
Global Information Security Society for Professionals of Pakistan
How to use Zoom Client

If you are using Zoom for the first time, then these points will be useful for you.

• If you are unable to hear audio, then you need to connect via device audio. Look at the bottom left corner.
• Kindly turn off your camera while connecting to Zoom, as we respect your privacy.
• The speaker will keep you muted during the session; however, if you want to ask a question during the Q&A session, you can click on the three dots and “raise hand” so that the speaker can unmute you.
• You can click on the participants tab to chat with the host or to send a message to all participants.
• If you are attending the session while doing some other work, kindly mute yourself in case the host unmutes all users during the Q&A session.



CRISC

M. Adnan Khan
CISM, CRISC, VCP-DCV, CCNA, MCSE, CSS

Risk and Risk Management

Definitions of Risk
• ISO 31000: Risk is the “effect of uncertainty on objectives”.
• NIST SP 800-30: Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
• COBIT 5: IT risk is business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

What is Risk?
• Risk is the potential for uncontrolled loss of something of value
• Event that is expected to occur in future and impacts something
• An unknown factor
• An uncertain event
• The combination of probability of the event and its consequence
• Risk = probability x impact

Realized risk is an incident


Risk Management
Definition 1:
Risk management refers to the practice of identifying potential risks in
advance, analyzing them and taking precautionary steps to reduce
the risk.

Definition 2:
Risk management is the process of identifying, assessing and
controlling threats to an organization

Risk Management
Risk management is all about questions and answers, and then actions.

• Q1. What am I trying to achieve?
• Q2. What might affect me?
• Q3. Which are most important?
• Q4. What should we do about it?
• Q5. Did it work?
• Q6. What has changed?

CRISC
ISACA®'s Certified in Risk and Information Systems Control™ (CRISC™) certification instantly validates your skills and expertise in risk and information systems control.

It proves your ability to understand and articulate business risk, implement appropriate IS controls and develop effective plans to mitigate risk.

CRISC Exam Portion Coverage
The CRISC domains tested on the exam, and the percentage of the exam each covers, are listed below:

About Exam
• No. of total questions: 150
• Allotted time: 4 hours
• Type: Questions are weighted
• Negative marking: NO. So answer every question
• Iterative: YES. You can mark the questions and get back to them at
any stage of the exam

Domain 1

IT Risk Identification

IT Risk Identification : Learning objectives
The objective of this domain is to ensure that the CRISC candidate has
the knowledge necessary to:
• Collect information
• Identify assets, potential threats and vulnerabilities
• Create risk scenarios
• Identify key stakeholders
• Create the IT risk register
• Identify risk appetite and tolerance
• Develop a risk awareness program

Key terms and definitions
• Risk capacity: The objective amount of loss an enterprise can tolerate without its continued existence being called into question.
• Risk appetite: The amount of risk that an entity is willing to accept in pursuit of its mission.

“Able to or can” (capacity) vs “willing to” (appetite)

• Risk tolerance: Risk tolerance levels are deviations from risk appetite.

Key terms and definitions
• Inherent Risk:
• Risk or Exposure prior to control implementation

• Residual Risk
• Risk that remains after control has been implemented

• Secondary Risk:
• One risk response may cause second risk event

• Systemic Risk:
• Threats to a system, market or economic segment

Elements of Risk
• Assets
• Vulnerabilities
• Threats
• Asset value
• Impact
• Likelihood/Probability

Risk flow

CIA Triad
• Confidentiality

• Integrity

• Availability

(Nonrepudiation)

Risk Factors
• Organizational culture
How the organization functions
• Risk culture
How the organization deals with risk
• Ethics
Perception of right or wrong
• Behavior
Actions individuals take

Organizational Culture
• The ways the organization conducts its business
• How it treats its employees, customers and community
• The extent to which freedom is allowed in decision making, developing new ideas and personal expression
• How power and information flow through its hierarchy
• How committed employees are towards collective objectives
Organizational Culture

Risk Culture
Risk culture can be defined as the norms and tradition of behavior of individuals and of groups within the organization that determine the way in which they manage risks.

Ethics
• Individual’s perception of right and wrong

Organizational Structure’s Impact on Risk
• Positioning of risk management function
• Risk framework
• Three lines of defense
• First line of defense: manages risk
• Second line of defense: guides, directs, influences and/or assesses how risk is managed
• Third line of defense: independent oversight, review and monitoring

Context establishment
Define parameters that organizations must consider to manage risk.

Context establishment – sample
• What are the aims and objectives of your organization?
• What is your organization’s core activity?
• Who is involved with your organization (internally & externally)?
• What is your organization currently doing to manage risk?
• What is the legal structure of your organization? Is it incorporated?
• What laws, regulations, rules or standards apply to your organization?

IT risk strategy of the business
• IT risk is business risk
• Look beyond IT
• Senior management support
• Communicate with senior management
• Should be aligned with business strategy, goals and objectives

Alignment with business goals & objectives

The purpose of information security, and of information technology as a whole, is to support the business and to bring value to the business.

Risk practitioner should…
• Listen to the senior management
• Understand the business strategy
• Seek out ways to secure
• Build relationships
• Communicate with business
• Keep a strong check on the risk of change
• Understand past events

Risk identification process
• Risk identification is the process of discovering, recognizing and documenting the risk an organization faces
• Risk identification should start early
• It is an iterative process

Risk identification process

Standards and Frameworks
• These are sets of well-tested practices
• Every framework does essentially the same thing
• MANY standards exist to assist us. The following are some of them:
• NIST SP 800-39 - Managing Information Security Risk
• ISO 27005 - risk management standard
• COBIT 5
• HIPAA

Tools and techniques
The risk practitioner has several possible sources for identification of risk, including:

Past
• Experience of previous projects, plans or operations
• Checklists capturing previous experiences
• Public media

Present
• Contracts
• Tech specs
• Resource plans
• Reviews
• Assumption analysis
• SWOT

Future
• Brainstorming
• Scenario analysis
• Delphi technique
• Pre-mortem
RISK SCENARIOS – “WHAT IF”
• A potential risk event that can affect an organization.
• A risk scenario should include:
• Actor
• Threat type
• Event
• Asset type
• Time

Building scenarios takes IMAGINATION, and it requires creativity.

RISK SCENARIOS

Each scenario should be related to a business objective or impact.

RISK SCENARIOS

RISK SCENARIOS - Sample

Ownership and Accountability
• Risk requires ownership and accountability
• RACI Matrix (Responsible, Accountable, Consulted, Informed)

Risk Register
• Output of Risk Identification process
• Purpose is to consolidate all information about risk into a central
repository
• This register has many elements, including the following:
• Risk Owner
• Severity
• Current status

Remember: Risk Register is not a communication tool

Risk Register – Example 1

Risk Register – Example 2

Risk Register – important points
• Triggers are part of risk register
• This is created in Risk Identification phase
• Gets updated in all other risk processes
• This is a live document
• This should include owner
• This should include risk ranking
• This is not a communication tool
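The register described on the slides above, together with the earlier Risk = probability x impact formula, inherent vs residual risk, and the appetite/tolerance terms, as an added Python example. This is not material from the deck: the scenarios, owners, probabilities, impacts, control effectiveness figures and the threshold model for appetite and tolerance are all constructed assumptions.

```python
# Added example (not from the deck): a minimal risk register in code. Scenarios, owners,
# probabilities, impacts and the appetite/tolerance thresholds are all constructed values.
from dataclasses import dataclass

@dataclass
class RiskScenario:
    """The five scenario elements the deck lists: actor, threat type, event, asset type, time."""
    actor: str
    threat_type: str
    event: str
    asset_type: str
    time: str

@dataclass
class RiskEntry:
    scenario: RiskScenario
    owner: str                          # every register entry needs an owner
    probability: float                  # likelihood in [0, 1]
    impact: float                       # loss if the event occurs (constructed units)
    control_effectiveness: float = 0.0  # share of inherent risk the control removes, in [0, 1]
    trigger: str = ""                   # triggers are part of the register

    @property
    def inherent_risk(self) -> float:
        return self.probability * self.impact  # Risk = probability x impact, before controls

    @property
    def residual_risk(self) -> float:
        return self.inherent_risk * (1.0 - self.control_effectiveness)  # left after the control

def rank_register(entries):
    """Risk ranking: highest residual risk first."""
    return sorted(entries, key=lambda e: e.residual_risk, reverse=True)

def classify(entry, appetite, tolerance):
    """Assumed threshold model: appetite is the loss the board is willing to accept;
    tolerance is the permitted deviation above that appetite."""
    if entry.residual_risk <= appetite:
        return "within appetite"
    if entry.residual_risk <= appetite + tolerance:
        return "within tolerance"
    return "exceeds tolerance"

def build_register():  # three constructed entries; the figures are illustrative only
    phish = RiskScenario("external criminal", "phishing", "credential theft", "staff mailboxes", "any time")
    leak = RiskScenario("privileged insider", "misuse", "bulk data export", "customer database", "after hours")
    flood = RiskScenario("nature", "flood", "data centre outage", "primary data centre", "monsoon season")
    return [RiskEntry(phish, "CISO", 0.4, 500_000, 0.6, "spike in reported phishing"),
            RiskEntry(leak, "Head of IT", 0.1, 1_000_000, 0.0, "unusual export volume"),
            RiskEntry(flood, "COO", 0.05, 300_000, 0.5, "flood warning issued")]

def report(appetite=50_000, tolerance=40_000):
    """(event, residual risk, classification) in ranked order, for review with the owners."""
    return [(e.scenario.event, e.residual_risk, classify(e, appetite, tolerance))
            for e in rank_register(build_register())]
```

With the constructed figures, the uncontrolled insider scenario ranks first and exceeds tolerance even though its inherent risk is lower than the phishing scenario's, which is the point of tracking residual rather than inherent risk in the register.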

RISK AWARENESS
Awareness is a powerful tool in creating the culture, forming ethics and influencing the behavior of the members of an organization. This develops a team approach to risk management.
• Risk awareness acknowledges that:
• Risk is well understood and known.
• IT risk issues are identifiable.
• The enterprise recognizes and uses the means to manage risk.

Risk Communication
• Proper and planned communication is the key to the success of any management plan, and the same is true of the risk management plan
• It is the process of exchanging information and views about risk among decision-makers and stakeholders
• As a CRISC you should know that communication has to be focused on who needs to be informed
• It defines who will be available to share information on risks and responses throughout the project.

Important takeaways
• Risk capacity and appetite are decided by the board of directors
• The above should be defined and approved by senior management
• In some cases, setting the risk appetite may be delegated by the board of directors to senior management as part of strategic planning.
• The worst culture is a blame culture
• The risk practitioner always suggests or recommends.
• You cannot manage risks if you cannot identify them.

Exam question samples

Question 1
You work as the project manager for ABC company. Your project has
several risks that will affect several stakeholder requirements. Which
project management plan will define who will be available to share
information on the project risks?

• A. Resource Management Plan
• B. Risk Management Plan
• C. Stakeholder management strategy
• D. Communications Management Plan

Question 2
You are the project manager of a large construction project. This project will last for 18
months and will cost $750,000 to complete. You are working with your project team,
experts, and stakeholders to identify risks within the project before the project work
begins. Management wants to know why you have scheduled so many risk identification
meetings throughout the project rather than just initially during the project planning. What
is the best reason for the duplicate risk identification sessions?

• A. The iterative meetings allow all stakeholders to participate in the risk identification
processes throughout the project phases.
• B. The iterative meetings allow the project manager to discuss the risk events which have
passed the project and which did not happen.
• C. The iterative meetings allow the project manager and the risk identification
participants to identify newly discovered risk events throughout the project.
• D. The iterative meetings allow the project manager to communicate pending risks
events during project execution.

Question 3
You are the project manager of GHT project. Your project team is in the
process of identifying project risks on your current project. The team
has the option to use all of the following tools and techniques to
diagram some of these potential risks EXCEPT for which one?

• A. Process flowchart
• B. Ishikawa diagram
• C. Influence diagram
• D. Decision tree diagram

SUMMARY
Risk identification sets out a clear path for the later processes of risk management. The main elements of risk identification are:
• Collect information (including business context)
• Identify potential threats and vulnerabilities
• Create risk scenarios
• Identify key stakeholders
• Create the risk register
• Identify risk appetite and tolerance
• Risk awareness program

Thank you
