
COBIT, CISA, CISM, CRISC and CGEIT are registered trademarks of ISACA.

Start and finish

Course style

Coffee and breaks

Lunch

M00 - Course introduction


Introduction to CRISC role and certification

Understanding the IT Risk Management domains and related concepts
Understanding the ISACA Risk IT Framework structure, concepts, definitions and processes dedicated to risk management
Presenting the business value and requirements of IT Risk Management

Main goal: be prepared for the CRISC exam
Secondary goal: awareness of IT risk as a business risk

Please share with the class:

Your name and surname
Your organization
Your profession (title, function, job responsibilities)
Your experience with ITSM/ITIL/InfoSec/IT Audit
Your personal session expectations


CRISC Review Manual 2016

Knowledge and experience of IT Risk Management on the CRISC exam is validated against the knowledge and way of thinking presented in this manual.

CRISC Review Manual cover, copyright ISACA.

Pages: 204
Published: 2015
Publisher: ISACA
Format: Softcover
ISBN-13: 978-1604203714


quizlet.com/42706262/


Mirosław Dąbrowski
Agile Coach, Trainer, Consultant
(former JEE/PHP developer, UX/UI designer, BA/SA)

linkedin.com/in/miroslawdabrowski
google.com/+miroslawdabrowski
twitter.com/mirodabrowski
miroslaw_dabrowski

Creator
Creator of 50+ mind maps from PPM and related topics (2mln views): miroslawdabrowski.com
Lead author of more than 50+ accredited materials from PRINCE2, PRINCE2 Agile, MSP, MoP, P3O, ITIL, M_o_R, MoV, PMP, Scrum, AgilePM, DSDM, CISSP, CISA, CISM, CRISC, CGEIT, TOGAF, COBIT5 etc.
Creator of 50+ interactive mind maps from PPM topics: mindmeister.com/users/channel/2757050

Writer / Translator
Product Owner of biggest Polish project management portal: 4PM: 4pm.pl (15.000+ views each month)
Editorial Board Member of Official PMI Poland Chapter magazine: Strefa PMI: strefapmi.pl
Official PRINCE2 Agile, AgilePM, ASL2, BiSL methods translator for Polish language

Agile Coach / Scrum Master
8+ years of experience with Agile projects as a Scrum Master, Product Owner and Agile Coach
Coached 25+ teams from Agile and Scrum
Agile Coach coaching C-level executives
Scrum Master facilitating multiple teams experienced with UX/UI + Dev teams
Experience with multiple Agile methods
Author of AgilePM/DSDM Project Health Check Questionnaire (PHCQ) audit tool

Trainer / Coach
English speaking, international, independent trainer and coach from multiple domains.
Master Lead Trainer
11+ years in training and coaching / 15.000+ hours
100+ certifications
5000+ people trained and coached
25+ trainers trained and coached
linkedin.com/in/miroslawdabrowski

PM / IT architect
IT architect experienced in IT projects with budget above 10mln PLN and timeline of 3+ years
Experienced with (traditional) projects under high security, audit and compliance requirements based on ISO/IEC 27001
25+ web portal design and development and mobile application projects with iterative, incremental and adaptive approach
Dozens of mobile and ecommerce projects

Notable clients
ABB, AGH, Aiton Caldwell, Asseco, Capgemini, Deutsche Bank, Descom, Ericsson, Ericpol, Euler Hermes, General Electric, Glencore, HP Global Business Center, Ideo, Infovide-Matrix, Interia, Kemira, Lufthansa Systems, Media-Satrun Group, Ministry of Defense (Poland), Ministry of Justice (Poland), Nokia Siemens Networks, Oracle, Orange, Polish Air Force, Proama, Roche, Sabre Holdings, Samsung Electronics, Sescom, Scania, Sopra Steria, Sun Microsystems, Tauron Polish Energy, Tieto, University of Wroclaw, UBS Service Centre, Volvo IT
miroslawdabrowski.com/about-me/clients-and-references/

Accreditations/certifications (selected): CISA, CISM, CRISC, CASP, Security+, Project+, Network+, Server+, Approved
Trainer: (MoP, MSP, PRINCE2, PRINCE2 Agile, M_o_R, MoV, P3O, ITIL Expert, RESILIA), ASL2, BiSL, Change Management,
Facilitation, Managing Benefits, COBIT5, TOGAF 8/9L2, OBASHI, CAPM, PSM I, SDC, SMC, ESMC, SPOC, AEC, DSDM Atern,
DSDM Agile Professional, DSDM Agile Trainer-Coach, AgilePM, OCUP Advanced, SCWCD, SCBCD, SCDJWS, SCMAD, ZCE 5.0,
ZCE 5.3, MCT, MCP, MCITP, MCSE-S, MCSA-S, MCS, MCSA, ISTQB, IQBBA, REQB, CIW Web Design / Web Development /
Web Security Professional, Playing Lean Facilitator, DISC D3 Consultant, SDI Facilitator, Certified Trainer Apollo 13 ITSM
Simulation


www.miroslawdabrowski.com


1. Overview of the CRISC certification
2. Domain 1 - IT Risk Identification
3. Domain 2 - IT Risk Assessment
4. Domain 3 - Risk Response and Mitigation
5. Domain 4 - Risk and Control Monitoring and Reporting
6. IS Control Design and Implementation
7. IS Control Monitoring and Maintenance
M01 - Overview of the CRISC certification


Domain 1 - Risk Identification
Domain 2 - Risk Assessment
Domain 3 - Risk Response and Mitigation
Domain 4 - Risk and Control Monitoring and Reporting


Domain relationship diagram (labels as extracted): Domain 1 Risk Identification - provides input into - Domain 2 Risk Assessment - is a subset of - Domain 3 Risk Response and Mitigation; Domain 4 Risk and Control Monitoring and Reporting


The CRISC certification is designed to meet the growing demand for professionals who can integrate Enterprise Risk Management (ERM) with discrete IS control skills
The technical skills and practices the CRISC certification promotes and evaluates are the building blocks of success in this growing field, and the CRISC designation demonstrates proficiency in this role


The CRISC certification / designation reflects a solid achievement record in the areas of enterprise / IT risk management as well as the design, implementation, monitoring and maintenance of controls

Certification launched: 2011
Number of certified: 17,000

CRISC exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards
PBE & CBE (only pencil & eraser are allowed)
4 hour exam
200 multiple choice questions designed with one best answer
No negative points
No prerequisites for the exam (i.e. none for attending the exam itself)


Must
ISACA CRISC official glossary
ISACA CRISC Item Development Guide
ISACA CRISC QAE Item Development Guide
ISACA Risk IT Framework

Should
ISACA CRISC Review Manual
ISACA The Risk IT Practitioner Guide

Could
COBIT 5 main publication / for Risk / for Information Security

Candidates who pass the CRISC exam are not automatically CRISC-certified / qualified and cannot use the CRISC designation
All current requirements are present in the official CRISC Application for CRISC Certification document: www.isaca.org/criscapp


ISACA CRISC Review Manual Structure

Part I - CRISC Domain Structure
Part II - Risk Management and IS Control in Practice

About the CRISC exam
Recommended reading for CRISC exam
Earning the CRISC qualification

M02 - Domain 1 - IT Risk Identification


Learning objectives
Domain 1 - CRISC exam relevance
Module agenda
Risk Management Process
Risk Governance
Risk Culture
Risk Management Frameworks, Standards, Best practices
Risk Identification, Assessment and Evaluation Processes
Risk Scenario
Risk Factors
Risk Analysis Process
Risk Analysis methods
Ways of describing IT Risk in business terms


After this module, the CRISC candidate should be able to

Associate business strategies, goals, objectives, information, processes, technologies and initiatives with risk
Explain the principles of risk ownership within the organizational structure
Identify standards, frameworks and leading practices related to risk
Differentiate between threats and vulnerabilities
Apply risk identification, classification, quantitative / qualitative assessment and evaluation techniques
Describe the key elements of a risk register
Describe risk scenario development tools and techniques
Help develop and support risk awareness training tools and techniques
Translate laws and regulations into business risk requirements
Relate security concepts to risk assessment

Ensure that the CRISC candidate

Identifies risk, including emerging risk and risk associated with people, processes, technology, architecture, applications, information, natural factors and physical threats
Assesses the risk levels associated with each threat, including anticipated risk likelihood and impact, threats and vulnerabilities, and the effectiveness of current and planned controls
Evaluates the potential qualitative and quantitative risk values, including the impact on business objectives, other related organizations or society


There are 9 general task statements pertaining to IT Risk Management in the CRISC Certification Job Practice
In general

Develop and implement a risk-based IT audit strategy
Collect information and review documentation
Identify legal, regulatory and contractual requirements
Identify potential threats and vulnerabilities for business processes
Create and maintain a risk register
Assemble risk scenarios to estimate the likelihood and impact of significant events
Analyze risk scenarios to determine their impact on business objectives
Develop a risk awareness program and conduct training
Correlate identified risk scenarios to relevant business processes
Validate risk appetite and tolerance with senior leadership


There are 22 general knowledge statements pertaining to IT Risk Management in the CRISC Certification Job Practice
Knowledge of (selected)
Standards, frameworks and leading practices
Techniques for risk identification, classification, assessment
Quantitative and qualitative risk evaluation methods
Business goals and objectives
Risk scenarios related to business processes and initiatives
Threats and vulnerabilities related to business processes
Information systems architecture
Risk scenario development tools and techniques
Risk awareness training tools and techniques
Current and forthcoming laws, regulations and standards

All enterprises must provide value to their stakeholders or they will cease to exist
Value is created, preserved and eroded
By management decisions
Through deploying resources

Management must recognize and understand the potential rewards and inherent risks associated with the business operations
This understanding is the basis for risk identification, assessment and evaluation activities

IT itself does not provide value



Risk - the potential for events and their consequences, contains both (aka. two sides of the risk coin)
Opportunity for benefit (upside / benefits)
Threat to success (downside / disbenefits)

Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise


Risk Management - the coordinated activities to direct and control an enterprise with regard to risk


Risk Assessment - process used to identify and evaluate risk and its potential effects


Risk Analysis - process by which frequency and magnitude (impact) of IT risk scenarios are estimated
Risk Analysis is a process that helps you identify and manage potential problems that could undermine key business initiatives or projects.
To carry out a Risk Analysis, you must first identify the possible threats that you face, and then estimate the likelihood that these threats will materialize.


An effective Risk Management process involves

1. Collecting data on the operating environment and associated risk events
2. Identifying internal and external risk factors
3. Analysing and estimating risk
4. Identifying business process resilience levels

It is the (constant) process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives


Holistically covers all concepts and processes affiliated with managing risk, including
Systematic application of management policies, procedures and practices
Establishing the context (external and internal)
Communicating / consulting (engaging stakeholders)
Identifying
Analysing
Evaluating
Treating
Controlling
Monitoring
Reviewing

The ISACA Risk IT framework principles (6)

1. Connect to Business Objectives
2. Align (integrate) IT Risk Management with / into Enterprise Risk Management (ERM)
3. Balance costs / benefits of IT Risk
4. Promote fair and open communication
5. Establish tone at the top and (assign personal) accountability
6. Function as a part of daily activities


The ISACA Risk IT framework is the 3rd component of ITGI's IT Governance Framework:
Val IT - creation of business value
Risk IT - protection of information assets
COBIT - control/govern and improve IT

https://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Documents/Risk-IT-Brochure.pdf

Accountability - applies to those who either own the required resources or those who have the authority to approve the execution and / or accept the outcome of an activity within specific risk management processes
Ideally only one person should be accountable (accountability reasons)
e.g. the IT Director is accountable for risk affecting the IT department/s
e.g. the Project Manager is accountable for risk affecting his project
e.g. the Team Leader is accountable for risks affecting his team and work


Responsibility - belongs to those who must ensure that the activities are completed successfully
Ideally more than one person should be responsible (additional workforce, human resource backup in case of unavailability of the first person)
Used as a delegation of risk management responsibilities for people below the accountable person
e.g. Software Developer
e.g. Server Administrator
e.g. Data Custodian


The CRISC in the Risk Management Process executes on
Risk identification
Risk evaluation
Risk facilitation
Risk response

The CRISC functions within the risk governance framework established within the enterprise


Risk Governance - strategic business function that helps ensure that
Risk Management activities align with the enterprise's loss capacity and leadership's subjective
Risk Management strategy is aligned with the overall business strategy

Risk Governance is ultimately the responsibility of the board of directors and senior management
They establish the risk culture and the acceptable level of risk


For IT governance to be effective, senior management should review and approve the risk action plan, agree to priorities and commit the necessary resources to execute the plan effectively
An IT executive committee with representation of all stakeholders should review and approve the plan collectively, on behalf of the board


Risk Appetite - the broad-based amount of risk that a company or other entity (CEO, organization / department / sub-department) is willing to accept in pursuit of its mission / vision / objectives
Appetite is always different across organizations
Appetite changes over time

It reflects the enterprise's risk management philosophy and, in turn, influences the enterprise's culture and operating style
Enterprises must balance risk with reward and ensure that the cost of risk mitigation does not exceed the cost of a potential loss

Risk Tolerance - the acceptable variation (lower and higher) relative to the achievement of an objective
Risk Tolerance is often best measured in the same units as those used to measure the related objectives: costs, time, etc.
Risk tolerance always needs to be measurable in order to be controlled
You cannot control it if you cannot measure it.


Risk Capacity: the maximum amount of risk that an organisation, or subset of it, can bear, linked to factors such as its reputation, capital, assets and ability to raise additional funds.

Risk Tolerance: the threshold levels of risk exposure that, with appropriate approvals, can be exceeded, but which when exceeded will trigger some form of response (e.g. reporting the situation to senior management for action)

Risk Appetite: the amount of risk the organisation, or subset of it, is willing to accept


https://www.youtube.com/watch?v=bFtGogUiCXI


Risk Culture diagram (three behavioural axes):
Behaviour towards taking risk: aggressive risk taking vs conservative risk taking
Behaviour towards negative outcomes: blaming culture vs learning culture
Behaviour towards policy compliance: non compliance vs compliance

Allows for open discussions about risk components
Acceptable levels of risk are understood and maintained
Begins at the top (board and executive)
Set direction
Communicate risk-aware decision making
Reward effective risk management behaviors

Implies that all levels are aware of how and when to respond to adverse IT events


Risk Culture is a series of behaviours

Behavior toward taking risk
Behavior toward negative outcomes
Behavior toward policy compliance

Symptoms of inadequate or problematic risk culture include
Misalignment between real culture and policies
Resulting in potential non-compliance and/or undue risk
Misalignment between real risk appetite and translation into policies
Existence of a blaming culture (vs a learning culture)


The A-B-C of Risk Culture: How to be Risk-Mature by Dr David Hillson, PMI Fellow, PMP, HonFAPM, FRSA, FIRM, FCMI, CMgr, MIOD
http://www.risk-doctor.com/publications/publications-papers_general


Risk Awareness - acknowledging that risk is an integral part of the business
Risk Communication - if risk is to be managed, it must first be discussed and effectively communicated throughout the enterprise


Benefits of good communication include
Contributing to management's understanding of exposures
Awareness
Transparency to external stakeholders
Provides direction
Reduces rumours or suspicion
Aligns all stakeholders with the mission
Encourages consistency
Mandates accountability

Consequences of poor communication include
False sense of confidence relating to exposure
Incorrect perception by external stakeholders
Perception that the enterprise lacks transparency with external stakeholders


Effective reports should be:

Clear - e.g. use plain language (language clarity), are logically ordered and easy to navigate (structural clarity / logic flow), highlight important information, explain complex information in plain language
Concise - e.g. a concise document is a piece of writing that conveys only the needed material
Coherent - e.g. at the paragraph level, coherence is achieved by organizing material into a topic sentence and supporting sentences
e.g. enable decision making
e.g. aimed at the correct audience based on levels of knowledge, format of report


Framework - generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes
ISACA - The Risk IT Framework
NIST Risk Management Framework (RMF)
DHS Risk Management Framework
COSO ERM - Integrated Framework
AXELOS M_o_R - Management of Risk


Management of Risk: Guidance for Practitioners
3rd edition, 2011
ISBN-13: 978-0117068575

M_o_R handbook cover, copyright AXELOS Ltd.

Standard and best practice for enterprise wide Risk Management
Provides 4 Perspectives of Risk Management: Strategic, Programme, Project, Operational
Part of AXELOS Global Best Practice family of 7 management standards from UK
(outside the scope of the exam)


Standards - established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.
Standards are usually intended for compliance purposes
Examples
ISACA IT Audit and Assurance Standards
AS/NZS 4360:1995 (status: EoL)
ISO 31000:2009
ISO/IEC 27001:2013
A Risk Management Standard (FERMA)
PCI DSS v3


Good Practice / Leading Practice - frequent or usual actions performed as an application of knowledge
Practices are issued by a recognized authority
Leading practices are actions that optimally apply knowledge in a particular area
Practices are usually derived from, supplement or support standards and frameworks
Examples
ISACA - The Risk IT Practitioner Guide
Project Risk Analysis and Management (PRAM) Guide
CAN/CSA-Q634-91 (status: EoL)
PMBOK Guide (includes Risk Management guidelines in projects)

Project Management Body of Knowledge (PMBOK Guide)
5th edition, 2013
ISBN-13: 978-1935589679

PMBOK handbook cover, copyright PMI.

Standard and best practice for Project Management
Part of PMI family of standards
(outside the scope of the exam)


Risk Identification - process of determining the risk that an enterprise / organization faces (globally or in a specific organization activity: programme, project)
The identification of risk is based on the recognition of threats, opportunities, vulnerabilities, assets and controls in the enterprise / organization operational environment

Risk Assessment - process used to identify and evaluate risk and its potential effects

Risk Evaluation - process of comparing the estimated risk against given risk criteria to determine the significance of the risk


IT risk is risk to the Business

IT Risk - business risk associated with the
Use
Ownership
Operation
Involvement
Influence
Adoption
of IT and IS within the enterprise / organization


Loss of revenue
Loss of sensitive information and data
Loss of reputation / brand visibility / brand image
Loss of public confidence
Loss of SLAs / OLAs levels
LOE to correct problems caused by Threat Actions
Loss of credibility
Damage to enterprises interest
System repair costs


Premise
Most business processes are dependent on working information
systems
Automated controls require business processes to utilize
information systems


Meaningful IT risk assessments and risk based decisions require
IT risk to be expressed in business terms
Mutual understanding over which risks need to be managed, why and under which requirements and constraints
This implies building a no-blame risk culture, with IT personnel being aware of risk and business priorities and business stakeholders / decision-makers treating IT risk as strategic risk


How does Risk Appetite relate to risk scenarios with varying Frequency and Magnitude?

Frequency - How often is the event expected to occur?
Magnitude (Impact) - What is the impact to the enterprise when the event occurs?

Risk Aggregation - process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise

Risk Analysis - process by which frequency and magnitude (impact) of IT risk scenarios are estimated


Connectivity of risk appetite and risk tolerance
Review and approval of exceptions to risk tolerance standards
Above and below as well

Risk appetite and tolerance change over time
Conduct a formal review at least once a year, ending with formal approval of new tolerance levels

Cost of risk mitigation options can affect risk tolerance


Risk taxonomy diagram:
Enterprise Risk: Strategic Risk, Environment Risk, Market Risk, Credit Risk, Operational Risk, Compliance Risk
IT-related Risk: IT Benefit / Value Enablement Risk, IT Programme and Project Delivery Risk, IT Operations and Service Delivery Risk

The Open Group, Risk Taxonomy Standard v2.0 (O-RT). The objective of this Risk Taxonomy
(O-RT) Standard is to provide a single logical and rational taxonomical framework for anyone
who needs to understand and / or analyze information security risk.

Examples

IT Benefit / Value Enablement
Technology enabler for new business initiatives
Technology enabler for efficient operations
Technology enabler for higher SLAs / OLAs levels

IT Programme and Project Delivery
Project relevance / priority
Project time / budget overrun
Project quality

IT Operations and Service Delivery
IT service interruptions (SLAs / OLAs crisis)
Security issues
Compliance / regulatory issues

Business value diagram: New Business Value (gain / fail to gain) and existing Business Value (maintain / lose)

The high-level process phases (part of the Risk Evaluation domain from Risk IT) of the risk identification, assessment and evaluation process are
1. Collect Data
2. Analyze Risk
3. Maintain Risk Profile

A Risk Scenario is a description of an event that can lead to a business impact, when and if it should occur
Risk Scenario is a technique used to make risk more concrete and tangible and allow for proper risk assessment and analysis


Purpose of Risk Scenario
Bring realism
Provide insight
Awareness
Facilitate organizational engagement
Provide improved analysis and structure to the complex nature of enterprise risk


Risk Scenario components
1. Threat Actor
2. Threat Type
3. Event
4. Asset / Resource
5. Time / Timing Dimension



Threat Actor - generates the threat / is a source of threat
Threat Actors can be human or nonhuman
Not every threat requires a Threat Actor
Examples
Internal (to the organization): e.g. employee, contractor
External (to the organization): e.g. competitor, outsider, business partner, regulator, market, act of god


Threat sources vary, but insiders and business partners are a great concern

In 2008, CSO Magazine reported:

Source of Incidents              2007    2008
Unknown                          N/A     42%
Employees                        48%     34%
Hackers                          41%     28%
Former employees                 21%     16%
Business partner                 19%     15%
Customer                          9%      8%
Other                            20%      8%
Terrorist / foreign government    6%      4%

In 2009, Verizon Data Breach Investigation Report:

Source of Data Breach Incidents  2008    2009
External threat sources          73%     74%
Insiders                         18%     20%
Business partner                 39%     32%
Involved multiple parties        30%     39%

Reference:
The Global State of Information Security 2008. CSO Online.
Verizon 2009 Data Breach Investigations Report

In 2009, a CERT/SEI CyLab study found that:

68% of the insider attacks occurred at the workplace
73% of crimes were committed during working hours
Over 3/4 of the insiders had authorized access to information assets
None of the insiders had privileged access
20% involved theft of physical property (e.g., documents, laptops, PCs, removable media, etc.)

Reference:
Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model. CERT Program, Software Engineering Institute and CyLab at Carnegie Mellon University, June 2009


The majority of malware is installed remotely...
Most data breaches are from hacking and malware...

Reference: 2011 Data Breach Investigations Report, Verizon, January 2012
(http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigationsreport-2011_en_xg.pdf)

Advanced Persistent Threat (APT) is very real
Malware is now a tool for hackers for stealing data

Reference: 2011 Data Breach Investigations Report, Verizon, January 2012 (http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigationsreport-2011_en_xg.pdf)


Threat Type - the nature of the event
Examples
Malicious
Accidental
Failure
Natural
External Requirement



Event - can be categorized along the vectors which they affect
Loss events - events generating the negative impact
Vulnerability events - events contributing to the magnitude or frequency of loss events occurring
Threat events - circumstances or events that can trigger loss events

Examples
Disclosure
Interruption
Modification
Theft
Destruction
Ineffective design
Ineffective execution
Rules and regulations
Inappropriate use

Asset / Resource - any object (tangible, intangible) that has value to the enterprise / organization
Examples
Tangible (physical attributes)
People and organization
Process
Facilities
Infrastructure / IT Infrastructure
Application / Software
Intangible (no physical attributes)
Information
Reputation
Trust



Time / Timing Dimension - specification of time-related information for the scenario
Examples
Timing of occurrence (in a critical business moment or not)
Timing to detect
Timing to react
Timing to recover
Timing lag between event and impact / consequences
Immediate impact / consequences
Delayed impact / consequences
Duration


Risk Scenario - summary of components:
Threat Actor: Internal, External
Threat Type: Malicious, Accidental, Failure, Natural, External Requirement
Event: Disclosure, Interruption, Modification, Theft, Destruction, Ineffective design, Ineffective execution, Rules and regulations, Inappropriate use
Asset / Resource: People and organisation, Process, Facilities, IT infrastructure, Information, Software
Time / Timing Dimension: Timing of occurrence, Timing to detect, Timing to react, Timing to recover, Timing lag, Duration

Risk Scenario Approaches

The approaches are complementary and should be used simultaneously.


1. Use the list of example generic risk scenarios to define a manageable set of concrete scenarios for the enterprise
2. Perform a validation against the business objectives of the entity
3. Refine the selected scenarios and detail them in line with their criticality to the entity
4. Reduce the number of scenarios to a manageable set
5. Keep all risks in a risk register for easy re-evaluation
6. Include in the scenarios how to handle unspecified events
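An added example, not taken from the course slides or from ISACA's Risk IT, that ties the five scenario components above to steps 1 to 5 of this list: the register contents, the completeness rule and the 1-to-5 frequency/impact scale are assumptions made for the example.

```python
# Added example (not course or ISACA material): a risk scenario built from the five
# components on the slides, plus the "reduce to a manageable set" steps from the list.
from dataclasses import dataclass

THREAT_TYPES = {"malicious", "accidental", "failure", "natural", "external requirement"}
EVENTS = {"disclosure", "interruption", "modification", "theft", "destruction",
          "ineffective design", "ineffective execution", "rules and regulations",
          "inappropriate use"}
ASSETS = {"people and organisation", "process", "facilities", "it infrastructure",
          "information", "software"}
ACTORS = {"internal", "external"}

@dataclass(frozen=True)
class RiskScenario:
    name: str
    threat_type: str
    event: str
    asset: str
    actor: str
    timing: str       # time dimension: when it occurs relative to critical periods
    objective: str    # business objective the scenario threatens
    frequency: int    # ordinal 1..5, assigned in assessment (hypothetical scale)
    impact: int       # ordinal 1..5

def validate(s: RiskScenario) -> list:
    """Names of components that are missing or off-list (empty list = complete)."""
    allowed = {"threat_type": THREAT_TYPES, "event": EVENTS, "asset": ASSETS, "actor": ACTORS}
    problems = [f for f, ok in allowed.items() if getattr(s, f).lower() not in ok]
    if not s.timing or not (1 <= s.frequency <= 5 and 1 <= s.impact <= 5):
        problems.append("timing/frequency/impact")
    return problems

def reduce_scenarios(scenarios, objectives, keep):
    """Steps 2-4: drop incomplete scenarios and those tied to no stated business
    objective, rank the rest by frequency x impact and keep the top `keep`."""
    relevant = [s for s in scenarios if not validate(s) and s.objective in objectives]
    return sorted(relevant, key=lambda s: (-s.frequency * s.impact, s.name))[:keep]

# Constructed sample register; scores are illustrative, not assessment results.
OBJECTIVES = {"reliable financial reporting", "continuous order processing"}
SCENARIOS = [
    RiskScenario("ransomware on file servers", "malicious", "destruction", "IT infrastructure",
                 "external", "quarter-end close", "reliable financial reporting", 3, 5),
    RiskScenario("backup job silently failing", "accidental", "ineffective execution",
                 "process", "internal", "any time", "reliable financial reporting", 4, 3),
    RiskScenario("data centre power loss", "natural", "interruption", "facilities",
                 "external", "peak season", "continuous order processing", 1, 4),
    RiskScenario("marketing site defaced", "malicious", "modification", "software",
                 "external", "any time", "brand awareness", 3, 2),   # objective not stated
    RiskScenario("untyped cyber event", "cyber", "theft", "information", "external",
                 "", "continuous order processing", 2, 2),           # incomplete components
]
```

Calling `reduce_scenarios(SCENARIOS, OBJECTIVES, 2)` keeps the two highest-scoring complete scenarios that map to a stated objective; the defaced-site and "cyber" entries are dropped at steps 2 and 3 respectively.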


Top-down scenario identification: Business Objectives -> Identify business objectives -> Identify scenarios with most impact -> Refined and contextual IT Risk Scenarios

Bottom-up scenario identification: Generic Risk Scenarios -> Identify possible scenarios -> Reduce through high-level analysis -> Refined and contextual IT Risk Scenarios

Refined and contextual IT Risk Scenarios -> Determine Frequency & Impact -> IT Risk

Risk Factors (feeding the determination of frequency and impact): External Environmental, Internal Environmental, Risk Management Capability, IT Capability, IT related Business Capability

Systemic Risk
Outcome of an event with a business partner that affects an entire area or industry

Contagious Risk
Events that happen to several business partners in a short time frame

Obscure Risk
Risk that has not yet occurred (non-historical) and is unlikely or difficult to fathom


Determination of the value of the asset or business process at risk
Identification of potential threats and vulnerabilities that could lead to a loss event
Assessment for relevance and realism
Documenting the selected scenarios in the risk register
Ensuring success requires keeping the set of scenarios manageable and as generic as possible


Make sure that a risk assessment (e.g. reviewing risk scenarios) is conducted or anytime there is a change to a critical system or process
Simple scenarios need to be expanded into complex scenarios to ensure that cascading or coincidental impacts and dependencies are also documented


Organizational buy-in
Risk culture - often one of the most, if not the most, important enabler
Skilled scenario facilitation / identification
Thorough understanding of the environment (internal and external)
Involvement of all stakeholders (especially decision-makers)


Risk Factor - a condition that influences the frequency and/or business impact of risk scenarios

Examples of risk factors (according to Risk IT):
Environment: External Environmental, Internal Environmental
Capabilities: Risk Management Capability, IT Capability, IT Related Business Capability

External environmental risk factors:
Market / economy
Rate of change in the market
Industry / competition
Geopolitical situation
Regulatory environment
Technology status and evolution
Suppliers and partners status
Acts of god / natural disasters
Circumstances that can increase the likelihood or impact of an event
Not always controllable by the enterprise / organisation, e.g. government, international law, local law etc.

Internal environmental risk factors:
Strategic importance of IT
Complexity of IT
Complexity of the enterprise / organization
Degree of change / degree of agility
Change management capability
Risk management philosophy and values
Risk appetite
Risk tolerances
Operating model


Management's integrity and commitment to ethical values influence preferences and judgments, which are translated into standards of behaviour

Tone at the top
Eliminate inappropriate incentives and temptations
Ethical values must be:
Communicated
Accompanied by guidance
Established in a formal code of corporate conduct (and communication channel)


Competence - reflects the knowledge and skills needed to perform assigned tasks

Enterprise policies
Enterprise strategy and objectives
Implementation and achievement
Trade-off between competence and cost


Perform oversight
Question and scrutinize management's activities
Present alternative views
Impose penalties and disciplinary actions

Provides a framework to plan, execute, control and monitor activities
Includes:
Defining key areas of authority and responsibility
Establishing appropriate lines of reporting, delegation and escalation

Surrendering central control of certain business decisions to individuals closer to everyday business transactions
It may give others the ability to sell, negotiate, and/or enter into alliances or joint ventures on behalf of superiors


Risk Management Capability - how well the enterprise is executing the core risk management processes

IT Capability - mature and well-controlled IT processes

IT Related Business Capability - the degree to which business management is capable of managing the direction and performance of IT

I hope you enjoyed this presentation. If so, please like, share and leave a comment below. Endorsements on LinkedIn are also highly appreciated! (your feedback = more free stuff)

MIROSLAWDABROWSKI.COM/downloads
