Pages: 204
Published: 2015
Publisher: ISACA
Format: Softcover
ISBN-13: 978-1604203714
quizlet.com/42706262/
Mirosław Dąbrowski
Agile Coach, Trainer, Consultant
(former JEE/PHP developer, UX/UI designer, BA/SA)
Creator
linkedin.com/in/miroslawdabrowski
google.com/+miroslawdabrowski
twitter.com/mirodabrowski
miroslaw_dabrowski
Writer / Translator
Trainer / Coach
English speaking, international, independent trainer and coach from multiple domains.
Master Lead Trainer
11+ years in training and coaching / 15.000+ hours
100+ certifications
5000+ people trained and coached
25+ trainers trained and coached
linkedin.com/in/miroslawdabrowski
PM / IT architect
Notable clients
Accreditations/certifications (selected): CISA, CISM, CRISC, CASP, Security+, Project+, Network+, Server+, Approved
Trainer: (MoP, MSP, PRINCE2, PRINCE2 Agile, M_o_R, MoV, P3O, ITIL Expert, RESILIA), ASL2, BiSL, Change Management,
Facilitation, Managing Benefits, COBIT5, TOGAF 8/9L2, OBASHI, CAPM, PSM I, SDC, SMC, ESMC, SPOC, AEC, DSDM Atern,
DSDM Agile Professional, DSDM Agile Trainer-Coach, AgilePM, OCUP Advanced, SCWCD, SCBCD, SCDJWS, SCMAD, ZCE 5.0,
ZCE 5.3, MCT, MCP, MCITP, MCSE-S, MCSA-S, MCS, MCSA, ISTQB, IQBBA, REQB, CIW Web Design / Web Development /
Web Security Professional, Playing Lean Facilitator, DISC D3 Consultant, SDI Facilitator, Certified Trainer Apollo 13 ITSM
Simulation
www.miroslawdabrowski.com
Domain 1 - Risk Identification
Domain 2 - Risk Assessment
Domain 3 - Risk Response and Mitigation
Domain 4 - Risk and Control Monitoring and Reporting
[Diagram: relationships between the four domains. Domain 1 (Risk Identification) "provides input into" Domain 2 (Risk Assessment); the label "is a subset of" sits between Domain 2 and Domain 3 (Risk Response and Mitigation); Domain 4 is Risk and Control Monitoring and Reporting.]
Must: ISACA CRISC official glossary; ISACA CRISC Item Development Guide; ISACA CRISC QAE Item Development Guide; ISACA Risk IT Framework
Should: ISACA CRISC Review Manual; ISACA The Risk IT Practitioner Guide
Could: COBIT 5 main publication / COBIT 5 for Risk / COBIT 5 for Information Security
M01 - Overview of the CRISC certification
Learning objectives
Domain 1 - CRISC exam relevance
Module agenda
Risk Capacity:
Risk Tolerance:
Risk Appetite:
https://www.youtube.com/watch?v=bFtGogUiCXI
Risk Culture (three dimensions of behaviour):
- Behaviour towards taking risk: Aggressive Risk Taking vs Conservative Risk Taking
- Behaviour towards negative outcomes: Blaming Culture vs Learning Culture
- Behaviour towards policy compliance: Compliance vs Non compliance
is a series of behaviours
part of the business
- Clarity: e.g. use plain language (language clarity); logically ordered and easy to navigate (structural clarity / logic flow); highlight important information; explain complex information in plain language
- Conciseness: e.g. a concise document is a piece of writing that conveys only the needed material
- Coherence: e.g. at the paragraph level, coherence is achieved by organizing material into a topic sentence and supporting sentences
- Audience: e.g. aimed at the correct audience based on their level of knowledge and the format of the report
Loss of revenue
Loss of sensitive information and data
Loss of reputation / brand visibility / brand image
Loss of public confidence
Loss of SLA / OLA service levels
Level of effort (LOE) to correct problems caused by threat actions
Loss of credibility
Damage to the enterprise's interests
System repair costs
Premise
Most business processes are dependent on working information systems
Automated controls require business processes to utilize information systems
Mutual
event occurs?
Enterprise Risk categories: Strategic Risk, Environment Risk, Market Risk, Credit Risk, Operational Risk, Compliance Risk
IT-related Risk categories: IT Benefit / Value Enablement Risk, IT Programme and Project Delivery Risk, IT Operations and Service Delivery Risk
The Open Group, Risk Taxonomy Standard v2.0 (O-RT). The objective of the Risk Taxonomy (O-RT) Standard is to provide a single logical and rational taxonomical framework for anyone who needs to understand and / or analyze information security risk.
