Information security controls are based on risk; risk is the primary justification for
information security controls.
• Predicted impact is often limited to direct and immediate effects, but actual events may
have long-term consequences.

The risk practitioner should consider two forms of impact:
• Impact due to the loss or compromise of information
• Impact due to the loss or compromise of an information system
73

CIA Triad

Confidentiality: The protection of information from unauthorized disclosure

Integrity: The accuracy and completeness of information in accordance with business
values and expectations

Availability: The ability to access information and resources required by the business
process

74

Review Question
Which of the following business requirements BEST relates to the
need for resilient business and information systems processes?

A. Effectiveness

B. Confidentiality

C. Integrity

D. Availability

75

Nonrepudiation

A positive guarantee that a given action was carried out by a given individual or process and is
an important part of tracing responsibility and enforcing accountability.

• Digital signatures and certificate-based authentication in a public key infrastructure (PKI)
• Shared or generic logon credentials do not provide the same assurance as individual
usernames and passwords

The risk practitioner should seek evidence of nonrepudiation in situations where actions could
have significant impact on an enterprise.

76

System Authorization

Review
• Determine the security of design, development, testing, deployment and operations
• Examine aspects of mitigating controls in parallel with SDLC
• Provide report to senior management recommending whether to authorize the system

Authorization
• Official decision by the senior manager granting approval for operational use
• Explicit acceptance of risk documented in evaluator’s report
• Can come with caveats (time restrictions, in-progress updates)

Operation
• May operate the system according to restrictions or time period granted
• Any substantial changes in the system or enterprise risk profile may require new evaluation
and reauthorization of the system if not continuously monitored

77

Review Question
An information system that processes weather forecasts for public
consumption is MOST likely to place its highest priority on:

A. nonrepudiation.

B. confidentiality.

C. integrity.

D. availability.

78

Segregation of Duties
A basic internal control that prevents or detects errors and irregularities by assigning
separate individuals the responsibility for certain tasks using mutual exclusivity.

• A single person cannot execute both parts of the same transaction
• Easier to detect issues over time
• Does not prevent collaborated circumvention
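Segregation of duties is usually enforced in the workflow tool, but the "detect" side of the control is a review of the approval log. The Go program below is an added example written for this guide, not ISACA material: it scans a constructed purchase-order log and reports every transaction that the same user both initiated and approved. The `Event` layout and the action names "initiate" and "approve" are assumptions; real systems carry these in whatever fields their audit log provides. As the slide notes, the check cannot see collusion between two different users.

```go
package main

import (
	"fmt"
	"sort"
)

// Event is one constructed record from an approval workflow log: who
// performed which step on which transaction.
type Event struct {
	TxID   string
	Action string // "initiate" or "approve"; other steps are ignored
	User   string
}

// SoDViolations returns, in sorted order, the transactions in which the
// same user both initiated and approved, i.e. one person executed both
// parts of the same transaction. Only direct violations are caught: two
// users who split the steps between them look legitimate here.
func SoDViolations(events []Event) []string {
	initiators := map[string]map[string]bool{} // TxID -> users who initiated
	approvers := map[string]map[string]bool{}  // TxID -> users who approved
	for _, ev := range events {
		var byTx map[string]map[string]bool
		switch ev.Action {
		case "initiate":
			byTx = initiators
		case "approve":
			byTx = approvers
		default:
			continue
		}
		if byTx[ev.TxID] == nil {
			byTx[ev.TxID] = map[string]bool{}
		}
		byTx[ev.TxID][ev.User] = true
	}

	var violations []string
	for tx, users := range initiators {
		for u := range users {
			if approvers[tx][u] { // indexing a nil inner map is safe and yields false
				violations = append(violations, tx)
				break
			}
		}
	}
	sort.Strings(violations)
	return violations
}

func main() {
	// Constructed sample log: PO-1002 is initiated and approved by the same
	// user; the other two orders are handled by two different people.
	events := []Event{
		{"PO-1001", "initiate", "alice"},
		{"PO-1001", "approve", "bob"},
		{"PO-1002", "initiate", "carol"},
		{"PO-1002", "approve", "carol"},
		{"PO-1003", "initiate", "dave"},
		{"PO-1003", "approve", "erin"},
	}
	for _, tx := range SoDViolations(events) {
		fmt.Println("segregation of duties violation:", tx) // PO-1002
	}
}
```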

79

Cross-Training and Job Rotation

Reduce reliance on key staff, making it possible for multiple individuals to step in and
fill a vital role as needed.

Benefits
• Cross-training allows people on the same team to learn one another’s roles
• Makes it possible for an enterprise to rotate people between different jobs

Drawbacks
• Decreased efficiency during times of transition
• Employees with broader skill sets may be more attractive to other employers
• Less diligent employees

Job rotation is typically associated with business continuity and enterprise resiliency:
• Reduces potential for collusion
• Increases the odds that prior collusion can be detected by an uninvolved person

80

Authentication Methods

Method: Knowledge (password, code phrase or other secret value)
Challenges: Subject to replay attacks. Less secure over time as they can be figured out
eventually.
Good practices: Encourage users to change passwords on a regular basis.

Method: Possession (item such as smart card, token, code or ID badge)
Challenges: Physical items can be damaged, lost or stolen. Legitimate users can be denied
access.
Good practices: Check for workarounds that can represent vulnerabilities.

Method: Characteristic (biometrics, physiology factors or behavior)
Challenges: Some users find biometrics to be intrusive. Biometric data may be subject to
laws and regulations governing privacy.
Good practices: Authentication of devices or network nodes may also use characteristics as
determining factors.

81

Review Question
The BEST control to prevent unauthorized access to an enterprise’s
information is user:

A. accountability.

B. authentication.

C. identification.

D. access rules.

82

Isolation
Prevents a user from using account privileges at times when they are not required and
allows an organization to maximize the effectiveness of its controls by reducing the
potential scope of monitoring.

Authorization is typically granted only for a limited period, which may be a fixed duration
before timeout or a set period when permissions are required.

If the source of an authentication request is outside a likely geographic area, additional
verification may be required, or the access attempt might be blocked entirely.

83

Encryption
Mathematical means of altering data from a readable form into an unreadable form in a manner
that can be reversed by someone who has access to the appropriate numeric value (key).

Makes data unreadable to anyone who is unauthorized, to protect data confidentiality.

Two basic forms:
• Symmetric
• Asymmetric

Also supports:
• Integrity
• Nonrepudiation
• Access control
• Authentication
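The difference between the two basic forms is who needs which key. The Go program below is an added example written for this guide (not ISACA material or any product's code) using only Go's standard library: AES-256-GCM stands in for the symmetric form, where one shared key both seals and opens the data and a modified ciphertext is rejected, and RSA-OAEP stands in for the asymmetric form, where anyone holding the public key can encrypt but only the private key opens the result. The sample plaintext and the 2048-bit key size are choices made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SymmetricSeal encrypts with AES-256-GCM. The same 32-byte key encrypts
// and decrypts, so every authorized party must hold it.
func SymmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err // wrong key length, for instance
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The nonce is prepended so the receiver can find it. GCM appends an
	// authentication tag, so any altered byte is rejected on open.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricOpen reverses SymmetricSeal; it fails on a wrong key or any
// modification of the sealed bytes.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// NewRSAKey generates an asymmetric key pair: the public half can be handed
// out freely, the private half stays with its owner.
func NewRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AsymmetricSeal encrypts to a public key with RSA-OAEP. Only the matching
// private key can open the result, so the encrypting key need not be secret.
func AsymmetricSeal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// AsymmetricOpen decrypts with the private key; any other key fails.
func AsymmetricOpen(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	key := make([]byte, 32) // shared secret for the symmetric form
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, _ := SymmetricSeal(key, []byte("quarterly figures")) // constructed sample
	pt, err := SymmetricOpen(key, sealed)
	fmt.Printf("symmetric round trip: %q, err=%v\n", pt, err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = SymmetricOpen(key, sealed)
	fmt.Println("symmetric open after tampering fails:", err != nil)

	priv, _ := NewRSAKey()
	ct, _ := AsymmetricSeal(&priv.PublicKey, []byte("quarterly figures"))
	pt, err = AsymmetricOpen(priv, ct)
	fmt.Printf("asymmetric round trip: %q, err=%v\n", pt, err)
	other, _ := NewRSAKey()
	_, err = AsymmetricOpen(other, ct)
	fmt.Println("asymmetric open with the wrong private key fails:", err != nil)
}
```

The tamper check is the "integrity" use listed on the slide: an authenticated mode such as GCM gives it for free, whereas a bare block cipher would decrypt altered ciphertext into garbage without complaint.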

84

Review Question
Which of the following controls BEST protects an enterprise from
unauthorized individuals gaining access to sensitive information?

A. Using a challenge response system

B. Forcing periodic password changes

C. Monitoring and recording unsuccessful logon attempts

D. Providing access on a need-to-know basis

85

Message Integrity and Hashing Algorithms

Early computer networks used voice-grade telephone cable with limited bandwidth. Error
correcting was needed due to the combination of slow speed and interference. Hash
algorithms were developed by cryptologists to reduce the amount of data and computational
power needed for error checking.

For any message provided, a hash algorithm calculates a fixed-length value (digest,
fingerprint or thumbprint). The length depends on the hash algorithm used. To ensure a
message is not affected by noise or network problems, hash the message and send the
digest along with the message to the receiver.

86

Digital Signatures

Only a message that is both signed and encrypted is:
• protected against unauthorized viewing
• guaranteed to have arrived in the form that it was originally sent
• known to have originated from the person who claims to have sent it.

Digitally signing a message applies encryption only to the digest and does not make the
message content confidential. A message may be:
• Encrypted and not signed
• Signed and not encrypted
• Signed and encrypted

Public key encryption ensures that the holder of a private key can decrypt what is
encrypted with the corresponding public key. However, it does not prove that the person
who owns the public key being distributed is who he or she claims to be.
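The hashing slide, the nonrepudiation slide and the digital-signature slide above describe one progression: a digest travelling with the message catches noise, and a signature over that digest additionally ties the message to a key. The Go program below is an added example written for this guide, not ISACA material, using Go's standard `crypto/ed25519` and `crypto/sha256`. It computes the fixed-length SHA-256 digest of a constructed message, checks it the way a receiver would, then signs only the digest with the sender's private key and verifies with the public key, showing that the signed message stays readable and that a tampered message or a different signer fails verification. The sample message text is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Digest is the fixed-length fingerprint the hashing slide describes: 32
// bytes for SHA-256 regardless of message length.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// IntegrityOK is the receiver-side check when a digest travels with the
// message. It catches noise or truncation, but not a deliberate change by
// someone who can also replace the digest; that needs a signature.
func IntegrityOK(msg, digest []byte) bool {
	return bytes.Equal(Digest(msg), digest)
}

// NewSignerKeys generates the sender's key pair.
func NewSignerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign signs the digest with the sender's private key. The message itself
// is untouched and remains readable: signed is not the same as encrypted.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, Digest(msg))
}

// VerifySignature recomputes the digest and checks it against the signature
// with the sender's public key. A changed message or a different signer
// both fail, which is the nonrepudiation evidence the slides refer to.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, Digest(msg), sig)
}

func main() {
	pub, priv, err := NewSignerKeys()
	if err != nil {
		panic(err)
	}
	msg := []byte("Transfer 100 units to account 42") // constructed sample message
	digest := Digest(msg)
	fmt.Printf("digest is %d bytes for a %d-byte message\n", len(digest), len(msg))
	fmt.Println("integrity check on the received copy:", IntegrityOK(msg, digest))

	sig := Sign(priv, msg)
	fmt.Println("signed message is still readable:", string(msg))
	fmt.Println("signature verifies:", VerifySignature(pub, msg, sig))

	tampered := []byte("Transfer 900 units to account 42")
	fmt.Println("verifies after tampering:", VerifySignature(pub, tampered, sig))
}
```

What the signature does not tell the receiver is whose key `pub` really is; that gap is what certificates, on the next slide, are for.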

87

Certificates
Certificates link public keys with specific owners by relying on the
endorsement of a trusted third party known as a certificate authority (CA).

Process
• CA verifies identity
• CA generates the certificate on behalf of the owner of a public key
• Recipient knows that the message was signed and sent by the claimed sender
• Recipient uses the public key to encrypt a response, yielding a message that only the
intended recipient can open.

Based on the X.509 standard, ensuring certificates can be accessed by most web browsers,
systems and software even if they are issued by different CAs.

Each certificate is valid for a defined time period, and owners can request to cancel at
any time.

Requests to validate a certificate that is on a certificate revocation list (CRL) result in
notification of revocation, warning that the certificate should not be trusted to verify
identity.
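The following Go program is an added example for this guide, not ISACA material, built on Go's standard `crypto/x509`. It plays both sides of the process: a self-signed root CA endorses a subject's public key for a defined period, and a relying party checks that the certificate chains to the root it trusts. Three outcomes are shown: the certificate is trusted within its validity period, rejected once expired, and rejected when the same name is certified by a CA the relying party does not trust. The CA and subject names, the dates and the validity periods are constructed for the example; revocation via a CRL is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signerKey. When parent is nil the certificate is
// self-signed, which is how a root CA comes into existence.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signerKey ed25519.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the trusted third party: a self-signed root allowed to sign
// other certificates.
func NewCA(name string, from time.Time, validFor time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             from,
		NotAfter:              from.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, nil, pub, priv)
	return cert, priv, err
}

// NewLeaf has the CA endorse a subject's public key for a defined period.
// Only the public key goes to the CA; the returned private key is the subject's.
func NewLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, name string, from time.Time, validFor time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    from,
		NotAfter:     from.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	cert, err := issue(tmpl, ca, pub, caKey)
	return cert, priv, err
}

// Trusted reports whether, at the given time, leaf chains to the trusted
// root: the CA's signature and the validity period both have to hold.
func Trusted(leaf, root *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	from := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issuance date
	ca, caKey, err := NewCA("Example Root CA", from, 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	leaf, _, err := NewLeaf(ca, caKey, "alice@example.test", from, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("within validity period:", Trusted(leaf, ca, from.Add(30*24*time.Hour)))
	fmt.Println("after expiry:", Trusted(leaf, ca, from.Add(400*24*time.Hour)))

	// The same name certified by a CA the relying party does not trust.
	otherCA, otherKey, _ := NewCA("Untrusted CA", from, 10*365*24*time.Hour)
	impostor, _, _ := NewLeaf(otherCA, otherKey, "alice@example.test", from, 365*24*time.Hour)
	fmt.Println("issued by an untrusted CA:", Trusted(impostor, ca, from.Add(30*24*time.Hour)))
}
```

The deciding input is the root pool: a certificate is only as trustworthy as the CAs the relying party chose to trust, which is why managing that trust store is a control in its own right.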
88

Information Security Awareness Training

89

Information Security Awareness Training

User familiarity with technology may reduce enterprise or operation training costs and help
boost productivity but is also considered a risk.

Current threat actors have correctly identified human users as the weakest link in the
information security foundation of modern enterprises.

Making human users more resilient to the tactics of threat actors is a major purpose of
security awareness and training programs.

Educate and train the workforce on proper tenets of information and cybersecurity to
counter the risk.

To lessen threats from social engineering, a training program should:
• Provide methods of alerting internal security response capabilities
• Outline policies and regulatory requirements
• Incorporate role-based training
• Implement ethical phishing email exercises

90

Security Awareness Training Programs

Review the scope of information security training and awareness
programs against identified threats faced by the organization.

• Measure the level of exposed risk for program improvement
• Threats from social engineering, which are the principal threat vector for attacks
targeting human users
• Methods to alert internal security response capabilities, ensuring prompt notification
and response
• Policies and regulatory requirements specific to the enterprise or its business sector
• Role-based training for administrators and others who handle sensitive tasks or data
• Ethical phishing email exercises

91

Review Question
Despite a comprehensive security awareness program annually
undertaken and assessed for all staff and contractors, an enterprise
has experienced a breach through a spear phishing attack. What is
the MOST effective way to improve security awareness?

A. Review the security awareness program and improve coverage of social engineering
threats.

B. Launch a disciplinary process against the people who leaked the information.

C. Perform a periodic social engineering test against all staff and communicate summary
results to the staff.

D. Implement a data loss prevention system that automatically points users to corporate
policies.

92

Data Privacy and Principles of Data Protection

93

Data Privacy and Principles of Data Protection

Privacy is a dynamic field subject to regular changes, and rules applicable to certain contexts
may conflict with those that apply to other contexts, including geography and types of data.

Examples of privacy laws and regulations: GDPR, CPRA, GLBA, Japan Act, Australian Privacy Act,
HIPAA, PIPEDA, LGPD

Consider each set of laws and regulations specific to a given context and strive to maintain
awareness of new or changing regulations.

94

Key Concepts of Data Privacy

Informed Consent
• Data subject to privacy regulations collected, used and retained with informed consent of
the subject
• Signed consent forms typically used but may not be enough to establish informed consent
• Revocation of consent process also required

Privacy Impact Assessment
• Identify and manage risk related to privacy whenever personal information is collected,
used, shared and maintained
• Ensures adequate measures in place to protect data

Minimization
• Potential disaster for enterprises subject to strong privacy regulations regarding breaches
• Privacy best assured when only data expressly needed and relevant for a particular purpose
is collected

Destruction
• Destroyed once purpose is concluded.
• Complicated by retention policies due to laws, regulations, or contractual obligations.
• May also require specific parameters for destruction

95

Risk Management in a Privacy Context

Data privacy is a comprehensive field involving multiple principles, frameworks, standards and
widely varying legal or regulatory requirements with potentially high penalties for violation.

Enterprises need substantial privacy expertise on staff and should invest in security aligned
to the potential impact.

Principles of data protection that apply to confidentiality in other security contexts also
tend to apply to privacy.

Limit access to information subject to privacy considerations to those with valid business
need using the principle of least privilege.

Data should:
• Be encrypted at rest and in transit
• Contain positive identification
• Provide nonrepudiation of sending authorities

Strong authentication is highly recommended for access to systems hosting data covered by
privacy laws.

Where specific jurisdictional security requirements exist, risk practitioners should ensure that
these are addressed by appropriate security controls.

96

Review Question
Which of the following would create the GREATEST benefit for an
enterprise deploying new IT infrastructure processing personal data?

A. Privacy by design

B. Privacy notices

C. Data encryption

D. Data classification

97

Summary and Q/A


Enterprise Architecture

IT Operations Management

Project Management

Enterprise Resiliency

Data Life Cycle Management

System Development Life Cycle

Emerging Technologies

Information Security Principles

Information Security Frameworks and Standards

Information Security Awareness Training

Data Privacy and Data Protection Principles

98

Course Summary

99

Course Summary

Domain 1: Governance
Domain 2: IT Risk Assessment
Domain 3: Risk Response and Reporting
Domain 4: Information Technology and Security

100