Information Risk Management and Compliance Tutorial

2.1 Welcome

Hello and welcome to Domain 02, Information Risk Management and Compliance, of the Certified Information Security Manager (CISM®) course offered by Simplilearn. CISM® is a registered trademark of ISACA. ISACA® is a registered trademark of the Information Systems Audit and Control Association. Let us explore information risk management in the next screen.

2.2 Information Risk Management

Information risk management involves the application of management policies, procedures, and practices to the tasks of identifying, analyzing, evaluating, reporting, treating, and monitoring information-related risk in a systematic way. Let us explore the objectives of this domain in the next screen.

2.3 Objectives

After completing this domain, you will be able to:
• Understand the concept of risk management
• Discuss the risk management strategy
• Describe effective information security risk management
• Explain how to implement risk management
• Define risk assessment
• Develop information resource valuation
• Recall how to integrate life cycle processes
• Discuss security control baselines
• Develop a risk monitoring and communication plan
• Identify training and awareness programs
We will look at the task statements in the next screen.

2.4 Task Statements

Task statements are what a CISM® candidate is expected to know and perform. The following nine task statements have to be performed to achieve the information security goals:
• Establish and maintain a process for classifying information assets
• Identify legal, regulatory, organizational, and other applicable requirements
• Ensure that vulnerability assessments, risk assessments, and threat analyses are consistently and periodically carried out
• Determine appropriate risk treatment options
• Evaluate information security controls
Let us look at some more task statements in the next screen.

2.5 Task Statements (contd.)

Some of the other task statements are:
• Identifying the gap between current and desired risk levels
• Integrating information risk management into business and IT processes
• Monitoring existing risk
• Reporting changes in information risk as well as non-compliance to management
Let us attempt a quick recall question in the next screen.

2.6 Knowledge Check

This question will help you to recall the concepts you have learned. Let us now look at the knowledge statements in the next screen.

2.7 Knowledge Statements

The CISM® candidate must have a good understanding of each of the 19 areas delineated by the knowledge statements to perform the task statements. These knowledge statements are:
• Knowledge of methods to classify information assets
• Knowledge of methods used to assign the responsibilities for and ownership of information assets and risk
• Knowledge of evaluating adverse events that impact businesses
• Knowledge of how information assets can be valued
• Knowledge of legal, regulatory, organizational, and other information security related requirements
Let’s continue learning about other knowledge statements in the next screen.

2.8 Knowledge Statements

Some more knowledge statements are:
• Knowledge of sources of information that are reliable, reputable, and timely
• Knowledge of events that may require risk reassessments and changes
• Knowledge of vulnerabilities, threats, and exposures and how they evolve
• Knowledge of risk assessment and analysis methodologies, and of the methods used to prioritize risk
We will continue learning more about other knowledge statements in the next screen.

2.9 Knowledge Statements (contd.)

A few other knowledge statements are:
• Knowledge of risk reporting requirements
• Knowledge of methods used to monitor risk
• Knowledge of how risk can be treated and applied within an enterprise
• Knowledge of the relationship between control baseline modeling and risk-based assessments
• Knowledge of information security controls, methods, and countermeasures
We will look at the final set of knowledge statements in the next screen.

2.10 Knowledge Statements (contd.)

And finally, the CISM® candidate should have:
• Knowledge of how to analyze gaps within information security
• Knowledge of how risk management can be integrated into IT and business processes
• Knowledge of compliance requirements and reporting processes
• Knowledge of cost and benefit analysis of the various means to treat risk
Let us attempt a quick recall question in the next screen.

2.11 Knowledge Check

This question will help you to recall the concepts you have learned. Let us have an overview of risk management in the next screen.

2.12 Risk Management

The National Institute of Standards and Technology (NIST) defines risk management as the process that is involved with the identification, control, measurement, and minimization of information security risks to a level that can be justified by the assets protected.
• Risks are inherent in any business and cannot be avoided.
• Risks cannot be removed, but they can be minimized to an acceptable level.
Let us look at the various types of risk assessments in the next screen.

2.13 Risk Assessment types

Risk assessment can be quantitative or qualitative or, as is usually the case, a combination of both, known as semi-quantitative. Click each risk assessment type to know more.
• Quantitative: Quantitative risk analysis provides an approximate measure of the magnitude of impact, usually in financial terms.
• Qualitative: A qualitative risk assessment may be easier to perform; it enables the prioritization of risk and helps in identifying areas of vulnerability requiring immediate attention. The approach involves ranking relative risk on a scale from low risk to high risk.
• Semi-quantitative: A semi-quantitative assessment is the typical risk assessment, in which a combination of quantitative and qualitative methods is used. This is becoming a popular first-step approach to risk assessment due to the speed and low complexity of the method.
Let us attempt a quick recall question in the next screen.

2.14 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the risk management process and its importance in the next screen.

2.15 Risk Management

Risk management is an iterative process that provides justification for investment in information security. The graphic represents the risk management cycle, which involves:
• Identifying the risk areas
• Assessing the risk
• Developing the risk management plan
• Implementing management actions
• Re-evaluating the risk
Let us look at the risk management design in the next screen.

2.16 Risk Management Design

To implement risk management, it is necessary to design the risk management process. The design and implementation of the risk management processes in the organization are influenced by:
• The organization’s culture
• The organization’s objectives and mission
• The organizational structure
• Its products and services
• Its management and operation processes
• The environmental and physical conditions
• Legal and regulatory conditions
Let us attempt a quick recall question in the next screen.

2.17 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the outcomes of risk management in the next screen.

2.18 Risk Management Outcomes

Once risk management has been implemented, it is necessary to monitor its effectiveness by identifying the outcomes. Effective risk management ensures that the organization:
• Operates at a level of predictability that supports the enterprise’s ability to operate profitably and effectively.
• Monitors, manages, and mitigates risks and reduces potential business impacts to an acceptable level by conducting periodic risk and vulnerability assessments.
• Makes stakeholders aware of risk and of the appropriate action to be taken at different levels through awareness and training campaigns.
Let us continue looking at the outcomes of risk management in the next screen.

2.19 Risk Management Outcomes

Effective risk management also ensures that the organization:
• Is aware of its critical information assets and their value to the organization.
• Is aware of the threats and vulnerabilities that can affect or attack the business assets, and of the resulting business exposure and business impact if the threats materialize.
• Is aware of its legal, regulatory, and internal organizational compliance requirements, as well as any other applicable requirements, and manages the non-compliance risk to a level that is acceptable.
• Implements appropriate measures that are aligned with business objectives.
We will attempt a quick recall question in the next screen.

2.20 Knowledge Check

This question will help you to recall the concepts you have learned. Let us look at the risk management strategy in the next screen.

2.21 Risk Management Strategy

An effective risk management strategy sets the parameters and charts the course for the organization’s risk management program. Internal factors such as organizational maturity, history, culture, risk tolerance, and structure, as well as external factors such as regulatory requirements will affect risk management strategies. Risk management has to be communicated throughout the organization and awareness sessions should be held to ensure that risk management is incorporated within the organization’s culture. A risk management strategy must include determining the optimal approach to align processes, technology, and behavior. Let us look at effective information risk management in the next screen.

2.22 Effective Information Risk Management

Effective information security risk management activities must be supported on an ongoing basis by all members of the organization. Executive or C-suite support lends credibility and impetus to risk management efforts. An organizational culture that includes sound information security practices, coupled with senior management commitment to effective risk management, is required to achieve the objectives of the program. In addition, personnel must understand their responsibilities and be trained in the applicable control procedures. Compliance with information security controls must be tested and enforced on a continuing basis. The information security manager must also consider developing approaches to achieve a level of integration with the typically numerous risk management activities of other parts of the organization. These can include legal, facilities, physical security, HR, audit, and privacy and compliance activities. Let us look at the risk management program in the next screen.

2.23 Risk Management Program

A risk management program has to consider the following:
• Purpose and context of the program
• The scope and charter of the program
• Asset identification, ownership, and classification
• The objectives
• The methodology used
• The implementation team
Let us look at the support system in the next screen.

2.24 Risk Management Support System

To ensure effective information security risk management, the following key personnel have to support the risk management process as well as participate in it:
• Governing boards and senior management
• Chief Risk Officer
• Chief Information Officer
• Chief Information Security Officer
• Information Security Manager
• Information owners
• Business and functional managers
• IT security practitioners
• Security awareness trainers
Click each role to know about its responsibilities.
• Governing boards and senior management: Senior management, in exercising due care and responsibility for mission accomplishment, should ensure that the necessary resources are applied to make sure the mission is accomplished.
• Chief Risk Officer: Responsible for enterprise risk management, which may include information security in some cases.
• Chief Information Officer: The chief information officer (CIO) is responsible for ensuring that the IT function is well planned, budgeted, and well performing, and that it includes information security metrics.
• Chief Information Security Officer: Performs the same functions as an information security manager, but at the strategic and management level, and typically reports to the CEO.
• Information Security Manager: Responsible for the organization’s security program, usually including information risk management. Plays a key role in introducing a methodology that will identify, minimize, and evaluate the risks to the information assets, which in turn support the organization’s goals.
• Information owners: The information and system owners must ensure that there are adequate controls to maintain the confidentiality, integrity, and availability of information systems. They have to approve any changes to the IT system, including any users who need access to the system.
• Business and functional managers: They are responsible for the IT procurement process and business operations and should therefore take a key role in risk management. These managers have the authority to make trade-offs in achieving the mission.
• IT security practitioners: They are responsible for implementing information security requirements. They include network administrators and application or database administrators, among others.
• Security awareness trainers: They train the organization’s employees on the use of the information technology systems. They ensure that IT systems are used in accordance with the organization’s policies.
We will attempt a quick recall question in the next screen.

2.25 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at information security management concepts in the next screen.

2.26 Information Security Management

In addition to awareness of new technologies, information security managers must also be aware of the following concepts:
• Threats and vulnerabilities
• Exposures and risk
• Impact and controls
• Countermeasures
• Resource valuation
• Criticality and sensitivity
Let us look at the other information security management concepts in the next screen.

2.27 Information Security Management

A few other concepts that the information security manager needs to know are:
• Recovery Time Objectives (RTOs)
• Recovery Point Objectives (RPOs)
• Service Delivery Objectives (SDOs)
• Acceptable Interruption Window (AIW)
• Redundancy site
Let us look at the technologies the information security manager should be aware of in the next screen.

2.28 Information Security Management

Let’s now learn about the technologies that the information security manager should be aware of. These are:
• Application security
• Physical and environmental controls
• Logical access controls
• Network access controls
• Routers, bridges, and firewalls
• Intrusion detection or prevention systems
Let us look at the other technologies that the information security manager should be aware of in the next screen.

2.29 Information Security Management

A few other technologies that an information security manager must know are:
• Wireless security
• Platform security
• Encryption methodologies
• Antivirus, antispyware, and antimalware
• Antispam devices
• Telecommunication equipment
A few questions will be presented in the following screens. Select the correct option and click Submit to see the feedback.

2.30 Implementing Risk Management

• Implementing risk management involves the integration of the various risk activities within an organization. Information security risk management must also integrate with the other teams that deal with risk within the organization, such as physical risk and credit risk, as well as with compliance functions such as audit.
• This prevents duplication of effort, minimizes gaps in assurance functions, and ensures that effective processes in other domains support information security risk management.
Let us explore the risk management process in the next screen.

2.31 Risk Management Process

The risk management process involves weighing policy alternatives with input from interested parties, taking into account the risk assessment as well as other factors. This ensures that an appropriate prevention and control option is selected at an acceptable cost. Click each factor to know more.
• When instituting scope and boundaries, one has to take into consideration both internal and external factors in establishing global parameters for risk management within an organization.
• Carrying out a risk assessment involves risk identification, risk analysis, and risk evaluation.
• Defining risk treatment ensures that the strategies selected respond to risk according to the business’s risk appetite. Such responses include risk avoidance, implementation of mitigating activities, or transferring the risk to a third party such as an insurer. Risk acceptance is also possible if there is no cost-effective way to mitigate the risk, if it carries little exposure, or if it is not feasible to address it.
• Residual risk is the risk that remains after treatment, which can then be accepted. It must be ensured that residual risk is at an acceptable level.
• Information security management must ensure constant communication and monitoring of risk management by exchanging information on the identified risks between decision-makers and other stakeholders, who may be within or outside the organization.
We will attempt a quick recall question in the next screen.

2.33 Risk Management Framework

A risk management framework is normally chosen from a reference model that reflects the desired state of an organization. This reference model can then be adapted to the organization to come up with a risk management program. There are a number of such reference models that you might have heard about. These include:
• COBIT 5, developed by ISACA
• ISO 31000:2009 Risk Management, which provides guidelines for implementing risk management
• HB 436:2004 Risk Management Guidelines
• ISO/IEC 27005:2008, which provides guidelines on information security risk management
• NIST’s Risk Management Guide for Information Technology Systems
Let us learn about risk management requirements in the next screen.

2.34 Risk Management Requirements

Risk management, based on a reference model, has to define a number of requirements in coming up with the risk management framework. Click each requirement to know more. The first requirement is a policy, which must be defined by senior management and which includes its commitment to risk management. The policy should be relevant to the organizational context. The second requirement is planning and resourcing, where the personnel required to implement a risk management framework must be identified. In addition, all the resources and tools that will be required should also be defined at this point. Third on the requirement list is an implementation program that defines the implementation steps to be followed for an effective risk management system. A periodic review of the risk management system by senior management should be put in place to ensure that it satisfies the requirements set in establishing this program. The fourth requirement is a periodic management review of the risk management system, which must be performed by executive management to ensure that the system is stable and effective in satisfying the requirements of the program. Management should also maintain the records of such reviews. As the fifth requirement, a risk management process should be applied to all levels of the organization, and risk treatment should be prioritized based on the organization’s objectives, risk tolerance, and regulatory environment. Finally, adequate documentation of the whole risk management process should be kept to facilitate an independent review. We will attempt a quick recall question in the next screen.

2.35 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at the internal and external environment factors in the next screen.

2.36 Defining External and Internal Environment

Both the external and internal environment affect the way an organization implements its risk management program. The external environment is the environment in which the organization operates. This includes the industry the enterprise operates in, the regulatory environment, the socio-cultural environment, and other external stakeholders. The internal environment of an enterprise includes key business drivers, the SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) of the organization, the organizational structure and assets, the goals of the enterprise, and internal stakeholders such as employees. Let us look at the risk management context in the next screen.

2.37 Risk Management Context

The information security manager should, at all times, ensure that the risk management program provides the right balance between cost and benefit. Risk management context involves:
• Defining the range of organizational activities
• Duration of the program
• Full scope of risk management activities
• Roles and responsibilities of the participants in the risk management program
The criteria used in the risk management program should be based on the impact of a risk, the likelihood of the risk materializing, and the rules that determine whether a risk level is accepted or requires further treatment. Let us look at gap analysis in the next screen.

2.38 GAP Analysis

Gap analysis, in the context of managing risk, can be defined as the gap between controls and control objectives. This gap arises because control objectives change due to exposures, business objectives, or regulations that keep changing as risk management activities are implemented. Gap analysis should be carried out on a periodic basis. When the effectiveness of controls exceeds the defined risk tolerances, controls should be modified with additional control activities. Let us look at other organizational support in the next screen.

2.39 Other Organizational Support

The information security manager may get additional information from the industry, which will assist in monitoring the security environment if integrated with the risk management program. Such sources include good practices organizations, security networking, vulnerability alerting services, and security training organizations. Click each area to know more.
• Good practices organizations such as ISACA®, ISC2, and SANS periodically provide valuable information and data that can be used to evaluate a security program.
• The information security manager will also gain insights by attending security networking roundtables, where security professionals from similar industries discuss the latest trends in information security.
• Vulnerability alerting services alert the information security manager to new vulnerabilities that have been discovered in the technologies being used, and to the remedies for them.
• The information security manager will improve the organization’s response to security issues by being in contact with security training organizations that facilitate classes on information security topics, such as strategies for security configuration and vulnerability analysis.
A few questions will be presented in the following screens. Select the correct option and click Submit to see the feedback.

2.40 Introduction to Risk Assessment

Risk assessment is the process of analyzing the threat and vulnerability landscape of an enterprise’s information assets to determine the organization’s exposure and risk of compromise. Risk assessment is a formal evaluation of risk, and it:
• Uses qualitative, quantitative, and semi-quantitative assessments
• Determines the adequacy of the organization’s existing security and controls
• Recommends new mitigation plans
• Consists of risk analysis
Let us learn about risk analysis, evaluation, and management in the next screen.

2.41 Risk Analysis Evaluation and Management

Risk assessment involves analyzing the risk, evaluating the risk, and then managing the risk. Click each area to know more.
• Risk analysis involves examining reports and information and identifying and analyzing probable threats to an organization.
• Risk evaluation involves comparing the results of the analysis against the established likelihood and impact criteria, as well as the acceptability of the residual risk.
• Risk management, on the other hand, involves the systematic application of security policies, procedures, and practices to the tasks of identifying, analyzing, evaluating, treating, monitoring, and communicating the risk.
Let us now look at the risk rating matrix in the following screen.

2.42 Risk Rating Matrix

After assessing the risk, we need to rate the risk and check its impact. The table below displays a sample risk rating matrix: each cell gives the risk level for a combination of the likelihood of the risk (rows) and its impact (columns).

Likelihood        Insignificant   Minor         Moderate      Major         Catastrophic
Almost certain    Low             Significant   High          High          High
Likely            Low             Significant   Significant   High          High
Possible          Low             Low           Significant   High          High
Unlikely          Very low        Low           Significant   Significant   Significant
Rare              Very low        Low           Low           Low           Significant

For example, when the likelihood is almost certain and the impact is insignificant, the risk is low; when the likelihood is likely and the impact is major, the risk is high; and when the likelihood is rare and the impact is catastrophic, the risk is significant. We will attempt a quick recall question in the next screen.
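The matrix above is only useful if it is complete and consistent, and its real purpose is to turn a risk register into a prioritized treatment queue. The following Python module is an added example, not part of the course material: it encodes the 5x5 matrix exactly as given on this screen, checks that every cell is filled and that the rating never drops as likelihood or impact increases, and then rates a constructed sample register, returning every entry at or above a chosen tolerance level, highest risk first. The register entries, the tolerance level, and the "at or above tolerance needs treatment" rule are assumptions for the illustration.

```python
"""Qualitative risk rating with a likelihood x impact matrix (added example)."""
from typing import Dict, List, Tuple

# Axes ordered from lowest to highest.
LIKELIHOODS = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACTS = ["insignificant", "minor", "moderate", "major", "catastrophic"]
LEVELS = ["very low", "low", "significant", "high"]

# Rows: likelihood; columns: impact in the order of IMPACTS.
MATRIX: Dict[str, List[str]] = {
    "rare":           ["very low", "low", "low", "low", "significant"],
    "unlikely":       ["very low", "low", "significant", "significant", "significant"],
    "possible":       ["low", "low", "significant", "high", "high"],
    "likely":         ["low", "significant", "significant", "high", "high"],
    "almost certain": ["low", "significant", "high", "high", "high"],
}

_RANK = {level: i for i, level in enumerate(LEVELS)}


def rate(likelihood: str, impact: str) -> str:
    """Return the qualitative risk level for one likelihood/impact pair."""
    return MATRIX[likelihood][IMPACTS.index(impact)]


def matrix_is_consistent() -> bool:
    """Sanity check for any rating matrix before it is used:
    every cell holds a known level, and the level is monotone along both
    axes (a higher likelihood or a higher impact never yields a lower rating)."""
    for lk in LIKELIHOODS:
        row = MATRIX[lk]
        if len(row) != len(IMPACTS) or any(cell not in _RANK for cell in row):
            return False
        if any(_RANK[row[i]] > _RANK[row[i + 1]] for i in range(len(row) - 1)):
            return False
    for j in range(len(IMPACTS)):
        col = [MATRIX[lk][j] for lk in LIKELIHOODS]
        if any(_RANK[col[i]] > _RANK[col[i + 1]] for i in range(len(col) - 1)):
            return False
    return True


Register = List[Tuple[str, str, str]]  # (risk description, likelihood, impact)


def prioritize(register: Register, tolerance: str) -> List[Tuple[str, str]]:
    """Rate each register entry and return those at or above `tolerance`,
    highest rating first; entries with equal ratings keep register order."""
    rated = [(name, rate(lk, im)) for name, lk, im in register]
    needs_treatment = [(n, lvl) for n, lvl in rated if _RANK[lvl] >= _RANK[tolerance]]
    return sorted(needs_treatment, key=lambda entry: -_RANK[entry[1]])


# Constructed sample register (hypothetical entries for the illustration).
SAMPLE_REGISTER: Register = [
    ("Unpatched internet-facing web server", "likely", "major"),
    ("Laptop left on a train", "possible", "moderate"),
    ("Data center flood", "rare", "catastrophic"),
    ("Printer toner outage", "almost certain", "insignificant"),
]

if __name__ == "__main__":
    if not matrix_is_consistent():
        raise SystemExit("rating matrix is incomplete or not monotone")
    for name, level in prioritize(SAMPLE_REGISTER, "significant"):
        print(f"{level:12s} {name}")
```

The monotonicity check is the practitioner's safeguard: a matrix that is edited by hand over several review cycles can easily end up with a cell that rates a more likely or more damaging event lower than its neighbour, and the check catches that before the matrix is used to decide what gets treated.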

2.43 Knowledge Check

This question will help you to recall the concepts you learned. Let us see the popular methodologies used in risk assessment in the following screen.

2.44 Risk Assessment

The information security manager will select the methodology that best suits the needs of the organization. Such methodologies include COBIT, OCTAVE, NIST SP 800-30, AS/NZS 4360:2005, ITIL, CRAMM, Factor Analysis of Information Risk (FAIR), risk factor analysis, and Value at Risk (VaR). While these methodologies are important for the information security manager, the CISM exam does not test them. Let us look at the steps of a risk assessment methodology in the next screen.

2.45 NIST Risk Assessment Methodology

The National Institute of Standards and Technology (NIST) recommends the following nine primary steps of its risk assessment methodology:
• Step 1: System characterization
• Step 2: Threat identification
• Step 3: Vulnerability identification
• Step 4: Control analysis
• Step 5: Likelihood determination
• Step 6: Impact analysis
• Step 7: Risk determination
• Step 8: Control recommendations
• Step 9: Results documentation
We will attempt a quick recall question in the next screen.

2.46 Knowledge Check

This question will help you to recall the concepts you learned. Let us now look at probabilistic risk assessment in the next screen.

2.47 Probabilistic Risk Assessment

Probabilistic risk assessment (PRA) is a systematic and comprehensive methodology used to evaluate the risks associated with a complex engineered technological entity. It defines risk as a feasible detrimental outcome of an activity or action. Risk is characterized by two quantities:
• The magnitude of the possible adverse consequences, and
• The probability of occurrence of each consequence
Let us look at Factor Analysis of Information Risk in the next screen.

2.48 Factor Analysis of Information Risk

Factor Analysis of Information Risk (FAIR) provides a logical framework made up of the following components. Click each component to know more.
• A taxonomy of the factors that make up information risk, which provides a foundational understanding of information risk and a set of standard definitions for enterprise terms
• A method for measuring the factors that drive information risk
• A computational engine that mathematically simulates the relationships between the measured factors to derive risk
• A simulation model that allows one to apply the taxonomy, measurement method, and computational engine to build and analyze risk scenarios of virtually any size or complexity
Let us continue looking at Factor Analysis of Information Risk in the next screen.

2.49 Factor Analysis of Information Risk (contd.)

FAIR illustrates a means of decomposing risk using a reasonable and detailed analysis process. In this process:
• Risk can be categorized into two major classes: loss event frequency and probable loss magnitude.
• Loss event frequency can further be classified into threat event frequency and vulnerability. Furthermore, threat event frequency can be classified into contact and action, while vulnerability is classified into control strength and threat capability.
• Probable loss magnitude, on the other hand, is classified into primary loss factors and secondary loss factors. Furthermore, primary loss factors are classified into asset loss factors and threat loss factors, while secondary loss factors are classified into organizational loss factors and external loss factors.
Let us see aggregated risk and cascading risk in the following screen.
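The two FAIR screens above describe a taxonomy and a "computational engine that simulates the relationships between the measured factors". The Python module below is an added example, not part of the course and not the FAIR standard's own engine: it is a simplified Monte Carlo simulation that follows the decomposition on this screen, estimating vulnerability from threat capability versus control strength, deriving loss event frequency from threat event frequency and vulnerability, and adding primary and secondary loss for every loss event to produce a distribution of annual loss. The three-point (minimum, most likely, maximum) estimates, the triangular distribution shape, the Poisson event count, and the sample scenario are all assumptions made for the illustration.

```python
"""FAIR-style decomposition as a small Monte Carlo engine (added example)."""
import math
import random
from statistics import mean, median
from typing import Dict, List, Tuple

# A calibrated three-point estimate: (minimum, most likely, maximum).
Estimate = Tuple[float, float, float]


def tri(rng: random.Random, est: Estimate) -> float:
    """Draw one value from a triangular distribution (assumed shape) over an estimate."""
    low, mode, high = est
    return rng.triangular(low, high, mode)


def poisson(rng: random.Random, lam: float) -> int:
    """Draw a count of events for an annual rate `lam` (Knuth's algorithm)."""
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return count
        count += 1


def vulnerability(threat_capability: Estimate, control_strength: Estimate,
                  rng: random.Random = None, trials: int = 5000) -> float:
    """Vulnerability = fraction of threat events that become loss events,
    estimated by drawing a threat-capability and control-strength percentile
    per trial and counting how often the threat exceeds the control."""
    if rng is None:
        rng = random.Random(0)
    wins = sum(1 for _ in range(trials)
               if tri(rng, threat_capability) > tri(rng, control_strength))
    return wins / trials


def simulate_annual_loss(scenario: Dict[str, Estimate], trials: int = 10000,
                         seed: int = 1) -> List[float]:
    """Return one simulated annual loss per trial for a scenario."""
    rng = random.Random(seed)
    vuln = vulnerability(scenario["threat_capability"], scenario["control_strength"], rng)
    losses = []
    for _ in range(trials):
        tef = tri(rng, scenario["tef"])                 # threat events per year
        loss_events = poisson(rng, tef * vuln)         # LEF = TEF x vulnerability
        total = sum(tri(rng, scenario["primary_loss"]) + tri(rng, scenario["secondary_loss"])
                    for _ in range(loss_events))       # PLM = primary + secondary loss
        losses.append(total)
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Reduce the simulated distribution to the figures a decision-maker asks for."""
    ordered = sorted(losses)
    return {
        "annualized_loss_expectancy": mean(ordered),
        "median": median(ordered),
        "p90": ordered[int(0.9 * (len(ordered) - 1))],
        "max": ordered[-1],
    }


# Constructed sample scenario (hypothetical numbers, capabilities as percentiles 0-100).
SAMPLE_SCENARIO: Dict[str, Estimate] = {
    "tef": (2, 6, 20),                        # threat events per year
    "threat_capability": (40, 60, 90),
    "control_strength": (30, 70, 85),
    "primary_loss": (5_000, 25_000, 150_000),   # e.g. response and replacement
    "secondary_loss": (0, 10_000, 400_000),     # e.g. fines and reputation
}

if __name__ == "__main__":
    for key, value in summarize(simulate_annual_loss(SAMPLE_SCENARIO)).items():
        print(f"{key:28s} {value:>12,.0f}")
```

The point of reporting the distribution rather than a single number is that the mean (the annualized loss expectancy) and the 90th percentile answer different questions: the first supports a cost-benefit comparison of treatments, the second tells management how bad a plausible year can be, which is what the risk tolerance is actually measured against.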

2.50 Aggregated Risk and Cascading Risk

Risk can be aggregated risk or cascading risk. Click each type of risk to know more.
• Aggregated risk is when threats (single or multiple) affect a large number of minor vulnerabilities. Each individual impact may be acceptable to the organization, but the aggregate impact of all the minor vulnerabilities can be catastrophic. An example is a generic account in an application when that application also has vulnerable services running on it, such as File Transfer Protocol (FTP).
• Cascading risk is when threats (single or multiple) create a “chain reaction” of unacceptable impacts. Highly coupled systems or systems with multiple dependencies are candidates for cascading risk. An example is a failure at a power utility in a small town in the USA, which caused a cascade of failures across the power grid leading to a blackout in the whole of the north-eastern part of the USA.
We will attempt a quick recall question in the next screen.

2.51 Knowledge Check

This question will help you to recall the concepts you learned. Let’s look at risk identification methodology in the next screen.

2.52 Risk Identification Methodology

The methodologies used for risk identification include the following. Click each methodology to know more.
• Brainstorming, where ideas are gathered spontaneously as they are contributed by experts
• Interviewing, where risk is identified through discussions with risk experts and management
• The Delphi technique, where consensus is generated among risk experts
• Diagramming techniques, where cause-and-effect diagrams, process flowcharts, and influence diagrams are used to identify risks
• Analysis of processes to facilitate the identification of operational risk
• Expert judgment, where input from subject matter experts or employees with relevant experience is used to identify risk
• SWOT analysis, which examines organizational risks from the perspectives of Strengths, Weaknesses, Opportunities, and Threats
Let us look at threats in the next screen.

2.53 Threats

Once the risks have been identified, threats to information resources and the likelihood of their occurrence must be assessed. In this context, threats are any circumstances or events which can cause harm by exploiting vulnerabilities in information systems. Threats are usually categorized as natural, unintentional, intentional physical, and intentional nonphysical.

• Natural threats arise from acts of nature such as fire, flood, rain, and earthquakes.
• Unintentional threats are the results of unintentional activities, such as loss of utility services, water, fire, or equipment failure.
• Intentional physical threats arise from malicious physical acts such as bombs, fire, theft, and water.
• Intentional nonphysical threats are the results of malicious non-physical acts such as espionage, hacking, fraud, identity theft, social engineering, and malicious code.

Let us continue looking at threats in the next screen.

2.54 Threats (contd.)

The information security manager should be aware of advanced persistent threats which are defined by NIST publication 800-61 as “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors such as cyber, physical and deception.” We will attempt a quick recall question in the next screen.

2.55 Knowledge Check

This question will help you to recall the concepts you learned. Let us understand vulnerability in the next screen.

2.56 Vulnerability

Vulnerability is a weakness in the design, implementation, operation, or internal controls of a process that could be exploited to violate system security. Examples of vulnerabilities include:

• Defective software
• Improperly configured equipment
• Lack of compliance enforcement
• Poorly designed network
• Defective or uncontrolled processes
• Inadequate management
• Inadequate staff
• Inadequate knowledge to support users
• Lack of security functionality
• Inadequate maintenance
• Weak passwords
• Untested technology
• Unprotected communication
• Inadequate redundancy
• Poor communication in the organization

Let us look at risk profiles of organizations in the next screen.

2.57 Risk

The information security manager must understand the business risk profile of the organization. Risk is an inherent part of business. Since it is impractical and costly to eliminate all risks, every organization has a level of risk that it will accept.

• To determine the reasonable level of acceptable risk, the risk manager must determine the optimal point where the cost of losses intersects with the costs associated with mitigating or otherwise treating the risk.

We will attempt a quick recall question in the next screen.

2.58 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at operational risk areas in the next screen.

2.59 Operational Risk

The information security manager should be aware of the following operational risk areas:

• Facilities and operating environment risk
• Health and safety risk
• Information security risk
• Control frameworks risk
• Legal and regulatory compliance risk
• Corporate governance risk
• Reputation risk
• Strategic risk
• Processing and behavioral risk
• Technology risk
• Project management risk
• Criminal and illicit acts risk
• Human resources risk
• Supplier risk
• Management information risk
• Ethics risk
• Geopolitical risk
• Cultural risk
• Climate and weather risk

Let us look at the qualitative risk analysis in the following screen.

2.60 Qualitative Risk Analysis

Qualitative risk analysis:

• Is a subjective analysis of risks and threats to the organization
• Is the initial assessment to identify risks
• Ranks threats based on probability and understanding of different risk scenarios
• Is based on expert judgment, intuition, and experience rather than financial values; and
• Considers the organization’s culture, reputation, and brand image

Let us look at the qualitative assessment in the next screen.

2.61 Qualitative Risk Analysis (contd.)

Qualitative assessment uses:

• Relative probability or likelihood of occurrence
• Impact on organizational business objectives, and
• The organization’s risk tolerance

Let’s focus on probability scales in the following screen.

2.62 Probability Scales

Probability scales:

• Show the assignment of a value to the likelihood of a risk occurring
• Range from 0.0 to 1.0, where 0.0 indicates no probability and 1.0 indicates certainty
• Are designed using relative probability values such as linear, non-linear, and ordinal scales

The graph shows the assignment of value to the likelihood of a risk occurring. We will attempt a quick recall question in the next screen.

2.63 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at the quantitative risk analysis in the following screen.

2.64 Quantitative Risk Analysis Techniques

Quantitative risk analysis is a technique used to:

• Assess the exposure of overall organizational objectives to risk events
• Determine the confidence levels of achieving the organizational objectives, and
• Quantify the magnitude of impact in financial terms and prioritize risks

The values or numbers arrived at may be subject to variations, margins of error, and errors. Quantitative risk analysis techniques include sensitivity analysis, expected monetary value (EMV) analysis, and modelling and simulation.

• Sensitivity analysis involves examination of the uncertain elements that affect the organization
• Expected monetary value (EMV) analysis is the calculation of the average outcome under uncertainty
• Modelling and simulation involves cost risk analysis using the Monte Carlo method

Let us see semi-quantitative risk analysis in the next screen.
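The three techniques above, worked through in code as an added example (this is not material from the course or from ISACA): EMV as the sum of rate times mean loss across scenarios, sensitivity analysis as the change in EMV when one scenario’s rate is bumped, and a Monte Carlo simulation of total annual loss. The three scenarios, their yearly rates and their loss ranges are constructed figures chosen only to make the arithmetic visible; the loss of a single occurrence is modelled as a triangular (low, most likely, high) estimate, which is an assumption of this example.

```python
"""Quantitative risk analysis: EMV, sensitivity analysis and Monte Carlo simulation.

Added example (not part of the course material). The three risk scenarios
below and their rates and loss ranges are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: how often it happens per year and what one occurrence costs."""
    name: str
    rate_per_year: float   # expected occurrences per year (treated as a Poisson rate)
    loss_low: float        # best-case loss for one occurrence, in currency units
    loss_mode: float       # most likely loss
    loss_high: float       # worst-case loss

    def mean_loss(self) -> float:
        # Mean of a triangular distribution is (low + mode + high) / 3.
        return (self.loss_low + self.loss_mode + self.loss_high) / 3.0


# Constructed sample input (illustrative figures only).
SCENARIOS = [
    Scenario("ransomware", 0.2, 50_000, 200_000, 800_000),
    Scenario("insider data theft", 0.1, 20_000, 100_000, 300_000),
    Scenario("cloud misconfiguration", 0.5, 5_000, 20_000, 60_000),
]


def expected_monetary_value(scenarios) -> float:
    """EMV: the average annual outcome under uncertainty (sum of rate x mean loss)."""
    return sum(s.rate_per_year * s.mean_loss() for s in scenarios)


def sensitivity(scenarios, factor: float = 0.5) -> dict:
    """Sensitivity analysis: how much total EMV moves if one scenario's rate
    rises by `factor` (50 % by default), holding the others fixed."""
    base = expected_monetary_value(scenarios)
    result = {}
    for s in scenarios:
        bumped = Scenario(s.name, s.rate_per_year * (1 + factor),
                          s.loss_low, s.loss_mode, s.loss_high)
        others = [o for o in scenarios if o is not s]
        result[s.name] = expected_monetary_value(others + [bumped]) - base
    return result


def _poisson(rate: float, rng: random.Random) -> int:
    """Sample an occurrence count from a Poisson distribution (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def monte_carlo(scenarios, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo simulation of total annual loss across all scenarios.

    Each trial simulates one year: for every scenario, draw how many times it
    occurs and a loss for each occurrence. Returns mean, 95th percentile and
    maximum, which show the tail that a single EMV figure hides."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        year_loss = 0.0
        for s in scenarios:
            for _occurrence in range(_poisson(s.rate_per_year, rng)):
                year_loss += rng.triangular(s.loss_low, s.loss_high, s.loss_mode)
        annual_losses.append(year_loss)
    annual_losses.sort()
    return {
        "mean": sum(annual_losses) / trials,
        "p95": annual_losses[int(0.95 * trials)],
        "max": annual_losses[-1],
    }


if __name__ == "__main__":
    print(f"EMV of annual loss: {expected_monetary_value(SCENARIOS):,.0f}")
    for name, delta in sensitivity(SCENARIOS).items():
        print(f"  +50% rate on {name:<22} changes EMV by {delta:+,.0f}")
    mc = monte_carlo(SCENARIOS)
    print(f"Monte Carlo: mean {mc['mean']:,.0f}, p95 {mc['p95']:,.0f}, max {mc['max']:,.0f}")
```

The simulated mean converges on the EMV, which is the point of EMV, but the 95th percentile sits several times higher because a rare, expensive scenario dominates the tail; that gap is the “variation and margin of error” the text warns about, and it is what a manager needs when deciding how much loss the organization can absorb in a bad year.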

2.65 Semi-Quantitative Risk Analysis

Semi-quantitative methods are used to describe the relative risk scale. In semi-quantitative methods, the values used can be:

• Indicative and not real
• Inconsistent in reflecting analogies between risks

Semi-quantitative methods can be used in formulae that take these limitations into account. We will attempt a quick recall question in the next screen.

2.66 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at probability distribution in the next screen.

2.67 Probability Distribution

Probability distribution is the scattering of values assigned to likelihood in a sample population.

• It can be visually depicted in the form of a probability density function (PDF).
• In a PDF, the vertical axis refers to the probability of the risk event and the horizontal axis refers to the impact the risk event will have on the project objectives.

Let us see the types of probability in the next screen.

2.68 Probability Types

Probability can be either subjective or objective.

• Subjective probability is based on people’s opinions, which may be shaped by information, experience, attitude, and perceptions. Different people deduce different determinations of the probability of an event.
• On the other hand, objective probability is deduced mathematically based on each recorded measure of risk occurrence.

2.69 Evaluation of Risk

Risk evaluation determines how to treat the risk and sets the treatment priorities. Thresholds for risk evaluation should be specified in terms of:

• Consequences (for example, impacts)
• The likelihood of events
• The cumulative impact of a series of events that could occur simultaneously
• Risk treatment cost, and
• The ability of the organization to absorb losses

We will look at risk treatment options in the next screen.

2.70 Risk Treatment

The risk treatment strategies can be positive or negative. Positive risk treatment techniques involve seeing risk as an opportunity and this includes: exploiting the risk, sharing the risk, enhancing the company profile as well as accepting the risk. Negative risk treatment is where risk is treated as a threat and therefore treatment options include avoiding the risk, transferring the risk to a third party, mitigating the risk through implementing controls, and finally terminating the activity that is causing the risk. In the next screen, we will look at the negative risk treatment techniques.

2.71 Negative Risk Strategies

Common strategies for negative risks are:

• Risk avoidance or risk termination involves terminating the activity giving rise to the risk.
• Risk transference is shifting the impact of a risk event and ownership of the risk response to a third party.
• Risk mitigation or risk treatment involves reducing the probability or impact of a potential risk event to an acceptable level.
• Risk acceptance is accepting, actively or passively, the existence of a risk.
• Risk tolerance involves ignoring the risk, which is immaterial in nature, when the likely exposure and impact is small. But it is inadvisable otherwise.

Let us attempt a quick recall question in the next screen.

2.72 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at residual risk in the following screen.

2.73 Residual Risk

Let’s understand what residual risk means.

• Residual risk is the balance of risk remaining after identifying and controlling risks to the maximum extent.
• The cost of the residual risk’s impact is less than the cost of the controls.
• The residual risk must be within the enterprise’s risk appetite.
• The aim of information security is to bring residual risk within the enterprise’s risk appetite, not necessarily to zero.

Let us look at the acceptance of residual risk in the next screen.

2.74 Residual Risk (contd.)

For determining the level of compliance and priority within an enterprise, one should take into account the following while accepting residual risk:

• Regulatory and legal compliance
• Organization policy
• Sensitive information assets
• Accepting the level of impact
• Uncertainty in the risk assessment
• Cost-effectiveness of implementation

We will attempt a quick recall question in the next screen.

2.75 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at risk impact in the next screen.

2.76 Risk Impact

Impact of risk can be quantified in terms of financial loss by many commercial organizations. Financial loss could be due to the following:

• Loss of money
• Civil or criminal liability
• Reputational damage
• Share value fall
• Conflict of interest
• Loss of confidence
• Lost business opportunity
• Market share loss
• Operational efficiency loss
• Business activity interruption, and
• Noncompliance with laws and regulations

Let us look at legal and regulatory requirements in the next screen.

2.77 Legal and Regulatory Requirements

Regulatory and legal requirements should be considered in terms of risk and its impact. This assists in:

• Determining the level of compliance and priority within an enterprise
• Evaluating the risks posed by non-compliant areas of an enterprise, and
• Evaluating potential impact (financial and reputational damage) based on full compliance, partial compliance, and non-compliance.

Executive management determines the:

• Level, nature, and extent of compliance, and
• Choice of non-compliance versus full compliance

We will attempt a quick recall question in the next screen.

2.78 Knowledge Check

This question will help you to recall the concepts you learned. Let’s see the cost benefit analysis in the next screen.

2.79 Cost benefit analysis

Cost benefit analysis is initiated through the evaluation of:

• The value of the information assets that need protection
• The depreciation in value of information assets when they are compromised

Information about the consequences of the vulnerability should be explored before the strategy is decided. The criteria for deciding the strategies are:

• The value of the assets that the control is designed to protect
• The economic feasibility of implementing information security controls and safeguards

Let us look at the events affecting security baselines in the next screen.

2.80 Security Baseline Changes

Information security managers need to monitor and assess events that affect security baselines, which might affect the organization’s security program. Based on this assessment, the information security manager must determine if the organization’s security plans and test plans require modification. Security baselines may be modified for various reasons; for example:

• A vendor identifies that a parameter in its software or hardware must be changed to achieve the desired protection.
• An outside event requires increased baselines. For example, if there is a protest or other civil unrest near the organization’s facility, the baseline for physical security may need to be increased for a period of time until that threat passes.

2.81 Information Resource

Information resource valuation is carried out on completion of information asset inventory and information classification. The categories of typical information assets include:

• Proprietary information
• Trade secrets
• Patent information
• Personally identifiable information (PII), and
• Copyright information

Let us look at the asset evaluation in the next screen.

2.82 Information Resource

2.83 Information Asset

Companies normally do not have an accurate list of information assets. The reasons for this could be:

• Providing an exact value for known assets (example: trade secrets or PII) is difficult.
• Having an approach to prioritize efforts is more important than accuracy of information resource valuation. In addition,
• Values within the same order of magnitude as the actual loss are sufficient for planning purposes.

Let us look at information asset valuation in the next screen.

Organizations should be in a position to place a value on each of the information assets they own. Values could be based on the:

• Cost to acquire or create the asset
• Cost of recreating the asset or its recovery
• Cost of asset maintenance
• Worth of the asset to the enterprise
• Worth of the asset to the organization’s competitors

Let’s look at the asset valuation with consideration for potential loss in the next screen.

2.84 Potential Loss

Organizations must be able to calculate the potential loss that may occur from the exploitation of a vulnerability, based on the following questions:

• What loss could occur, and what financial impact would it have?
• What would it cost to recover from the attack, in addition to the financial impact of the damage? and
• What is the single loss expectancy for each risk?

Let us see the techniques used in information resource valuation in the next screen.

2.85 Techniques

Single loss expectancy (SLE) is the greatest likely loss from an attack. It is an estimate based on the asset value and the percentage of loss that would occur from the attack. SLE is the product of the asset value and the exposure factor, where the exposure factor is the loss, as a percentage, when a vulnerability is exploited. Annualized rate of occurrence (ARO) is the likelihood of an attack in a given time frame, annualized per year. Annualized loss expectancy (ALE) is the annual expected financial loss to an asset resulting from one specific threat. ALE is the product of SLE and ARO. We will attempt a quick recall question in the next screen.
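The SLE, ARO and ALE definitions above, together with the cost benefit criteria from screen 2.79 and the potential loss questions from screen 2.84, as an added example (not course or ISACA code): the formulas are applied to one asset, then two candidate controls are compared on the loss they avoid minus what they cost per year. The asset value, exposure factors, occurrence rate, control names and control costs are all constructed for illustration; the decision rule (pick the control with the highest positive net value, otherwise accept the risk) is this example’s assumption of how a manager would apply the text.

```python
"""Single loss expectancy, annualized rate of occurrence, annualized loss
expectancy, and the cost-benefit test for a proposed control.

Added example (not course material). The asset value, exposure factors,
occurrence rates and control costs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF is the fraction of value lost
    when the vulnerability is exploited, 0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(occurrences: float, years: float) -> float:
    """ARO: likelihood of the event in a year, from an observed or estimated
    count over a time frame (e.g. once in 4 years -> 0.25 per year)."""
    if years <= 0:
        raise ValueError("time frame must be positive")
    return occurrences / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected annual financial loss from one threat."""
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A proposed safeguard and the exposure and frequency it leaves behind."""
    name: str
    annual_cost: float            # cost of owning and operating the control per year
    residual_exposure_factor: float
    residual_aro: float


def control_net_value(asset_value, exposure_factor, aro, control: Control) -> float:
    """Cost-benefit of a control: (ALE before - ALE after) - annual control cost.
    Positive means the control is economically justified; negative means it
    costs more than the loss it avoids."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_exposure_factor),
        control.residual_aro)
    return (ale_before - ale_after) - control.annual_cost


def best_control(asset_value, exposure_factor, aro, controls) -> Optional[Control]:
    """Pick the control with the highest positive net value, or None if no
    control pays for itself (accepting the risk may then be the rational choice)."""
    ranked = sorted(controls,
                    key=lambda c: control_net_value(asset_value, exposure_factor, aro, c),
                    reverse=True)
    top = ranked[0]
    return top if control_net_value(asset_value, exposure_factor, aro, top) > 0 else None


# Constructed sample: a customer database worth 500,000; a breach is estimated
# to destroy 40 % of its value and to happen once every four years.
ASSET_VALUE = 500_000
EXPOSURE_FACTOR = 0.4
ARO = annualized_rate_of_occurrence(occurrences=1, years=4)   # 0.25

# Two hypothetical control options with constructed costs and residual figures.
CONTROLS = [
    Control("encryption + key management", annual_cost=20_000,
            residual_exposure_factor=0.1, residual_aro=0.1),
    Control("24x7 managed monitoring", annual_cost=60_000,
            residual_exposure_factor=0.3, residual_aro=0.05),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = {sle:,.0f}, ARO = {ARO}, ALE = {ale:,.0f}")
    for c in CONTROLS:
        net = control_net_value(ASSET_VALUE, EXPOSURE_FACTOR, ARO, c)
        print(f"{c.name}: net value {net:+,.0f}")
    choice = best_control(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CONTROLS)
    print("Recommended:", choice.name if choice else "accept the risk")
```

With these constructed figures the SLE is 200,000 and the ALE 50,000; the first control cuts ALE to 5,000 and is worth 25,000 a year net, while the second avoids 42,500 of loss but costs 60,000, so it fails the cost benefit test even though it reduces risk.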

2.86 Knowledge Check

This question will help you to recall the concepts you learned. Let us look at information classification in the next screen.

2.87 Information Classification

Information classification is carried out by the information owner after asset inventory. Classification categories must be comprehensive and mutually exclusive. Certain information, such as trade secrets and strategic information, could require an additional classification scheme depending on its role. Information classification ensures that:

• Information is appropriately protected against breaches of confidentiality, integrity, availability, and authentication; and
• The information assets are protected based on criticality, sensitivity, and value

2.88 Business Impact Analysis

Business impact analysis (BIA) is performed to identify the impact of adverse events through:

• Determining the current state of risk
• Potential impacts that threaten an organization
• Acceptable levels of response
• A framework for building resilience
• Capability for an effective response, and
• Safeguarding the interests of its key stakeholders, reputation, brand, and value-creating activities

We will look at impact analysis and risk assessment in the next screen.

2.89 Impact Analysis and Risk Assessment

Business Impact Analysis (BIA) is a process designed to prioritize essential business functions by assessing quantitative and qualitative impacts. It identifies:

• Resource dependencies
• Recovery Time Objectives (RTO)
• Recovery Point Objectives (RPO); and
• Gaps between function RTO and technical RPO

Let us now look at the Recovery Time Objective in the next screen.

2.90 Recovery Time Objective

Recovery Time Objective or RTO is the duration of time and a service level in which a business process should be restored after a disaster. This ensures that unacceptable consequences can be avoided. The recovery time objective is established by the process owner along with the business continuity planner and approved by senior management. It includes:

• Time for fixing the problem in the absence of a recovery
• Recovery, tests, user communication; and
• Decision time for the users’ representative

Let us learn about Recovery Point Objective in the next screen.

2.91 Recovery Point Objective

Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which the data must be recovered; anything beyond that is an "acceptable loss" in a disaster situation. For example: if a company’s RPO is 2 hours and it takes 5 hours to get the data back into production, the RPO is still 2 hours. Based on this RPO, the data must be restored to within 2 hours of the disaster. Let us attempt a quick recall question in the next screen.
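The RTO and RPO definitions from the last two screens, and the RTO/RPO gap that the BIA on screen 2.89 looks for, as an added example (not course or ISACA code): an incident timeline is checked against both objectives separately, and a backup schedule is checked for the worst-case data loss it can produce. The timeline (last backup, disaster, service restored), the 2 hour RPO and 4 hour RTO, and the rule that a backup’s recoverable point is when it started are all constructed assumptions of this example; the 2 hour RPO with a 5 hour restore mirrors the course’s own figures.

```python
"""Checking an incident timeline against Recovery Point Objective (RPO) and
Recovery Time Objective (RTO).

Added example (not course material). The incident timeline and backup
schedule below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryAssessment:
    data_loss_hours: float   # time between the last good backup and the disaster
    downtime_hours: float    # time between the disaster and restored service
    rpo_met: bool
    rto_met: bool
    rpo_gap_hours: float     # how far beyond the RPO the data loss went (0 if within)
    rto_gap_hours: float     # how far beyond the RTO the downtime went (0 if within)


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def assess_recovery(last_backup: datetime, disaster: datetime,
                    service_restored: datetime,
                    rpo_hours: float, rto_hours: float) -> RecoveryAssessment:
    """Compare what actually happened with the objectives the process owner set.

    RPO is measured backwards from the disaster to the last recoverable point;
    RTO is measured forwards from the disaster to the moment the process is
    usable again. The two are independent: a restore can meet RPO and still
    miss RTO (the course's 2 hour RPO / 5 hour restore example)."""
    if not last_backup <= disaster <= service_restored:
        raise ValueError("timeline must be backup <= disaster <= restored")
    data_loss = _hours(disaster - last_backup)
    downtime = _hours(service_restored - disaster)
    return RecoveryAssessment(
        data_loss_hours=data_loss,
        downtime_hours=downtime,
        rpo_met=data_loss <= rpo_hours,
        rto_met=downtime <= rto_hours,
        rpo_gap_hours=max(0.0, data_loss - rpo_hours),
        rto_gap_hours=max(0.0, downtime - rto_hours),
    )


def worst_case_data_loss(backup_interval_hours: float,
                         backup_duration_hours: float = 0.0) -> float:
    """Worst-case data loss for a periodic backup schedule.

    Assumes backups start every `backup_interval_hours` and that a backup's
    recoverable point is its start time (an interrupted, in-flight backup is
    unusable). A disaster just before the next backup completes therefore
    loses a whole interval plus the running backup's duration, not the
    half-interval an average-case estimate would suggest."""
    return backup_interval_hours + backup_duration_hours


def backup_interval_meets_rpo(backup_interval_hours: float, rpo_hours: float,
                              backup_duration_hours: float = 0.0) -> bool:
    """True if the schedule's worst case stays within the RPO."""
    return worst_case_data_loss(backup_interval_hours, backup_duration_hours) <= rpo_hours


# Constructed incident timeline: RPO 2 h, RTO 4 h.
LAST_BACKUP = datetime(2024, 3, 1, 9, 0)
DISASTER = datetime(2024, 3, 1, 10, 30)
RESTORED = datetime(2024, 3, 1, 15, 30)   # 5 hours after the disaster

if __name__ == "__main__":
    result = assess_recovery(LAST_BACKUP, DISASTER, RESTORED, rpo_hours=2, rto_hours=4)
    print(result)
    print("Hourly backups meet a 2 h RPO:", backup_interval_meets_rpo(1, 2))
    print("4-hourly backups meet a 2 h RPO:", backup_interval_meets_rpo(4, 2))
```

Here the restore recovers data to 1.5 hours before the disaster, inside the 2 hour RPO, yet the process is down for 5 hours against a 4 hour RTO: the RPO is met and the RTO is missed by an hour, which is exactly the kind of gap between the function’s objective and the technical capability that a BIA should surface before the disaster rather than after it.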

2.92 Knowledge Check

This question will help you to recall the concepts you learned. In the following screen, we will understand the integration with life cycle processes.

2.93 Integration with Life Cycle processes

The information security manager should ensure that risk management is integrated into life cycle processes. This involves ensuring that risk identification, analysis, and mitigation are integrated into the change management process. By integrating risk identification, analysis, and mitigation activities into change management (life cycle processes):

• The information security manager can ensure that critical information resources are adequately protected. This is a proactive approach, enabling the information security manager to better plan and implement security policies and procedures in alignment with the business goals and objectives of the organization.
• This includes, for example, ensuring that risk management is a component of the System Development Life Cycle (SDLC) in the following stages:
  • Initiation
  • Development
  • Implementation
  • Operation
  • Disposal

We will look at security control baseline in the next screen.

2.94 Security Control Baseline

• The information security manager is responsible for implementing the security baselines. Implementing baselines for security processes sets the minimum security requirements throughout the organization so they are consistent with acceptable risk levels.
• Regular evaluation of baselines is necessary due to the dynamic nature of IT hardware and software as well as external factors such as changing geopolitical risk, emerging regulatory requirements, or volatility in financial markets.
• To establish control baselines, security managers can refer to many of the published standards that may be implemented within the organization.
• Setting security baselines for an organization’s operational enterprise has a number of benefits, such as:
  • It standardizes the minimum amount of security measures that must be employed throughout the organization; this results in positive benefits for risk management.
  • Secondly, it provides a convenient point of reference to measure changes to security and identify corresponding effects on risk.
• Controls suitable for the organization must be developed based on a variety of factors such as:
  • Organization structure
  • Risk tolerance, and
  • Culture

We will attempt a quick recall question in the next screen.

2.95 Knowledge Check

This question will help you to recall the concepts you learned. We will look at risk monitoring and communication in the next screen.

2.96 Risk Monitoring and Communication

A successful risk management program requires continuous monitoring of:

• Risks, and
• The risk management program and its capabilities

Communication channels must allow the information security manager to:

• Report and disseminate information, and
• Receive information about risk-related activities.

We will look at training and awareness in the next screen.

2.97 Training and Awareness

End-user information security training should include, among other things, sessions on:

• The importance of adhering to the security policies, standards, and procedures of the enterprise
• How to react in emergency events
• The significance of logical access in an IT environment
• Confidentiality and privacy requirements
• Identifying security incidents and reporting them
• Understanding social engineering and how to respond to it

2.98 Case Study One

To understand the key concepts of Information Risks Management and Compliance, consider this case. A global 100 US company noted evidence of non-compliance with its policies by its vendor through an internal audit review. The company initiated a process of ensuring that the policies would be followed by the business partner. An external consultant was engaged to determine the full extent of the non-compliance. The consultant noted that the contract process was devoid of controls and that many agreements were outside the agreed policies and standards. As a result, the company was able to institute efficient and effective controls around its contract processes and to refresh its contract master list. Let us look at another case study in the next screen.

2.99 Case Study Two

An investment bank with more than 60,000 employees was unsure of the barriers between its investment decisions and how they complied with the regulatory authority. The investment bank was also unsure of how it could prevent leakage of sensitive customer information. The company was faced with various questions which were addressed in the following ways:

• To protect customer data in computers, laptops, and mobile devices, the company defined data protection policies that could be monitored and enforced centrally
• To ensure employees could not disclose unpublished research, the CIO established barriers to unpublished information, and employees within the research and development department were required to sign non-disclosure agreements
• To protect customers’ confidential information from unauthorized or accidental disclosure, the information security manager ensured that access to confidential information was restricted
• To ensure that confidential pieces of information were hidden before distribution, the information security manager introduced an application that automated the hiding and removal of confidential information prior to distribution
• To restrict use of removable media within the organization, the information security manager introduced a whitelist of devices to be used within the organization

Let us have a quick recap of what we have learned in the next screen.

2.100 Quiz

The quiz will help you to check your understanding of the concepts covered.

2.101 Summary

Here is a quick recap of what we have learned:

• Risk management is the process concerned with identification, control, minimization, and measurement of information security risks to a level within the assets being protected
• The risk management cycle consists of identifying the risk areas, assessing the risks, developing a risk management plan, implementing risk management actions, and re-evaluating the risks.
• Risk management strategies are affected by internal and external factors.
• Concepts that the information security manager must know include impact, controls, RTOs, RPOs, SDOs and AIW.
• Defining a risk management framework based on an internationally recognized reference model.
• Recognizing that the risk management context should always strike a balance between costs and benefits.
• A periodic review of the gap between controls implemented and control objectives to ensure they always fall within the organization’s risk appetite.

Let us continue with the recap in the next screen.

2.102 Summary (contd.)

• The information security manager should seek other industry services, such as security networking roundtables, that provide an update on any emerging issues in information security.
• Risk analysis involves examining reports and information and identifying and analyzing probable threats to an organization.
• Aggregated risk is when threats affect a large number of minor vulnerabilities, while cascading risk is when threats create a “chain reaction” of unacceptable impacts.
• Residual risk is the balance of risk remaining after identifying and controlling risks to the maximum extent.
• Information resource valuation is carried out on completion of information asset inventory and information classification.
• Single Loss Expectancy is the value associated with the greatest likely loss from an attack, while Annualized Rate of Occurrence is the likelihood of an attack within a specific time, extrapolated for a whole year.

Let us continue with the recap in the next screen.

2.103 Summary (contd.)

• Information classification is carried out by the information owner after asset inventory. Classification categories must be comprehensive and mutually exclusive. Certain information could require an additional classification scheme depending on its role.
• Business Impact Analysis (BIA) is a process designed to prioritize essential business functions by assessing quantitative and qualitative impacts.
• The Recovery Time Objective is the duration of time and a service level in which a business process should be restored after a disaster. This ensures that unacceptable consequences can be avoided.
• Recovery Point Objective describes the acceptable amount of data loss measured in time.
• The information security manager should ensure that risk management is integrated into life cycle processes. This involves ensuring that risk identification, analysis, and mitigation are integrated into the change management process.
• A successful risk management program requires continuous monitoring of risks and of the risk management program and its capabilities.

2.104 Conclude

This concludes the domain on Information Risk Management and Compliance. The next domain will focus on Information Security Program Development and Management.
