CRISC Domain 2: IT Risk Assessment

March 21, 2018 by Daniel Brecht

Connecting to cyberspace offers convenience and opportunities for companies but also exposes them to risks. Fortunately, there are procedures that can be followed in order to protect data and assets. A two-step process comprising risk identification and risk assessment techniques can be used to recognize the types of dangers that can affect organizations and to evaluate the events, cyber issues and vulnerabilities that are unique to their situation.

Why care about IT-related risk? As hackers and attackers fine-tune their skills, and as technical advances help them breach more computer networks and target critical infrastructure, whether business operations or individuals' devices, companies need to find ways to protect their assets not only by responding to offences but also by preventing them or mitigating their effects. Companies can do this before becoming the target of a cyber-security incident by acknowledging the possible threats beforehand and putting in place actionable steps to enhance security. Employing professionals with the right skills is paramount, and employers rightly look for individuals who can prove they have up-to-date knowledge and skills for the role.

What is an IT Risk Assessment?

In the fight against network breaches and information compromises, it is important for companies to identify, address and manage potential cyber-security issues through IT risk assessments, which allow them to prevent malicious attacks that could lead to network damage or loss of data privacy. A risk assessment gives better insight into how resilient the IT infrastructure is and whether there are flaws in the company's security posture, thanks to toolsets suited to performing a thorough analysis.

During the risk assessment, professionals identify the possible risks to which the organization is prone, whether environmental or man-made. That is not enough, though: in order to decide whether it is worth investing resources in the mitigation or eradication of each risk, all of them are evaluated for their likelihood of occurrence and their possible impact on the business, and the worst-case scenarios are reviewed. In a perfect world, companies would have unlimited resources to address every issue and risk found, but in reality budget constraints have to be respected, and a thorough risk assessment and analysis helps ensure the best use of the available resources. This exercise can also surface other issues and indispensable steps the company needs to take. Identifying the possible risks can prompt a revision of the procedures and policies in place in order to reduce their likelihood. It can prompt a close look at data retention and destruction rules, at the effectiveness and reliability of the incident plans in place, and at the response to the scenarios identified; it can then even help decide whether insurance is needed or whether the current policy is insufficient.

The Benefits of CRISC

Professionals who are Certified in Risk and Information Systems Control (CRISC) have the knowledge and skills required to recognize business risks and neutralize them; they are able to apply tools and logical reasoning to ensure that risks are managed by the relevant IS controls, and they can convey an understanding of the impact of IT threats and how they relate to the company's environment, allowing management to look at implementing cyber security in new ways.

Why become a CRISC? To “defend, protect and future-proof [an] enterprise,” says ISACA, which goes on to state that “CRISC is the only certification that prepares and enables IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise.” There's no better time to get a CRISC.

Launched in 2010 by ISACA, the CRISC certification is internationally recognized and held by thousands of IT professionals worldwide who identify and manage risks through the development, implementation and maintenance of information systems controls.

Who can benefit from becoming a CRISC? Certainly IT risk management professionals and control and assurance practitioners, but also CIOs and CISOs, chief compliance, risk or privacy officers, business analysts and even executives such as CEOs and CFOs. These are some of the job roles associated with a CRISC qualification.

To become a CRISC, one must be familiar with the job practice areas that serve as the basis for the exam, each with a different applied weight. The requirements to earn the certification are currently covered through four domains (reduced from five, effective 2015):

  • Domain 1 covers the identification of IT risk and a strategy that supports business objectives in line with the enterprise risk management (ERM) strategy.
  • Domain 2 covers the analysis of risks, as well as the evaluation of their likelihood and impact on the organization.
  • Domain 3 covers the possible ways a company can address risks in accordance with its business objectives.
  • Domain 4 covers the monitoring and reporting functions to stakeholders, so that risk management strategies stay aligned with business objectives.

Candidates have four hours to answer 150 questions in a computer-based testing session. (Note: the examination is only available during three testing windows per year.) To earn the CRISC credential, however, applicants must both pass the exam and have at least three years of relevant work experience. For recertification, professionals are required to attain at least 20 CPE hours per year and 120 CPE hours every three years.

When ready to earn this credential, candidates can count on several available textbooks and training courses, including the CRISC ‘Boot Camp’ course, a valuable tool for preparing for and passing the exam.

Risk Assessment in the CRISC Exam

Risk assessment is covered in the second domain of the CRISC certification test, with a knowledge weight of 28%, the largest share of questions in the exam. This domain is important because it covers a key component of any risk management effort: the assessment that allows one to ascertain which of the identified risks pose a real problem to the organization and which are worth addressing in depth. “Risk scenarios are analyzed against the characteristics of the organization, its structure, infrastructure and policies. It also covers how to test current controls and effectively communicate the results of the assessment to management and other stakeholders.”

To effectively complete an IT Risk Assessment, a CRISC must…

  • 1 – Analyze risk scenarios
  • 2 – Identify the current state of existing IS controls
  • 3 – Assess any gaps between current and desired states of the IT risk environment
  • 4 – Ensure accountability by ensuring the correct risk ownership is assigned
  • 5 – Communicate results of the IT risk assessment to senior managers to enable risk-based decision making
  • 6 – Update the risk register for easy re-evaluation of any residual risks

As stated by ISACA, “CRISC is the most current and rigorous assessment available to evaluate the risk management proficiency of IT professionals…”

What Risk Assessment Standards, Frameworks and Techniques are Covered?

A CRISC professional needs to be aware of all major risk assessment standards, frameworks and techniques (e.g., trend analysis, modeling) in order to determine a course of action that will bring risk to an acceptable level.

Questions on the CRISC exam revolve around international standards and best practices for risk management, such as ISO/IEC 27005:2011 or ISACA's Risk IT, which aligns with the major ERM frameworks and promotes assessment methods, roles and responsibilities, tools and techniques to be used across the enterprise; in Risk IT, risk assessment information is found in the Risk Evaluation step.

The exam can also cover frameworks such as NIST SP 800-30 (Guide for Conducting Risk Assessments), part of the NIST Risk Management Framework, the different OCTAVE methodologies (which make use of workgroups) and FAIR.

The techniques covered in the exam are varied and can be found in most frameworks; they range from collecting data through interviews and observation of systems and assets in operation, to reviews of documentation and testing of processes. Students should also be familiar with the differences between quantitative (based on a numerical scale) and qualitative (low, medium, high…) risk analysis.
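The six assessment steps listed above and the quantitative/qualitative distinction can be seen together in a small risk-register calculation. This is an added illustration, not ISACA's or the author's material: the scenarios, asset values, rates and the risk appetite are constructed sample inputs, and the band thresholds are an assumed convention.

```python
"""Risk register: inherent vs. residual annualized loss expectancy (ALE),
a qualitative band derived from it, control gaps and risk owners."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    owner: str                    # accountable risk owner (step 4)
    asset_value: float            # value of the asset at risk
    exposure_factor: float        # fraction of the asset lost per event (0..1)
    aro: float                    # annualized rate of occurrence (events/year)
    control_effectiveness: float  # current control state, 0 (none) .. 1 (full)
    target_effectiveness: float   # desired control state (step 3)


def single_loss_expectancy(s: Scenario) -> float:
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """Inherent (pre-control) quantitative risk: SLE x ARO."""
    return single_loss_expectancy(s) * s.aro


def residual_ale(s: Scenario) -> float:
    """Residual risk after the current controls (step 6 tracks this)."""
    return annualized_loss_expectancy(s) * (1 - s.control_effectiveness)


def qualitative_band(ale: float, appetite: float) -> str:
    """Assumed convention mapping a quantitative ALE to a reporting band."""
    if ale > appetite:
        return "High"
    return "Medium" if ale > appetite / 4 else "Low"


def assess(scenarios: list, appetite: float) -> list:
    """Build the register rows management sees (step 5), worst risk first."""
    rows = []
    for s in scenarios:
        res = residual_ale(s)
        rows.append({"scenario": s.name, "owner": s.owner,
                     "inherent_ale": round(annualized_loss_expectancy(s), 2),
                     "residual_ale": round(res, 2),
                     "rating": qualitative_band(res, appetite),
                     "control_gap": round(s.target_effectiveness - s.control_effectiveness, 2),
                     "within_appetite": res <= appetite})
    return sorted(rows, key=lambda r: r["residual_ale"], reverse=True)


RISK_APPETITE = 25_000.0  # constructed: max residual ALE the business accepts
SAMPLE = [  # constructed sample scenarios
    Scenario("Ransomware on file server", "Head of IT", 500_000, 0.4, 0.5, 0.5, 0.8),
    Scenario("Lost unencrypted laptop", "HR Director", 20_000, 1.0, 2.0, 0.9, 0.9),
    Scenario("Data center flood", "Facilities", 2_000_000, 0.1, 0.02, 0.0, 0.5),
]
```

Running `assess(SAMPLE, RISK_APPETITE)` ranks the ransomware scenario first as "High" with a 0.3 control gap, while the other two fall within appetite as "Low".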

What Capability Assessment Models, Improvement Techniques & Strategies are Studied?

IT risk management requires continuous improvement because new threats create ever-changing scenarios. This dynamic situation calls for an ongoing process that takes into consideration any changes made to the IT environment, procedures and regulations.

A CRISC is knowledgeable about capability assessment models and improvement techniques and strategies, such as COBIT (Control Objectives for Information and Related Technologies), which supports risk management and governance. They also need to be aware of the integration of the Risk IT and Val IT process models.

What Control Assessment Types are Tested?

Vulnerability assessments and penetration tests are two strategies that help identify cyber-security risks and help CRISC professionals check whether IS controls are effective and producing the desired result. The exam also covers audits, self-assessment tools and techniques, and the role of third-party assurance.

What Risk Events / Incident Concepts are Explored?

Candidates need to know all elements of risk, from the impact on assets to probability, mitigation and the company's vulnerability to threats. In addition, they need to be able to consider possible sources of threats, the probability of their success, contributing factors and predisposing conditions, as well as mitigation effectiveness, and to identify meaningful lessons learned from previous incidents. They also need to be able to assess the likelihood (or frequency) and magnitude of loss, which can be derived from knowledge of the assets, threats and control conditions present in an organization.

Furthermore, professionals who are Certified in Risk and Information Systems Control need to understand the what, when and how of an IT risk assessment, and be able to assess and advise on the control decisions appropriate to the risk factors of each organization, since these differ by industry and by “risk scenario.” They must therefore take into consideration the organizational criteria (e.g., organizational structure, policies, standards, technology, architecture, controls) uncovered through a thorough preliminary analysis.


The way forward in cyber security begins with professionals able to help companies identify the risk scenarios in which they operate. CRISC practitioners are capable of performing rigorous assessments to evaluate an organization's risk management proficiency by applying the concepts of “risk,” “threats” and “vulnerabilities,” and can help a company's management make the right, budget-conscious decisions to maintain the security of its data and assets.

Therefore, it is more important than ever that organizations develop, recruit and retain risk-management-proficient IT practitioners who have the knowledge and hands-on experience to identify entity-specific threats through risk identification, assessment and evaluation, and who can effectively manage IT assets through their ability to design, implement, monitor and maintain IS controls. ISACA credential holders can demonstrate just that, as the test covers all the main aspects of the knowledge professionals of this type need in order to excel in the field. In short, achieving CRISC certification validates that a professional has the know-how and expertise to help companies understand business risk.




Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.
