Session 1 CRISC Exam Prep Course - Domain 1 IT Risk Identification PDF
SESSION 1
16. Organizational assets (e.g., people, technology, data, trademarks, intellectual property) and business processes, including enterprise risk management (ERM)
The asset inventory should include people, processes and technology. Processes and technology may be either tangible or intangible.
17. Organizational policies and standards
Managerial assets/controls include company policies and standard operating procedures.
Examples of organizational assets: cash and investments, customer lists, research, people, and service/business processes.
Examples of risk events: supply chain interruption, facility breakdowns, fire or flooding, industrial accidents, disease (epidemic), power surge/utility failure, seismic activity, and severe weather.
The likelihood or probability of an attack is influenced by the following:
– The attacker’s level of motivation
– The skills and tools available to an attacker
– The presence of a vulnerability
28. Information security concepts and principles, including confidentiality, integrity and availability of information
Risk scenarios must consider the impacts to a given asset if the requirements of confidentiality (excessive or inappropriate access), integrity (unapproved or inappropriate alteration or removal) and/or availability (unscheduled downtime, system lockouts or failures) cannot be met.
23. Principles of risk and control ownership
Each risk scenario should be assigned to a risk owner to make sure the scenario is thoroughly analyzed.
36. IT risk management best practices
Using risk management practices like risk scenarios brings clarity to the risk management process. The effectiveness of practices such as the development of risk scenarios relies on participation by all the parties that engage in a given process under review.
A – Accountable
• The stakeholder role defined as “Accountable” is described as follows:
• The person is accountable (liable, answerable) for the completion of the task.
• He/she is responsible for the oversight and management of the person(s) responsible for performing the work effort.
• He/she may also play a role in the project and bear the responsibility for project success or failure.
• In order to be effective, accountability should be with a sole role or person.
I – Informed
• The stakeholder role defined as “Informed” is described as follows:
• This is the person(s) who are informed of the status, achievement and/or deliverables of the task.
• The person(s) who may be interested but who are often not directly responsible for the work effort.
RACI chart (the stakeholder role column headings were not captured on this page; each row lists the assignments in column order):
Collect risk data: I, A, C, R
Deliver the risk report: I, A, I, R
Prioritize risk response: A, I, R, C
Monitor risk: I, A, R, C
7. Methods to identify risk
Several sources that can aid in risk identification include: vendor documents, industry bulletins, policy and procedure review, press releases, breach and vulnerability reporting services, and many more.
10. Risk events/incident concepts (e.g., contributing conditions, lessons learned, loss result)
When building risk scenarios, one must not only consider a single asset being impacted by a single event, but also cascading and coinciding incidents. Include these complex scenarios in the risk register.
The risk register contains all risk detected by various departments or activities of the organization, including the following:
• Risk identified in audits
• Vulnerability assessments
• Penetration tests
• Incident reports
• Process reviews
• Management input
• Risk scenario creation
• Security assessments
Risk register entry elements:
• Risk owner
• Event
• Asset/Resource
• Timing
12. Risk appetite and tolerance
Risk appetite is the amount of risk a company is willing to accept in pursuit of its organizational goals. Risk tolerance, determined by the risk owner, is the acceptable degree of variation that an organization may accept for a particular asset at a particular point in time.
24. Characteristics of inherent and residual risk
Residual risk is the risk remaining after mitigation and is the risk upon which management will base final risk acceptance.