CRISC Domain 1: IT Risk Identification
The CRISC Exam consists of 4 domains, and this writing focuses on the first one.
Often regarded as an adverse event, a risk is the likelihood that an event will happen, together with its consequences. A risk thrives on cybersecurity vulnerabilities, on exploits, and on their ability to impact assets. Identifying risks involves not only imminent threats but also the mere opportunities for risks to become realized security threats.
Risk identification is a process that aims to identify all risk events in the project. It is an integral part of the risk management life cycle and the first of the four processes in that cycle. It is also a process for discovering and documenting the risks that exist in a corporate environment.
Within the context of CRISC, identifying risk might mean:
- Evaluate the IT assets
- Determine the threats the IT assets are subject to
- Identify the vulnerabilities associated with these assets
- Map and document security controls in place at the moment
- Interpret the risks and vulnerabilities, and realize the consequences
In effect, identifying potential threats and vulnerabilities that are invariably connected to business, supporting processes, and associated data will contribute to the accurate evaluation of enterprise risk. Therefore, in addition to creating the risk management plan, risk planning determines how risks will be identified, analyzed, monitored, controlled, and mitigated.
Risk identification as a Process
First, one should collect information from every source, even hard-copy documents (see Risk Register). This is necessary because all risk scenarios must be identified.
Second, it is also advisable to identify legal and regulatory requirements, along with contractual requirements, organizational policies, and standards related to IT systems. Doing so makes it possible to determine the impact of these components on the business objectives.
Risk Register (Where to look for risks)
The risk register serves as a main point of reference for every risk-related action (for example, risk prioritization and response). A security expert should be able to trace and subsequently document all identified risks. The creation of an IT risk register will itemize each risk found.
The search for potential threats and vulnerabilities should not be limited to the IT infrastructure. Its scope should be broad enough to include all people and processes directly or indirectly associated with IT assets. Usual places to look when identifying risks are: audit reports, incident management, public media, annual reports, press releases, vulnerability assessments / penetration tests, business continuity / disaster recovery plans, interviews and workshops, and threat intelligence services.
There are 3 methods to identify risk:
1) Historical – it is contingent on lessons learned from past incidents.
2) Systematic – this approach is typically based on expert opinion. The goal is to inspect the entire array of business processes so that possible points of failure, if there are any, come to the surface.
3) Inductive (Theoretical) analysis – this approach uses a new technology or process review to spot attack vectors.
Key Risk Indicators (KRIs)
Various methods can be used during risk identification, one of which is finding Key Risk Indicators. KRIs are indicators of risk that function as an early warning system: they make decision-makers aware that a high risk is emerging, so that they can take proactive steps early on to counter the identified potential risk before it actually turns into a loss. Hence, within the context of risk identification, KRIs have a pre-emptive monitoring function.
Once the KRI set is complete, it initiates a balancing exercise between indicators for risk, root causes, and business impact in order to indicate the risk and predict its impact in the most precise way.
It should be noted that KRIs are the prime monitoring indicators at the disposal of the enterprise, since they are best at both indicating and predicting risks. In addition, KRIs can help decision-makers avoid relying on a large number of risk indicators that may lead to confusing results.
Some important types of risks:
– systemic risks – they affect an important business partner, but at the same time happen to a substantial group of organizations within a sector or industry (for instance, an 8-hour air traffic control computer outage will disrupt air traffic on a very large scale)
– contagious risks – they occur in a short span of time and at the same time affect a business partner’s enterprise
– operational risks – these risks happen during the organization’s regular, day-to-day operations or internal events, as a result of a failure associated with processes, people or technologies
– reporting risks – perhaps self-explanatory, these are the direct consequence of inaccurate reporting, which in turn misleads decision-makers
With regard to IT risk scenarios, what will help to establish accountability is identifying key stakeholders. If a security specialist designs various IT risk scenarios based on all available information, he will be able to determine the level of potential influence on business objectives and activities. In essence, identifying the type and severity of IT risk contributes to the fulfillment of a company’s IT risk management program, which in turn facilitates business objectives and acts in alignment with the enterprise risk management strategy (i.e., ERM strategy). An actual alignment with business objectives may become reality, however, after key stakeholders and senior leadership manage to identify risk appetite and tolerance (through metric setting).
Exercise: Match the sentence halves
| Match this half | with its corresponding half here |
|---|---|
| 1. Risk Register | …function as an early warning system |
| 2. Identify risk appetite and tolerance defined by senior leadership and key stakeholders | …uses a new technology or process review to spot attack vectors |
| 3. Operational Risks | …is the likelihood of an event happening, along with its consequences |
| 4. KRIs are indicators of risk that | …serves as a main point of reference for every risk-related action |
| 5. Identifying risks | …occur during the regular, day-to-day operations or internal events |
| 6. Inductive (Theoretical) analysis | …to ensure alignment with business objectives |
| 7. In the context of this writing, a risk | …include imminent threats and opportunities for risks to become realized security threats |
- Risk Register serves as a main point of reference for every risk-related action.
- Identifying risk appetite and tolerance defined by senior leadership and key stakeholders ensures alignment with business objectives.
- Operational risks occur during the regular, day-to-day operations or internal events.
- KRIs are indicators of risk that function as an early warning system.
- Identifying risks includes imminent threats and opportunities for risks to become realized security threats.
- Inductive (Theoretical) analysis is the likelihood of an event happening, along with its consequences.
- In the context of this writing, a risk uses a new technology or process review to spot attack vectors.