CISA+Domain+2+Cyvitrix+ +updated+2024

This document outlines the Certified Information System Auditor (CISA) training provided by Cyvitrix, focusing on IT governance and management. It details the certification process, knowledge domains, and the importance of governance in aligning IT strategy with business objectives. Additionally, it emphasizes the significance of effective information security management and the role of policies and standards in ensuring compliance and performance measurement.


www.cyvitrix.com - ALL Rights are Reserved - Based on Latest CISA CRM v28
[email protected]

Cyvitrix.com

Certified Information
System Auditor Training
Domain 2 – Governance of IT
CYVITRIX - ALL RIGHTS RESERVED ©
124


About This Document

This document is the property of Cyvitrix.com GRC Training.
https://cyvitrix.com/the-grc-ultimate-bootcamp
The goal of making this document available is to assist our learners in following the course content and taking notes whenever needed.
If you have any queries, please reach out to us at
https://cyvitrix.com/contact-us


About This Training

Certified Information System Auditor - CISA
Information Systems Audit and Control Association® (ISACA)
Covers IS auditing
The training will give you everything you need and more
Certification Process
◦ Pass the exam: 150 questions in 4 hours
◦ Submit the application after the exam, have it attested, and pay the processing fee
◦ If you meet the criteria, you will be certified
Post Certification
◦ Meet Continuing Education requirements – 120 in total across a period of 3 years, minimum 20 per year
◦ Pay the annual maintenance fee (AMF)
◦ The certificate is valid for three years
ISACA membership can give you a discount on the AMF, materials, and exams

CISA Knowledge Domains 2024

Domain 1: IS Auditing Process (18%)
Domain 2: Governance and Management of IT (18%)
Domain 3: IS Acquisition, Development and Implementation (12%)
Domain 4: IS Operations and Business Resilience (26%)
Domain 5: Protection of Information Assets (26%)


About Domain 2
Domain 2 represents 17% of the questions on the CISA exam
(approximately 25 questions).
Content
1. IT Governance and corporate structure and responsibilities
2. IT Key frameworks and Enterprise Architecture and ways to assess maturity
3. IT Management
4. IT Management practices
5. Quality assurance


Governance and Management

What is Governance
Governance is a set of practices that sets the strategic direction of the organization.
Governance sets the goals that management must achieve.
Through governance, there should be a way for all stakeholders to provide input into decision-making processes, which leads to objective achievement and value creation.
Governance of any function aims to manage and use resources in support of stakeholders' interests.
Governance is the responsibility of the Board of Directors.
Leadership, structure, policies and standards, and monitoring are all elements of effective governance.

131

Do not copy/distribute/modify without


official permission 4
www.cyvitrix.com - ALL Rights are Reserved - Based on Latest CISA CRM v28
[email protected]

Governance vs Management

Governance
• Role of senior management and the board of directors
• Set the direction based on business requirements
• Set the overall business strategy
• Monitor and evaluate performance
• Set the strategy

Management
• Oversee the day-to-day operations
• Develop the plans which help to achieve the outcomes of the strategy
• Execute the plans, and provide feedback
• Ensure alignment with business requirements

Governance outcomes

Governance is the role of directors and senior management.
Accountability roles, responsibilities and authorities need to be defined.
Stakeholders provide input.
IT strategy should be developed on the basis of business strategy.


Benefits of Governance

IT Resource Management
• Track and monitor the IT inventory of all resources
• Manage risks related to IT

Performance Measurement
• Monitor IT resources and benchmark them against predefined indicators (generally accepted standards and peer benchmarking)
• Analyze monitoring results, and take actions to improve performance

Portfolio Management
• Decide to invest or not invest based on the strategic direction of the organization

Compliance Management
• Consider legal, contractual and regulatory requirements in processes

Service Management
• Align with business requirements; IT is the service provider, and the business is the consumer

Lack of Governance Leads to


Excessive cost and Budget overruns

Numerous suspended projects

High staff turnover and Inexperienced staff

Lack of adequate training

Frequent errors and Business interruption

Excessive backlog of user requests

Unsupported hardware/software purchases


Information Security

Information Security
A management function in any organization.
The goal is to safeguard information assets and to handle risk efficiently.
The goal of information security is to maintain the confidentiality, integrity, and availability of assets.
It helps organizations take advantage of opportunities while mitigating information risk.
Like any function, information security management should align with business requirements and strategy.
The security strategy should be developed based on the business strategy.
The security program should be developed to implement the strategy requirements.
Without senior management sponsorship, information security governance will not be effective:
Senior management states the business requirements; without their engagement, there is no alignment.
Without senior management sponsorship, no budget will be allocated and no support will be given.

137

Do not copy/distribute/modify without


official permission 7
www.cyvitrix.com - ALL Rights are Reserved - Based on Latest CISA CRM v28
[email protected]

Information and Cybersecurity

Information Security
• Secures all forms of data (physical or digital)
• Proposes new controls to ensure CIA from a high-level perspective
• Addresses digital and physical threats, whether internal or external

Cybersecurity
• Focuses on securing data in digital form
• Deploys security controls and keeps them running
• Focuses on digital threats, mostly external ones

Roles of Information Security

• Security governance
• Security policies development and guidance
• Security risk management
• Security awareness
• Security integration with IT/Business
• Vendor management
• Compliance management
• Incident management
• Business continuity management


Effective information security

Supports what the organization is trying to do
Keeps risk within acceptable levels
Tracks success and areas of improvement
Manages compliance requirements
Raises security awareness
Results in fewer interruptions due to security incidents

Outcomes of Governance of Information Security
Strategic alignment: Information security should support business strategy and organizational
outcomes.
Risk management: The information security program should include measures to manage and
mitigate risk. This will be discussed in more detail later.
Value delivery: Security investments should be optimized in support of business objectives.
Resource optimization: Information security knowledge and infrastructure should be used
efficiently and effectively.
Performance measurement: The information security program should monitor and report on
information security processes to ensure objectives are achieved.
Assurance process integration: The information security program should integrate all relevant
assurance factors to ensure that processes operate as intended from end to end.

141

Do not copy/distribute/modify without


official permission 9
www.cyvitrix.com - ALL Rights are Reserved - Based on Latest CISA CRM v28
[email protected]

SABSA
SABSA (Sherwood Applied Business Security Architecture) is a framework for developing risk-driven
enterprise security architectures.
SABSA adopts a risk-driven approach to security architecture, aligning security measures with the
organization's business objectives and risk tolerance. It emphasizes understanding and mitigating
business risks through adequate security measures.
SABSA strongly emphasizes understanding the business context and aligning security measures
with business goals and strategies. It aims to integrate security into the organization's overall
business architecture, ensuring that security supports and enables business objectives.
SABSA utilizes a layered architecture model comprising six layers: Contextual, Conceptual, Logical,
Physical, Component, and Operational. Each layer represents a different level of abstraction and
guides how security requirements and solutions can be designed and implemented.
SABSA emphasizes the importance of governance and assurance mechanisms to ensure the
effectiveness of security measures and ongoing alignment with business objectives.


SABSA (figure slide; diagram not reproduced in the text)


Different Perceptions (figure slide; diagram not reproduced in the text)

Enterprise Architecture (figure slide; diagram not reproduced in the text)


Enterprise Architecture (EA)


Enterprise Architecture (EA) aligns an organization's structure, processes, information, and
technology with its strategic goals.
Technology Architecture focuses on the design and organization of technology infrastructure,
systems, and applications.
Components of Technology Architecture include hardware, software, integration,
interoperability, and security.
Business Architecture focuses on understanding and defining the organization's business
strategy, goals, processes, and structure.
Components of Business Architecture include business strategy, processes, organizational
structure, and performance measurement.


Enterprise Architecture Models


Architecture models provide structured and visual representations of enterprise architecture.
Commonly used architecture models include the Zachman Framework, TOGAF ADM, Business
Model Canvas, and UML.
The Zachman Framework categorizes enterprise artifacts across six dimensions.
These dimensions are What, How, Where, Who, When, and Why. It helps organizations capture
and organize architectural artifacts and encourages multidimensional thinking.
The TOGAF ADM (Architecture Development Method) provides a step-by-step approach to
developing and managing enterprise architecture.
The Business Model Canvas helps describe, design, and analyze business models.
UML (Unified Modeling Language) is a standardized modeling language for visualizing and
designing software systems.


EA Summary & Objectives

• The main goal is to make the alignment happen
• Acquire the most effective technology that is compatible with the IT framework
• EA can be technology-driven or business-driven

Policies


Policies
Policies reflect management intention; each function in the organization should create them based on its situation.
They define acceptable behavior and speak in high-level, simple language tailored to most audiences.
They set the organization's tone to reflect management intention; the highest level of management should sign the document.
Each policy statement should state only one mandate, written in clear and straightforward language.
The policy document defines responsibilities and supports the goals stated in the strategy.
Policies need to be reviewed regularly (at least every year).
Policies should be communicated to the policy audience.
Exceptions to a policy statement should be approved by the original approver.
No control should be introduced until it is mandated by policy or regulation.


Policies
• Directly traceable to strategy elements
• Broad enough to not require regular revision but should be periodically reviewed
• Approved at the highest level
• Pave the way for effective implementation
Attributes of Good Policy
◦ Should capture the intent, expectations, and direction of management
◦ Should state only one general security mandate
◦ Must be clear and easily understood
◦ Includes just enough context to be useful
◦ Rarely number more than two dozen in total


Example of Policy Statement

“Password must be strong, and regularly changed”
The above statement is unlikely to change in the long term, but the policy should still be reviewed on a yearly basis.


Example of Policies
Human Resource Policy
IT Service Policy
Security Policy
Access Control Policy
Vendor management Policy
AUP (Acceptable Use Policy)
Code of Conduct Policy


Top-down approach
• Considers enterprise requirements
• Leads to more consistency
• Time consuming

Bottom-up approach
• Considers business unit requirements
• Could lead to inconsistency across a multinational organization
• Could miss some strategic objectives


Standards


Standards
Medium-level, “extra detailed and technical” document.
Defines requirements to ensure a common understanding and adherence to the policy.
Provides the basis for measurement.
A standard is subject to change when the situation changes (new requirements or regulation).
It may need to be reviewed more frequently than the policy.
Tells you what to configure/do/perform/follow, whereas the policy defines what is needed.
The baseline differs from the standard: the baseline defines the minimum requirements.


Standards
• Provide measurement for compliance
• Govern procedure and guideline creation
• Set security baselines
• Reflect acceptable risk and control objectives
• Act as criteria for evaluating acceptable risk
• Are unambiguous, consistent, and precise
• Are disseminated to those governed by them and those impacted


Example of a Standard

“Minimum password length is 8, contains upper and lower case and special characters, and must be changed every 60 days.”
The above statement is subject to change when new needs arise.
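As an added example (not part of the Cyvitrix slides), the Python below turns the standard quoted above into something measurable, which is what distinguishes a standard from the policy statement “strong and regularly changed”. The composition check runs at password-change time, and the rotation check runs over an extract of last-change dates, so the audit never needs a plaintext password. The `PasswordStandard` type, the function names, the sample candidates and the directory extract are my own constructions; the thresholds (length 8, upper, lower and special characters, 60 days) are the ones on the slide.

```python
"""Checking compliance with the password standard quoted on the slide.

Added example, not part of the Cyvitrix material. The thresholds are the ones
the slide states; the type, function names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")


@dataclass(frozen=True)
class PasswordStandard:
    """Measurable requirements; the policy only says 'strong, regularly changed'."""
    min_length: int
    require_upper: bool
    require_lower: bool
    require_special: bool
    max_age_days: int


# The standard on the slide: length 8, upper + lower + special, rotate every 60 days.
SLIDE_STANDARD = PasswordStandard(8, True, True, True, 60)


def composition_findings(candidate: str, std: PasswordStandard = SLIDE_STANDARD) -> list[str]:
    """Return the clauses of `std` that `candidate` fails (empty list = compliant).

    This runs at change time (step 3 of the change-password procedure), before
    the password is hashed, so plaintext is never stored or extracted for audit.
    """
    findings = []
    if len(candidate) < std.min_length:
        findings.append(f"length {len(candidate)} < minimum {std.min_length}")
    if std.require_upper and not any(c.isupper() for c in candidate):
        findings.append("no upper-case character")
    if std.require_lower and not any(c.islower() for c in candidate):
        findings.append("no lower-case character")
    if std.require_special and not any(c in SPECIAL_CHARS for c in candidate):
        findings.append("no special character")
    return findings


def rotation_overdue(last_changed: date, today: date, std: PasswordStandard = SLIDE_STANDARD) -> bool:
    """True when the password is older than the standard allows; exactly max_age_days is still compliant."""
    return (today - last_changed).days > std.max_age_days


# Constructed directory extract: (account, date of last password change). No secrets involved.
SAMPLE_EXTRACT = [
    ("alice", date(2024, 1, 10)),   # 65 days before AUDIT_DATE: overdue
    ("bob", date(2024, 3, 1)),      # 14 days: fine
    ("carol", date(2024, 1, 15)),   # exactly 60 days: still compliant
]
AUDIT_DATE = date(2024, 3, 15)


def audit_rotation(extract, today: date, std: PasswordStandard = SLIDE_STANDARD) -> list[str]:
    """Accounts whose last change is older than the standard allows, in extract order."""
    return [account for account, changed in extract if rotation_overdue(changed, today, std)]


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password", "Ab1!"):   # constructed candidates
        print(repr(pw), composition_findings(pw) or "compliant")
    print("rotation overdue on", AUDIT_DATE, ":", audit_rotation(SAMPLE_EXTRACT, AUDIT_DATE))
```

Because the requirements live in a `PasswordStandard` value rather than in the code, the same checker can be pointed at a baseline with fewer clauses (for example no special-character requirement) to show what the standard adds on top of the minimum.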


Standard Examples
Software Development Standards: These standards define the processes, tools, and techniques that should be used during software development. They ensure that software is developed efficiently, securely, and to a high quality.
Network Security Standards: These standards define the requirements for securing an organization's network infrastructure. They may include firewall requirements, intrusion detection and prevention systems, and other security controls.
Access Control Standards: These standards define the requirements for controlling access to an organization's systems and data. They may include requirements for authentication, authorization, and other access control mechanisms.


Third Party Standards


There are many security standards that organizations may choose to adopt to help ensure the security
of their information and systems.
Here are some examples:
ISO/IEC 27001 -> ISMS
NIST Cyber Security Framework
PCI-DSS
CIS Controls
FIPS 140-2
SANS Top 20 Critical Security Controls
CSA Cloud Controls Matrix


Baseline
A baseline is a minimum level of security that an organization sets for its systems, applications,
and infrastructure.
A baseline defines the minimum-security requirements that must be met by all systems,
applications, and infrastructure components to ensure a consistent level of security across the
organization.
For example, an organization may establish a baseline that includes basic security controls such
as antivirus software, firewalls, and regular updates and patches.
A security standard, on the other hand, may include additional controls such as intrusion
detection and prevention systems, data encryption, and access controls.


Summary

Policies: governance tools, the “Constitution”
Standards: management tools, the “Laws”
Controls: part of the security architecture, the “Enforcement”


Procedures and Guidelines


PROCEDURES
Low-level, step-by-step, detailed guide to follow in order to apply the standard.
Procedures implement the intent of the policy.
Subject to change entirely if the process changes.
If the way of doing the task changes, the procedure needs to be reviewed.
Compliance is mandatory.
Example of a Procedure
To change your password:

1. From your keyboard, press Control + Alt + Delete

2. Click Change password

3. Type a password that meets the standard in the first box

4. Repeat the same password in the second box

5. Press OK


GUIDELINES
Optional document that provides recommendations; compliance might not be mandatory.
Can be used without clear standards, as it provides insight into best practices.
Usually, it defines the best practices.
For example, the password should meet the following criteria, but you still can use an easy-to-guess password.
To achieve compliance within your organization, you need to understand cultural differences and mindsets regarding guidelines; some companies treat specific guidelines as operational standards (for example, the Center for Internet Security, CIS).


Clear desk policy
A clear desk policy is a set of rules and guidelines that require employees to keep their workspaces
clean, organized, and free of confidential or sensitive information when they are not present.
The policy aims to reduce the risk of sensitive information being lost, stolen, or accessed by
unauthorized individuals.
A clear desk policy typically includes the following requirements:
No confidential information should be left on desks or in open view.
All documents and files should be stored securely when not in use.
Computer screens should be locked or turned off when employees are away from their desks.
All removable media, such as USB drives, CDs, or DVDs, should be stored securely.
Desks and workspaces should be cleared at the end of each workday.
No food or drinks should be left on desks.


Acceptable use policy


An acceptable use policy (AUP) is a set of rules and guidelines that define what is and is not
acceptable behavior for employees when using an organization's computer systems, networks,
and other IT resources.
The purpose of an AUP is to ensure that employees use these resources responsibly and in a way
that protects the organization from security risks and legal liabilities.
Components of AUP Policy
◦ Scope
◦ Acceptable use and non-acceptable use
◦ Consequences
◦ Acknowledgement


Documents Maintenance


Review of Documents
Policies and standards should be reviewed on a regular basis, typically every one to three years,
depending on the nature of the policy or standard and the regulatory requirements that apply.
A review team should be established to conduct the review. The team should be composed of
individuals with relevant expertise and experience and should include representatives from key
stakeholder groups.
The review team should establish criteria for evaluating the effectiveness of the policy or
standard, including its relevance, accuracy, completeness, and clarity. The criteria should be
documented and communicated to relevant stakeholders.
The recommendations made by the review team should be reviewed and approved by the
appropriate stakeholders, such as senior management or the board of directors. The approval
process should be documented and communicated to relevant stakeholders.


Document Control & Version Control


Document control refers to the process of managing documents throughout their lifecycle, from
creation to distribution to storage and disposal.
Document control involves establishing policies and procedures for creating, reviewing,
approving, distributing, and archiving documents.
The goal of document control is to ensure that documents are accurate, complete, up-to-date,
and accessible to the people who need them.
Version control, on the other hand, specifically refers to the management of different versions of
a document or other type of information asset. Version control ensures that changes to a
document are tracked and that different versions of the document can be easily identified and
retrieved.


Types of documentations
• Policies and standards, which form the basis for information risk management.
• Procedures and guidelines are used for security awareness training and education.
• Risk analysis and recommendations determine risk treatment choices and controls.


PROPERTIES OF GOOD DOCUMENTATION
• Assigned owner
• Approved and communicated
• Reviewed periodically
• Well protected according to the classification label
• Large enterprises have a document management system, so the information security manager does not maintain custodianship of security documentation


Documents maintenance
• The ISO/IEC 27001 standard itself outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. Clause 7.5 specifically addresses the control of documents, including requirements for document approval, review, distribution, and changes.
• In NIST SP 800-53, control SA-5 (Information System Documentation) covers system documentation.
• Version control and document information are required.
• Changes in a higher-level document should trigger updates to the related lower-level documents, for example policies and standards.
• Approval, owner, and last update date need to be clearly mentioned.
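The following Python is an added example, not from the Cyvitrix material and not from ISO/IEC 27001 or NIST SP 800-53 themselves. It implements three requirements stated on the preceding slides: every document carries owner, approver, version and last-update date; each document is reviewed on its schedule (policies yearly, standards possibly more often); and a change to a higher-level document flags every lower-level document derived from it, transitively through the policy, standard and procedure hierarchy. The record layout, field names, review intervals and the sample register are constructed.

```python
"""Document-control checks over a policy / standard / procedure register.

Added example, not part of the Cyvitrix slides. Field names, intervals and the
sample register are constructed; the checks follow the slide's requirements.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ControlledDocument:
    doc_id: str
    title: str
    level: str                      # "policy", "standard" or "procedure"
    owner: Optional[str]
    approver: Optional[str]
    version: Optional[str]
    last_updated: Optional[date]
    review_interval_days: int       # policies: at least yearly; standards may need more frequent review
    parent: Optional[str] = None    # the higher-level document this one implements


# Document information the slide says must be clearly mentioned.
REQUIRED_FIELDS = ("owner", "approver", "version", "last_updated")


def metadata_gaps(doc: ControlledDocument) -> list[str]:
    """Required document-information fields that are missing on `doc`."""
    return [f for f in REQUIRED_FIELDS if getattr(doc, f) is None]


def review_overdue(doc: ControlledDocument, today: date) -> bool:
    """A document with no recorded update date is treated as overdue, not as unknown."""
    if doc.last_updated is None:
        return True
    return today - doc.last_updated > timedelta(days=doc.review_interval_days)


def overdue_reviews(register: dict, today: date) -> list[str]:
    """Sorted ids of every document whose periodic review is overdue as of `today`."""
    return sorted(d.doc_id for d in register.values() if review_overdue(d, today))


def impacted_by_change(register: dict, changed_id: str) -> set[str]:
    """Every document below `changed_id` in the hierarchy, which must be re-reviewed after the change."""
    impacted, frontier = set(), [changed_id]
    while frontier:
        current = frontier.pop()
        for doc in register.values():
            if doc.parent == current and doc.doc_id not in impacted:
                impacted.add(doc.doc_id)
                frontier.append(doc.doc_id)   # walk down to procedures under the standards
    return impacted


# Constructed sample register: one policy, two standards under it, one procedure under each standard.
SAMPLE_REGISTER = {d.doc_id: d for d in [
    ControlledDocument("POL-01", "Information Security Policy", "policy", "CISO", "CEO", "2.0", date(2023, 1, 15), 365),
    ControlledDocument("STD-01", "Password Standard", "standard", "IAM lead", "CISO", "1.3", date(2024, 2, 1), 180, "POL-01"),
    ControlledDocument("STD-02", "Access Control Standard", "standard", "IAM lead", "CISO", "1.1", date(2023, 11, 20), 180, "POL-01"),
    ControlledDocument("PRC-01", "Password Change Procedure", "procedure", "Service desk", "IAM lead", "1.0", date(2024, 2, 10), 180, "STD-01"),
    ControlledDocument("PRC-02", "Access Review Procedure", "procedure", None, "IAM lead", None, date(2024, 1, 5), 180, "STD-02"),
]}
AS_OF = date(2024, 3, 1)   # review date for the sample run


if __name__ == "__main__":
    for doc_id, doc in SAMPLE_REGISTER.items():
        gaps = metadata_gaps(doc)
        if gaps:
            print(doc_id, "missing:", ", ".join(gaps))
    print("overdue for review:", overdue_reviews(SAMPLE_REGISTER, AS_OF))
    print("POL-01 changed, re-review:", sorted(impacted_by_change(SAMPLE_REGISTER, "POL-01")))
```

On the sample register the policy is the only document past its review interval, the access review procedure is missing its owner and version, and a change to the policy flags both standards and both procedures, whereas a change to the password standard flags only the procedure beneath it.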


Laws, Acts and Regulations

• Some sectors and industries are regulated (such as banks, utilities, etc.)
• Regulations might cover financial, operational and IS audit functions.
• Compliance is mandatory to avoid losses due to fines.
• Differentiate between a standard and a regulation.


Regulations and Standards

The Sarbanes-Oxley Act - SOX Act (promotes disclosure + liability)
Basel Accord standard (risk management controls)
Gramm-Leach-Bliley Act (data protection + liability)
The Health Insurance Portability and Accountability Act - HIPAA (privacy of medical reports)

Regulations and Standards

Federal Information Security Management Act - FISMA (security controls standard)
General Data Protection Regulation – GDPR (data privacy)
PCI-DSS (card numbers and destruction)


Role of auditor
• Identify legal requirements, to assure business compliance, and document them.
• Review regulation-related procedures that support compliance, which can be used as a checklist.
• Review the organization's policies, procedures, and controls to ensure they meet legal and regulatory requirements.
• Provide guidance to management on legal and regulatory issues related to information systems. This may include helping to develop policies and procedures to ensure compliance with applicable laws and regulations.

Risk Management


The Reasonable Level of Security

When you apply security controls, each control comes with a footprint that might affect system usability.
Good security decreases the risk of a particular threat to an acceptable level without affecting system usability and functionality.
The existence of, and investment in, a security control needs to be justified, with assurance that it can decrease the level of a particular risk.
Controls need to be justified through the risk management process.


What is Risk
Risk is the effect of uncertainty on objectives.
Risk can be measured objectively or subjectively, depending on the asset whose related risks we are assessing.
Risks are tied to assets. In risk management, we try to assess the risk impact and probability, decide on a proper risk response to reduce the risk to an acceptable level, and monitor the risk.
Risk is a product of likelihood and impact.


RISK MANAGEMENT PROCESS (SIMPLIFIED)

Identify scope – context establishment
Identify assets: asset register, asset scoring
Risk assessment:
◦ Risk identification (TM, Sc., Int.)
◦ Risk analysis: likelihood, impact, existing controls, compensating controls
◦ Risk evaluation: appetite, tolerance (KRI)
Risk treatment: Accept, Avoid, Transfer, Mitigate (ATM); decided by senior management
Outputs: risk register, risk acceptance form
Ongoing activities: communication and consultation; risk monitoring & reporting; review

Risk Level and Types (figure slide; diagram not reproduced in the text)


Risk (Inherent and Residual)

The risk introduced by introducing a new function is called inherent risk.
Inherent risk is also known as gross risk.
After applying controls, the remaining risk is known as residual risk. Residual risk is also known as net risk.
A control is effective if the residual risk is in an acceptable range.
Risk is reviewed to ensure residual risk remains at an acceptable level.
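The Python below is an added example, not from the Cyvitrix slides, that carries the definitions from the "What is Risk" slide and this one through a small register: risk is scored as likelihood times impact, inherent (gross) risk is scored before controls and residual (net) risk after them, a control counts as effective when residual risk sits within the acceptable range, and the residual score is then evaluated against appetite and tolerance to decide whether a risk acceptance form or a treatment (avoid, transfer or mitigate) is needed, as in the simplified process diagram. The 1 to 5 rating scale, the appetite and tolerance thresholds, the decision labels and the sample entries are constructed; which treatment to choose is left to management, as the slides describe.

```python
"""Inherent vs residual risk on a 5x5 likelihood x impact scale, evaluated against appetite and tolerance.

Added example, not part of the Cyvitrix material. Scale, thresholds, labels and
sample entries are constructed; the scoring follows the slides' definitions.
"""
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 5


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    asset: str
    likelihood: int             # before controls, 1..5
    impact: int                 # before controls, 1..5
    residual_likelihood: int    # after existing and compensating controls
    residual_impact: int

    def __post_init__(self):
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(f"{self.risk_id}: {name}={value} outside {RATING_MIN}..{RATING_MAX}")
        # Controls can only reduce risk; a residual rating above the inherent one is a data-entry error.
        if self.residual_likelihood > self.likelihood or self.residual_impact > self.impact:
            raise ValueError(f"{self.risk_id}: residual rating exceeds inherent rating")


def entry_is_consistent(risk_id, asset, likelihood, impact, res_likelihood, res_impact) -> bool:
    """Exception-free validation, useful when bulk-importing a register from a spreadsheet."""
    try:
        RiskEntry(risk_id, asset, likelihood, impact, res_likelihood, res_impact)
        return True
    except ValueError:
        return False


def inherent_score(e: RiskEntry) -> int:
    """Gross risk: likelihood x impact before any control."""
    return e.likelihood * e.impact


def residual_score(e: RiskEntry) -> int:
    """Net risk: likelihood x impact after controls."""
    return e.residual_likelihood * e.residual_impact


def control_effective(e: RiskEntry, appetite: int) -> bool:
    """Slide definition: the control is effective if residual risk is within the acceptable range."""
    return residual_score(e) <= appetite


def evaluate(e: RiskEntry, appetite: int, tolerance: int) -> str:
    """Risk evaluation outcome that feeds the treatment decision.

    accept              : residual at or below appetite; monitor only
    accept_with_signoff : above appetite but within tolerance; needs a risk acceptance
                          form signed by senior management
    treat               : above tolerance; management must avoid, transfer or mitigate
                          (choosing among the three is a management decision, not computed here)
    """
    if appetite > tolerance:
        raise ValueError("appetite cannot exceed tolerance")
    score = residual_score(e)
    if score <= appetite:
        return "accept"
    if score <= tolerance:
        return "accept_with_signoff"
    return "treat"


def register_summary(entries, appetite: int, tolerance: int) -> dict:
    """risk_id -> (inherent, residual, evaluation) for the whole register."""
    return {e.risk_id: (inherent_score(e), residual_score(e), evaluate(e, appetite, tolerance))
            for e in entries}


# Constructed sample register; asset names and ratings are illustrative only.
APPETITE, TOLERANCE = 6, 12
SAMPLE_REGISTER = [
    RiskEntry("R1", "customer database", 5, 4, 2, 4),        # inherent 20, residual 8
    RiskEntry("R2", "payroll system", 3, 5, 3, 4),           # inherent 15, residual 12
    RiskEntry("R3", "internet-facing portal", 4, 5, 4, 4),   # inherent 20, residual 16
    RiskEntry("R4", "intranet wiki", 2, 2, 1, 2),            # inherent 4, residual 2
]

if __name__ == "__main__":
    for rid, (inherent, residual, decision) in register_summary(SAMPLE_REGISTER, APPETITE, TOLERANCE).items():
        print(f"{rid}: inherent={inherent:2d} residual={residual:2d} -> {decision}")
```

Note that R1 and R3 share the same inherent score but end up in different outcomes; it is the residual score that drives the evaluation, which is why the slide ties control effectiveness to residual rather than inherent risk.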


Risk Levels (figure slide; diagram not reproduced in the text)


Risk Management Frameworks (two figure slides; diagrams not reproduced in the text)


NIST SP 800-37 - RMF


The Risk Management Framework is a structured process for managing information security risks that
is designed to be flexible and scalable and can be applied to a wide range of information systems.
It consists of six steps:
1. Categorize the information system and the information processed, stored, and transmitted by the system based on an impact analysis.
2. Select appropriate security controls for the system based on the results of the categorization step and tailor the controls to meet the system's specific needs.
3. Implement the selected security controls within the system.
4. Assess the effectiveness of the implemented security controls.
5. Authorize the system to operate based on the results of the assessment.
6. Monitor the security controls on an ongoing basis and report any changes or issues to stakeholders.


Risk Identification


Risk identification (RI)


◦ The process of documenting any risks that could keep an organization or program
from reaching its objective.
◦ There are multiple ways to identify risk, including:
  ◦ Brainstorming
  ◦ Risk scenarios
  ◦ Threat modeling
  ◦ Feedback and questionnaires
◦ Risk identification is everyone's responsibility.
◦ Upon identification of a risk, the risk owner should be identified.
◦ Risk Owner: the individual ultimately accountable for ensuring the risk is managed
appropriately.

Risk Scenario
A group effort to brainstorm and develop different risk scenarios:
evaluate vulnerabilities against available and realistic threats, then
identify the corresponding risks.
Scenarios can be built either way:
◦ Top down -> start from the business goals when thinking about possible issues
◦ Bottom up -> start from hypothetical scenarios


Risk Analysis


Risk Analysis (RA)


Once the risks related to assets are identified and their impact and effect are understood,
risk analysis starts.
Analysis can be subjective (qualitative) or objective (quantitative).
The objective approach is not applicable in IT.
The objective approach requires historical information and is time consuming.
In the subjective approach, subjective terms are used as the output for risk levels, such as Low,
Medium, High and Very High.
Subjective risk-analysis results depend on the quality of the assessor.
Semi-quantitative analysis uses a mixture of objective and subjective methods.


Risk Analysis Steps


1. Identify Risk
2. Assess Impact
3. Assess Likelihood
4. Rank Risks
5. Consider Risk Interdependencies
6. Review and Refine


Cascading Risk
Cascading risk refers to the phenomenon where the failure or disruption in one system or sector
triggers a chain reaction of failures or disruptions in interconnected systems or sectors.
Cascading risk occurs due to the interdependencies and interconnectedness between various
systems, organizations, or sectors.
A disruption in one area can propagate and impact others.
The impact of cascading risk tends to amplify as failures cascade through interconnected
systems.
The initial failure can lead to secondary failures, creating a domino effect, potentially causing
widespread disruption or systemic collapse.


Objective Risk Analysis


Single loss expectancy (SLE)
Annual rate of occurrence (ARO)
Annual loss expectancy (ALE)
Value at Risk (VAR): "a measure that summarizes the potential financial loss an organization or investment
portfolio may face within a specified time frame, often expressed with a certain level of confidence."
◦ SLE = asset value * exposure factor (EF)
◦ ARO = number of times the incident occurred / number of years
◦ ALE = SLE * ARO
◦ VAR = ALE * confidence level
◦ The objective approach needs data such as the asset value, exposure
factor information and historical incident data.


Objective Approach Example


Let's consider a company that wants to assess the risk associated with a potential data breach in
its IT infrastructure using semi-quantitative risk analysis.
It gathers the following information:
SLE (Single Loss Expectancy): the estimated financial loss that would result from a single occurrence of the
risk event. For this example, let's assume the SLE for a data breach is $100,000.
ARO (Annualized Rate of Occurrence): the estimated frequency at which the risk event is expected to
occur within a year. Let's assume an ARO of 0.2, meaning a data breach is expected to happen once every
five years.
Using these parameters, the risk analysis results are:
◦ Annualized Loss Expectancy (ALE): $100,000 * 0.2 = $20,000 (expected financial loss per year due to data breaches)
◦ Value at Risk (VAR): to calculate VAR, multiply the ALE by the desired confidence level. Let's
assume a 95% confidence level. VAR = ALE * confidence level = $20,000 * 0.95 = $19,000.
◦ In this example the exposure factor was not given, but usually SLE is derived as asset value * EF;
for example, if the asset's total value is $1,000,000 and the exposure factor is 10%, then SLE =
1M * 0.1 = $100,000.
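The four formulas above carried through in code, together with the inherent-versus-residual check from the earlier slide (the control is effective only if the residual ALE sits within the acceptable range). This is an added example, not course material: the asset value, EF, ARO and 95% confidence are the slide's own figures, while the control's effect (one breach per 20 years) and the $10,000 tolerance are constructed assumptions.

```python
"""Objective (quantitative) risk analysis using the slide's formulas:
    SLE = asset value * exposure factor
    ARO = number of incidents / number of years
    ALE = SLE * ARO
    VAR = ALE * confidence level
Added example. Slide figures: $1,000,000 asset, EF 10 %, ARO 0.2, 95 % confidence.
Constructed assumptions: the control's effect and management's tolerance.
"""
from dataclasses import dataclass, replace


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss from one occurrence. EF is the fraction of the asset lost (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annual_rate_of_occurrence(incidents: int, years: float) -> float:
    """ARO: expected occurrences per year, derived from historical data."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    if incidents < 0:
        raise ValueError("incident count cannot be negative")
    return incidents / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year."""
    return round(sle * aro, 2)


def value_at_risk(ale: float, confidence: float) -> float:
    """VAR as the slides define it: the ALE scaled by the confidence level."""
    if not 0.0 < confidence <= 1.0:
        raise ValueError("confidence level must be a fraction in (0, 1]")
    return round(ale * confidence, 2)


@dataclass(frozen=True)
class Exposure:
    """The inputs the objective approach needs: asset value, EF and history."""
    asset_value: float
    exposure_factor: float
    incidents: int   # incidents observed over `years`
    years: float


def analyze(exp: Exposure, confidence: float) -> dict:
    """Run the four formulas and return every intermediate value."""
    sle = single_loss_expectancy(exp.asset_value, exp.exposure_factor)
    aro = annual_rate_of_occurrence(exp.incidents, exp.years)
    ale = annual_loss_expectancy(sle, aro)
    return {"SLE": sle, "ARO": aro, "ALE": ale, "VAR": value_at_risk(ale, confidence)}


def residual_within_tolerance(residual: Exposure, tolerance: float) -> bool:
    """Risk evaluation step: the residual (net) ALE after the control must not
    exceed the acceptable annual loss set by management."""
    sle = single_loss_expectancy(residual.asset_value, residual.exposure_factor)
    aro = annual_rate_of_occurrence(residual.incidents, residual.years)
    return annual_loss_expectancy(sle, aro) <= tolerance


# Slide figures: one breach per five years against a $1M asset with EF 10 %.
INHERENT = Exposure(asset_value=1_000_000, exposure_factor=0.10, incidents=1, years=5)
# Constructed assumption: a control that cuts expected breaches to one per 20 years.
RESIDUAL = replace(INHERENT, incidents=1, years=20)
TOLERANCE = 10_000.0   # constructed: management's acceptable annual loss
CONFIDENCE = 0.95

if __name__ == "__main__":
    for label, exp in (("inherent (gross)", INHERENT), ("residual (net)", RESIDUAL)):
        print(label, analyze(exp, CONFIDENCE))
    print("control effective:", residual_within_tolerance(RESIDUAL, TOLERANCE))
```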


Semi-Quantitative Approach
Semi-quantitative risk analysis combines qualitative and
quantitative techniques.
Risks are evaluated using qualitative scales or predefined
numerical ranges.
Expert knowledge and subjective assessments are used, which
may result in less precision and objectivity compared to fully
quantitative analysis.
Limited quantitative data, such as historical incidents or basic
probabilities, may be utilized, but complex mathematical
models are not heavily relied upon.
Semi-quantitative risk analysis aids in effective communication
by providing a structured framework and visual representation
of risk levels, enhancing stakeholder understanding.


Risk Evaluation & Response


Risk evaluation (RE)


The target of risk evaluation is to compare the identified risk level with the acceptable
risk level defined by management’s “risk appetite.”
It is not the assessor's decision which risk response method is followed, but a
recommendation can be justified based on the evaluation of the risk.
Each risk should be documented along with the results of the risk analysis and evaluation and the
corrective measures taken.
The risk assessment, evaluation and recommendation results should be submitted to
management, which takes the decision.


Risk Managing/response
Mitigation
• The risk is unacceptable; use security controls to reduce the risk level to an acceptable level.

Accept Risk / Risk retention, bearing, keeping
• The loss is within the acceptable range; taking certain risks is part of the business challenge to make revenue.

Risk Transfer / Risk Sharing
• Cascade the risk to another party through outsourcing or insurance, but this does not remove accountability or liability.
• Outsourcing is transfer, insurance is sharing, but usually there is no difference in daily use.

Risk Avoidance
• Remove the source of the risk by terminating the process the risk originates from, for non-business priorities.


Risk Reporting & Monitoring


Risk Reporting
Risk reporting should be tailored to its audiences.
Risks should be documented in the risk register.
Accepted risks should undergo a formal acceptance process through the related form, such
as the RAF (Risk Acceptance Form).
Each identified risk should have an identified owner.


Risk Register
It is a central repository for all risk-related information, and it provides a structured approach for
identifying, assessing, and managing risks.
The risk register is a living document that requires regular updates as new risks are identified, existing
risks evolve, and mitigation strategies are implemented or adjusted. It should be reviewed and updated
throughout the project or organizational lifecycle.
The risk register is a core component of risk management processes and integrates with other risk
management activities, such as risk assessment, analysis, and response planning. It serves as a
reference for decision-making, resource allocation, and communication related to risks.
The risk register facilitates collaboration and communication among stakeholders by providing a shared
understanding of risks and their management. It allows stakeholders to contribute to risk identification,
analysis, and response planning.
The risk register serves as a historical record of risks, their management, and outcomes. It supports
reporting to relevant stakeholders, regulatory compliance, and lessons learned for future projects or
initiatives.

Risk Register Components

• Risk Description: a brief description of the risk, including the potential impact and likelihood of occurrence.
• Risk Owner: the person or team responsible for managing the risk.
• Risk Category: the category or type of risk, such as financial, operational, or strategic.
• Risk Assessment: a qualitative or quantitative assessment of the risk, including the probability and impact of occurrence.
• Risk Mitigation Plan: the plan for reducing or eliminating the risk, including specific actions, timelines, and responsible parties.
• Risk Status: the current status of the risk, including whether it has been mitigated or is still open.
• Risk Reporting: the frequency and format of reports that will be used to communicate risk-related information to stakeholders.
• Risk Ranking: a ranking or scoring system that prioritizes risks based on their potential impact and likelihood of occurrence.


Risk Register Example


Risk Monitoring and Review


Risk monitoring is the process that tracks and evaluates the levels of risk in an
organization.
Risk monitoring should be a continuous process for treated and accepted risks alike.
Key Performance Indicators should be identified when a control is implemented, so that
the control's performance can be reviewed.
Key Risk Indicators should also be identified when a risk is treated, to set the
condition under which the risk is no longer properly managed.
KRIs are linked with KPIs: every KRI is a KPI, but not every KPI is suitable to be a KRI.


Key Risk Indicator


Key Risk Indicators


A Key Risk Indicator is a metric or indicator used to monitor and measure the
risk associated with a particular activity, process, or operation.
KRI is used to provide early warning signs of potential risks or problems, allowing
organizations to take proactive measures to prevent or mitigate adverse effects.
Key Risk Indicators are typically chosen based on their ability to provide insights
into specific risks' likelihood and potential impact. They are often selected based
on their relevance to the organization's operations, ability to provide actionable
information, and ease of measurement and interpretation.


KPI vs KRI

A KPI should possess some qualities, known as SMART:
• Specific
• Measurable
• Attainable
• Relevant
• Time bound

A KRI should possess some qualities:
• Measurable
• Accurate
• Relevant
• Sensitive


KRI Basis of Selection

• Relevance: KRIs should be aligned with the organization's goals, risk appetite, and tolerance levels, providing insights into the most significant risks.
• Measurability: KRIs should be measurable using reliable data sources, allowing for easy collection and reporting to provide an accurate representation of risk levels.
• Sensitivity: KRIs should be sensitive to changes in risk, enabling the detection of shifts in the organization's risk profile and serving as early warning signs.
• Predictiveness: KRIs should be predictive, providing insight into the likelihood and potential impact of risks, enabling proactive measures to prevent or mitigate adverse effects.


KRI Basis of Selection

• Actionability: KRIs should provide information that can be used to inform risk management decisions and trigger appropriate actions or risk mitigation plans.
• Timeliness: KRIs should provide information in a timely manner, using up-to-date data collected regularly to ensure the relevance and currency of risk information.
• Understandability: KRIs should be presented in a clear and concise format that is easily understood and interpreted by relevant stakeholders, facilitating informed decision-making.
• Auditability: KRIs should be based on traceable, verifiable, and auditable data, ensuring their reliability and accuracy for compliance purposes and demonstrating adherence to regulatory requirements or contractual obligations.


Examples of KRI
The number of cybersecurity incidents or breaches is a common KRI for organizations to track. This could
include measures such as the number of attempted attacks, the number of successful attacks, or the
number of data breaches.
KRIs can also be used to track compliance with regulations or internal policies. For example, an
organization may track the number of compliance violations, the severity of those violations, or the
number of fines or penalties incurred.
KRIs can also be used to track operational metrics such as the number of customer complaints, the rate
of product defects, or the number of supply chain disruptions.
Every KRI is originally a KPI, but not every KPI can serve as a KRI.
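A small risk register built from the components listed on the Risk Register Components slide, ranked by likelihood x impact, with each entry's KRI checked against a threshold to give the early warning the KRI slides describe and a check that accepted risks went through the formal acceptance form. This is an added example, not course material; every risk, owner, threshold, metric value and the "RAF-0007" form reference is constructed.

```python
"""Risk register with ranking and KRI monitoring. Added example; all entries,
owners, thresholds and KRI values are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

# Qualitative scale from the risk-analysis slides (Low, Medium, High, Very High).
LEVELS = {"low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass
class KRI:
    name: str
    kind: str              # "leading" (early warning) or "lagging" (outcome)
    threshold: float       # value at which the risk is no longer properly managed
    history: List[float] = field(default_factory=list)  # oldest first

    def status(self) -> str:
        """breached: threshold reached; rising: three consecutive increases."""
        if not self.history:
            return "no data"
        if self.history[-1] >= self.threshold:
            return "breached"
        recent = self.history[-3:]
        if len(recent) == 3 and recent[0] < recent[1] < recent[2]:
            return "rising"
        return "normal"


@dataclass
class RiskEntry:
    description: str
    owner: str               # accountable for managing the risk
    category: str            # financial, operational, strategic, ...
    likelihood: str          # assessment: a LEVELS key
    impact: str              # assessment: a LEVELS key
    mitigation_plan: str
    status: str              # "open", "mitigated" or "accepted"
    reporting: str           # audience and frequency of reports
    kri: Optional[KRI] = None
    acceptance_form: Optional[str] = None  # RAF reference for accepted risks

    def score(self) -> int:
        """Ranking value: likelihood x impact on the 1..4 scale (max 16)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def rank(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest score first; ties keep register order."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def needs_escalation(register: List[RiskEntry]) -> List[RiskEntry]:
    """Entries whose KRI is breached or trending up. Accepted and mitigated
    risks are included: monitoring continues after treatment."""
    return [r for r in register if r.kri and r.kri.status() in ("breached", "rising")]


def accepted_without_form(register: List[RiskEntry]) -> List[RiskEntry]:
    """Accepted risks that skipped the formal acceptance (RAF) step."""
    return [r for r in register if r.status == "accepted" and not r.acceptance_form]


# Constructed register; "RAF-0007" is a placeholder form reference.
REGISTER = [
    RiskEntry("Unpatched internet-facing web server", "IT operations lead",
              "operational", "high", "very high",
              "Monthly patch cycle plus a WAF in front of the server", "open",
              "Monthly to the CISO, quarterly to the risk committee",
              kri=KRI("critical vulnerabilities open > 30 days", "leading", 10,
                      history=[4, 7, 9])),
    RiskEntry("Loss of a key supplier", "Procurement manager", "strategic",
              "medium", "high", "Qualify a second supplier", "accepted",
              "Quarterly to the risk committee",
              kri=KRI("supply chain disruptions per quarter", "lagging", 2,
                      history=[0, 1, 2]),
              acceptance_form="RAF-0007"),
    RiskEntry("Payroll data disclosure", "HR director", "financial",
              "low", "very high", "Encrypt payroll exports", "accepted",
              "Annually to the audit committee"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(r.score(), r.description, "- owner:", r.owner)
    print("escalate:", [r.description for r in needs_escalation(REGISTER)])
    print("missing RAF:", [r.description for r in accepted_without_form(REGISTER)])
```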


KRI Types
Leading KRIs
◦ Forward-looking indicators that provide early warning signs of potential risks or problems.
◦ Used to predict future outcomes based on current trends or patterns.
◦ Used to monitor risk drivers and to identify potential risks before they materialize.
◦ Examples include customer complaints, employee turnover rate, and number of near-misses in workplace
safety incidents.

Lagging KRIs
◦ Backward-looking indicators that measure the actual results or outcomes of past events or activities. Used to
evaluate the effectiveness of risk management strategies and to identify areas for improvement.
◦ Used to measure the impact of risks that have already occurred.
◦ Examples include financial losses due to fraud, and number of customer complaints that have already been
resolved.


Security Controls


Security Controls?
Help in minimizing security risks to assets.
Technical and nontechnical methods.
The cost of control and amount of investment should be relative to the value
of the asset.
Security investment cannot be linked to ROI (Return on Investment), but
there is ROSI (Return on Security investment)
Controls can be categorized in terms of function into four types (Preventive,
Detective, Deterrent, and Corrective)


Controls Classification
Class / Function

Preventive
• Detect problems before they arise.
• Monitor both operation and inputs.
• Attempt to predict potential problems before they occur and make adjustments.
• Prevent an error, omission, or malicious act from occurring.

Detective
• Detect and report the occurrence of an error, omission, or malicious act.

Corrective
• Minimize the impact of a threat.
• Remedy problems discovered by detective controls.
• Correct errors arising from a problem.

Deterrent
• Reduce the likelihood of the violation.


Before, During & After

Before
• Deterrent controls (prevent the incident by reducing likelihood) – CCTV, warning banner.

During
• Detective controls (discover the attack, provide warning, trigger response) – SIEM / logging.
• Preventive controls (prevent the incident by protecting the vulnerability) – IPS, access controls.

After
• Corrective controls (limit the damage, recover) – tape backup, BCP. AKA recovery controls.


Security Controls In Action

[Figure: an adversary uses a threat to initiate an attack, the attack exploits a flaw in an asset, and the asset's compromise causes impact. Deterrent controls reduce the likelihood of the attack; detective controls detect it and trigger a response; preventive controls protect the flaw; corrective controls decrease the impact (prevent or limit it).]


Summary
Security controls are safeguards used to protect assets and minimize security risks.
Security controls can be categorized based on their function: preventive, detective, or corrective.
◦ Preventive controls aim to prevent attacks or problems from occurring, and some can also detect and prevent
attacks.
◦ Detective controls focus on detecting attacks or malicious activities.
◦ Corrective controls are implemented after an attack to minimize the impact and restore systems or services.
◦ Deterrent controls are used to reduce the likelihood of an attack by discouraging potential attackers.

Security controls can be used before, during, or after an attack, depending on their purpose and
effectiveness.
The cost of security controls should be considered relative to the value of the asset, and a cost-
benefit analysis should be performed.
Return on security investment can include benefits such as customer retention and gaining a
competitive advantage.


IT General (ITG) Controls and Control Examples


ITG - Information Technology General Controls
Information Technology General Controls (ITGC) are the foundational
controls that ensure the reliability and integrity of information
systems.
They support the effective functioning of application controls within
a given IT environment.
These controls are essential for maintaining the security, accuracy,
and reliability of data within an organization's IT systems.
They mitigate risks associated with IT systems and processes.


Detective Controls
SIEM (Security Information and Event Management) solutions: These systems collect and analyze security-
related data from various sources in real-time, helping to identify and respond to potential threats.
Intrusion detection systems (IDS): These systems monitor network or system activities for malicious
activities or policy violations and generate alerts when such activities are detected.
Vulnerability scanners: Tools that scan systems and networks to identify security weaknesses that could be
exploited by attackers.
Audits: Formal reviews and examinations of an organization’s systems, processes, and controls to ensure
compliance with security policies and regulations.
Security reviews: Regular evaluations of security policies, procedures, and controls to ensure they are
effective and up-to-date.
Motion sensors: Devices that detect physical movement within a specified area, often used to detect
unauthorized physical access.
Video cameras: Surveillance equipment used to monitor and record activities within or around a facility,
helping to detect and investigate security incidents.


Deterrent Controls
Login banners: Messages displayed on login screens that inform users of security policies and
potential penalties for unauthorized access, discouraging unauthorized attempts.
Monitoring tools: Software or systems that continuously observe network or system activities to
detect and alert on suspicious behavior.
Security awareness programs: Training and educational initiatives designed to inform employees
about security risks and best practices, reducing the likelihood of human error.
Fences: Physical barriers that restrict unauthorized access to a facility, acting as a visible
deterrent to potential intruders.
Warning banners: Signs or notifications that alert individuals to the presence of security
measures, such as surveillance cameras or alarm systems, to discourage unauthorized actions.


Preventive Controls
Firewalls: Hardware or software systems that monitor and control incoming and outgoing
network traffic based on predetermined security rules, preventing unauthorized access.
Antivirus software: Programs designed to detect, prevent, and remove malware, protecting
systems from infections.
EDR (Endpoint Detection and Response) solutions: Advanced tools that continuously monitor
end-user devices to detect and respond to cyber threats in real-time.
Quality assurance processes: Procedures that ensure security measures are integrated into the
development and deployment of systems and applications, preventing vulnerabilities from being
introduced.


Do not copy/distribute/modify without


official permission 51
www.cyvitrix.com - ALL Rights are Reserved - Based on Latest CISA CRM v28
[email protected]

Corrective Controls
Backup and recovery solutions: Systems and processes for regularly backing up data and
restoring it in the event of data loss or corruption, ensuring business continuity.
Network isolation: Techniques for segmenting networks to limit the spread of an attack and
contain damage, helping to prevent the escalation of security incidents.
Incident response plans: Detailed strategies and procedures for identifying, managing, and
mitigating security incidents, reducing their impact and facilitating quick recovery.
Fire suppression systems: Equipment and processes designed to detect and extinguish fires,
protecting physical assets and minimizing damage from fire-related incidents.


Examples for Controls

Detective
• Technical: SIEM solution; intrusion detection; vulnerability scanners
• Administrative/Managerial: audit; security review; mandatory leaves; quality control
• Physical: motion sensors; laser beam; video cameras; smoke detectors; security alarm system

Deterrent
• Technical: system login banner; monitoring tools
• Administrative/Managerial: security awareness; policies and standards; exit interview; non-disclosure agreement
• Physical: fences; security cameras; warning banners

Preventive
• Technical: firewalls; antivirus; endpoint detection and response (EDR); XDR; email gateway; IDPS and WAF
• Administrative/Managerial: change management; quality assurance; segregation of duties; job rotation; security awareness training; safety training
• Physical: fences; security gates; man-trap for entry doors; fire suppression system

Corrective
• Technical: backup and recovery; network isolation
• Administrative/Managerial: incident response plan; disaster recovery plan
• Physical: fire suppression; segmentation


The Strong Security Controls


A strong security system should consider all forms of controls
covering all functions.
Preventive controls should include:
◦ Technological/technical controls (e.g., system monitoring)
◦ technological and logical controls often refer to the same concept.
◦ Administrative controls (e.g., disciplinary actions against violators)
◦ Physical controls (e.g., enforced physical security)
Not all controls can be purely technical.
Physical security is crucial; without it, technological security
controls are ineffective since physical theft can compromise
security.

Control Objective
Compensating Controls
Countermeasures


Requirements
Dictate what needs to be achieved to ensure security, functionality, and
compliance.
They guide the design and implementation of controls.


Control Objectives
Control objective is the expected result to be achieved by implementing controls.
The role of control is to address risks and help deal with them.
Performance Indicators (PIs) should be defined during the control design and
control performance should be continuously monitored using the performance
indicators to assess control performance.


Key Control Indicator (KCI)


Key Control Indicators (KCIs) are metrics or measures that provide insight into the
effectiveness and performance of critical controls within an organization's risk
management and internal control framework.
KCI helps management and stakeholders monitor the status of critical controls
and assess whether they are operating as intended to mitigate risks.
Key Performance Indicators (KPIs) are measurable metrics that gauge the
performance of an organization, department, or process in achieving its goals.
KPIs provide a more comprehensive view of overall organizational performance,
considering various key aspects beyond internal controls


Compensating Control
Compensating control is employed when the utilization of a preventive control is not
feasible for any reason. For instance, if regulations prohibit the use of a specific
control, alternative measures are sought to achieve the intended security benefits.
Examples
While best practices dictate against using shared accounts, certain systems may lack
the ability to create named accounts. In such cases, compensating controls, such as
additional monitoring or access restrictions, are implemented to mitigate associated
risks.
This could involve password security, where the password is split in half. To perform
an action, two individuals must present their respective halves of the password,
enhancing security through a dual-authentication process.


Countermeasures
• Designed to counter a specific issue that is already there.
• Reactive by nature.
• The goal is to reduce the impact.


Defence in Depth


Defence in Depth
Defence in depth is a comprehensive security strategy that involves
using multiple layers of security controls to protect an organization's
critical resources.
By using multiple layers of security, organizations can improve their
overall security posture and reduce the risk of a successful attack.
It is essential to note that defence in depth is not a fool-proof
strategy and that no security measure can provide 100% protection
against all threats. Therefore, organizations need to
continuously evaluate and improve their security measures to stay
ahead of evolving threats.


DID Strategy Components


1. Prevention Layer
2. Containment Layer
3. Detection Layer
4. Reaction Layer
5. Forensics
6. Recovery


Layers Examples
Physical Security: Locks, guards, and surveillance.
Network Security: Firewalls, intrusion detection systems, and secure access
controls.
Endpoint Security: Antivirus software, patch management, and secure
configurations.
Application Security: Secure coding practices, application firewalls, and
regular security testing.
Data Security: Encryption, access controls, and data loss prevention.
User Security: Training, awareness programs, and multi-factor authentication.
Policy and Procedures: Security policies, incident response plans, and
compliance.


Example for Layered Defences


Physical security
◦ Locks, fences, security cameras, and access control systems can control access to physical spaces where
critical resources are located.

Network Perimeter security


◦ Firewalls and intrusion detection systems can protect systems within the network perimeter and
prevent unauthorized access from the outside.

Internal Network Security


◦ Encryption for data in transit, Network Admission Control (NAC), and access control lists (ACLs) can
protect data in transit and control access to network resources.

Host Security
◦ Antivirus software, operating system patches, and intrusion prevention systems can be used to protect
individual systems from attack.


Example for Layered Defences


Application Security
◦ Secure coding practices, input validation, and access control can be used to protect web applications
and other software from attack.

Data Security
◦ Data encryption for data at rest and use of digital rights management.

User education
◦ Help improve the organization's security posture by helping users recognize and avoid potential security
threats, such as phishing attacks or social engineering.


Best Practices for Controls Implementation


Best practices for developing and implementing effective security controls
Conduct a risk assessment
◦ Before implementing security controls, it is important to conduct a risk assessment to identify potential security
risks and threats to the organization.
◦ This will help to ensure that the security controls are designed to address the specific risks and threats that are
relevant to the organization.

Develop a comprehensive security policy


◦ A comprehensive security policy should outline the organization's approach to managing information security,
including its goals, objectives, and the specific security controls that will be implemented.

Implement a layered approach to security


◦ A layered approach to security involves implementing multiple layers of security controls, such as access
controls, encryption, and monitoring, to provide defense in depth against potential threats.


Best practices for developing and implementing effective security controls:
Regularly monitor and review security controls
◦ Security controls should be regularly monitored and reviewed to address the organization's security risks and threats effectively. This may involve conducting regular security assessments, penetration testing, and vulnerability scanning.

Ensure compliance with relevant laws and regulations
◦ Security controls should be designed to meet relevant laws, regulations, and industry standards for information security, such as the GDPR, HIPAA, or ISO 27001.

Provide security awareness training
◦ Employees should be provided with regular security awareness training to ensure that they understand the importance of security and know the specific security policies, procedures, and controls in place.


Best practices for developing and implementing effective security controls:
Regularly test and update security controls
◦ Security controls should be regularly tested and updated to address the organization's security risks and threats effectively.
◦ This may involve conducting regular penetration testing, vulnerability scanning, security assessments, and updating security controls to address new or emerging threats.

Plan for continuity and what-if scenarios
◦ Plan for control failure so that you are prepared and ready, for example by having a well-prepared and tested incident response plan.


Management of IT


The IT Function Structure

CIO/IT Director
◦ Application Department: Development, Production, QA&QC
◦ Security Operations: Network Security, Application Security, Access Management, Monitoring
◦ Vendor Management
◦ IT Operations: Linux/Microsoft, Database, Backup
◦ IT Project Management

ITIL framework for service management

Service Strategy
• Service Portfolio Management
• Financial Management for IT Services
• Business Relationship Management

Service Design
• Service Catalog Management
• Service Level Management
• Capacity Management
• Availability Management
• IT Service Continuity Management
• Information Security Management
• Supplier Management

Service Transition
• Change Management
• Service Asset and Configuration Management
• Release and Deployment Management
• Knowledge Management

Service Operation
• Event Management
• Incident Management
• Problem Management
• Request Fulfillment
• Access Management

Continual Service Improvement
• Service Measurement
• Service Reporting
• Service Improvement

IT Management functions

Human Resource Management, Financial & Vendor Management, Physical Security

Workforce management, Employment Lifecycle, Monitoring expenditure, Asset Management, Portfolio Management, Performance Management, Service Delivery


Personnel Security


What is Personnel Security?
It protects an organization's information assets by ensuring that employees, contractors, and third-party service providers are trustworthy and have appropriate access privileges.
Personnel security is concerned with the people who access the organization's information rather than with the technology or systems that store or transmit that information.
Personnel security requires collaboration between the security function and the human resources function in the organization.


Personnel Security Measures

Background checks
Organizations may conduct background checks on employees, contractors, and third-party service providers to verify their identity, employment history, criminal history, and other relevant information. Background checks can also be used for vendor screening.
Checks can be international, local, or state-level.
They can take multiple approaches, such as:
◦ Criminal history
◦ Employment history
◦ Education verification
◦ Credit history
◦ Reference checks (personal or professional)
◦ License verification
◦ Social media screening
◦ Drug screening
Background checks must comply with relevant laws and regulations, such as the Fair Credit Reporting Act (FCRA) in the United States, which regulates the collection, use, and disclosure of consumer information by consumer reporting agencies; the applicant's consent is also needed before conducting such activity.


Personnel Security Measures

Onboarding Checklist
An onboarding checklist for security can help organizations ensure that new employees know their security responsibilities and have the necessary knowledge and tools to protect information assets.
An example checklist:
1. Sign the contract, the NDA, and other contractual requirements
2. Acknowledge the code of ethics
3. Acknowledge the security, privacy, and data classification policies and the AUP
4. Attend security awareness training
5. Get a username, change the initial password to a secure one, and get a badge or access card


Personnel Security Measures

Training and Awareness
Organizations may provide training and awareness programs to employees, contractors, and third-party service providers to ensure they understand the importance of information security and their responsibilities for protecting organizational assets.
Training is mandatory before accessing data and assets, as part of the onboarding process.
Training is not a one-time activity; it should be repeated as risks and threats evolve.
Cross-training is common in many organizations. Still, some functions should not be cross-trained, because a single individual would then know too much about the system (this concerns job training, not awareness training).
The organization should maintain a skills inventory to identify training needs.


Personnel Security Measures

Separation of duties
Organizations may implement separation of duties to ensure that no single individual has too much control over information assets. This can help prevent fraud, errors, and other types of abuse.
Examples of functions that require SoD:
◦ Creation of purchase orders: One employee is responsible for creating purchase orders in the financial system. This employee is not authorized to approve payments.
◦ Approval of purchase orders: A different employee is responsible for approving purchase orders in the financial system. This employee is not authorized to create payments.
◦ Creation of payments: A third employee is responsible for creating payments in the financial system. This employee is not authorized to approve purchase orders.
◦ Approval of payments: A fourth employee is responsible for approving payments in the financial system. This employee is not authorized to create purchase orders.


Personnel Security Measures


Mandatory Vacation
Mandatory vacations, also known as compulsory vacations or forced vacations, are a human resources
policy that requires employees to take a specified amount of time off from work.
Mandatory vacations reduce the risk of fraud, errors, or other security incidents when employees have
too much control over a process or system.
During the mandatory vacation, the employee is typically prohibited from accessing work-related systems
or performing work-related tasks.
Mandatory vacation policies must comply with relevant labor laws and regulations and not discriminate
against employees based on protected characteristics such as race, gender, or age.
Mandatory vacation policies must be communicated clearly to employees and applied consistently and
fairly across the organization.
Very common in the Banking sector.


Personnel Security Measures


Job Rotation
Job rotation is a human resources practice that involves moving employees through different
organizational positions.
Job rotation typically involves moving an employee to a different department or role within the
organization for a specified period, such as six months to a year. The employee may be assigned to a
position different from their current role or move to a similar role in a different department or location.
Job rotation has several benefits, including skill development, engagement, and exposure; it also helps prevent fraud and collusion.
Collusion involves two or more individuals or groups working together to commit a security breach. For
example, two employees may collude to steal sensitive data, or an employee and an external attacker
may collude to gain unauthorized access to a system.


Personnel Security Measures


Non-Disclosure Agreement
A non-disclosure agreement (NDA), or a confidentiality agreement, is a legal contract between two or
more parties that outlines confidential information that the parties will share for a specific purpose and
requires them to keep that information confidential and not disclose it to third parties.
An NDA can be used in various situations, such as when a company shares confidential information with a
potential partner or investor or when an employee is given access to sensitive company information. An
NDA can help protect the organization's intellectual property and trade secrets and can also help maintain
the confidentiality of sensitive customer or employee information.
One of the reasons for the exit interview is to remind the employee of the NDAs signed before with the
organization.


Personnel Security Measures

Internal Transfer
Revoke all existing permissions and have the employee request the permissions for the new role from the beginning.
The goal is to eliminate privilege (permission) creep.
As a best practice, access control solutions should apply role-based access control.
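The following is an added example, not part of the Cyvitrix course material, that turns the purchase-order separation-of-duties rules from the earlier slide and the internal-transfer rule on this slide into a check an auditor could run over role assignments. The users, roles and role-to-function mapping are constructed, and the two maker/checker pairs on the same object are an assumed extension of the slide's explicit cross-function rules.

```python
"""Separation-of-duties (SoD) check for the purchase-to-pay functions, plus the
"revoke all, then re-request" rule for internal transfers.

Added example; user/role data below is constructed sample data."""
from itertools import combinations

# The four functions named on the SoD slide.
CREATE_PO, APPROVE_PO, CREATE_PAYMENT, APPROVE_PAYMENT = (
    "create_po", "approve_po", "create_payment", "approve_payment")

# Pairs that must never be held by one person. The first two are the slide's
# explicit rules; the last two (create and approve the same object) are an
# assumed extension that an SoD matrix would normally also contain.
CONFLICTS = {
    frozenset({CREATE_PO, APPROVE_PAYMENT}),
    frozenset({APPROVE_PO, CREATE_PAYMENT}),
    frozenset({CREATE_PO, APPROVE_PO}),            # assumption
    frozenset({CREATE_PAYMENT, APPROVE_PAYMENT}),  # assumption
}

# Role -> functions (role-based access control, as the transfer slide recommends).
ROLE_FUNCTIONS = {
    "buyer": {CREATE_PO},
    "purchasing_manager": {APPROVE_PO},
    "ap_clerk": {CREATE_PAYMENT},
    "ap_manager": {APPROVE_PAYMENT},
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Return {user: [(function_a, function_b), ...]} for every user whose
    effective functions contain a pair the SoD matrix says must be separated."""
    report = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        bad = [pair for pair in combinations(sorted(funcs), 2)
               if frozenset(pair) in conflicts]
        if bad:
            report[user] = bad
    return report


def transfer_user(user_roles, user, new_roles, revoke_old=True):
    """Model an internal transfer. With revoke_old=True (the slide's rule) the
    user keeps only the new roles; with False the old roles accumulate, which
    is exactly the privilege creep the slide warns about."""
    updated = {u: set(r) for u, r in user_roles.items()}
    current = updated.get(user, set())
    updated[user] = set(new_roles) if revoke_old else current | set(new_roles)
    return updated


# Constructed starting state: four people, one function each, no conflicts.
USERS = {
    "alice": {"buyer"},
    "bob": {"purchasing_manager"},
    "carol": {"ap_clerk"},
    "dave": {"ap_manager"},
}

if __name__ == "__main__":
    print("baseline:", sod_violations(USERS))
    # Alice moves from purchasing to accounts payable without revocation:
    creep = transfer_user(USERS, "alice", {"ap_manager"}, revoke_old=False)
    print("privilege creep:", sod_violations(creep))
    # Same transfer done the way the slide prescribes:
    clean = transfer_user(USERS, "alice", {"ap_manager"}, revoke_old=True)
    print("revoke-and-rerequest:", sod_violations(clean))
```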


Personnel Security Measures


Termination Procedures
Organizations may have procedures to ensure that employees, contractors, and third-party service
providers can no longer access information assets when their employment or contract ends.
This can include revoking access privileges, returning company equipment, and ensuring confidential
information is returned or deleted.
An exit interview is a meeting between the employee and their manager or HR representative to discuss
the reason for termination, the employee's experience with the organization, and any feedback or
suggestions they may have about the organization. The information gathered during exit interviews can
improve the organization's policies and practices; it is also an excellent opportunity to remind the
employees of previous NDAs in such meetings.
An NDA does not end when employment ends.


Outsourcing


Benefits of Outsourcing
Outsourcing is the practice of contracting or delegating certain business functions, processes, or
tasks to external third-party organizations or individuals.
Instead of handling these activities in-house, companies transfer the responsibility and
operation of specific functions to external entities.
The outsourcing arrangement typically involves hiring a specialized service provider or vendor
that has expertise in the particular area being outsourced.
This allows the company to leverage the provider's skills, resources, and economies of scale to
improve operational efficiency, reduce costs, and focus on core business activities.
The decision to outsource should be based on a careful analysis of the specific requirements,
cost-benefit considerations, and the potential impact on the organization's overall operations
and strategic objectives.


Benefits of Outsourcing

Cost Savings
• By outsourcing certain functions, companies can reduce operational costs associated with hiring and training in-house staff, maintaining infrastructure, and managing overhead expenses.

Access to Expertise
• Outsourcing allows companies to tap into the specialized skills and knowledge of external service providers who have experience and expertise in specific areas.

Focus on Core Competencies
• Outsourcing non-core activities enables companies to concentrate their resources and efforts on their core business functions, strategic initiatives, and value-added activities.

Scalability and Flexibility
• Outsourcing provides the ability to scale operations up or down quickly based on business needs, without the need for significant investments in infrastructure or personnel.


Work Style / Sourcing Practices

Work style: working onsite, working remotely, hybrid
Sourcing: in-source, out-source, offshore, same country, managed service


Outsourcing Considerations
You should not outsource:
◦ Core functions
◦ Specialized functions that are strategic or critical
◦ Functions that cannot be outsourced due to regulatory requirements
◦ What you can achieve locally with lower risk and cost than outsourcing


Outsourcing Steps
1. Define the function that can be outsourced
2. Define Service Level Requirement
3. Cost-benefit analysis
4. Bidders screening and RFP drafting
5. Draft the contractual requirements
o SLA / Security and Availability
o Right to Audit
o Terms and Conditions


Outsourcing Risks

Data Security and Privacy risks
• Risk of data breaches, unauthorized access, or mishandling of sensitive data. Assess the security measures and data protection practices of the outsourcing provider.

Loss of Control risks
• Challenges in managing quality, timeliness, and adherence to organizational standards. Establish clear communication channels, performance metrics, and service level agreements.

Communication and Cultural Differences risks
• Language barriers, time zone differences, and cultural nuances may pose challenges. Implement effective communication strategies, regular interactions, and cultural sensitivity.

Dependency on the Service Provider risks
• High degree of dependency on the provider. Conduct due diligence on their financial stability, reputation, and reliability.


Outsourcing Risks

Legal and Compliance risks
• Ensure compliance with laws, regulations, and contractual obligations. Consider data protection, intellectual property rights, and industry-specific regulations.

Vendor Management challenges
• Ongoing monitoring, performance evaluation, and issue resolution required. Establish clear governance structures, regular reporting, and periodic performance reviews.

Reputation and Brand risks
• Poor performance or unethical practices by the provider can harm the organization's reputation. Conduct thorough background checks, obtain references, and monitor provider behavior and performance.


Outsourcing Risk Examples

Non-compliance with performance requirements
• Requirements should be included in the SLA and reviewed under the right to audit
• Indemnity clause to get compensation

Dependence on a single supplier
• Use multiple suppliers and avoid a single source for technology or service

Startup software house can quit the market
• Software escrow agreement to give you access to the source code if the provider is no longer in the market


Code Escrow Agreement


A Code Escrow Agreement is a legal agreement between a software developer (licensor), a
software user (licensee), and an escrow agent.
It ensures that the software’s source code is deposited with a neutral third party (escrow agent)
and released to the licensee under specific circumstances.


SOC Audit Report


SOC Report
Service Organization Control (SOC) – changed in 2018 to "System Organization Controls"
Cloud providers, ISPs, and hosting companies can benefit from it, including AWS, Azure, GCP, Stripe, PayPal, Payoneer, and Salesforce.
When customers exercise their right to audit, service providers can send a copy of their latest SOC audit report.
A SOC report is the result of a SOC audit.
There are three types of SOC report.


Types of SOC Reports

SOC-1
• Designed to address internal controls over financial reporting
• Financial information
• For customers
• Based on the SSAE 16/18 standard
• ISAE 3402 is another name for SOC-1 (Assurance Reports on Controls at a Service)

SOC-2
• Addresses a service organization's controls that are relevant to its operations and compliance
• Report on controls for customers; includes private information
• 2 types available (Type 1 examines the 5 domains; Type 2 includes additional attestation)
• Introduced by SSAE 16
• Conducted every 6 months

SOC-3
• A public report of internal controls over security, availability, processing integrity, and confidentiality
• Summary report on controls
• Publicly available


SOC 2 criteria
The SOC 2 audit process includes five categories of Trust Services Criteria:
◦ Security (or Common Criteria)
◦ Availability
◦ Confidentiality
◦ Processing Integrity
◦ Privacy
These categories each cover a set of internal controls related to different aspects of
your information security program.


SOC Reports


Financial management of IT services & security


IT Financial Management
Focuses on managing the financial aspects of IT services, including budgeting, accounting, and cost optimization.
IT services can represent a significant portion of a company's overall budget.
A. Shared cost -> easier to finance, but leads to user dissatisfaction
B. Charge-back -> pay-as-you-go charge on system use
C. Sponsor pays -> a governance challenge: as the sponsor pays for everything, they may request more authority, and may purchase extra capacity that is not measured by IT. It is notorious for segregation-of-duties problems.
Helps align IT spending with business objectives, optimize IT cost by identifying opportunities for cost reduction, and provide financial insight for decision makers.


IT Portfolio Management
Involves managing a portfolio of IT services, applications, and infrastructure to optimize the delivery of IT services in support of business objectives.
The strategic goal is to identify investment opportunities and to decide whether the organization should continue a given investment.
Helps in adjusting investments via built-in feedback mechanisms and in prioritizing IT investments.
Effective IT portfolio management requires collaboration between IT and business stakeholders, as well as a deep understanding of the organization's business objectives, IT service requirements, and risk management strategies.


IT Capacity Management
Focuses on ensuring that an organization's IT infrastructure and services have the necessary capacity to meet current and future business requirements.
Ensures that the IT infrastructure and services are able to deliver the required level of performance, availability, and scalability in a cost-effective manner.
Helps to optimize the utilization of IT resources, such as servers, storage, and network bandwidth, to minimize waste and reduce costs.
Identifies and mitigates capacity-related risks and assists in planning for future capacity requirements.


IT Supplier Management
Focuses on managing the relationships and contracts with IT suppliers and vendors.
Ensures that the organization's IT services are delivered effectively and efficiently by third-party suppliers, and manages the risks associated with outsourcing IT services.
Helps to manage the contracts with IT suppliers, ensuring that they are aligned with the organization's requirements and that the terms and conditions are met.
Effective IT supplier management requires collaboration between the IT and procurement departments.


CAPEX
Capex, or capital expenditures, refers to the funds that a company spends on acquiring or
upgrading physical assets such as property, equipment, and infrastructure.
Capital expenditures are typically investments in long-term assets that are expected to generate
benefits for the company over a period of years.
Examples of capital expenditures include building a new factory, purchasing machinery or
equipment, or expanding a warehouse.
Companies often make decisions about capex spending based on factors such as the expected
return on investment, the company's financial position, and the overall business strategy.


OPEX
Opex, or operating expenses, refers to the costs that a company incurs in order to maintain its
day-to-day operations.
Examples of operating expenses include employee salaries and benefits, rent, utilities,
marketing and advertising expenses, and office supplies.
Unlike capex, which is typically a one-time expense, operating expenses are recurring and are
incurred on an ongoing basis.
Managing opex is an important aspect of financial management for companies, as it can impact
the company's profitability and cash flow.
Companies often seek to reduce operating expenses by optimizing processes, negotiating better
contracts with suppliers, and making other efficiency improvements.


ROI
ROI stands for Return on Investment.
It is a financial metric used to evaluate the profitability of an investment by comparing the amount of
return on the investment to the cost of the investment.
ROI is typically expressed as a percentage or a ratio.
A high ROI indicates that the investment is profitable, while a low ROI indicates that the investment is
not profitable.
ROI is commonly used by businesses and investors to assess the potential benefits of investing in a
particular project or asset, and to compare the profitability of different investment opportunities.
ROI for IT is not only financial; it can also be non-financial.


ROI Example
A company's investment in a new marketing campaign. Let's say the company spends $50,000
on a marketing campaign and as a result, generates $100,000 in new sales revenue. The net
return on investment would be $50,000, which is the revenue generated ($100,000) minus the
cost of the campaign ($50,000).
ROI = (Net return on investment / Total cost of investment) x 100%
ROI = ($50,000 / $50,000) x 100% = 100%
This means that for every dollar invested in the marketing campaign, the company gained $1 in
return.


ROSI
ROSI stands for Return on Security Investment.
ROSI measures the return on investment (ROI) specifically related to security spending
and is calculated by dividing the net return on security investment by the total cost of
the security investment.
The net return on security investment is the total value of the benefits gained from the
investment in security measures minus the total cost of the investment.
A high ROSI indicates that the security investment is delivering significant benefits
relative to its cost, while a low ROSI indicates that the investment may not be
providing sufficient value.


ROSI Example
The implementation of a new security system in a company's network infrastructure. Let's say the
company invests $100,000 in a new security system to prevent cyber attacks, and as a result, the system
helps prevent a major data breach that would have cost the company $1 million in damages.
ROSI = (Net return on security investment / Total cost of security investment) x 100%
ROSI = ($900,000 / $100,000) x 100% = 900%
This means that for every dollar invested in the security system, the company gained $9 in return. A
ROSI of 900% indicates that the investment in the security system was highly effective in reducing the
risk of a security breach and generated significant value for the company.
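As an added example (not from the course material), the ROI and ROSI formulas from the two worked cases above, written in Python and then used the way a security manager would use ROSI when prioritizing spend: ranking a set of candidate controls by ROSI within a fixed budget. The candidate names and figures other than the slide's $100,000 / $1 million case are hypothetical and constructed for the example.

```python
"""ROI and ROSI as the slides define them, plus a budget-constrained ranking of
candidate security controls by ROSI.

Added example; candidate controls and their figures are constructed."""
from dataclasses import dataclass


def roi_percent(revenue_generated: float, cost: float) -> float:
    """ROI = (net return / total cost) x 100%, net return = revenue - cost."""
    if cost <= 0:
        raise ValueError("investment cost must be positive")
    return (revenue_generated - cost) / cost * 100.0


def rosi_percent(loss_avoided: float, cost: float) -> float:
    """ROSI = (net return on security investment / total cost) x 100%,
    where net return = value of the benefit (loss avoided) - cost."""
    if cost <= 0:
        raise ValueError("security investment cost must be positive")
    return (loss_avoided - cost) / cost * 100.0


@dataclass(frozen=True)
class SecurityInvestment:
    name: str
    cost: float          # total cost of the control
    loss_avoided: float  # value of the loss the control is expected to prevent

    @property
    def rosi(self) -> float:
        return rosi_percent(self.loss_avoided, self.cost)


def prioritize(candidates, budget):
    """Greedy selection: fund the highest-ROSI controls that fit the budget.
    Controls with ROSI <= 0 (cost exceeds the loss they avoid) are never funded.
    Returns (names of chosen controls in funding order, unspent budget)."""
    chosen, remaining = [], budget
    for c in sorted(candidates, key=lambda c: c.rosi, reverse=True):
        if c.rosi <= 0:
            break  # list is sorted descending, so nothing after this is worth funding
        if c.cost <= remaining:
            chosen.append(c.name)
            remaining -= c.cost
    return chosen, remaining


# Constructed candidates; the first row is the slide's own $100k / $1M case.
CANDIDATES = [
    SecurityInvestment("network security system", 100_000, 1_000_000),  # 900%
    SecurityInvestment("email filtering", 20_000, 150_000),              # 650%
    SecurityInvestment("MFA rollout", 40_000, 500_000),                  # 1150%
    SecurityInvestment("DLP appliance", 80_000, 60_000),                 # -25%
]

if __name__ == "__main__":
    print("ROI of the marketing example:", roi_percent(100_000, 50_000), "%")
    print("ROSI of the security example:", rosi_percent(1_000_000, 100_000), "%")
    for c in CANDIDATES:
        print(f"{c.name:24s} ROSI = {c.rosi:7.1f}%")
    print("funded within $150,000:", prioritize(CANDIDATES, budget=150_000))
```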


ROI & ROSI – SELF READ


ROI & ROSI

ROI: Centers on overall profitability and financial gain from investments.
ROSI: Concentrates on the cost savings and risk reduction achieved through security investments.


Calculating the ROI


Calculating the ROSI


Securing the Budget

Tie the Investment to Real Business Risks: Connect the need for the security investment to tangible business risks.

Make a Solid Business Case: Present a well-documented business case that outlines the benefits and mitigates concerns.

Develop Good Relationships and Be Diplomatic: Foster strong relationships with key stakeholders and communicate diplomatically.

Educate About Security: Raise management's awareness of security issues and the potential reputational damage that could occur from security breaches.


MATURITY ASSESSMENT


Maturity Frameworks
Maintaining consistency, efficiency and effectiveness of IT processes requires the implementation of a process maturity framework.

COBIT Process Assessment Model (PAM)
• Defines the minimum requirements for conducting an assessment to ensure reliable results

CMMI
• Used as a guide to process improvement across a project, division or organization; consists of 5 levels


Examples of maturity assessment models

Project Management Maturity Model (PMMM)
Cybersecurity Capability Maturity Model (C2M2)
Business Process Maturity Model (BPMM)
ITIL Framework
Develop or use an existing checklist and make the assessment based on the maturity levels.


Plan/Do/Check/Act

Plan
• Establish objectives and processes needed to deliver desired results.
Do
• Implement the plan, collecting data for charting and analysis.
Check
• Study results from the "Do" step, looking for deviations from desired results.
Act
• Analyze deviations and request corrective actions.

A four-step iterative management methodology used for continuous improvement of business processes and products. The PDCA cycle was first introduced by W. Edwards Deming, a renowned quality management guru, and has become a widely adopted framework for process improvement in various industries.

Business process re-engineering


Business process re-engineering

Business process re-engineering (BPR) is the practice of redesigning and restructuring business
processes to improve efficiency, effectiveness, and overall performance.
BPR mainly targets processes that are broken or underperforming, rather than fine-tuning
processes that already work. Because redesign can remove steps, a common risk is that key
controls embedded in the old process disappear; the redesigned process should be checked
to confirm those controls are retained or replaced.

1. Identify the processes to be re-engineered
2. Gain an understanding of the process details and pitfalls
3. Redesign the processes
4. Implement and test the new processes
5. Monitor and measure the results
6. Continuous improvement
Business process re-engineering techniques and tools

Process mapping is a visual tool that helps to identify the steps involved in a process, as well as
the inputs, outputs, and stakeholders involved. This can help to identify inefficiencies,
redundancies, and opportunities for improvement.
Root cause analysis is a technique that helps to identify the underlying causes of problems or
inefficiencies in a process. By identifying the root cause, it becomes easier to develop effective
solutions to address the problem.
Benchmarking involves comparing an organization's processes to those of other organizations or
industry best practices. This can help to identify areas where the organization can improve its
processes and achieve better results.
IT PERFORMANCE MANAGEMENT
IT Performance Management
Performance metrics should be developed for monitoring performance.
Performance metrics should be derived from the expected outputs of the process or
service being measured.
Metrics should be regularly assessed for adequacy (do they still measure what matters?).
Metrics should be SMART: Specific, Measurable, Achievable, Relevant and Time-bound.
Performance Management Techniques

Six Sigma
• A quantitative process analysis methodology for process improvement and reduction of defects.

IT Balanced Scorecard (IT BSC)
• A process management evaluation technique that can be effectively applied to assess IT
  functions and processes.
• Gives a holistic view of IT and helps align IT with the business.

Key Performance Indicators (KPI)
• Measure performance against predetermined goals.
• Key indicator of goal achievement.

Root Cause Analysis (RCA)
• The process of diagnosis to establish the origins of events so that controls can be
  developed to address these causes.
IT Balanced Scorecard (IT BSC)

One of the most effective IT governance tools
The IT BSC requires that KPIs exist for each perspective
Shows the efficiency and value creation of the IT function
Helps align IT with business requirements
The IT BSC evaluates four perspectives:
o Financial: cost savings or profit contribution
o Customer: satisfaction and retention
o Internal process: operational efficiency and time saved
o Learning and growth: innovation, growth and market leadership
IT Balanced Scorecard example

Financial
• IT cost per user
• IT budget variance
• IT spending as a percentage of revenue

Customer
• Service desk response time
• Service desk satisfaction rate
• Number of incidents resolved within SLA

Internal Process
• Number of successful IT projects
• IT service availability
• Percentage of IT incidents resolved on first contact

Learning and Growth
• IT staff training hours
• Employee satisfaction with training and development opportunities
• Number of new technology initiatives implemented
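The scorecard above names the metrics but not how they are produced from operational data. The following is an added example (not from the original slides or from Cyvitrix) that derives three of them, incidents resolved within SLA, first-contact resolution and IT service availability, from constructed ticket records and outage windows, then rates each value against a predetermined target the way a scorecard would. The SLA targets, scorecard targets, ticket data and outage windows are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not from the original slides. Tickets, outage windows, SLA targets
# and scorecard targets below are constructed (hypothetical) values for illustration.


@dataclass(frozen=True)
class Incident:
    ticket_id: str
    priority: str        # "P1" (highest) .. "P3"
    opened: datetime
    resolved: datetime
    first_contact: bool  # closed by the service desk without escalation


# Hypothetical SLA resolution targets per priority (assumption)
SLA_TARGETS = {"P1": timedelta(hours=4), "P2": timedelta(hours=24), "P3": timedelta(days=3)}

# Hypothetical scorecard targets: (target value, amber band below the target)
KPI_TARGETS = {"sla_pct": (90.0, 5.0), "fcr_pct": (60.0, 5.0), "availability_pct": (99.9, 0.4)}


def sla_compliance(incidents):
    """Incidents resolved within the SLA target for their priority.
    Returns (within_sla, total, percentage)."""
    within = sum(1 for i in incidents if i.resolved - i.opened <= SLA_TARGETS[i.priority])
    total = len(incidents)
    return within, total, (round(100.0 * within / total, 2) if total else 0.0)


def first_contact_resolution(incidents):
    """Percentage of incidents resolved on first contact."""
    if not incidents:
        return 0.0
    return round(100.0 * sum(1 for i in incidents if i.first_contact) / len(incidents), 2)


def merge_windows(windows):
    """Merge overlapping or touching (start, end) windows so that two outage
    records covering the same minutes are not counted twice as downtime."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def availability(period_start, period_end, outages):
    """Service availability over the reporting period as a percentage; outage
    windows that start before or end after the period are clipped to it."""
    downtime = timedelta(0)
    for start, end in merge_windows(outages):
        start, end = max(start, period_start), min(end, period_end)
        if end > start:
            downtime += end - start
    return round(100.0 * (1 - downtime / (period_end - period_start)), 2)


def rag_status(value, target, amber_band):
    """Rate a KPI against its predetermined goal: GREEN at or above target,
    AMBER within the band below it, RED otherwise."""
    if value >= target:
        return "GREEN"
    return "AMBER" if value >= target - amber_band else "RED"


# Constructed sample: six January 2024 tickets (not real incidents)
SAMPLE_INCIDENTS = [
    Incident("INC-1", "P1", datetime(2024, 1, 2, 9), datetime(2024, 1, 2, 11), True),    # 2 h
    Incident("INC-2", "P1", datetime(2024, 1, 3, 9), datetime(2024, 1, 3, 15), False),   # 6 h, breach
    Incident("INC-3", "P2", datetime(2024, 1, 4, 8), datetime(2024, 1, 5, 7), True),     # 23 h
    Incident("INC-4", "P2", datetime(2024, 1, 6, 8), datetime(2024, 1, 8, 8), True),     # 48 h, breach
    Incident("INC-5", "P3", datetime(2024, 1, 10, 8), datetime(2024, 1, 12, 8), False),  # 2 d
    Incident("INC-6", "P3", datetime(2024, 1, 11, 8), datetime(2024, 1, 13, 8), False),  # 2 d
]

# Constructed outage windows: the first two overlap and must count as one 3-hour outage
SAMPLE_OUTAGES = [
    (datetime(2024, 1, 5, 2, 0), datetime(2024, 1, 5, 4, 0)),
    (datetime(2024, 1, 5, 3, 30), datetime(2024, 1, 5, 5, 0)),
    (datetime(2024, 1, 20, 10, 0), datetime(2024, 1, 20, 10, 30)),
]
# An outage that began before the period: only the hour inside January counts
PRE_PERIOD_OUTAGE = [(datetime(2023, 12, 31, 22, 0), datetime(2024, 1, 1, 1, 0))]
PERIOD = (datetime(2024, 1, 1), datetime(2024, 2, 1))


def scorecard(incidents=SAMPLE_INCIDENTS, outages=SAMPLE_OUTAGES, period=PERIOD):
    """Scorecard rows for the Customer / Internal Process perspectives:
    KPI name -> (measured value, target, RAG status)."""
    values = {
        "sla_pct": sla_compliance(incidents)[2],
        "fcr_pct": first_contact_resolution(incidents),
        "availability_pct": availability(period[0], period[1], outages),
    }
    return {k: (v, KPI_TARGETS[k][0], rag_status(v, *KPI_TARGETS[k])) for k, v in values.items()}


if __name__ == "__main__":
    for kpi, (value, target, status) in scorecard().items():
        print(f"{kpi:17s} {value:6.2f}  target {target:5.1f}  {status}")
```

Two details matter for an auditor reviewing how these figures are produced: overlapping outage records must be merged before summing downtime (otherwise the same minutes are counted twice and availability is understated), and outages straddling the reporting period must be clipped to it. Both are handled above, and both are the kind of measurement rule that should be documented alongside the metric so that the KPI is reproducible.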
Quality assurance and control
Quality Assurance
Process oriented
Sets the standards and requirements
Aims to prevent defects from occurring
Preventive control
Proactive
QA specialists should not be members of the programming or coding team; separation of
duties should be in place.
QA defines and promotes the specifications required at the product, software, process and
compliance level; for example, QA issues the coding standard that the development team
must apply.
Quality Control

Product oriented
Reviews the product against the standards and requirements
Detects defects in the product
Reactive
Detective control
QC specialists should not be members of the programming or coding team; separation of
duties should be in place.
They act like auditors of the product
Review the product against the QA standards at the product, software, process and
compliance level.
Quality management is the umbrella discipline that covers both QA (setting the standards)
and QC (checking the product against them).
SELF READING
ISO 9001 – quality management system

ISO 9001 is a quality management standard that provides a framework for organizations to
establish, implement, maintain, and continually improve a quality management system (QMS).
The standard is designed to help organizations meet the needs and expectations of their
customers and other stakeholders, while also improving their internal processes and efficiency.

QMS process (following the clause structure of ISO 9001:2015):
1. Context of the organization
2. Leadership commitment
3. Planning the quality objectives
4. Support: obtain the resources needed to maintain the QMS
5. Operation: carry the QMS into the operational processes
6. Performance evaluation
7. Improvement
ISO/IEC 12207
Standard for software life cycle processes. This standard defines a set of processes and activities
that are required for the development, operation, and maintenance of software. ISO/IEC 12207
provides a framework for the management of software projects and helps ensure that the
software meets the specified requirements and quality standards.

Primary life cycle processes covered:
• Acquisition process
• Supply process (delivery and installation to an external customer)
• In-house development process
• Operation process
• Maintenance process
• Disposal process
COBIT Framework
COBIT (Control Objectives for Information and Related Technology)

A framework for IT governance and management, developed by ISACA (the Information Systems
Audit and Control Association). The current version is COBIT 2019.
It provides a comprehensive set of guidelines, practices and tools for managing and controlling
IT processes, policies and procedures, expressed as control objectives and control practices
that organizations can use to manage their IT processes effectively.
COBIT guiding principles

Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single integrated framework
Enabling a holistic approach
Separating governance from management
Focusing on key risk
Enabling a continuous improvement culture

The first five are the five principles of COBIT 5. COBIT 2019 restates them as six principles for a
governance system: provide stakeholder value, holistic approach, dynamic governance system,
governance distinct from management, tailored to enterprise needs, and end-to-end
governance system.
COBIT governance system components (enablers)

COBIT 2019 names seven components of a governance system (called enablers in COBIT 5):
processes; organizational structures; principles, policies and procedures; information;
culture, ethics and behavior; people, skills and competencies; and services, infrastructure
and applications.
Governance and Management controls


Define and communicate IT governance framework
Establish and manage IT strategy
Ensure compliance with legal and regulatory requirements
Manage IT risks
Manage relationships with stakeholders
Ensure transparency and accountability
Mapping stakeholder needs to COBIT

COBIT's goals cascade translates stakeholder needs into enterprise goals, then into alignment
goals, and finally into specific governance and management objectives, so that every objective
can be traced back to a stakeholder need.
Governance and management objectives

COBIT 2019 defines 40 governance and management objectives grouped into five domains:
EDM (Evaluate, Direct and Monitor) for governance, and APO (Align, Plan and Organize),
BAI (Build, Acquire and Implement), DSS (Deliver, Service and Support) and MEA (Monitor,
Evaluate and Assess) for management.
COBIT core model (process reference model, PRM)
COBIT focus areas

A focus area describes a certain governance topic that can be addressed by a collection of
governance and management objectives and their components, customized to the nature of
the focus area.
Examples of COBIT 2019 focus areas are:
◦ Small and medium enterprises (SME)
◦ Information security
◦ Risk
◦ DevOps
◦ ... The number of focus areas is not fixed; new ones can be added by subject matter
experts.
Information and technology controls


Define and manage IT architecture
Manage IT risks
Ensure Data quality and availability
Manage IT Service Delivery
Manage and Monitor IT Operations
Manage IT Projects
Design Factors

COBIT 2019 design factors are the characteristics of an enterprise that determine how its
governance system should be tailored: enterprise strategy, enterprise goals, risk profile,
I&T-related issues, threat landscape, compliance requirements, role of IT, sourcing model
for IT, IT implementation methods, technology adoption strategy, and enterprise size.
COBIT implementation
COBIT & Capability Maturity Assessment

COBIT 2019 performance management rates each process on capability levels 0 to 5, using a
scheme aligned with CMMI, so that process capability can be assessed and compared over
time.