
CISM EXAM PREP

DOMAIN 2
INFORMATION RISK MANAGEMENT
DOMAIN 2

Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives.
This domain reviews the knowledge base that the information security manager must understand in order to appropriately apply risk management principles and practices to an organization’s information security program.
DOMAIN OBJECTIVES

Ensure that the CISM candidate has the knowledge necessary to:
• Identify the importance of risk management as a tool for meeting business needs and developing a security management program to support these needs.
• Determine ways to identify, rank and respond to risk in a way that is appropriate as defined by organizational directives.
• Assess the appropriateness and effectiveness of information security controls.
• Report on information security risk effectively.
ON THE CISM EXAM

This domain represents 30% (approximately 45 questions) of the CISM exam.

• Domain 1: Information Security Governance, 24%
• Domain 2: Information Security Risk Management, 30%
• Domain 3: Information Security Program Development and Management, 27%
• Domain 4: Information Security Incident Management, 19%
DEFINING RISK

Risk: The combination of the probability of an event and its consequences.
ISO definition: The effect of uncertainty upon objectives.
• Uncertainty = probability
• Effect = consequences
• Upon objectives = consequences that impact goals
DOMAIN 2 OVERVIEW

Section One: Risk Identification
Section Two: Risk Analysis and Treatment
Section Three: Risk Monitoring and Reporting
Refer to the CISM Job Practice for Task and Knowledge Statements.
SECTION ONE
RISK IDENTIFICATION
TASK STATEMENTS

T2.1 Establish and/or maintain a process for information asset classification to ensure
that measures taken to protect assets are proportional to their business value
T2.2 Identify legal, regulatory, organizational and other applicable requirements to
manage the risk of noncompliance to acceptable levels
T2.3 Ensure that risk assessments, vulnerability assessments and threat analyses are
conducted consistently, and at the appropriate times, to identify and assess risk to the
organization’s information
KNOWLEDGE STATEMENTS

How does Section One relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.1: Classification is a necessary precondition of risk management, and appropriate methods are needed to do it properly.
K2.2: Clear ownership and authority facilitates classification, assessment, treatment and reporting. Information risk belongs to the owners of information assets associated with the risk.
K2.3: Without clear methods for identifying and analyzing impact, an information security manager may overlook significant risk.
K2.4: The risk environment is always changing, and understanding how to monitor risk factors informs reassessment decisions and timeframes.
KNOWLEDGE STATEMENTS

How does Section One relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.5: Being able to properly value information assets is essential to understanding the potential business impact associated with these assets.
K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
K2.8: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.
KNOWLEDGE STATEMENTS

How does Section One relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.9: A working knowledge of threats, vulnerabilities and exposure guides risk treatment decisions as circumstances change over time.
K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
K2.14: Controls are mechanisms used to mitigate risk, and it may be more cost-effective to employ known approaches rather than “reinventing the wheel.”
K2.16: Optimal risk treatment may require substantial planning to move from the current state to the desired state.
KEY TERMS

Key Term: Definition
Advanced persistent threat: An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP 800-61)
Boundary: The defined limit of the scope
Impact: Magnitude of loss resulting from a threat exploiting a vulnerability
Likelihood: The probability of something happening
Probability: The extent to which an event is likely to occur, measured by the ratio of the favorable cases to the whole number of cases possible
Scope: The activities included in the risk management program
Risk analysis: The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.
See www.isaca.org/glossary for more key terms.
KEY TERMS

Key Term: Definition
Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
Risk assessment: A process used to identify and evaluate risk and its potential effects
Risk management: The coordinated activities to direct and control an enterprise with regard to risk
Risk profile: An evaluation of an individual or organization's willingness to take risks, as well as the threats to which an organization is exposed
Risk scenario: The tangible and assessable representation of risk
Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Threat: Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm
Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
IMPACT DRIVES RISK

Consequences only matter if they impact the pursuit of business objectives.
Something happened: What was affected and how was it affected?
MANAGING RISK

Management = Estimating risk and choosing an appropriate response
Goals of risk management:
• Keep risk within the risk appetite
• Keep senior management informed of changes
Must be supported and understood

BUILDING A RISK MANAGEMENT PROGRAM

Steps in developing a risk management program:
1. Establish context and purpose
2. Define scope and charter
3. Define authority, structure and reporting
4. Ensure asset identification, classification and ownership
5. Determine objectives
THE RISK ASSESSMENT PROCESS

• Identification
• Analysis
• Evaluation
• Risk treatment
COBIT 5 RISK MANAGEMENT PROCESS
ASSET IDENTIFICATION

Systems and data are considered information assets.
Essential to managing risk at an enterprise level.
In order to protect something, you need to identify it.
VALUATION OF ASSETS

Can be straightforward (e.g., hardware costs)
Can be related to consequential costs (e.g., regulatory sanctions)
Examples of information assets include:
• Proprietary information
• Current financial records and future projections
• Acquisition/merger plans
• Strategic marketing plans
• Trade secrets
• Patent-related information
• PII
VALUATION OF ASSETS

Work with asset owners for estimates
• Quantitative: Dollar-value figures
• Qualitative: Perception/judgement of value (High, Medium, Low)
DISCUSSION QUESTION

What are some advantages of a quantitative approach to asset valuation over a qualitative one?
What are some advantages of a qualitative approach over a quantitative one?
GOOD TO KNOW

Quantitative results can be used to inform rank orderings if qualitative results are more suited to the goals of the organization.
LOSS SCENARIOS

Loss of information may affect processes outside the scope of its owner’s control.
Loss scenarios can help pinpoint how particular assets may affect operations.
Valuation does not need to be accurate as long as the process is consistent.
LOSS SCENARIOS

©Copyright 2016 ISACA. All rights reserved.

RISK ASSESSMENT

The next step is considering the probability of loss occurring.
Requires knowledge of the threat environment and the vulnerability of the information assets.
Structured methodologies can help to direct the process.
Note: Information security managers should have broad knowledge of various methodologies to determine the most suitable approach for their organization. Specific approaches will not be tested in the CISM examination.
FAIR
THREATS

Threat: Anything that is capable of acting against an asset in a manner that can result in harm
Threat event: Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
Threat actor: A person who initiates a threat event
THREAT IDENTIFICATION

An absence of a threat doesn’t mean the threat no longer exists.
New threats emerge as behaviors change.
Sources of threat data:
• Prior threat assessments
• News outlets
• External reports
• Official notices
• Industry publications
EXTERNAL THREATS

• Criminal acts
• Data corruption
• Disease (epidemics)
• Espionage
• Facility flaws
• Fire
• Flooding
• Hardware flaws
• Industrial accidents
• Lost assets
• Mechanical failures
• Power surge/utility failure
• Sabotage
• Seismic activity
• Severe storms
• Software errors
• Supply chain interruption
• Terrorism
• Theft
ADVANCED PERSISTENT THREAT

Often linked to nation-state actors, activist groups or criminal enterprises
• Advanced: Methods of gaining access include multiple attack vectors
• Persistent: An ability to remain present in a network for a long time without detection
• Threat: Anything that is capable of acting against an asset in a manner that can result in harm
ADVANCED PERSISTENT THREAT

Typical APT life cycle:
1. Initial compromise
2. Establish foothold
3. Escalate privileges
4. Internal reconnaissance
5. Move laterally
6. Maintain presence
7. Complete mission
GOOD TO KNOW

APT is more about persistence than advanced capabilities.
Working over time, a threat actor may be able to carry out effects that would be detected, prevented or corrected by controls if done more quickly.
INTERNAL THREATS

A threat actor needs knowledge of the environment.
• Those operating within an organization are trusted with information and access.
Screen applicants prior to employment.
Periodically remind staff of organizational policies.
At the end of employment, all organizational assets should be returned.
TYPES OF INTERNAL THREATS

Intentional
• Malicious
• Often disgruntled employees
• Control: Understand frustrations/complaints and seek to resolve them
• Control: Enforce SoD and least privilege
Unintentional
• Doing something they don’t realize is a threat
• Providing information via social engineering
• Control: Awareness training and regular reviews
VULNERABILITIES

Vulnerability
• A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
Vulnerabilities exist when a weakness is left unaddressed (known or unknown).
VULNERABILITY ASSESSMENT

Vulnerability can be estimated using quantitative or qualitative methods.
• Automated scanning tools
• Interviews
• Structured walkthroughs
Results should be considered a rough estimate.
VULNERABILITY AREAS

Network vulnerabilities

Physical access

Applications and web-facing services

Utilities

Supply chain

Processes

Equipment

Cloud computing

Internet of Things
EXPOSURE

Risk = Threats × Vulnerabilities × Consequences
Exposure: The potential loss to an area due to the occurrence of an adverse event.
RISK SCENARIOS

Risk scenarios are a starting point for risk identification.
• Assume all significant vulnerabilities and threats are identified
Structured and supportive of creative thinking and judgement
RISK CATEGORIZATION

• A certain threat
• Its origin
• Time and place of occurrence
• A specific reason for its occurrence
• Its consequences, results or impact
• Protective controls
RISK SCENARIOS
THE RISK REGISTER

Maintains the organization’s overall risk profile
Includes:
• Summary of the risk based on threat type and associated event or actor
• Category and classification of the risk
• Risk owner
Also documents risk treatment choices
ACTIVITY: RISK REGISTER TEMPLATE
SECTION ONE SUMMARY

Risk Identification
• In order to manage risk, you must first identify what risk the
organization faces.
• Understanding concepts such as threat, vulnerability, exposure and
likelihood can help you to prioritize risk management efforts.
• Risk is ever-changing, so risk identification is not a one-time effort.
SECTION ONE
PRACTICE QUESTIONS
PRACTICE QUESTION

Why should the analysis of risk include consideration of potential impact?
A. Potential impact is a central element of risk.
B. Potential impact is related to asset value.
C. Potential impact affects the extent of mitigation.
D. Potential impact helps determine the exposure.
PRACTICE QUESTION

A risk management process is MOST effective in achieving organizational objectives if:
A. asset owners perform risk assessments.
B. the risk register is updated regularly.
C. the process is overseen by a steering committee.
D. risk activities are embedded in business processes.
PRACTICE QUESTION

Reducing exposure of a critical asset is an effective mitigation measure because it reduces:
A. the impact of a compromise.
B. the likelihood of being exploited.
C. the vulnerability of the asset.
D. the time needed for recovery.
PRACTICE QUESTION

The classification level of an asset must be PRIMARILY based on which of the following choices?
A. Criticality and sensitivity
B. Likelihood and impact
C. Valuation and replacement cost
D. Threat vector and exposure
SECTION TWO
RISK ANALYSIS AND TREATMENT
TASK STATEMENTS

T2.4 Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
T2.5 Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
KNOWLEDGE STATEMENTS

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
K2.11: It’s not always possible to address all risk simultaneously.
K2.12: Reporting should be aligned with business goals and needs.
K2.13: There are four ways to address risk, and it’s essential to know which approach to use when, and why, because choosing the wrong treatment may lead to excessive cost, fail to manage risk to tolerable levels or both.
K2.14: Controls are mechanisms used to mitigate risk, and it may be more cost-effective to employ known approaches rather than “reinventing the wheel.”
KNOWLEDGE STATEMENTS

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.5: Being able to properly value information assets is essential to understanding the potential business impact associated with these assets.
K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
K2.8: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.
KNOWLEDGE STATEMENTS

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.15: Understanding controls is fundamental to managing risk.
K2.16: Optimal risk treatment requires substantial planning to move from the current state to a desired state.
K2.17: Risk management is most effective when it is built into business processes.
K2.19: Risk recommendations may require business justification.
KEY TERMS

Key Term: Definition
Current risk: Risk as it exists without applying any additional controls
Residual risk: The remaining risk after management has implemented a risk response
Risk acceptance: If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses
Risk avoidance: The process for systematically avoiding risk, constituting one approach to managing risk
Risk mitigation: The management of risk through the use of countermeasures and controls
Risk transfer: The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service
Risk treatment: The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)
See www.isaca.org/glossary for more key terms.


CALCULATING RISK

Risk = Threat × Vulnerability × Consequences
Calculated for each risk pairing
ALE quantifies the annual effects of risk
GOOD TO KNOW

Business impact analyses can be used to identify the magnitude of impact (loss) associated with effects upon particular target systems and assets.
RISK ANALYSIS

Qualitative analysis:
• Based on category assignment (Low, Medium, High)
• Scales can be adjusted to suit circumstances
• Can be used:
• As an initial assessment
• To consider nontangible aspects of risk
• When there is a lack of adequate information
RISK ANALYSIS

Quantitative analysis
• Assigned numerical values
• Based on statistical probabilities and monetary values
• Quality depends on accuracy and validity
• Consequences may be expressed in terms of:
• Monetary
• Technical
• Operational
• Human impact criteria
RISK ANALYSIS

Semiquantitative analysis
DISCUSSION QUESTION

What are some of the reasons for using a semiquantitative approach to risk analysis? Can you think of any drawbacks?
ACTIVITY

Using semiquantitative analysis, determine the relative value of the following:
1. Reputational risk if a product line fails: The product development team has indicated that the market is ready for this particular product, but the infrastructure needed to launch the product is new to the organization and has been rushed into production to meet the desired launch date.
2. Noncompliance with new local regulation: Local government has passed a new law mandating businesses operating within the jurisdiction to update HVAC systems to more energy-efficient models. The cost of upgrading the existing system would be US $500,000, whereas the annual fine for noncompliance would be $10,000.
3. Email quarantine system is outdated: The company’s email quarantine system is outdated, and messages are not being filtered as successfully as they had been in the past.
ACTIVITY: SCENARIO 1
ACTIVITY: SCENARIO 2
ACTIVITY: SCENARIO 3
GOOD TO KNOW

Although numbers tend to impress people, it’s actually often difficult to know what they mean, especially when the results don’t represent dollar figures. One big advantage of a qualitative approach is that rating something “Low, Medium or High” is immediately understood by order of importance.
SPECIALIZED TECHNIQUES

• Bayesian analysis
• Monte-Carlo analysis
• Bow tie analysis
• Markov analysis
• Delphi method
• Fault tree analysis
• Event tree analysis
RISK EVALUATION

Risk evaluation is the last step in the risk assessment process.
Evaluation leads to risk treatment/mitigation options:
• Does the risk meet acceptable risk criteria?
Evaluation may lead to further analysis.
RISK TREATMENT

Current risk is considered in risk evaluation.
Four possible options:
• Avoid
• Transfer
• Mitigate
• Accept
GOOD TO KNOW

In addition to current risk, you may see references to “inherent risk,” which is the level of risk that exists with no controls or other treatment in place. Where there are no controls, inherent risk and current risk are equal. In most organizations, information security managers inherit a particular set of controls that has already been implemented, and whether these are effective or not, the result of their implementation is that inherent risk is transformed into current risk. If controls are removed, risk may increase.
RISK AVOIDANCE

It is rare that no means would reduce risk to acceptable levels, but the cost may be prohibitive.
In that case the best choice is to stop/not engage in the activity.
Cost-benefit analysis should consider long-term effects and opportunities for growth.
RISK TRANSFER

Insurance policies and service level agreements are risk transfer mechanisms.
Organizations always retain some responsibility for consequences of compromise.
Generally, risk is transferred when likelihood is low, but impact is high.
RISK MITIGATION

Control = The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature
Reduce risk by affecting threat, vulnerability and/or consequences
RISK ACCEPTANCE

No additional action is taken.
A formal decision made by someone with the proper authority.
Changes in risk environment/risk appetite may affect accepted risk.
SELECTING A RISK TREATMENT OPTION

The choice is usually straightforward.
• Risk within risk appetite should be accepted.
• For risk outside of the appetite:
• If value of continuing < cost of transfer/mitigation, avoid.
• If value of continuing > cost of transfer/mitigation, choose the most cost-effective option.
The minimum cost/cost-effective solution is the solution to adopt.
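The slides above give the risk formula, annual loss expectancy (ALE) and a decision rule for choosing between accept, avoid, transfer and mitigate. The following is an added worked example, not ISACA's code or material from the deck, that applies those rules to a small constructed risk register. Every asset value, exposure factor, annual rate, control cost and the risk appetite figure is a constructed sample; the helper names (`RiskScenario`, `TreatmentOption`, `select_treatment` and so on) are this example's own, and "most cost-effective" is interpreted here as the option with the lowest sum of its annual cost and the residual ALE it leaves behind, which is an assumption, not a definition from the deck.

```python
"""Quantitative risk calculation and treatment selection (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float        # quantitative valuation of the asset (sample dollars)
    exposure_factor: float    # share of the asset value lost per event (the consequence term)
    annual_rate: float        # expected events per year (threat x vulnerability as likelihood)
    value_of_activity: float  # annual business value of continuing the activity


@dataclass(frozen=True)
class TreatmentOption:
    name: str
    kind: str                     # "mitigate" (a control) or "transfer" (insurance/outsourcing)
    annual_cost: float
    rate_reduction: float = 0.0   # fraction of the annual rate removed (acts on likelihood)
    loss_reduction: float = 0.0   # fraction of each loss prevented or covered (acts on consequence)


def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE: the loss from one occurrence of the scenario."""
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: RiskScenario) -> float:
    """ALE: SLE x annual rate, i.e. current (untreated) risk in dollars per year."""
    return single_loss_expectancy(s) * s.annual_rate


def residual_ale(s: RiskScenario, opt: TreatmentOption) -> float:
    """Residual risk after the option reduces likelihood and/or consequence."""
    rate = s.annual_rate * (1.0 - opt.rate_reduction)
    loss = single_loss_expectancy(s) * (1.0 - opt.loss_reduction)
    return rate * loss


def total_annual_cost(s: RiskScenario, opt: TreatmentOption) -> float:
    """Cost-effectiveness measure (assumption): option cost plus the risk it leaves behind."""
    return opt.annual_cost + residual_ale(s, opt)


def select_treatment(s: RiskScenario, options: List[TreatmentOption],
                     risk_appetite: float) -> Tuple[str, Optional[str], float]:
    """Apply the slide's decision rule. Returns (decision, option name, expected ALE)."""
    current = annual_loss_expectancy(s)
    if current <= risk_appetite:
        return ("accept", None, current)        # within appetite: accept
    # Only options that bring residual risk within appetite are candidates.
    effective = [o for o in options if residual_ale(s, o) <= risk_appetite]
    if not effective:
        return ("avoid", None, current)         # no means reduces risk enough: stop the activity
    best = min(effective, key=lambda o: total_annual_cost(s, o))
    if s.value_of_activity < best.annual_cost:
        return ("avoid", None, current)         # value of continuing < cost of treatment
    return (best.kind, best.name, residual_ale(s, best))


# Constructed sample register: three scenarios with candidate treatments.
RISK_APPETITE = 25_000.0  # sample: the most ALE management will carry per scenario

SAMPLE_REGISTER = [
    (RiskScenario("Customer portal outage", 2_000_000, 0.10, 0.5, 5_000_000),
     [TreatmentOption("DDoS mitigation service", "mitigate", 30_000, rate_reduction=0.8),
      TreatmentOption("Cyber insurance", "transfer", 45_000, loss_reduction=0.9)]),
    (RiskScenario("Legacy reporting server", 50_000, 0.5, 0.2, 400_000), []),
    (RiskScenario("Unlicensed data-sharing feature", 1_000_000, 1.0, 0.3, 80_000),
     [TreatmentOption("Compliance programme", "mitigate", 120_000, rate_reduction=0.95)]),
]


def treat_register(register=SAMPLE_REGISTER,
                   appetite=RISK_APPETITE) -> Dict[str, Tuple[str, Optional[str], float]]:
    """Decide a treatment for every scenario in the register."""
    return {s.name: select_treatment(s, opts, appetite) for s, opts in register}


if __name__ == "__main__":
    for name, (decision, option, ale) in treat_register().items():
        print(f"{name}: {decision} {option or ''} (expected ALE ${ale:,.0f})")
```

With these sample figures the portal outage (ALE 100,000) is mitigated because the DDoS service brings residual ALE to 20,000 at a lower total cost than insurance; the legacy server (ALE 5,000) is accepted because it sits inside the appetite; and the data-sharing feature is avoided because the only effective treatment costs more per year than the activity is worth, which is exactly the "value of continuing < cost" branch of the slide.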


LEGAL AND REGULATORY CONSIDERATIONS

Treatment needs to consider legal or regulatory requirements.
Different requirements may need to be considered for different jurisdictions/industries.
Legal/regulatory risk should be treated as any other risk.
DISCUSSION QUESTION

When evaluating legal and regulatory noncompliance as a risk, what might you use in the risk equation to represent threat, vulnerability and consequences?
SECTION TWO SUMMARY

Risk Analysis and Treatment
• Risk must be managed to ensure that the organization doesn’t take on more risk than it is willing to accept.
• To know how much risk an organization is taking, it is necessary to first identify risk and then analyze it to provide the basis for informed decisions.
• Risk treatment decisions are based on the lowest cost that meets business goals.
SECTION TWO
PRACTICE QUESTIONS
PRACTICE QUESTION

Quantitative risk analysis is MOST appropriate when assessment results:
A. include customer perceptions.
B. contain percentage estimates.
C. lack specific details.
D. contain subjective information.
PRACTICE QUESTION

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy calculation
PRACTICE QUESTION

The fact that an organization may suffer a significant disruption as the result of a distributed denial-of-service (DDoS) attack is considered:
A. an intrinsic risk.
B. a systemic risk.
C. a residual risk.
D. an operational risk.
PRACTICE QUESTION

Management requests that an information security manager determine which regulations regarding disclosure, reporting and privacy are the most important for the organization to address. The recommendations for addressing these legal and regulatory requirements will be MOST useful if based on which of the following choices?
A. The extent of enforcement actions
B. The probability and consequences
C. The sanctions for noncompliance
D. The amount of personal liability
SECTION THREE
RISK MONITORING AND REPORTING
TASK STATEMENTS

T2.6 Facilitate the integration of information risk management into business and IT
processes (e.g., systems development, procurement, project management) to enable a
consistent and comprehensive information risk management program across the
organization.
T2.7 Monitor for internal and external factors (e.g., threat landscape, cybersecurity,
geopolitical, regulatory change) that may require reassessment of risk to ensure that
changes to existing, or new, risk scenarios are identified and managed appropriately.
T2.8 Report noncompliance and other changes in information risk to facilitate the risk
management decision-making process.
T2.9 Ensure that information security risk is reported to senior management to support an
understanding of potential impact on the organizational goals and objectives.
KNOWLEDGE STATEMENTS

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.3: Without clear methods for identifying and analyzing impact, an information security manager may overlook significant risk.
K2.4: The risk environment is always changing, and understanding how to monitor risk factors informs reassessment decisions and timeframes.
K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
K2.8: Identifying clear criteria for reassessment of risk helps to ensure a consistent approach to risk management.
K2.9: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.
KNOWLEDGE STATEMENTS

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
K2.11: It’s not always possible to address all risk simultaneously.
K2.12: Reporting should be aligned with business goals and needs.
K2.13: There are four ways to address risk, and it’s essential to know which approach to use when, and why, because choosing the wrong treatment may lead to excessive cost, fail to manage risk to tolerable levels, or both.
K2.17: Risk management is most effective when it is built into business processes.
K2.18: Timelines and content of risk reports are often driven by explicit compliance standards.
KEY TERMS

Key Term: Definition
Allowable interruption window: The longest that operations can be interrupted before financial impacts threaten the organization’s continued existence.
Key risk indicator: A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk.
Maximum allowable downtime: The absolute longest amount of time that the system can be unavailable without direct or indirect ramifications to the organization.
Maximum tolerable outage: Maximum time that an enterprise can support processing in alternate mode.
Service delivery objective: Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
Recovery point objective: Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery time objective: The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
LIFE CYCLE INTEGRATION

Integration with life cycle processes leads to more effective risk management.
Change management should include consideration of risk.
• Should extend beyond hardware and software
• Should include review of the risk register
• Should include information security representative
SECURITY BASELINES

Security baselines can help manage risk implications.
• Benefits:
• Standardizes the minimum amount of security measures
• Provides a convenient point of reference for measurement
• May be built by:
• Observation of current controls
• Using published third-party standards
VOLATILITY

Each component of the risk formula is subject to change.
Volatile environments experience large variations in risk.
• Base calculations on the highest observed risk values to ensure effective risk management
INTERNAL AND EXTERNAL ENVIRONMENTS

Risk changes both inside and outside of the organization.
• These shifts can be difficult to track.
Vulnerabilities identified publicly may encourage threat actors to try to exploit them before organizations can patch them.
Patching is vital, but moving too fast can also introduce new weaknesses.
KEY RISK INDICATORS

Indicators that are highly relevant to risk and possess a high probability of indicating a change in risk.
Specific to each enterprise; selection depends on a number of parameters.
Careful selection provides input for a dashboard view of risk.
CRITERIA FOR KRIS

• Impact
• Effort: to implement, to measure, to report
• Reliability
• Sensitivity
CRITERIA FOR KRIS

Consider when an indicator begins to show changes:
• Leading: Predictive and allow for correction
• Lagging: Reveal that a change has occurred
May reveal immediate information and trends over time.
Need to be checked regularly due to the evolving risk environment.
CHANGES IN GOALS AND OPERATIONS

Should be conscious of business decisions that affect the risk profile.
New business initiatives may substantially change the consequences of known exposures.
Information security is not always included in planning for line-of-business activities, but teams tasked with business continuity typically are.
DISCUSSION QUESTION

Why would business continuity teams be regularly included in planning for line-of-business activities?
CONTINUITY AND RISK

Each business function is responsible for its own continuity.
Strong communications between information security and business continuity can provide good insight.
CONTINUITY AND RISK

Information security managers should watch for changes in:
• Recovery time objectives
• Recovery point objectives
• Service delivery objectives
• Maximum tolerable outage
• Allowable interruption window
RISK REPORTING AND CONVERGENCE

Business operations are managed by considering the effects of risk upon goals.
Risk reporting used to be segregated by risk type.
• New initiatives to consolidate risk reporting
• Due to the fact that risk in one area can cascade to another
CONSIDERATIONS FOR RISK REPORTING

Reports should be tailored to the intended audience.
Use categories like “HIGH,” “MEDIUM,” “LOW.”
Use data to back up rationale.
The information security manager is responsible for information risk.
ESCALATION

Clear escalation criteria are needed.
Based on risk appetite/senior manager preferences.
Good practice to integrate into incident response.
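The KRI slides (criteria, leading versus lagging indicators, regular checking, a dashboard view) and the escalation slide describe a monitoring loop without showing one. The following is an added example, not ISACA's code or material from the deck, that evaluates a small set of constructed KRIs against a tolerance and an escalation threshold, reports them in the HIGH/MEDIUM/LOW categories the reporting slide recommends, and uses the leading/lagging distinction to decide whether there is still time to correct. The indicator names, thresholds and monthly readings are constructed samples, and the action labels (`escalate`, `correct`, `investigate`, `monitor`) are this example's own vocabulary.

```python
"""Key risk indicator (KRI) evaluation with escalation criteria (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class KRI:
    name: str
    kind: str                     # "leading" (predictive, allows correction) or "lagging" (confirms a change)
    tolerance: float              # variation management is willing to allow for this indicator
    escalate_at: float            # escalation criterion agreed with senior management
    higher_is_worse: bool = True  # direction in which the indicator signals more risk


def _beyond(kri: KRI, value: float, limit: float) -> bool:
    """True when the reading is on the risky side of the limit."""
    return value > limit if kri.higher_is_worse else value < limit


def rating(kri: KRI, value: float) -> str:
    """Report in the audience-friendly categories HIGH / MEDIUM / LOW."""
    if _beyond(kri, value, kri.escalate_at):
        return "HIGH"
    if _beyond(kri, value, kri.tolerance):
        return "MEDIUM"
    return "LOW"


def trend(kri: KRI, readings: Sequence[float], window: int = 3) -> str:
    """Direction over the recent window: newest reading versus the window's first reading."""
    if len(readings) < 2:
        return "stable"
    recent = readings[-window:]
    delta = recent[-1] - recent[0]
    if delta == 0:
        return "stable"
    worsening = delta > 0 if kri.higher_is_worse else delta < 0
    return "worsening" if worsening else "improving"


def evaluate(kri: KRI, readings: Sequence[float]) -> Dict[str, object]:
    """One dashboard row: current value, rating, trend and the action it calls for."""
    current = readings[-1]
    r = rating(kri, current)
    t = trend(kri, readings)
    if r == "HIGH":
        action = "escalate"      # escalation criterion met: inform senior management now
    elif kri.kind == "leading" and (r == "MEDIUM" or t == "worsening"):
        action = "correct"       # leading indicator: still time to act before the risk materialises
    elif r == "MEDIUM":
        action = "investigate"   # lagging indicator outside tolerance: the change has already happened
    else:
        action = "monitor"
    return {"kri": kri.name, "kind": kri.kind, "current": current,
            "rating": r, "trend": t, "action": action}


_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def dashboard(kris: Sequence[KRI], readings: Dict[str, Sequence[float]]) -> List[Dict[str, object]]:
    """One row per KRI, most severe first, for the dashboard view of risk."""
    rows = [evaluate(k, readings[k.name]) for k in kris]
    rows.sort(key=lambda row: _ORDER[str(row["rating"])])
    return rows


def escalations(rows: Sequence[Dict[str, object]]) -> List[str]:
    """Names of the indicators whose escalation criterion has been met."""
    return [str(row["kri"]) for row in rows if row["action"] == "escalate"]


# Constructed sample indicators and monthly readings (oldest first).
SAMPLE_KRIS = [
    KRI("Systems with critical patches overdue (%)", "leading", tolerance=5, escalate_at=15),
    KRI("Phishing simulation click rate (%)", "leading", tolerance=10, escalate_at=20),
    KRI("Privileged accounts without MFA (%)", "leading", tolerance=5, escalate_at=10),
    KRI("Confirmed security incidents per month", "lagging", tolerance=3, escalate_at=6),
    KRI("Mean time to detect (hours)", "lagging", tolerance=24, escalate_at=72),
]

SAMPLE_READINGS = {
    "Systems with critical patches overdue (%)": [2, 3, 6, 9, 14, 18],
    "Phishing simulation click rate (%)": [18, 15, 12, 9],
    "Privileged accounts without MFA (%)": [1, 2, 4],
    "Confirmed security incidents per month": [1, 2, 2, 1, 3],
    "Mean time to detect (hours)": [20, 30, 26],
}

if __name__ == "__main__":
    for row in dashboard(SAMPLE_KRIS, SAMPLE_READINGS):
        print(f"{row['rating']:6} {row['trend']:9} {row['action']:11} {row['kri']}")
```

The patch-backlog indicator crosses its escalation threshold and is reported first; mean time to detect is outside tolerance but, as a lagging indicator, can only be investigated after the fact; the MFA coverage indicator is still within tolerance yet worsening, and because it is leading the row asks for correction now, which is the practical difference between the two indicator kinds the slide draws.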
SECTION THREE SUMMARY

Risk Monitoring and Reporting
• Executives base decisions in part on their understanding of the risk environment and rely on risk reports to have the information they need to make good decisions.
• The risk environment changes constantly, so tools such as KRIs and security baselines are useful in estimating changes to information risk.
• Risk should be reported regularly and in a way preferred by the intended audience, but quick escalation may be needed if risk changes suddenly and drastically.
SECTION THREE
PRACTICE QUESTIONS
PRACTICE QUESTION

There is a delay between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A. Identify the vulnerable systems and apply compensating controls.
B. Minimize the use of vulnerable systems.
C. Communicate the vulnerability to system users.
D. Update the signatures database of the intrusion detection system.
PRACTICE QUESTION

An information security manager is advised by contacts in law enforcement that there is evidence that the company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
A. perform a comprehensive assessment of the organization’s exposure to the hackers’ techniques.
B. initiate awareness training to counter social engineering.
C. immediately advise senior management of the elevated risk.
D. increase monitoring activities to provide early detection of intrusion.
PRACTICE QUESTION

The information security policies of an organization require that all confidential information must be encrypted while communicating to external entities. A regulatory agency insisted that a compliance report must be sent without encryption. The information security manager should:
A. extend the information security awareness program to include employees of the regulatory authority.
B. send the report without encryption on the authority of the regulatory agency.
C. initiate an exception process for sending the report without encryption.
D. refuse to send the report without encryption.
PRACTICE QUESTION

Which of the following activities MUST a financial-services organization do with regard to a web-based service that is gaining popularity among its customers?
A. Perform annual vulnerability mitigation.
B. Maintain third-party liability insurance.
C. Conduct periodic business impact analyses.
D. Architect a real-time failover capability.
DOMAIN 2
SUMMARY
SUMMARY

Risk management includes risk identification; assessment and analysis; and risk monitoring and reporting.
If risk is not identified, it cannot be mitigated.
Risk scenarios and the risk register are tools that can be used to identify risk, and subsequently can be used to analyze risk.
Impact, vulnerability and likelihood all need to be taken into consideration when ranking and evaluating risk.
SUMMARY

Cost, whether tangible or intangible, should be considered when deciding on a risk treatment option.
Changes in the risk environment (often KRIs) should be used to monitor changes in risk.
Information security and business continuity should be in communication with one another.
Risk reports should be clear and written to the preferences of senior management.
Escalation processes need to be in place for major incidents.
THANK YOU
