
CISM EXAM PREPARATION

©Copyright 2016 ISACA. All rights reserved.


Domain 2

Information Risk Management


Domain 2

Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives.


Domain 2 (cont’d)

• This domain reviews the knowledge base that the information security manager must understand in order to appropriately apply risk management principles and practices to an organization’s information security program.


Domain Objectives

• Ensure that the CISM candidate has the knowledge necessary to:
  – Understand the importance of risk management as a tool for meeting business needs and developing a security management program to support these needs.
  – Understand ways to identify, rank and respond to risk in a way that is appropriate as defined by organizational directives.
  – Assess the appropriateness and effectiveness of information security controls.
  – Report on information security risk effectively.


On the CISM Exam

• This domain represents 30% (approximately 45 questions) of the CISM exam.

Exam weighting by domain:
  – Domain 1: Information Security Governance, 24%
  – Domain 2: Information Security Risk Management, 30%
  – Domain 3: Information Security Program Development and Management, 27%
  – Domain 4: Information Security Incident Management, 19%


Defining Risk

• Risk: The combination of the probability of an event and its consequences
• ISO definition: The effect of uncertainty upon objectives
  – Uncertainty = probability
  – Effect = consequences
  – Upon objectives = consequences that impact goals


Domain 2 Overview

• Section One: Risk Identification
• Section Two: Risk Analysis and Treatment
• Section Three: Risk Monitoring and Reporting

Refer to the CISM Job Practice for Task and Knowledge Statements.


Section One

Risk Identification


Task Statements

• T2.1 Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value
• T2.2 Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels
• T2.3 Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, and at the appropriate times, to identify and assess risk to the organization’s information


Knowledge Statements

How does Section One relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.1: Classification is a necessary precondition of risk management, and appropriate methods are needed to do it properly.
K2.2: Clear ownership and authority facilitates classification, assessment, treatment and reporting. Information risk belongs to the owners of information assets associated with the risk.
K2.3: Without clear methods for identifying and analyzing impact, an information security manager may overlook significant risk.
K2.4: The risk environment is always changing, and understanding how to monitor risk factors informs reassessment decisions and timeframes.


Knowledge Statements

How does Section One relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.5: Being able to properly value information assets is essential to understanding the potential business impact associated with these assets.
K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
K2.8: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.


Knowledge Statements

How does Section One relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.9: A working knowledge of threats, vulnerabilities and exposure guides risk treatment decisions as circumstances change over time.
K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
K2.14: Controls are mechanisms used to mitigate risk, and it may be more cost-effective to employ known approaches rather than “reinventing the wheel.”
K2.16: Optimal risk treatment may require substantial planning to move from the current state to the desired state.


Key Terms

Key Term: Definition
Advanced persistent threat: An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61)
Boundary: The defined limit of the scope
Impact: Magnitude of loss resulting from a threat exploiting a vulnerability
Likelihood: The probability of something happening
Probability: The extent to which an event is likely to occur, measured by the ratio of the favorable cases to the whole number of cases possible
Scope: The activities included in the risk management program
Risk analysis: The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.

See www.isaca.org/glossary for more key terms.

Key Terms

Key Term: Definition
Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
Risk assessment: A process used to identify and evaluate risk and its potential effects.
Risk management: The coordinated activities to direct and control an enterprise with regard to risk
Risk profile: An evaluation of an individual or organization's willingness to take risks, as well as the threats to which an organization is exposed.
Risk scenario: The tangible and assessable representation of risk
Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Threat: Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events


Impact Drives Risk

• Consequences only matter if they impact the pursuit of business objectives.
• Something happened: What was affected and how was it affected?


Managing Risk

• Management = Estimating risk and choosing an appropriate response
• Goals of risk management:
  – Keep risk within the risk appetite
  – Keep senior management informed of changes
• Must be supported and understood


Building a Risk Management Program

• Steps in developing a risk management program:
  – Establish context and purpose
  – Define scope and charter
  – Define authority, structure and reporting
  – Ensure asset identification, classification and ownership
  – Determine objectives
  – Determine methodologies
  – Designate a team


The Risk Assessment Process

Identification → Analysis → Evaluation → Risk treatment


COBIT 5 Risk Management Process


Asset Identification

• In order to protect something, you need to identify it.
• Essential to managing risk at an enterprise level
• Systems and data are considered information assets


Valuation of Assets

• Can be straightforward (i.e., hardware costs)
• Can be related to consequential costs (i.e., regulatory sanctions)
• Examples of information assets include:
  – Proprietary information
  – Current financial records and future projections
  – Acquisition/merger plans
  – Strategic marketing plans
  – Trade secrets
  – Patent-related information
  – PII


Valuation of Assets

• Work with asset owners for estimates
• Quantitative: Dollar-value figures
• Qualitative: Perception/judgement of value (scale: High, Medium, Low)

Discussion Question

• What are some advantages of a quantitative approach to asset valuation over a qualitative one?
• What are some advantages of a qualitative approach over a quantitative one?


Good to Know

• Quantitative results can be used to inform rank orderings if qualitative results are more suited to the goals of the organization.


Loss Scenarios

• Loss of information may affect processes outside the scope of its owner’s control.
• Loss scenarios can help pinpoint how particular assets may affect operations.
• Valuation does not need to be accurate as long as the process is consistent.


Loss Scenarios


Risk Assessment

• The next step is considering the probability of loss occurring.
• Requires knowledge of the threat environment and the vulnerability of the information assets
• Structured methodologies can help to direct the process.

Note: Information security managers should have broad knowledge of various methodologies to determine the most suitable approach for their organization. Specific approaches will not be tested in the CISM examination.


FAIR


Threats

• Threat: Anything that is capable of acting against an asset in a manner that can result in harm
• Threat event: Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
• Threat actor: A person who initiates a threat event


Threat Identification

• An absence of a threat doesn’t mean the threat no longer exists.
• New threats emerge as behaviors change.
• Sources of threat data:
  – Prior threat assessments
  – News outlets
  – External reports
  – Official notices
  – Industry publications


External Threats

• Criminal acts
• Data corruption
• Disease (epidemics)
• Espionage
• Facility flaws
• Fire
• Flooding
• Hardware flaws
• Industrial accidents
• Lost assets
• Mechanical failures
• Power surge/utility failure
• Sabotage
• Seismic activity
• Severe storms
• Software errors
• Supply chain interruption
• Terrorism
• Theft


Advanced Persistent Threat

• Advanced = Methods of gaining access include multiple attack vectors
• Persistent = An ability to remain present in a network for a long time without detection
• Threat = Anything that is capable of acting against an asset in a manner that can result in harm
• Often linked to nation-state actors, activist groups or criminal enterprises


Advanced Persistent Threat

• Typical APT life cycle
  – Initial compromise
  – Establish foothold
  – Escalate privileges
  – Internal reconnaissance
  – Move laterally
  – Maintain presence
  – Complete mission


Good to Know

• APT is more about persistence than advanced capabilities.
• Working over time, a threat actor may be able to carry out effects that would be detected, prevented or corrected by controls if done more quickly.


Internal Threats

• A threat actor needs knowledge of the environment.
  – Those operating within an organization are trusted with information and access.
• Screen applicants prior to employment.
• Periodically remind staff of organizational policies.
• At the end of employment, all organizational assets should be returned.


Types of Internal Threats

• Intentional
  – Malicious
  – Often disgruntled employees
  – Control: Understand frustrations/complaints and seek to resolve them
  – Control: Enforce SoD and least privilege
• Unintentional
  – Doing something they don’t realize is a threat
  – Providing information via social engineering
  – Control: Awareness training and regular reviews


Vulnerabilities

• Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
• Exist when a weakness is left unaddressed (known or unknown)


Vulnerability Assessment

• Vulnerability can be estimated using quantitative or qualitative methods.
  – Automated scanning tools
  – Interviews
  – Structured walkthroughs
• Results should be considered a rough estimate


Vulnerability Areas

• Network vulnerabilities
• Physical access
• Applications and web-facing services
• Utilities
• Supply chain
• Processes
• Equipment
• Cloud computing
• Internet of Things


Exposure

• Risk = Threats × Vulnerabilities × Consequences
• Exposure: The potential loss to an area due to the occurrence of an adverse event.


Exposure Example

Threat event ratings: HIGH = 5; LOW = 1


Exposure Example

MEDIUM-HIGH = 4
4 × 5 = 20 (MEDIUM-HIGH)
4 × 1 = 4 (LOW)


Risk Scenarios

• Risk scenarios are a starting point for risk identification.
  – Assume all significant vulnerabilities and threats are identified
• Structured and supportive of creative thinking and judgement


Risk Categorization

• Risk can be categorized by:
  – Its origin
  – A certain threat
  – Its consequences, results or impact
  – A specific reason for its occurrence
  – Protective controls
  – Time and place of occurrence


Risk Scenarios


The Risk Register

• Maintains the organization’s overall risk profile
• Includes:
  – Summary of the risk based on threat type and associated event or actor
  – Category and classification of the risk
  – Risk owner
• Also documents risk treatment choices


Activity: Risk Register Template


Section One


In the Big Picture

Section One: Risk Identification

• In order to manage risk, you must first identify what risk the organization faces.
• Understanding concepts such as threat, vulnerability, exposure and likelihood can help you to prioritize risk management efforts.
• Risk is ever-changing, so risk identification is not a one-time effort.


Section One

Practice Questions


Practice Question

Why should the analysis of risk include consideration of potential impact?

A. Potential impact is a central element of risk.
B. Potential impact is related to asset value.
C. Potential impact affects the extent of mitigation.
D. Potential impact helps determine the exposure.


Practice Question

A risk management process is MOST effective in achieving organizational objectives if:

A. asset owners perform risk assessments.
B. the risk register is updated regularly.
C. the process is overseen by a steering committee.
D. risk activities are embedded in business processes.


Practice Question

Reducing exposure of a critical asset is an effective mitigation measure because it reduces:

A. the impact of a compromise.
B. the likelihood of being exploited.
C. the vulnerability of the asset.
D. the time needed for recovery.


Practice Question

The classification level of an asset must be PRIMARILY based on which of the following choices?

A. Criticality and sensitivity
B. Likelihood and impact
C. Valuation and replacement cost
D. Threat vector and exposure


Section Two

Risk Analysis and Treatment


Task Statements

• T2.4 Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
• T2.5 Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.


Knowledge Statements

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
K2.11: It’s not always possible to address all risk simultaneously.
K2.12: Reporting should be aligned with business goals and needs.
K2.13: There are four ways to address risk, and it’s essential to know which approach to use when, and why, because choosing the wrong treatment may lead to excessive cost, fail to manage risk to tolerable levels or both.
K2.14: Controls are mechanisms used to mitigate risk, and it may be more cost-effective to employ known approaches rather than “reinventing the wheel.”


Knowledge Statements

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.5: Being able to properly value information assets is essential to understanding the potential business impact associated with these assets.
K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
K2.8: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.


Knowledge Statements

How does Section Two relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.15: Understanding controls is fundamental to managing risk.
K2.16: Optimal risk treatment requires substantial planning to move from the current state to a desired state.
K2.17: Risk management is most effective when it is built into business processes.
K2.19: Risk recommendations may require business justification.


Key Terms

Key Term: Definition
Current risk: Risk as it exists without applying any additional controls
Residual risk: The remaining risk after management has implemented a risk response
Risk acceptance: If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses
Risk avoidance: The process for systematically avoiding risk, constituting one approach to managing risk
Risk mitigation: The management of risk through the use of countermeasures and controls
Risk transfer: The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service
Risk treatment: The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)

See www.isaca.org/glossary for more key terms.

Calculating Risk

Risk = Threat × Vulnerability × Consequences

• Calculated for each risk pairing
• ALE quantifies annual effects of risk


Good to Know

• Business impact analyses can be used to identify the magnitude of impact (loss) associated with effects upon particular target systems and assets.


Risk Analysis

• Qualitative analysis:
  – Based on category assignment (Low, Medium, High)
  – Scales can be adjusted to suit circumstances
  – Can be used:
    • As an initial assessment
    • To consider nontangible aspects of risk
    • When there is a lack of adequate information


Risk Analysis

• Quantitative analysis
  – Assigned numerical values
    • Based on statistical probabilities and monetary values
  – Quality depends on accuracy and validity
  – Consequences may be expressed in terms of:
    • Monetary
    • Technical
    • Operational
    • Human impact criteria


Risk Analysis

• Semiquantitative analysis


Discussion Question

• What are some of the reasons for using a semiquantitative approach to risk analysis? Can you think of any drawbacks?


Activity

Using semiquantitative analysis, determine the relative value of the following:
1. Reputational risk if a product line fails: The product development team has indicated that the market is ready for this particular product, but the infrastructure needed to launch the product is new to the organization and has been rushed into production to meet the desired launch date.
2. Noncompliance with new local regulation: Local government has passed a new law mandating businesses operating within the jurisdiction to update HVAC systems to more energy-efficient models. The cost of upgrading the existing system would be US $500,000, whereas the annual fine for noncompliance would be $10,000.
3. Email quarantine system is outdated: The company’s email quarantine system is outdated, and messages are not being filtered as successfully as they had been in the past.

Activity: Scenario 1

Activity: Scenario 2

Activity: Scenario 3


Good To Know

• Although numbers tend to impress people, it’s actually often difficult to know what they mean, especially when the results don’t represent dollar figures. One big advantage of a qualitative approach is that rating something “Low, Medium or High” is immediately understood by order of importance.


Specialized Techniques

• Bayesian analysis
• Bow tie analysis
• Delphi method
• Event tree analysis
• Fault tree analysis
• Markov analysis
• Monte-Carlo analysis


Risk Evaluation

• Risk evaluation is the last step in the risk assessment process.
• Evaluation leads to risk treatment/mitigation options:
  – Does the risk meet acceptable risk criteria?
• Evaluation may lead to further analysis.


Risk Treatment

• Current risk is considered in risk evaluation.
• Four possible options:
  – Avoid
  – Transfer
  – Mitigate
  – Accept

Good To Know

• In addition to current risk, you may see references to “inherent risk,” which is the level of risk that exists with no controls or other treatment in place. Where there are no controls, inherent risk and current risk are equal. In most organizations, information security managers inherit a particular set of controls that has already been implemented, and whether these are effective or not, the result of their implementation is that inherent risk is transformed into current risk. If controls are removed, risk may increase.


Risk Avoidance

• Rare that no means would reduce risk to acceptable levels
• Cost may be prohibitive
• Best choice is to stop/not engage in the activity
• Cost-benefit analysis should consider long-term effects and opportunities for growth


Risk Transfer

• Insurance policies and service level agreements are risk transfer mechanisms.
• Organizations always retain some responsibility for consequences of compromise.
• Generally, risk is transferred when likelihood is low, but impact is high.


Risk Mitigation

• Control = The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature
• Reduce risk by affecting threat, vulnerability and/or consequences


Risk Acceptance

• No additional action is taken.
• A formal decision made by someone with the proper authority
• Changes in risk environment/risk appetite may affect accepted risk


Selecting a Risk Treatment Option

• The choice is usually straightforward.
  – Risk within risk appetite should be accepted.
  – For risk outside of the appetite:
    • If value of continuing < cost of transfer/mitigation, avoid.
    • If value of continuing > cost of transfer/mitigation, choose the most cost-effective choice.
• The minimum cost/cost-effective solution is the solution to adopt.
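As an added example (not code from the ISACA deck), the semiquantitative scoring of the Exposure Example slides and the decision rule on this slide, worked through in Python together with the "Risk acceptance" key term (accept when treating the risk costs more than the potential loss). ALE = SLE × ARO is the standard formula behind the ALE bullet in Calculating Risk; the bands that map a product score back to a rating, the sample scenarios and the appetite value are constructed assumptions.

```python
"""Semiquantitative risk scoring and treatment selection.

Added example, not part of the ISACA deck. It carries through:
  * the 1-5 factor ratings of the Exposure Example slides
    (4 x 5 = 20 is MEDIUM-HIGH, 4 x 1 = 4 is LOW);
  * Risk = Threat x Vulnerability x Consequences on the same scale;
  * ALE = SLE x ARO, the standard annual loss expectancy formula;
  * the decision rule from "Selecting a Risk Treatment Option",
    plus the "Risk acceptance" key term (accept when treatment
    would cost more than the potential loss).
The bands that map a product back to a rating and the sample
scenarios at the bottom are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

BANDS = ["LOW", "MEDIUM-LOW", "MEDIUM", "MEDIUM-HIGH", "HIGH"]
RATING = {name: i + 1 for i, name in enumerate(BANDS)}  # LOW=1 ... HIGH=5


def band_for(score: int, factors: int) -> str:
    """Map a product of `factors` ratings (each 1-5) back to a band.

    Assumption: the range 1..5**factors is cut into five equal slices,
    which reproduces the deck's 20 -> MEDIUM-HIGH and 4 -> LOW.
    """
    width = 5 ** factors // 5
    return BANDS[min(4, (score - 1) // width)]


def exposure(vulnerability: str, threat: str) -> tuple[int, str]:
    """Two-factor score as on the Exposure Example slides."""
    score = RATING[vulnerability] * RATING[threat]
    return score, band_for(score, 2)


def risk_score(threat: str, vulnerability: str, consequences: str) -> tuple[int, str]:
    """Risk = Threat x Vulnerability x Consequences, three 1-5 factors."""
    score = RATING[threat] * RATING[vulnerability] * RATING[consequences]
    return score, band_for(score, 3)


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


@dataclass
class Scenario:
    name: str
    threat: str
    vulnerability: str
    consequences: str
    sle: float                  # single loss expectancy (currency)
    aro: float                  # expected occurrences per year
    value_of_continuing: float  # annual business value of the activity at risk
    treatment_costs: dict       # annual cost per option: "transfer" / "mitigate"


def select_treatment(s: Scenario, appetite: str) -> str:
    """Return accept / avoid / transfer / mitigate per the deck's rule."""
    _, band = risk_score(s.threat, s.vulnerability, s.consequences)
    if BANDS.index(band) <= BANDS.index(appetite):
        return "accept"  # risk within risk appetite
    option, cost = min(s.treatment_costs.items(), key=lambda kv: kv[1])
    if cost > ale(s.sle, s.aro):
        return "accept"  # treating it costs more than the expected annual loss
    if s.value_of_continuing < cost:
        return "avoid"   # the activity is not worth what it costs to treat
    return option        # cheapest of the remaining options


# Constructed sample scenarios (loosely modelled on the deck's Activity slide).
EMAIL_FILTER = Scenario("Outdated email quarantine", "HIGH", "MEDIUM-HIGH", "MEDIUM",
                        sle=50_000, aro=2.0, value_of_continuing=1_000_000,
                        treatment_costs={"mitigate": 20_000, "transfer": 35_000})
HVAC_RULE = Scenario("HVAC regulation noncompliance", "MEDIUM", "HIGH", "LOW",
                     sle=10_000, aro=1.0, value_of_continuing=2_000_000,
                     treatment_costs={"mitigate": 500_000})
LEGACY_LINE = Scenario("Unsupported legacy product line", "HIGH", "HIGH", "HIGH",
                       sle=2_000_000, aro=0.5, value_of_continuing=150_000,
                       treatment_costs={"transfer": 400_000, "mitigate": 600_000})

if __name__ == "__main__":
    print("Exposure 4 x 5:", exposure("MEDIUM-HIGH", "HIGH"))
    print("Exposure 4 x 1:", exposure("MEDIUM-HIGH", "LOW"))
    for sc in (EMAIL_FILTER, HVAC_RULE, LEGACY_LINE):
        score, band = risk_score(sc.threat, sc.vulnerability, sc.consequences)
        print(f"{sc.name}: score={score} ({band}), ALE={ale(sc.sle, sc.aro):,.0f}, "
              f"treatment={select_treatment(sc, appetite='MEDIUM-LOW')}")
```

The HVAC scenario lands on "accept" both because its score is within the assumed appetite and because the $500,000 upgrade exceeds the $10,000 annual fine, which is the "cost of doing business" outcome the later Good to Know slide describes.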


Legal and Regulatory Considerations

• Treatment needs to consider legal or regulatory requirements.
• Different requirements may need to be considered for different jurisdictions/industries
• Legal/regulatory risk should be treated as any other risk.


Discussion Question

• When evaluating legal and regulatory non-compliance as a risk, what might you use in the risk equation to represent threat, vulnerability and consequences?


Good to Know

• In general, the potential for criminal penalties brought against top executives will result in risk being deemed unacceptable, but it would be naïve to assume that organizations comply with laws and regulations simply because they are mandated to do so.
• Where penalties are minimal and compliance is expensive, organizations might well choose non-compliance as a “cost of doing business.” This happens more often than most people realize.


Section Two


In the Big Picture

Section Two: Risk Analysis and Treatment

• Risk must be managed to ensure that the organization doesn’t take on more risk than it is willing to accept.
• To know how much risk an organization is taking, it is necessary to first identify risk and then analyze it to provide the basis for informed decisions.
• Risk treatment decisions are based on the lowest cost that meets business goals.


Section Two

Practice Questions


Practice Question

Quantitative risk analysis is MOST appropriate when assessment results:

A. include customer perceptions.
B. contain percentage estimates.
C. lack specific details.
D. contain subjective information.


Practice Question

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy calculation


Practice Question

The fact that an organization may suffer a significant disruption as the result of a distributed denial-of-service (DDoS) attack is considered:

A. an intrinsic risk.
B. a systemic risk.
C. a residual risk.
D. an operational risk.


Practice Question

Management requests that an information security manager determine which regulations regarding disclosure, reporting and privacy are the most important for the organization to address. The recommendations for addressing these legal and regulatory requirements will be MOST useful if based on which of the following choices?

A. The extent of enforcement actions
B. The probability and consequences
C. The sanctions for noncompliance
D. The amount of personal liability


Section Three

Risk Monitoring and Reporting


Task Statements

• T2.6 Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.
• T2.7 Monitor for internal and external factors (e.g., threat landscape, cybersecurity, geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
• T2.8 Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
• T2.9 Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.


Knowledge Statements

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.3: Without clear methods for identifying and analyzing impact, an information security manager may overlook significant risk.
K2.4: The risk environment is always changing, and understanding how to monitor risk factors informs reassessment decisions and timeframes.
K2.6: Legal, regulatory, organizational and other requirements may influence risk treatment decisions.
K2.7: Because the risk environment changes often, reliable and timely sources are needed for effective risk management.
K2.8: Identifying clear criteria for reassessment of risk helps to ensure a consistent approach to risk management.
K2.9: A working knowledge of threats, vulnerability and exposure guides risk treatment decisions as circumstances change over time.


Knowledge Statements

How does Section Three relate to each of the following knowledge statements?

Knowledge Statement: Connection
K2.10: Different environments may be more easily assessed and analyzed using certain methods over other methods.
K2.11: It’s not always possible to address all risk simultaneously.
K2.12: Reporting should be aligned with business goals and needs.
K2.13: There are four ways to address risk, and it’s essential to know which approach to use when, and why, because choosing the wrong treatment may lead to excessive cost, fail to manage risk to tolerable levels, or both.
K2.17: Risk management is most effective when it is built into business processes.
K2.18: Timelines and content of risk reports are often driven by explicit compliance standards.


Key Terms

Key term: definition
Allowable interruption window (AIW): The longest that operations can be interrupted before financial impacts threaten the organization's continued existence.
Key risk indicator (KRI): A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk.
Maximum allowable downtime: The absolute longest amount of time that the system can be unavailable without direct or indirect ramifications to the organization.
Maximum tolerable outage (MTO): The maximum time that an enterprise can support processing in alternate mode.
Service delivery objective (SDO): Directly related to the business needs, the SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
Recovery point objective (RPO): Determined based on the acceptable data loss in case of a disruption of operations; it indicates the earliest point in time to which it is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery time objective (RTO): The amount of time allowed for the recovery of a business function or resource after a disaster occurs.


Life Cycle Integration

 Integration with life cycle processes leads to more effective risk management.
 Change management should include consideration of risk:
– It should extend beyond hardware and software changes.
– It should include a review of the risk register.
– It should include an information security representative.


Security Baselines

 Security baselines help manage the risk implications of change by fixing a minimum level of security.
– A baseline has several benefits:
• It standardizes the minimum set of security measures.
• It provides a convenient point of reference for measurement.
– A baseline may be built by:
• Observation of current controls
• Using published third-party standards
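The two ways of building a baseline named above, and the use of a baseline as a point of reference for measurement, worked through as an added example (this is not code from the ISACA course). The setting names, the "published" baseline values and the host configurations are constructed for illustration and are not taken from any real benchmark; the comparison rules (higher is stricter for a length, lower is stricter for a timeout) are assumptions of the example.

```python
from collections import Counter

# Added example; not from the ISACA slides. Settings, baseline values and host
# configurations are constructed and are not taken from any real benchmark.

# How an observed value is compared with the baseline value for each setting:
#   "min": observed must be >= baseline (e.g. a minimum length)
#   "max": observed must be <= baseline (e.g. a timeout)
#   "eq":  observed must equal the baseline
SETTING_RULES = {
    "password_min_length": "min",
    "session_timeout_min": "max",
    "ssh_root_login": "eq",
    "disk_encryption": "eq",
}

# Baseline taken from a hypothetical published third-party standard.
PUBLISHED_BASELINE = {
    "password_min_length": 14,
    "session_timeout_min": 15,
    "ssh_root_login": "no",
    "disk_encryption": True,
}

# Constructed observation of the controls currently in place on three hosts.
OBSERVED = {
    "web-01": {"password_min_length": 12, "session_timeout_min": 30,
               "ssh_root_login": "no", "disk_encryption": True},
    "web-02": {"password_min_length": 12, "session_timeout_min": 30,
               "ssh_root_login": "yes", "disk_encryption": True},
    "db-01": {"password_min_length": 16, "session_timeout_min": 10,
              "ssh_root_login": "no", "disk_encryption": False},
}


def satisfies(rule, observed, required):
    """True when the observed value meets or exceeds the baseline value."""
    if rule == "min":
        return observed >= required
    if rule == "max":
        return observed <= required
    return observed == required


def baseline_from_observation(hosts):
    """Build a de-facto baseline from current controls: for each setting,
    the value found on the largest number of hosts."""
    baseline = {}
    for setting in SETTING_RULES:
        counts = Counter(cfg[setting] for cfg in hosts.values() if setting in cfg)
        baseline[setting] = counts.most_common(1)[0][0]
    return baseline


def deviations(hosts, baseline):
    """Map host -> list of (setting, observed, required) for every setting that
    falls short of the baseline; a missing setting counts as a deviation."""
    result = {}
    for host, cfg in hosts.items():
        short = []
        for setting, required in baseline.items():
            observed = cfg.get(setting)
            if observed is None or not satisfies(SETTING_RULES[setting], observed, required):
                short.append((setting, observed, required))
        if short:
            result[host] = short
    return result


def coverage(hosts, baseline):
    """Share of host/setting pairs that meet the baseline: the baseline used as
    a point of reference for measurement."""
    total = len(hosts) * len(baseline)
    short = sum(len(v) for v in deviations(hosts, baseline).values())
    return 1.0 - short / total


if __name__ == "__main__":
    de_facto = baseline_from_observation(OBSERVED)
    print("de-facto baseline:", de_facto)
    print("gap to de-facto baseline:", deviations(OBSERVED, de_facto))
    print("gap to published baseline:", deviations(OBSERVED, PUBLISHED_BASELINE))
    print("coverage vs published: %.0f%%" % (100 * coverage(OBSERVED, PUBLISHED_BASELINE)))
```

The de-facto baseline records what the fleet already does (two of the three hosts agree on every setting), so measuring against it only reveals outliers; measuring the same hosts against the published baseline shows the real gap, which is the number a risk reassessment needs.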


Volatility

 Each component of the risk formula is subject to change.
 Volatile environments experience large variations in risk.
– Base calculations on the highest observed risk values to ensure effective risk management.


Internal and External Environments

 Risk changes both inside and outside of the organization.
– These shifts can be difficult to track.
 Vulnerabilities disclosed publicly may encourage threat actors to try to exploit them before organizations can patch them.
 Patching is vital, but deploying patches too quickly, without testing, can also introduce new weaknesses.


Key Risk Indicators

 Indicators that are highly relevant to risk and possess a high probability of indicating a change in risk
 Specific to each enterprise; selection depends on a number of parameters
 Careful selection provides input for a dashboard view of risk


Criteria for KRIs

 Impact
 Effort
– To implement
– To measure
– To report
 Reliability
 Sensitivity



Criteria for KRIs

 Consider when an indicator begins to show changes:
– Leading: predictive, allowing time for correction
– Lagging: reveal that a change has already occurred
 KRIs may reveal immediate information as well as trends over time.
 KRIs need to be checked regularly because the risk environment evolves.


Changes in Goals and Operations

 Be conscious of business decisions that affect the risk profile.
 New business initiatives may substantially change the consequences of known exposures.
 Information security is not always included in planning for line-of-business activities, but teams tasked with business continuity typically are.


Discussion Question

 Why would business continuity teams be regularly included in planning for line-of-business activities?


Continuity and Risk

 Each business function is responsible for its own continuity.
 Strong communications between information security and business continuity can provide good insight.


Continuity and Risk

 Information security managers should watch for changes in:
– Recovery time objectives (RTO)
– Recovery point objectives (RPO)
– Service delivery objectives (SDO)
– Maximum tolerable outage (MTO)
– Allowable interruption window (AIW)


Risk Reporting and Convergence

 Business operations are managed by considering the effects of risk upon goals.
 Risk reporting used to be segregated by risk type.
– New initiatives consolidate risk reporting across types, because risk in one area can cascade to another.


Considerations for Risk Reporting

 Reports should be tailored to the intended audience.
 Use categories such as "HIGH," "MEDIUM" and "LOW."
 Use data to back up the rationale.
 The information security manager is responsible for information risk.

Escalation

 Clear escalation criteria are needed.
 Criteria should be based on risk appetite and senior management preferences.
 It is good practice to integrate escalation into incident response.
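The Volatility, Key Risk Indicators and Escalation slides above describe a monitoring loop: pick indicators, evaluate them against thresholds that express the risk appetite, use the worst observed value when the series is volatile, and escalate when a criterion is met. The following Python script is an added example of that loop, not code from the ISACA course. The indicator names, the tolerance and escalation thresholds, the four-week window, the coefficient-of-variation cut-off for "volatile" and the weekly readings are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Added example; not from the ISACA slides. Indicator names, thresholds and the
# weekly readings are constructed for illustration, not real measurements.


@dataclass(frozen=True)
class KRI:
    name: str
    kind: str              # "leading" (predictive, time to correct) or "lagging" (change has occurred)
    tolerance: float       # edge of the risk appetite: beyond this the indicator is on watch
    escalation: float      # edge at which the change is escalated to senior management
    higher_is_worse: bool = True


def is_worse(kri, a, b):
    """True when reading a represents more risk than reading b for this indicator."""
    return a > b if kri.higher_is_worse else a < b


def effective_value(kri, values, window=4, volatility_cv=0.25):
    """Choose the reading to evaluate. Normally the latest one; when the series is
    volatile (coefficient of variation over the window above volatility_cv) use the
    worst reading in the window instead, per the 'base calculations on the highest
    observed risk values' rule. Returns (value, volatile_flag)."""
    recent = values[-window:]
    m = mean(recent)
    cv = pstdev(recent) / m if m else 0.0
    if cv > volatility_cv:
        worst = max(recent) if kri.higher_is_worse else min(recent)
        return worst, True
    return recent[-1], False


def evaluate(kri, values, window=4):
    """Evaluate one KRI against its thresholds and report its trend."""
    value, volatile = effective_value(kri, values, window)
    if is_worse(kri, value, kri.escalation):
        status = "escalate"
    elif is_worse(kri, value, kri.tolerance):
        status = "watch"
    else:
        status = "within"
    earlier = values[-window:-1]
    trend = "deteriorating" if earlier and is_worse(kri, values[-1], mean(earlier)) else "stable"
    return {"kind": kri.kind, "value": value, "volatile": volatile,
            "status": status, "trend": trend}


def dashboard(kris, series):
    """One row per KRI, keyed by name: the input for a dashboard view of risk."""
    return {k.name: evaluate(k, series[k.name]) for k in kris}


def escalations(rows):
    """Names of the indicators whose escalation criterion is met."""
    return [name for name, row in rows.items() if row["status"] == "escalate"]


# Constructed indicators and weekly readings (oldest first).
KRIS = [
    KRI("critical_vulns_open_over_30d", "leading", tolerance=10, escalation=20),
    KRI("phishing_click_rate_pct", "leading", tolerance=5, escalation=10),
    KRI("patch_compliance_pct", "leading", tolerance=95, escalation=90, higher_is_worse=False),
    KRI("incidents_confirmed", "lagging", tolerance=2, escalation=4),
]
SERIES = {
    "critical_vulns_open_over_30d": [8, 9, 10, 11],
    "phishing_click_rate_pct": [3.0, 12.0, 2.5, 4.0],
    "patch_compliance_pct": [96, 95, 94, 93],
    "incidents_confirmed": [2, 2, 2, 3],
}

if __name__ == "__main__":
    rows = dashboard(KRIS, SERIES)
    for name, row in rows.items():
        print(name, row)
    print("escalate:", escalations(rows))
```

The phishing series shows why the volatility rule matters: its latest reading (4.0) sits inside the tolerance, but the worst reading in the window (12.0) breaches the escalation threshold, so the indicator is escalated rather than reported as "within". The steadily rising vulnerability count never trips the volatility rule and lands on "watch" with a deteriorating trend, which for a leading indicator is the point at which correction is still possible.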


Section Three



In the Big Picture

Section Three: Risk Monitoring and Reporting

• Executives base decisions in part on their understanding of the risk environment and rely on risk reports to have the information they need to make good decisions.
• The risk environment changes constantly, so tools such as KRIs and security baselines are useful in estimating changes to information risk.
• Risk should be reported regularly and in a way preferred by the intended audience, but quick escalation may be needed if risk changes suddenly and drastically.


Section Three

Practice Questions



Practice Question

There is a delay between the time when a security vulnerability is first published and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?

A. Identify the vulnerable systems and apply compensating controls.
B. Minimize the use of vulnerable systems.
C. Communicate the vulnerability to system users.
D. Update the signatures database of the intrusion detection system.


Practice Question

An information security manager is advised by contacts in law enforcement that there is evidence that the company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:

A. perform a comprehensive assessment of the organization's exposure to the hackers' techniques.
B. initiate awareness training to counter social engineering.
C. immediately advise senior management of the elevated risk.
D. increase monitoring activities to provide early detection of intrusion.


Practice Question

The information security policies of an organization require that all confidential information must be encrypted when communicated to external entities. A regulatory agency insists that a compliance report must be sent without encryption. The information security manager should:

A. extend the information security awareness program to include employees of the regulatory authority.
B. send the report without encryption on the authority of the regulatory agency.
C. initiate an exception process for sending the report without encryption.
D. refuse to send the report without encryption.

Practice Question

Which of the following activities MUST a financial-services organization do with regard to a web-based service that is gaining popularity among its customers?

A. Perform annual vulnerability mitigation.
B. Maintain third-party liability insurance.
C. Conduct periodic business impact analyses.
D. Architect a real-time failover capability.


Domain 2

Summary



Summary

 Risk management includes risk identification; assessment and analysis; and risk monitoring and reporting.
 If risk is not identified, it cannot be mitigated.
 Risk scenarios and the risk register are tools that can be used to identify risk, and subsequently can be used to analyze risk.
 Impact, vulnerability and likelihood all need to be taken into consideration when ranking and evaluating risk.


Summary

 Cost, whether tangible or intangible, should be considered when deciding on a risk treatment option.
 Changes in the risk environment should be monitored, typically through KRIs, to detect changes in risk.
 Information security and business continuity should be in communication with one another.
 Risk reports should be clear and written to the preferences of senior management.
 Escalation processes need to be in place for major incidents.


Questions

