CISM Chapter 2 – Information Risk Management (IRM)

IRM accounts for 22 percent of the CISM exam or about 44 questions.  In 2010, ISACA reorganized the CISM Review Manual and separated each chapter into two major sections.  Section 1 of each chapter contains the definitions and objectives with the corresponding tasks and knowledge statements that are test on the exam.  Section 2 contains reference material and content that supports the knowledge statements and is pertinent for CISM candidates’ knowledge and/or understanding when preparing for the exam.

There are seven (7) task statements for IRM and 14 knowledge statements.  The seven task statements are:

  1. Establish a process for information asset classification and ownership.
  2. Implement a systematic and structured information risk assessment process.
  3. Ensure that business impact assessments are conducted periodically.
  4. Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
  5. Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
  6. Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., project management, development, procurement and employment life cycles).
  7. Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.

There are several “Suggested Resources” in Chapter 2.  Of the seven listed, there are five which you should have in your personal library — and should have read — as several questions on the exam comes from this material.  The five specific ones are:

  1. ISACA; Implementing and Continually Improving IT Governance, USA, 2009
  2. Jaquith, Andrew; Security Metrics, Addison Wesley, USA, 2007
  3. Killmeyer, Jan; Information Security Architecture: An Integrated Approach to Security in the Organization, 2nd Edition, Auerbach Publications, USA, 2006
  4. Peltier, Thomas R.; Information Security Risk Analysis, 2nd Edition, Auerbach Publications, USA, 2005
  5. Van Grembergen, Wim; Steven De Haes; Measuring and Demonstrating the Value of IT, IT Governance Institute, USA, 2005

In IRM there are three approaches to performing a risk assessment;

  1. Quantitative,
  2. Qualitative and
  3. Semiquantitative

In IRM there are also six outcomes to effective risk management;

  1. Understanding the threat, vulnerability and risk profile,
  2. Understanding the risk exposure and potential consequences of compromise,
  3. Awareness of risk management priorities,
  4. Organizational risk mitigation strategy,
  5. Organizational acceptance/deference and
  6. Measurable evidence that IRM resources are used appropriately.

You will need to know what the organizations risk management strategy is and how that relates to IT.  And in order for the risk management strategy to be effective as mentioned in Number Three above, the organization needs to be aware of management’s priorities regarding risk

In order for Information Security Risk Management to be effective there has to be a defined risk management program which covers five areas:

  1. What is the context and purpose of the IRM program?
  2. The IRM’s scope and charter need to be defined.
  3. Clear objectives and priorities for the IRM need to be established.
  4. The methodology that the organization is going to follow has to be defined.
  5. Who’s going to do IRM, who’s going to be on the team?

In addition to the aforementioned five areas clear roles and responsibilities need to be defined and included in the person’s job description.  NIST SP 800-30 has a very good description for the key roles of the personnel who must support and participate in the risk management process.  Pay particular attention to the Information Security Manager’s role and Senior Management’s role.

There are several IRM concepts that you will need to memorize.  Things like threats, vulnerabilities, exposures, impact, recovery time objective (RTO), recovery point objective (RPO), service delivery objectives (SDOs), and acceptable interruption window (AIW).  All of these are defined in detail in the 2011 CISM review manual, which you should get a copy of, then get a highlighter and some post-it flags and find, highlight, and flag the definitions.

When implementing IRM there are several basic steps.  You need to establish the scope and boundaries, then do a risk assessment, then come up with a risk treatment plan that reduces risk to an acceptable level (That’s a test question, by the way.), accept the residual risk (Who does this is another T.Q.) and then communicate the IRM plan and monitor to see if the controls are actually working (Which is another T.Q.).

There is no right or wrong approach for selecting a methodology and then conducting a risk assessment.  It is an iterative process which begins with asset valuation (AV) moves on to vulnerability and threat assessment, then once that is done assesses the risk, determines which controls to implement; then determines residual risk and monitors the controls and reports to management as to whether the controls are working or not (This is twice you’ve heard this. That’s a hint you might see this again).

While I just said there’s no right or wrong way to do a risk assessment, ISACA wants you to be intimately familiar with the NIST SP 800-30 approach

Memorize this:

Once you’ve finished the risk assessment, you have the option of doing either AVOID the risk, MITIGATE the risk, TRANSFER the risk, or ACCEPT the risk.  Another one of those “memory” things.

Controls fit into several different categories, such as; preventive, detective, corrective, compensating, and deterrent.  The CISM manual in Exhibit 2.14 on page 112 has a very good diagram of control types and effects.

How much value you place on your information resource will determine how much you spend on protecting that resource.  There are a number of financial formulas like net present value (NPV) and return on security investment (ROSI) which the accountants will want you to understand when determining information resource value.  What ISACA is looking for is to determine if you understand the impact associated with loss of integrity, loss of availability, and loss of confidentiality and how you might measure those losses.

Recovery time objectives also include recovery point objectives, service delivery objectives and acceptable interruption window.  For RTO you need to understand that the breakeven point is where the impact of the disruption begins to be greater than the cost of recovery.  RPO is based entirely on the acceptable loss of data.  SDOs are defined as the minimal level of service that must be restored after an event to meet business requirements until normal operations can be resumed, and AIW defines the maximum amount of time that service can be interrupted.  All of these go into determining what controls will be utilized to mitigate the risk of loss of availability, confidentiality and integrity.

It’s basic and often overlooked but IRM should be integrated into the organization’s system development life cycle, from project initiation to project disposal.

Setting security control baselines allows you to measure how effective your IRM program is.  As an example, if you set a baseline for patch management processes, you can then measure to see if patches were applied in a timely manner; you can determine the cost associated with applying a patch in terms of man-hour effort; and you can then report to management the risks associated with not following the baseline, say by delaying the patches to monthly from weekly.  Say it costs $1,000 per week to apply patches to the servers and you opt to change that to monthly thereby saving $3,000 in man-hour cost.  The risk of a vulnerability being exploited because a critical system was not patched in a timely manner could be established at P = 0.6 and breach cost being $1,000,000 for monthly patching as opposed to P = 0.1 and breach cost being $1,000,000 for weekly patching.  So in essence there is a 60% probability equating to a $600,000 expense versus a 10% probability equating to a $100,000 expense for spending $3,000 to keep the systems patched on a timely basis.  If I were management (and I realize the logic may be flawed) but I’ll spend the $3,000 and reduce my probability to 0.1.  You will too if you want the right answer to that type of question.

If you do risk monitoring and communication effectively and on a regular basis, management will begin to see the return on security investment (ROSI) and will have less problem approving expenditure requests for additional controls.  Remember management is not interested in the minute technical details, so keep the reports at a high level, as in a “Balanced Scorecard” report.

Two final items both of which deserve some space.  First, training and awareness and then documentation.  Everyone who is associated with the IRM program needs to have some training so they understand how to do their job and what is expected of them.  And of course, different levels of staff will require different levels of training.

Finally, if it isn’t written down, it doesn’t exist.  Everything you do in IRM must be documented.  Simple things like keeping a Risk Registry or a Controls Registry as well as the annual statement to management on the current state of risk needs to be documented.  Of particular note, is that in some circumstances (think SOX), a compliance and due diligence statement may be required to ensure that managers formally acknowledge their responsibility to comply with risk management policies and procedures.

To review the other CISM Domains, you can find links to those reviews here.