M02 - Domain 1 - IT Risk Identification
Examples: each IT-related risk category (IT Benefit / Value Enablement; IT Programme and Project Delivery; IT Operations and Service Delivery) can cause the enterprise to Gain, Lose or Maintain Business Value.
2. Analyze Risk
3. Maintain Risk Profile
Risk scenario components:
1. Threat Actor
2. Threat Type
3. Event
4. Asset / Resource
5. Time / Timing Dimension
[Diagram: Risk Scenario at the centre, linked to Threat Actor, Threat Type, Event, Asset / Resource and Time.]
- Threat Actor: generates the threat; is a source of threat
- Threat actors can be human or non-human
- Not every threat requires a threat actor
Examples
[Chart: sources of security incidents, 2007 vs 2008 (The Global State of Information Security 2008, CSO Online). Categories: Unknown, Employees, Hackers, Former employees, Business partner, Customer, Other, Terrorist / foreign government, N/A. Percentages as extracted, in order: 48%, 41%, 21%, 19%, 9%, 20%, 6%; 42%, 34%, 28%, 16%, 15%, 8%, 8%, 4%. The mapping of values to categories and years is not recoverable from the extracted slide.]

Breach sources, Verizon Data Breach Investigations Report, 2008 and 2009 editions:
                   2008   2009
External           73%    74%
Insiders           18%    20%
Business partner   39%    32%
Multiple parties   30%    39%
(The "External" and "Multiple parties" row labels are missing from the extracted slide and are supplied from the cited Verizon reports. Rows sum to more than 100% because a single breach can involve more than one source.)
Reference:
The Global State of Information Security 2008. CSO Online.
Verizon 2009 Data Breach Investigations Report
Reference:
Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model. CERT Program, Software Engineering Institute and CyLab at Carnegie Mellon
University, June 2009
Reference: 2011 Data Breach Investigations Report, Verizon, January 2012 (http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigationsreport-2011_en_xg.pdf)
Threat Type (examples): Malicious, Accidental, Failure, Natural, External Requirement
Event (examples; what happens to, or affects, the asset): Disclosure, Interruption, Modification, Theft, Destruction, Ineffective design, Ineffective execution, Rules and regulations, Inappropriate use
Asset / Resource (examples): People and organisation, Process, Facilities (physical attributes), IT infrastructure, Information, Software, Reputation, Trust
Time / Timing Dimension (examples; specification of time-related information for the scenario): Timing of occurrence, Timing to detect, Timing to react, Timing to recover, Timing lag, Duration
[Diagram: Risk Scenario composed of Threat Actor, Threat Type, Event, Asset / Resource and Time, with the example lists above attached to each component.]
[Diagram: risk scenario identification.
Top-down scenario identification: Business Objectives -> Generic Risk Scenarios -> Refined and contextual IT Risk Scenarios -> Determine Frequency & Impact -> IT Risk.
Bottom-up scenario identification, shown alongside the Risk Factors that shape the refined scenarios: External Environmental, Internal Environmental, Risk Management Capability, IT Capability, IT related Business Capability.]
Systemic Risk: outcome of an event with a business partner that affects an entire area or industry
Contagious Risk: events that happen to several business partners in a short time frame
Obscure Risk: risk that has not yet occurred (non-historical) and is unlikely or difficult to fathom
Organizational buy-in and risk culture: often one of the most, if not the most, important enablers
- is a
that influences the
and or business
of risk scenarios
Examples of risk factors (according to Risk IT):
- Environment: External Environmental, Internal Environmental
- Capabilities: Risk Management Capability, IT Capability, IT Related Business Capability
Market / economy
Rate of change in the market
Industry / competition
Geopolitical situation
Regulatory environment
Technology status and evolution
Suppliers and partners status
Acts of god / natural disasters
Circumstances that can increase the likelihood or impact of an event
Not always controllable by the enterprise / organisation
e.g. government, international law, local law etc.
Strategic Importance of IT
Complexity of IT
Complexity of enterprise / organization
Degree of change / degree of agility
Change management capability
Risk management philosophy and values
Risk appetite
Risk tolerances
Operating model
Management's integrity and commitment to ethical values influence preferences and judgments, which are translated into standards of behaviour
Competence - reflects the knowledge and skills needed to perform assigned tasks
Enterprise policies
Enterprise strategy and objectives
Implementation and achievement
Trade-off between competence and cost
Perform oversight
Question and scrutinize management's activities
Present alternative views
Impose penalties and disciplinary actions
How well the enterprise is executing the core risk management processes.
MIROSLAWDABROWSKI.COM/downloads