ISACA CRISC – IT Risk Assessment
Welcome to the preparatory course for the ISACA Risk Management Series. This is the third module of a total of five modules. In the first module, we learned the full context and fundamental concepts of risk management. In the second module, we went through the entire process of risk identification in detail. In this third module, we will learn about risk assessment. It is a brief module, but it contains the essential concepts required for risk management.
Some of the topics we will address are: what was not done during risk identification that will be carried out in the risk assessment? What are the techniques used to assess IT risk? What are the factors that affect the calculation of the risk assessment? What types of information do security controls need to provide? How do I check the current state of security controls? How is risk assessment performed? What are the methodologies for risk assessment? How is risk classification carried out? The next modules continue the risk management lifecycle: module four will deal with risk response and mitigation, and module five will deal with risk and control monitoring and reporting.
The next step in the risk management lifecycle is to assess IT risk levels in terms of impact. IT risk assessment measures the impact of an IT-related problem on the business services that IT systems support. In every area of the company there are ICT systems that support business activities. In this phase of the lifecycle we measure, using various methods of measurement, the impact that failures in those IT systems will have on the business. This assessment, or impact calculation, should consider the dependencies of other systems, departments, business partners, and users affected by the IT system: the whole ecosystem inside and outside the company that can be affected by that failure. What is this for?
As a result, decision-makers gain a better understanding of the overall impact of the risk, we can properly prioritise risk management activities, and we can select the risk response and mitigation activities, which are the next stage of the risk management lifecycle, with more confidence. According to ISACA, risk assessment is a process used to identify and assess risks and their potential effects, and it includes assessment of the following. First, the critical functions required for the business to continue its operations: the company needs to know its core processes and mission-critical activities, and which ones really matter most for the continuity of the business. Second, the risk associated with each of the critical functions: we map the identified risks to the mission-critical activities, which is usually done by mapping the systems that support those processes.
Third, the security controls already in place to reduce exposure, and their cost. Although the risk exists, it is very likely that some mitigation actions and security controls have already been implemented that reduce the level of risk for that activity. It may be a process, a piece of software, or some other mechanism, but most likely some mitigation already exists and must be taken into account. Fourth, prioritising the risk based on its probability and potential impact; we will look at several ways of calculating these probabilities and potential impacts. Fifth, and finally, relating the risk to the organisation's risk tolerance and risk appetite. After the assessment it should be clear and visible where the risk sits in relation to the company's risk appetite, what its priority is, and how it should be treated. The bottom line is that this risk assessment process generates the information necessary to respond to risk in an appropriate manner with an adequate cost and benefit.
It is critical for the risk professional to be aware of the existence of the various risk assessment methods, but the official review manual only lists their names. All the techniques below were extracted from ISO/IEC 31010:2009, as cited by ISACA itself.
The important thing here is to know that a technique should be chosen that fits the company's organisational structure and culture and that our stakeholders agree on its use. No technique will be completely objective and mathematically accurate, but the information it produces helps in gaining insight into the level of risk. Look at these as techniques that are not unique to risk management but are used here for the specific purpose of risk assessment. As long as a technique serves the purpose of this phase of the lifecycle it can be used, not necessarily only those cited by ISACA for the exam. As we have said, a basic awareness that the techniques exist and are used for this purpose is enough.
The impact of a risk event is difficult to calculate with any degree of accuracy because many factors affect the outcome of an event. It is important to note that the risk scenarios we developed in the risk identification phase will be used to communicate with the business and collect the data necessary to understand the potential or probable impact of the risk event if and when it occurs. The first factor that affects the calculation is the organisational structure and culture of the company. A mature company will have policies and procedures and an effective reporting structure in place to detect, notify, and escalate a situation effectively.
The risk management function must have an enterprise-wide mandate that enables risk professionals to assess and contribute to all business processes, participate in incident management activities, and be responsible for reviewing incidents to extract lessons learned and improve incident planning, detection, and recovery. The next factor is the policies, standards, and procedures put in place in the company. Please do not underestimate the power of these documents. They must be written, validated, and published carefully. Policies provide guidance on acceptable and unacceptable behaviours and actions for the organisation. Standards and procedures support the requirements defined in the policies.
Policies empower the IT risk and security management team. The organisation's policies should clearly state the position of top management in relation to information protection, which allows the development of procedures, standards, and baselines that reflect management priorities. Risk professionals should identify the presence or absence of policies and work to determine whether or not they are being followed. A standard is a requirement, code of practice, or specification approved by a recognised external standards organisation. Procedures are more detailed than standards and support their implementation. A procedure is a document containing a detailed description of the steps required to perform a specific operation in accordance with the applicable standards. A lack of standards and procedures makes it difficult to conduct activities in a systematic manner and can result in unreliable, inconsistent, and high-risk operations.
The important thing to note is that these are specific-purpose documents, and each is used most intensively by a certain target audience. Procedures are the last and most detailed level, and they are usually used by the person who actually performs the work. In this way the strategy that was translated into policy is mapped down to procedures, so that there is consistency throughout the company. It is certainly difficult to have all the policies, standards, and procedures in place, but you have to start somewhere: start with the most important ones and establish a document creation programme. It is critical to emphasise that each document must have an owner and must be reviewed on a regular basis in order to remain current. Technology is certainly a crucial factor in risk assessment. Some of the considerations that affect technology-related risk assessment include equipment age, the expertise available for maintenance, the variety of vendors, documentation of systems, availability of spare parts, the ability to test systems or equipment, the operational environment, user experience, and the ability to correct or mitigate vulnerabilities.
Turning now to architecture: a key factor in the maturity of an organisation's processes and practices is the development of a corporate approach to risk management, architecture, and business continuity. Relatively few companies have a mature IT architecture. As the complexity of an architecture increases, it becomes more challenging for the organisation to protect it and to ensure compliance with security standards, regulations, and good practice. By architecture we mean the macro view of the systems that form it: how they connect, how they evolve, and how they are configured, seen as a single functioning whole that operates to generate value for the business. Finally, controls are also a factor that affects the calculation of the risk assessment. Controls are implemented to reduce risk, or to maintain it, at acceptable levels. However, controls may be ineffective, unsuitable for the risk they are meant to address, or configured incorrectly. Controls should be reviewed regularly to determine and ensure their effectiveness, and processes should be established to ensure that controls are implemented and operated correctly.
Controls are usually classified as belonging to one of the six categories we will see below. I do not really like the terms, because they sometimes use uncommon words that can confuse, but I will use the official ISACA terms and try to explain a little about each one. The first is preventive, which is used to inhibit attempts to violate security policy.
The second is deterrent, which provides warnings that may deter threat agents from attempting to compromise a particular system or process; basically, a control that makes the attacker change his mind. The third is directive, which is used to establish behaviour by specifying which actions are and are not allowed; this is the control that establishes guidelines, as is the case with policies. The fourth is detective, which aims to provide warnings of violations or attempts to violate security policy; it is the control that detects violations. The fifth type is corrective, which remedies errors, omissions, unauthorised uses, and intrusions when they are detected. Finally, a compensating control corrects a deficiency or weakness in the company's control structure. It is important to note that a single control sometimes plays a variety of roles.
Antivirus software, for example, can be preventive, detective, corrective, and compensating at the same time. The following is a figure from the review manual that shows the interaction between control types. In the centre we find a threat event: a threat creates a threat event. A deterrent control, like a compensating control, reduces the likelihood of the threat event. A detective control uncovers the threat event and at the same time triggers a preventive control, which reduces the impact and protects the system from the vulnerability. The vulnerability results in impact, and a corrective control reduces that impact. Finally, the threat event exploits the vulnerability. This is the entire chain of interaction between the threat, the threat event, the vulnerability, the impact, and the controls that we saw on the previous slide.
As we have seen, part of the risk assessment is to determine the current state of security controls in order to determine the actual impact of a given risk.
So, how can we verify the current state of security controls? The risk practitioner determines the current state of the risk using the reports generated by the controls themselves, the results of control testing activities, and the incident management programme. The following are some of the sources for checking the current state of those controls. The first is the audit. An audit is a formal inspection and verification that a standard or set of guidelines is being followed, that records are accurate, or that efficiency and effectiveness goals are being met. Next is the business continuity plan. The purpose of business continuity planning is to enable a company to continue critical services in the event of a disruption, up to and including the ability to survive a disastrous outage. That is: when everything goes wrong, how will we continue to exist?
The main data source used in business continuity planning is the business impact analysis, which identifies the critical timelines for the services and products associated with value creation. The business impact analysis also determines the recovery point objective (RPO) and the recovery time objective (RTO) for a process, which define the amount of data that can be lost during recovery and the speed with which recovery must be performed. The business continuity plan is a critical subject that the risk professional must support and thoroughly understand, as it is one of the primary ways of adding value to the company as a whole.
Third is disaster recovery, which is part of the business continuity plan. Disaster recovery refers to the re-establishment of business operations and IT services after a disaster or incident, within a predefined schedule and budget. Note that disaster recovery is a small part of the continuity plan. Incident management begins with preparation and planning that produce an incident response plan. The main focus of incident management is to get the organisation, the affected systems, and operations back to normal as quickly as possible. The risk professional should be clear that even when risk management is effective and proper controls are in place, incidents will still occur.
Knowing how to respond to these incidents in a clear and structured way is a necessity that differentiates mature organisations. The manager should review each incident to draw lessons learned in order to improve the prevention, detection, and recovery of future incidents of a similar nature. That way we create a culture of learning, focus on the root cause, seek to learn from failure, and optimise the whole organisation through that learning. Finally, enterprise architecture focuses on producing a view of the current state of IT, establishing a vision for a future state, and generating a strategy to get there. In any knowledge-based organisation, enterprise architecture is a key component of the control environment. Risk professionals should ask whether a corporate architecture exists and evaluate it to determine its maturity. Observation, media reports on specialised sites, third-party reviews, user feedback, penetration tests, and vulnerability assessments are also important ways to assess the current state of security controls.
There are other sources of risk that are constantly changing and that should be considered when assessing IT risk. For example, a substantial change in the risk environment may arise as a result of changing technology. New technology is emerging in the market continually, and the pressure to implement it is often driven by exaggerated expectations of its usability and maturity. A focus on product functionality without attention to security can harm the organisation.
It is the responsibility of the entire risk management team to consider the potential risks and the security controls necessary for implementing those technologies that can deliver value to the organisation. The topic of change in technology is fairly obvious to most IT security professionals, but change in business practices must also be watched by the risk professional. A failure of the IT department to adapt to or support new business models can result in substantial losses for the organisation. That is why the risk professional must be close to the business, influence its decisions, and deeply understand the company's strategy, so as to be a step ahead in readiness for the next steps planned for the organisation. The risk professional must evaluate the maturity of the IT department and the organisation as a whole in monitoring and adapting to new trends and markets.
When a project is at risk, it is important to identify the root cause of the problem and take steps to address it as quickly as possible. Poor project management can lead to several problems, such as indirect financial loss, loss of competitive advantage, direct financial loss, breach of contract or SLAs, inability to adapt to a changing operating environment, reputational damage, dissatisfaction among the project team, and others. Regardless of the project management methodology used, the principles are the same: adequate supervision, clear requirements, user engagement, communication between team members and users, and periodic review of project progress, which is key to project success. The challenge of identifying project risk lies in obtaining accurate status data and being able to identify the root cause of the project's problems.
How is this IT risk assessment actually performed? In practice, the risk assessment seeks to identify the level of risk relative to an acceptable level for the organisation. The risk practitioner makes this assessment by comparing the current state of the risk to the desired state, taking into account the effectiveness of any existing controls.
As we have seen, the current state of IT risk is compared with the level of risk acceptance defined by top management. As a result, the risk professional must first ensure that the organisation's risk appetite has been established. Threat modelling is done by mapping the possible methods, approaches, steps, and techniques an adversary could use to carry out an attack; in practice it means using consultants or experts to check the ways in which threats exploit vulnerabilities to cause an impact.
Root-cause analysis is also used in risk assessment. It is the diagnostic process for determining the origin of events so that the organisation can learn from their consequences. The actions that companies take in response to risks are often based on lessons learned from past events, and the lessons generated through root-cause analysis feed back into the assessment of risk in the risk management process. Finally, gap analysis: once management has determined the desired state of risk it wants to achieve, and the current state has been carefully assessed, the risk professional can identify whether a risk gap exists and the scope of the actions required to close it. It means planning how we will arrive at the future state once we also understand the current state. This gap analysis also serves as a tool to support project prioritisation by the project team.
Risk can be assessed quantitatively, qualitatively, or in a way that combines the two methods. Quantitative risk assessment is based on numerical calculations, such as monetary values. When a quantitative risk assessment is desired, the risk practitioner may approximate probability by calculating a mean probability across the population using empirical or historical data. Unfortunately, the cost associated with a particular risk can be quite difficult to quantify, especially if it includes subjective elements such as reputation or employee morale, so this type of assessment may not be appropriate for all cases. Qualitative risk assessment assigns values on a comparative or ordinal basis, such as high, medium, and low, or on a scale from one to ten.
The assignment of qualitative values depends heavily on experience and specialised knowledge. The results of a qualitative risk assessment are typically presented as a table comparing the likelihood of a risk event with its impact on the organisation, where the intersection of the two factors gives the relative level of risk. Semi-quantitative risk assessment, in turn, combines the value of the quantitative and qualitative approaches. This hybrid approach keeps the relative-ranking aspect of a qualitative assessment but combines it with a numerical scale like the one used to determine impact in a quantitative assessment. In practice, it means creating a qualitative table in which a numeric range is associated with each qualitative value. For example, if we are talking about high, medium, and low, we assign one range of values to high, another to medium, and another to low.
Risk classification is derived from a combination of four risk components: the recognition of threats and the characteristics and capabilities of the threat source, the severity of a vulnerability, the likelihood of a successful attack when the effectiveness of controls is taken into account, and the impact on the organisation of a successful attack. Together, these indicate the level of risk associated with a threat. There are several ways to classify risk, and in practice each organisation will find its own way, giving weight to what it considers most important. The first method is an example from NIST Special Publication 800-30 Revision 1, a free and open document that you can find on the website of NIST, the United States National Institute of Standards and Technology. This publication is a guide for conducting risk assessments.
It contains an example table with several fields, such as threat source, relevance, likelihood, and impact. In the version of the document that I downloaded, this template was on page 89. It is not the one in the attached image, which is filled in, but it is the same concept. OCTAVE is an approach to risk assessment and rating based on three phases: the first is the creation of asset-based threat profiles; the second is the identification of infrastructure vulnerabilities; and the third is the development of security strategies and mitigation plans. The manual does not go into detail, but it is important to know that such an approach exists and what it is for. Finally, the risk map means placing the already-assessed risk in a matrix of magnitude and frequency to see where it sits in relation to the risk tolerance of the organisation.
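The semi-quantitative method described two paragraphs above and the risk map described here can be shown together in a small worked example. The following Python is an added illustration and is not code from the course or from ISACA: it assumes a 1..5 scale for likelihood and impact, assumes that the qualitative labels Low/Medium/High own fixed numeric ranges, assumes that existing controls reduce the likelihood score by a fraction, and assumes a risk appetite expressed as a maximum acceptable score. The scenarios and historical incident counts are constructed for the example.

```python
"""Semi-quantitative IT risk rating and a risk map (illustrative example only).

Assumptions (not from the course): likelihood and impact are scored 1..5,
qualitative bands own numeric ranges, controls remove a fraction of the
likelihood score, and risk appetite is a maximum acceptable score.
"""
from dataclasses import dataclass
from statistics import mean

# Assumed hybrid scale: each qualitative label maps to a numeric range.
SCORE_BANDS = {"Low": (1, 2), "Medium": (3, 3), "High": (4, 5)}

# Assumed rating thresholds on the product likelihood * impact (1..25).
LEVEL_THRESHOLDS = [(4, "Low"), (12, "Medium"), (25, "High")]


def band_for(score: int, bands: dict = SCORE_BANDS) -> str:
    """Return the qualitative label that owns a numeric score."""
    for label, (lo, hi) in bands.items():
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside the defined bands")


def level_for(score: int) -> str:
    """Map a combined score to the risk level used in the risk map."""
    for upper, label in LEVEL_THRESHOLDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} exceeds the matrix")


@dataclass
class Risk:
    scenario: str                 # risk scenario from the identification phase
    likelihood: int               # inherent likelihood, 1..5
    impact: int                   # impact on the business, 1..5
    control_effectiveness: float  # 0..1, fraction of likelihood removed by existing controls

    def residual_likelihood(self) -> int:
        """Likelihood after crediting controls already in place (never below 1)."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("scores must be between 1 and 5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control effectiveness must be between 0 and 1")
        return max(1, round(self.likelihood * (1 - self.control_effectiveness)))


def rate(risk: Risk) -> tuple[int, str]:
    """Semi-quantitative rating: numeric score plus the qualitative level it falls in."""
    score = risk.residual_likelihood() * risk.impact
    return score, level_for(score)


def risk_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Place each scenario in the (residual likelihood, impact) matrix cell."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in risks:
        cells.setdefault((r.residual_likelihood(), r.impact), []).append(r.scenario)
    return cells


def prioritise(risks: list[Risk], appetite: int) -> list[Risk]:
    """Risks whose score exceeds the appetite, highest first: these need a response."""
    above = [r for r in risks if rate(r)[0] > appetite]
    return sorted(above, key=lambda r: rate(r)[0], reverse=True)


# Quantitative side: approximate frequency from historical data, as the text suggests.
def annualized_rate(incidents_per_year: list[int]) -> float:
    """Mean number of occurrences per year over the recorded history."""
    if not incidents_per_year:
        raise ValueError("need at least one year of history")
    return mean(incidents_per_year)


def annualized_loss_expectancy(single_loss_expectancy: float, aro: float) -> float:
    """ALE = SLE * ARO, the usual monetary expression of a quantitative assessment."""
    return single_loss_expectancy * aro


if __name__ == "__main__":
    # Constructed scenarios for illustration.
    register = [
        Risk("Ransomware on file server", 4, 5, 0.5),
        Risk("Loss of backup tapes in transit", 2, 4, 0.0),
        Risk("Unpatched internet-facing web app", 5, 4, 0.2),
        Risk("Single administrator leaves", 3, 2, 0.0),
    ]
    for r in register:
        print(f"{r.scenario:40s} score={rate(r)[0]:2d} level={rate(r)[1]}")
    print("Above appetite:", [r.scenario for r in prioritise(register, appetite=12)])
    print("ALE for tape loss:", annualized_loss_expectancy(50_000, annualized_rate([2, 0, 4])))
```

Crediting existing controls against likelihood is the same step the text describes as considering control effectiveness when comparing the current and desired states; the cell lookup in `risk_map` is the risk map, and `prioritise` is the comparison against appetite that feeds the next phase.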
Well, we have completed the third module, IT risk assessment, where we understood how the impact of risks on business areas is assessed and how risks are categorised for the next phase of the risk management lifecycle, which is risk response and mitigation. We hope that each student is able to answer the questions asked at the start of the module and is clear about the reason for each answer.
The first question was to understand what had not yet been done during risk identification. We have seen that in the risk assessment phase we identify the existing controls and their effectiveness, the real probability and impact for the business, and the prioritisation of risk based on the level of risk identified and its relationship to the company's risk tolerance and appetite. The techniques listed are those cited by ISACA for assessing IT risk; most of them are well known and widely used in other contexts, such as management. Then we saw that the factors that affect the calculation of the risk assessment are the organisational structure and culture, the policies, standards, and procedures, the technology, the architecture, and the existing controls.
On the types of control, we have seen that they are preventive, deterrent, directive, detective, corrective, and compensating, and that a single control can play several roles and belong to more than one of these types. The next question was how to check the current state of security controls, which is an essential activity in order to assess the potential impact of a particular identified risk. We saw that there are various sources, such as audits, business continuity plans, disaster recovery plans, incident management, and enterprise architecture assessments. Then we saw which other sources of risk need to be evaluated: change in technology, change in business practice, and the management of projects and programmes. The last one is always treated specially, because all major changes to the company are implemented through projects, which makes them a constant source of new risks.
Next, we saw that IT risk assessment can be done in a number of ways, but the most common is a comparison between the current state and the desired state, supported by threat modelling, root-cause analysis, and gap analysis. It basically means knowing where we are and where we want to get to in terms of risk. What are the methodologies for risk assessment? We have seen that there are three forms: quantitative, qualitative, and semi-quantitative risk assessment, the last being a widely used hybrid method that we are even using in our template for the proposed activities. Finally, we understood how risk classification works: each company will use a method that makes sense for its business operation, depending on what it considers most important. We commented on three methods cited by ISACA. What really matters is having a method that is known and supported by all stakeholders within the organisation.
Well, that is the end of the third module, risk assessment. Next we go to module four of the training, risk response and mitigation, where we will understand in detail the process of selecting the best strategy to address each identified and assessed risk. In it we will cover all the factors that the risk response must consider: what the options for responding to risk are, what the main techniques for determining the best response are, and what the types of risk are. I hope you are having as much fun as I am, and I look forward to seeing everyone in module four. See you there!