CRISC Domain2 Part1

The document outlines key concepts and practices related to IT risk management, including risk identification, assessment, and the roles of various stakeholders in the process. It emphasizes the importance of understanding threats, vulnerabilities, and the context of risk to make informed decisions and develop effective IT policies. Additionally, it includes quizzes to reinforce learning and assess knowledge on the subject matter.

Uploaded by eng.anas.ksa

CRISC

Exam Preparation Workshop

April 2025
Quiz
The MAIN objective of IT risk management is to:

A. prevent loss of IT assets.
B. provide timely management reports.
C. ensure regulatory compliance.
D. enable risk-aware business decisions.
Quiz
Which of the following would be the BEST approach for a global enterprise that is subject to
regulation by multiple governmental jurisdictions with differing requirements?

A. Bringing all locations into conformity with the aggregate requirements of all governmental
jurisdictions
B. Bringing all locations into conformity with a generally accepted set of industry good practices
C. Establishing a baseline standard incorporating the requirements all jurisdictions have in
common
D. Establishing baseline standards for all locations and add supplemental standards as required
Quiz
Who MUST give final sign-off on the IT risk management plan?

A. IT auditors performing the risk assessment
B. Business process owners
C. Senior managers
D. IT security administrators
Quiz
Which of the following is the PRIMARY reason that a risk practitioner determines the
security boundary prior to conducting a risk assessment?

A. To decide which laws and regulations apply
B. To identify the scope of the risk assessment
C. To identify the business owners of the system
D. To decide whether a quantitative or qualitative analysis is appropriate
Quiz
Which of the following groups would be the MOST effective in managing and executing an
enterprise’s risk program?

A. Mid-level managers
B. Senior managers
C. Frontline employees
D. The incident response team
Quiz
The board of directors of a one-year-old start-up company has asked the chief information
officer to create the enterprise’s IT policies and procedures, which will be managed and
approved by the IT steering committee.
The committee will make the IT decisions for the enterprise, including those related to the
technology budget.
The IT steering committee will be BEST represented by:

A. members of the executive board
B. high-level members of the IT department
C. IT experts from outside the enterprise
D. key members from each department
Domain 2: IT Risk Assessments
ISACA CRISC (Certified in Risk and Information Systems Control)

• Focus Area: IT Risk Assessment
• Weight in Exam: 20%
• Approximate Number of Questions: 30 (out of 150 total)

Domain 2 - Agenda
Risk Events
Threat Modeling and Threat Landscape
Vulnerability and Control Deficiency Analysis
Risk Scenario Development
Risk Assessment Concepts, Standards, and Framework
Risk Register and Risk Analysis Methodologies
Business Impact Analysis and Risk Categories

Risk Management
The Risk Identification process seeks to:
• Improve confidence that the enterprise recognizes and understands any risk that could
jeopardize its objectives.
• Identify loss-event scenarios that may affect the enterprise’s mission and strategic objectives.
The risk practitioner should:
• Work closely with business process owners.
• Consult with the various information technology and cybersecurity functions.
• Understand how data and information are processed and handled.
Example types and categories of risk:
• Strategic, Operational, IT Risk, Cybersecurity, and Information Security
Process Steps:
• Setting Context
• Risk Identification and Assessment
• Risk Analysis and Business Impact Evaluation
• Risk Response
• Risk Reporting and Communication
Risk Events
Risk Events - An Overview
Risk events are discrete, specific occurrences that result in an impact on an enterprise.
They differ from threat events, which describe a series of actions that may take place.
Threats and risks come in various forms and originate from different actors.

Examples of Risk Events
Common examples of risk events include:
• Regulations that impose new requirements on an enterprise
• Loss of key personnel
• Wildfires, hurricanes, flood, or other natural disasters that disrupt vital infrastructure
• Fires within facilities
• Network intrusions that result in data exfiltration
• Ransomware attack
• Abuse of positional authority
Risk Events - 2
Elements of Risk Events
Risk identification requires the documentation and analysis of the elements that comprise risk, such
as:
• Consequences associated with specific assets
• Threats to those assets, normally requiring both intent (motivation) and capability
• Vulnerabilities that a threat may attempt to exploit
• Likelihood that a potential risk event may occur (loss event) against an asset within the environment
• The potential harm that may result (loss event) against the asset if the threat were successful
Risk Factors
Risk is a combination of several factors that interact to cause damage to the assets of the enterprise.

Risk factors are classified into two major categories:
• Contextual Factors
• Capability Factors

Contextual factors:
• Can be internal or external.
• Differ by the degree of control that an enterprise has over the respective factors.

Internal contexts are under the control of the enterprise, although they may not always be easy to
change. Examples:
• Enterprise goals and objectives
• Strategic importance of IT for the business
• Complexity of IT
• Complexity of the entity and degree of change
• Change management capability
• Operating model
• Strategic priorities
• Culture of the enterprise
• Financial capacity
Risk Factors - 2
External contexts are factors outside of the enterprise’s control.

Examples include:
• Market and economic factors
• Rate of change in the market/product life cycle
• Industry and competition
• Geopolitical situation
• Regulatory environment
• Technology status and evolution
• The threat landscape
Risk Factors - 3
Capability factors:
• Ability to perform IT-related activities.
• Are critical to successful outcomes in managing risk.
• Are embedded in tools, techniques, methods, and frameworks to define and improve IT-related
activities.

Help answer these questions:
• To what extent is the enterprise mature in performing risk management? Examples:
  • Risk governance
  • Risk management
• How robustly do IT-related capabilities support enterprise objectives while managing the risk that
can jeopardize objectives? Examples:
  • Evaluate, direct and monitor (EDM)
  • Align, plan and organize (APO)
  • Build, acquire and implement (BAI)
  • Deliver, service and support (DSS)
  • Monitor, evaluate and assess (MEA)
Threat Actors
A threat actor performs specific activities that result in an event (or action) occurring.

Threat actors may use one or many threat events to carry out their attacks against assets that fall within
their objectives, with each channel used to create the event known as a threat vector.

Threat Actors ➔ Threats ➔ Vulnerabilities ➔ Risk ➔ Assets

Cybercriminal (Threat Actor) ➔ Phishing Attack (Threat Event) ➔ Email Link (Threat Vector) ➔ Unpatched
Antivirus (Vulnerability) ➔ Data Breach (Risk) ➔ Customer Data (Asset)
Quiz
Earlier, a discussion was held about an incident in which an IT business function was impacted by
a cyber-attack that brought down a server whose functionality was not recoverable under the
business continuity plan.
What risk-associated role did the business continuity plan play in this incident?

A. Threat Vector
B. Vulnerability
C. Asset
D. Threat Actor
Risk Identification, Analysis and Evaluation
Risk Identification
The first step in countering a threat is identifying it, so that the threat may be managed before
any threat events occur.

In identifying a threat, an enterprise seeks to know its:
• Weaknesses
• Strengths
• Corresponding vulnerabilities
Risk Identification, Analysis and Evaluation - 2
Risk Analysis
Risk analysis is the modeling of various threats against assets, estimating the probability of a
loss event occurring and the resulting impact on an asset.

The elements to be considered for risk analysis include:
• The context, criticality, and sensitivity of the system or process being reviewed
• Any dependencies or requirements of the system or process
• Operational procedures, configuration, and management tools in use
• The training of users and administrators
• Effectiveness of the controls and any monitoring capabilities
• The manner in which data and system components will ultimately be decommissioned
Risk Identification, Analysis and Evaluation - 3
Risk Evaluation
Risk evaluation is the consideration of risk events identified within the analysis, viewed in the
context of the enterprise’s defined risk appetite, tolerance criteria, and capacity.

Evaluation should consider the entire risk environment and include:
• Threat event frequency
• Loss event frequency
• Impact/loss magnitude
• Risk appetite
• Risk tolerance criteria
• Risk capacity
Methods of Risk Identification
Process of Risk Identification
1. Identify Assets
2. Identify Threats
3. Identify Existing Controls
4. Identify Vulnerabilities
5. Identify Consequences → (Input for) → Risk Estimation Process

There are several possible sources for identification of risk:
• Historical or evidence-based methods: audit or incident reports; public media (e.g., newspapers,
television); annual reports and press releases.
• Systematic approaches (expert opinion): vulnerability assessments; review of business continuity
and disaster recovery plans; interviews and workshops with managers, employees, customers,
suppliers, and auditors.
• Inductive methods (theoretical analysis): penetration testing.
• Existing taxonomy: a risk library with indicative IT-related risks can be used as a starting point.
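As an added worked example (not part of the ISACA material), the five identification steps above carried through to a risk estimate and then evaluated against the appetite, tolerance and capacity thresholds listed on the Risk Evaluation slide. The multiplicative model, the way control effectiveness is applied, the ordering appetite ≤ tolerance ≤ capacity, and every register value are assumptions made for illustration.

```python
"""Risk identification steps carried through to estimation and evaluation.

Added example (not ISACA material). Assumed model, for illustration only:
  loss event frequency (LEF) = threat event frequency (TEF) x residual vulnerability
  annual loss exposure       = LEF x loss magnitude of the asset
Existing controls reduce the vulnerability; the estimate is then compared with
risk appetite, risk tolerance and risk capacity (assumed appetite <= tolerance <= capacity).
"""
from dataclasses import dataclass, field


@dataclass
class Asset:                          # step 1: identify assets
    name: str
    loss_magnitude: float             # step 5: consequence of one loss event (currency units)


@dataclass
class Threat:                         # step 2: identify threats
    name: str
    asset: Asset
    threat_event_frequency: float     # expected threat events per year (TEF)
    vulnerability: float              # step 4: P(event becomes a loss) with no controls, 0..1
    controls: list = field(default_factory=list)  # step 3: (name, fraction of events stopped)


@dataclass
class RiskEstimate:
    threat: str
    asset: str
    loss_event_frequency: float
    annual_loss_exposure: float


def residual_vulnerability(threat: Threat) -> float:
    """Apply existing controls; independent controls are assumed to multiply."""
    v = threat.vulnerability
    for name, effectiveness in threat.controls:
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError(f"control {name!r}: effectiveness must be in [0, 1]")
        v *= 1.0 - effectiveness
    return v


def estimate(threat: Threat) -> RiskEstimate:
    """Input to the risk estimation process: likelihood and consequence combined."""
    lef = threat.threat_event_frequency * residual_vulnerability(threat)
    return RiskEstimate(threat.name, threat.asset.name, lef,
                        lef * threat.asset.loss_magnitude)


def evaluate(est: RiskEstimate, appetite: float, tolerance: float, capacity: float) -> str:
    """Risk evaluation: place the estimate relative to the three enterprise thresholds."""
    if not appetite <= tolerance <= capacity:
        raise ValueError("expected appetite <= tolerance <= capacity")
    exposure = est.annual_loss_exposure
    if exposure <= appetite:
        return "within appetite"
    if exposure <= tolerance:
        return "within tolerance"
    if exposure <= capacity:
        return "exceeds tolerance"
    return "exceeds capacity"


def evaluate_register(threats, appetite, tolerance, capacity):
    """Estimate and evaluate every threat in a (constructed) risk register."""
    rows = []
    for t in threats:
        est = estimate(t)
        rows.append((est, evaluate(est, appetite, tolerance, capacity)))
    return rows


# Constructed register entries; every figure below is invented for illustration.
CUSTOMER_DB = Asset("customer database", loss_magnitude=250_000.0)
PHISHING = Threat(
    "credential phishing", CUSTOMER_DB,
    threat_event_frequency=40.0,   # campaigns reaching staff per year
    vulnerability=0.10,            # share of campaigns that would yield access, uncontrolled
    controls=[("awareness training", 0.5), ("multifactor authentication", 0.9)],
)
RANSOMWARE = Threat(
    "ransomware on file server", Asset("file server", loss_magnitude=80_000.0),
    threat_event_frequency=5.0, vulnerability=0.30,
    controls=[("offline backups", 0.8)],
)

if __name__ == "__main__":
    for est, verdict in evaluate_register([PHISHING, RANSOMWARE], 5_000, 30_000, 100_000):
        print(f"{est.threat:26s} LEF={est.loss_event_frequency:5.2f}/yr "
              f"exposure={est.annual_loss_exposure:10,.0f} -> {verdict}")
```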
Quiz
Earlier, a discussion took place about an incident in which an IT business function was
impacted by a cyber-attack that brought down a server whose functionality was not
recoverable under the business continuity plan.
What approach to risk identification would have best revealed this problem before the
incident occurred?

A. Historical methods
B. Penetration testing
C. Existing taxonomy
D. Systematic methods
Objectives
➢ List the different categories of threats.
➢ Describe the various sources for threat information.
➢ Explain internal threats, external threats, and emerging threats.
➢ Explain the importance of threat modeling, its uses, and impacts.
➢ Discuss the various threat modeling methods.

Threat Landscape
An Overview
Threats are action events that could occur and act against an asset in a manner that can result in
harm. Threats can be external or internal, intentional or unintentional, and are assessed relative to
organizational assets.

The different categories of threats include:
• Physical / natural events
• Loss of essential services
• Disturbance due to radiation (electromagnetic radiation, thermal radiation, electromagnetic pulses)
• Compromise / disclosure of information
• Technical failures
• Improperly defined business logic
• Unauthorized actions
• Compromise of functions
Threat Landscape - 2
The risk practitioner should document all threats, using techniques similar to those used for risk
identification, including:
• The causes of past failures
• Audit reports
• Media reports
• Information from national Computer Emergency Response Teams (CERTs)
• Security vendors
• Communication with internal groups
• Service providers
• Product vendors
Internal Threats
The typical malicious insider is a current or former employee, contractor, or other business partner
who has or had authorized access to an enterprise network, system or data, and intentionally uses
that access to perform harmful actions.

The organization should have controls in place that are effective from hiring selection through
termination:
➢ During Hiring
➢ During Employment
➢ During Termination
Internal Threats - 2
During Hiring
During the hiring process, the HR manager should:
• Review the qualifications and attitude of prospective employees.
• Review references and perform background checks.
• Get a nondisclosure agreement (NDA) signed.
• Advise prospective employees of the ethics and policies of the enterprise.

During Employment
Throughout employment, the employee should be reminded of organizational policies and their
responsibilities through awareness sessions and management reviews.
Note: One of the best employee-based controls is to interact with employees to understand any
frustrations, complaints, or issues that they may be facing and to seek to resolve those issues.
Internal Threats - 3
During Termination
At the end of employment, the HR manager should ensure that:
• The employee has returned all organizational assets and uniforms.
• Access to systems, networks, and facilities has been revoked before the employee’s departure.
External Threats
Threats to information systems from outside the enterprise can originate from anywhere and
may take several forms.

The range of external threat actors includes:
• Criminals
• Hacktivists
• Corporate spies
• Thieves
• Advanced persistent threats (APTs)
Emerging Threats
Compromised organizations have evidence of emerging threats in their logs well in advance, but the
evidence goes unnoticed or is not acted on.

For many enterprises, finding the interconnected traces requires advanced analytical and AI/ML
systems, together with awareness of a variety of degradations that occur within small fractions of a
second.

Indications of emerging threats:

An unusual activity on a system

Repeated alarms

Degraded system or network performance

New or excessive activity in logs
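Added example, not from the slides: a screening pass over constructed log lines for three of the indications listed above (new activity, repeated alarms, excessive activity). The log line format, the `ALERT_` naming convention for alarm events, the baseline, and the thresholds are all assumptions made for the example.

```python
"""Screening log lines for emerging-threat indications (added example).

Assumptions, not from the slides: each line is
  <ISO-8601 timestamp> host=<name> type=<EVENT_TYPE> key=value ...
alarm events have a type beginning with ALERT_, and a baseline (event types
seen in normal operation, events per minute per host) is known.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line: str) -> dict:
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return {"ts": datetime.fromisoformat(ts),
            "host": kv.get("host", "?"), "type": kv.get("type", "?")}


def max_in_window(stamps: list, window: timedelta) -> int:
    """Largest number of (sorted) timestamps that fall within any span of length `window`."""
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_indications(lines, baseline_types, baseline_rate_per_min,
                     window=timedelta(minutes=5), repeat_threshold=3, surge_factor=2.0):
    """Return (indication, host, detail) tuples for three of the slide's indications."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    findings = []

    # New activity: event types never seen in the baseline period (reported once per host/type).
    reported = set()
    for e in events:
        key = (e["host"], e["type"])
        if e["type"] not in baseline_types and key not in reported:
            reported.add(key)
            findings.append(("new activity", e["host"], e["type"]))

    # Repeated alarms: the same alarm on the same host at least `repeat_threshold` times in a window.
    alarms = defaultdict(list)
    for e in events:
        if e["type"].startswith("ALERT_"):
            alarms[(e["host"], e["type"])].append(e["ts"])
    for (host, typ), stamps in alarms.items():
        if max_in_window(stamps, window) >= repeat_threshold:
            findings.append(("repeated alarm", host, typ))

    # Excessive activity: a host's volume in one window exceeds surge_factor x its baseline.
    expected = baseline_rate_per_min * window.total_seconds() / 60
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e["ts"])
    for host, stamps in per_host.items():
        peak = max_in_window(stamps, window)
        if peak > surge_factor * expected:
            findings.append(("excessive activity", host,
                             f"{peak} events in {int(window.total_seconds() // 60)} min"))
    return findings


# Constructed sample: a workstation with repeated antivirus blocks followed by an event type
# not seen in the baseline, and a web server with a burst of requests.
BASELINE_TYPES = {"LOGIN_OK", "LOGIN_FAIL", "HTTP_GET", "ALERT_AV_BLOCK"}
SAMPLE_LOG = [
    "2025-04-01T09:00:00 host=ws07 type=LOGIN_OK user=alice",
    "2025-04-01T09:01:10 host=ws07 type=ALERT_AV_BLOCK file=tmp1.exe",
    "2025-04-01T09:02:40 host=ws07 type=ALERT_AV_BLOCK file=tmp2.exe",
    "2025-04-01T09:04:05 host=ws07 type=ALERT_AV_BLOCK file=tmp3.exe",
    "2025-04-01T09:04:30 host=ws07 type=REMOTE_SVC_INSTALL target=fs01",
] + [f"2025-04-01T09:10:{s:02d} host=web01 type=HTTP_GET path=/login"
     for s in range(0, 60, 2)]  # 30 requests inside one minute

if __name__ == "__main__":
    for kind, host, detail in find_indications(SAMPLE_LOG, BASELINE_TYPES, baseline_rate_per_min=2.0):
        print(f"{kind:18s} {host:6s} {detail}")
```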


Threat Modeling – An Overview
Threat modeling is an important part of the risk analysis process. It examines the nature of the
threat and potential threat scenarios.

Components of a threat scenario:
• Actor: Internal (staff, contractor), External (competitor, hacktivist, criminal, market), Regulator,
Vendor, and Nature.
• Threat Type: Malicious, Accidental, Error, Failure, Flood, and External requirement.
• Event: Disclosure, Interruption, Modification, Theft, Destruction, Ineffective design, Ineffective
execution, External business drivers, Inappropriate use.
• Asset/Resource: People and skills, Organizational structures, Process, Facilities, IT infrastructure,
Information, Applications.
Uses of Threat Modeling
The threat agent will often try different tools, probe for vulnerabilities, and try both technical and
nontechnical approaches while seeking to compromise a system.

Threat modeling helps to build systems with attention to defensive controls, built-in security
features, and proper placement within a strategy of overlapping defenses.

Threat modeling is done by mapping the potential methods, approaches, steps, and techniques
used by an adversary to perpetrate an attack.

The risk practitioner must think of as many of these methods and approaches as possible so
that adequate controls can be designed to meet the possible threats.
Impacts of Threat Modeling
To prevent threats from taking advantage, various threat-modeling methods can steer appropriate
responses.
▪ General Impact
▪ High-level Answers

General Impact
In general, threat modeling will:
• Create an abstraction of the system.
• Profile attackers, including goals, methods, and attacker skills.
• Create a catalog of potential threats.
Impacts of Threat Modeling - 2
High-level Answers
Threat modeling will provide high-level answers to basic questions:
• How often will a threat actor encounter assets at the vendor location?
• What is the danger of discovery posed to that threat actor while it is attempting to compromise those
assets?
• What perceived value may enterprise data at the third party hold for an adversary?
• What skills does an adversary need to succeed in compromising vendor systems and accessing
enterprise data?
• How much time does an adversary need to compromise systems and access data?
• What resources and materials does the adversary need?
• What level of effort is required overall from the threat actor to compromise the vendor?
Threat Modeling Methods
Several threat-modeling methods can be combined to create a more robust and well-rounded view of
potential threats.

Methods:
• STRIDE
• PASTA
• LINDDUN
• Attack Trees
• PnG
• Trike
• VAST
Threat Modeling Methods - 2
STRIDE (Spoofing identity, Tampering with data, Repudiation, Information Disclosure, Denial of Service,
Elevation of Privilege)
➢ Evaluates the system’s detailed design
➢ Models the in-place system
➢ Identifies system entities, events, and the boundaries of the system by building data-flow diagrams
(DFDs)

PASTA (Process for Attack Simulation and Threat Analysis)
➢ A risk-centric threat-modeling framework
➢ Contains seven stages, each with multiple activities
➢ Brings business objectives and technical requirements together
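Added example, not from the slides or from any STRIDE tooling: STRIDE applied per DFD element to a small constructed diagram, with threats on data flows that cross a trust boundary listed first. The per-element letter mapping is the commonly used STRIDE-per-element table; the sample elements, trust zones and names are constructed.

```python
"""STRIDE applied per data-flow-diagram element (added example).

The per-element letter mapping is the commonly used STRIDE-per-element table:
  external entity: S R        process:   S T R I D E
  data store:      T R I D    data flow: T I D
The diagram (a browser, a web application and an orders database), the trust
zones and all names are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL_ENTITY = "external entity"
    PROCESS = "process"
    DATA_STORE = "data store"


STRIDE = {
    "S": "Spoofing identity", "T": "Tampering with data", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}
PER_ELEMENT = {Kind.EXTERNAL_ENTITY: "SR", Kind.PROCESS: "STRIDE", Kind.DATA_STORE: "TRID"}
PER_FLOW = "TID"


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str                     # trust zone; a flow between different zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    target: str                   # element or flow name
    category: str                 # full STRIDE category name
    crosses_boundary: bool        # True for threats on boundary-crossing flows


def enumerate_threats(elements, flows):
    """One candidate threat per (element, applicable STRIDE category)."""
    threats = [Threat(el.name, STRIDE[c], False)
               for el in elements for c in PER_ELEMENT[el.kind]]
    threats += [Threat(fl.name, STRIDE[c], fl.crosses_boundary())
                for fl in flows for c in PER_FLOW]
    return threats


def prioritise(threats):
    """Boundary-crossing flows first: that is where an outside actor first touches the system."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))


# Constructed DFD: browser (internet) <-> web app (internal) <-> orders DB (internal).
BROWSER = Element("customer browser", Kind.EXTERNAL_ENTITY, "internet")
WEB_APP = Element("order web app", Kind.PROCESS, "internal")
ORDERS_DB = Element("orders database", Kind.DATA_STORE, "internal")
ELEMENTS = [BROWSER, WEB_APP, ORDERS_DB]
FLOWS = [
    Flow("HTTPS request", BROWSER, WEB_APP),
    Flow("HTTPS response", WEB_APP, BROWSER),
    Flow("SQL query", WEB_APP, ORDERS_DB),
    Flow("result set", ORDERS_DB, WEB_APP),
]

if __name__ == "__main__":
    for t in prioritise(enumerate_threats(ELEMENTS, FLOWS)):
        flag = "*" if t.crosses_boundary else " "
        print(f"{flag} {t.target:18s} {t.category}")
```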
Threat Modeling Methods - 3
LINDDUN (Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information,
Unawareness, Noncompliance)
➢ Focuses on privacy concerns and can be used for data security
➢ Starts with a DFD (Data Flow Diagram) of the system
➢ Defines the system’s data flows, data stores, processes, and external entities
➢ Identifies a threat’s applicability to the system
➢ Builds threat trees by analyzing the model elements from the perspective of threat categories

Attack Trees
➢ Depicts attacks on a system in tree form
➢ Has the goal for the attack in the tree root and the methods to achieve that goal in the leaves
➢ Represents each goal as a separate tree
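Added example, not from the slides: an attack tree with AND/OR nodes, used from the defender's side to list which leaf combinations reach the root goal and which of them remain after a set of controls closes particular leaves. The tree contents and the effort values are constructed for illustration.

```python
"""Attack tree with AND/OR nodes, evaluated from the defender's side (added example).

Root = attacker goal, leaves = concrete methods, interior nodes combine children
with OR (any one suffices) or AND (all are needed). Tree contents and effort
values are constructed for illustration; "mitigated" leaves are those a
control has closed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass
class Node:
    name: str
    op: str = "LEAF"                       # "LEAF", "OR" or "AND"
    cost: float = 0.0                      # leaves only: attacker effort (arbitrary units)
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node, mitigated: Set[str]) -> Optional[float]:
    """Cheapest attacker effort to reach `node`, or None when no open path remains."""
    if node.op == "LEAF":
        return None if node.name in mitigated else node.cost
    costs = [min_cost(c, mitigated) for c in node.children]
    if node.op == "OR":
        open_paths = [c for c in costs if c is not None]
        return min(open_paths) if open_paths else None
    if node.op == "AND":
        return None if any(c is None for c in costs) else sum(costs)
    raise ValueError(f"unknown operator {node.op!r}")


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Minimal sets of leaves that together achieve `node` (each is one attack path)."""
    if node.op == "LEAF":
        return [frozenset([node.name])]
    child_sets = [cut_sets(c) for c in node.children]
    if node.op == "OR":                     # any child's paths are paths to this node
        combined = [s for sets in child_sets for s in sets]
    else:                                   # AND: one path from every child, merged
        combined = [frozenset()]
        for sets in child_sets:
            combined = [acc | s for acc in combined for s in sets]
    unique = set(combined)
    return [s for s in unique if not any(o < s for o in unique)]   # drop non-minimal sets


def open_cut_sets(node: Node, mitigated: Set[str]) -> List[FrozenSet[str]]:
    """Attack paths that survive the given controls: none of their leaves is mitigated."""
    return [s for s in cut_sets(node) if not (s & mitigated)]


# Constructed tree for the goal "read customer records".
TREE = Node("read customer records", "OR", children=[
    Node("via admin account", "AND", children=[
        Node("phish admin credentials", cost=20),
        Node("bypass MFA", cost=60),
    ]),
    Node("exploit unpatched web app", cost=40),
    Node("via stolen hardware", "AND", children=[
        Node("physical access to server room", cost=70),
        Node("extract unencrypted disk", cost=10),
    ]),
])

if __name__ == "__main__":
    for controls in (set(), {"exploit unpatched web app"},
                     {"exploit unpatched web app", "bypass MFA", "extract unencrypted disk"}):
        print(f"controls closing {sorted(controls) or 'nothing'}: "
              f"cheapest path {min_cost(TREE, controls)}, "
              f"{len(open_cut_sets(TREE, controls))} open path(s)")
```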
Threat Modeling Methods - 4
PnG (Persona non Grata)
➢ Focuses on the motivations and skills of human attackers. Characterizes users as archetypes that can
misuse the system.
➢ Forces analysts to view the system from an unintended-use point of view.
➢ Works well with the Agile approach, which uses personas.
➢ Note: These personas have the advantage of being believable adversaries who can be considered
across multiple scenarios. They can be paired to help evaluate more complex attacks.

Trike
➢ Is a security audit framework
➢ Uses threat modeling as a technique from a risk management and defensive perspective
➢ Starts with defining a system and building a model using the system’s actors, assets, intended actions,
and rules
➢ Creates an actor-asset-action matrix by representing the assets as columns and the actors as rows
Threat Modeling Methods - 5
VAST (Visual, Agile, and Simple Threat)
➢ Is based on ThreatModeler, an automated threat-modeling platform
➢ Requires the creation of:
  ➢ Application threat models representing the architectural point of view
  ➢ Operational threat models representing the attacker’s point of view
➢ Allows for the integration of VAST into the organization’s development and DevOps life cycles
Objectives
➢ Explain the vulnerabilities in an organization.
➢ Explain the sources of vulnerabilities and their impact.
➢ Explain gap analysis.
➢ Elaborate on vulnerability assessment and penetration testing.
➢ Explain root cause analysis.

Vulnerability
Vulnerability — An Overview
Vulnerabilities are weaknesses, gaps, or holes in an enterprise’s people, processes, or technologies that
provide an opportunity for a threat actor to exploit, which create consequences that may impact the
enterprise.
➢ Many vulnerabilities are conditions that exist in systems and must be identified so that they can be
addressed.
➢ The purpose of vulnerability identification is to find the problems before they are found by an
adversary and exploited.
➢ An enterprise should conduct regular vulnerability assessments and penetration tests to identify,
validate, and classify its vulnerabilities.
➢ Where vulnerabilities exist, there is a potential for risk.

➢ NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, provides a list of vulnerabilities to
consider along with “predisposing conditions” that may lead to the rapid or unpredictable emergence
of new vulnerabilities.
Sources of Vulnerabilities
Vulnerabilities can be found in most places within and external to the enterprise.
• Network Vulnerabilities
• Physical Access
• Applications and Web-facing Services
• Utilities
• Supply Chain
• Equipment
• Cloud Computing
• Big Data
Sources of Vulnerabilities - 2
Network Vulnerabilities
These are often related to misconfiguration of equipment, poor architecture, or traffic interception.
Misconfiguration is a common problem with network equipment that is not properly installed, operated,
or maintained.

Physical Access
Threat actors that are able to gain physical access to systems have the potential to bypass nearly every
other type of control.
With access to server rooms, network cabling, information systems equipment, and buildings, an
attacker can:
• Circumvent passwords
• Install skimmers to steal data
• Use network taps to intercept data communications
• Take logical ownership of systems or devices
Sources of Vulnerabilities - 3
Application Vulnerabilities
Applications in general, and web applications in particular, are among the most common entry points
currently used by attackers.
Many applications are written to support business functions without properly considering security or
privacy requirements.

They may be vulnerable to:
• Injection attacks
• Broken authentication
• Sensitive data exposure
• Broken access controls
• Security misconfigurations
• Other common vulnerabilities
Applications may also be vulnerable due to poor architecture.
Sources of Vulnerabilities - 4
Utilities
Information systems rely on controlled environmental conditions, including clean and steady power and
controls over humidity and temperature.

Supply Chain
Many enterprises rely on products, services, raw materials, and supplies that originate from various
suppliers from across the globe, and any interruption in the supply chain may affect their ability to
function.

Equipment
As equipment ages, it becomes less efficient and potentially unable to support business functions.
There are multiple threats that older equipment can pose to enterprises, and each needs to be
investigated and evaluated in the full context of the business value provided and benefits yielded.
Sources of Vulnerabilities - 5
Cloud Computing
Outsourcing of application hosting and data processing has been growing in popularity for decades.
Cloud computing offers many business advantages, but both the organization and the risk practitioner
should recognize that outsourcing data processing does not eliminate the responsibility of the
outsourcing organization to ensure proper data protection.

Big Data
Advances in the capability to perform analysis of data from various sources of structured and
unstructured data allow enterprises to make better business decisions and increase competitive
advantage.
This change in analytics capabilities dealing with big data can introduce risk, and organizations should
understand that risk can arise both from adopting or not adopting these capabilities.
Gap Analysis
By documenting the desired state or condition of risk that management wants to reach, and then
carefully analyzing the current condition, the risk practitioner can identify the existence of a gap
and what actions are needed to close it.

Gap analysis can be an iterative process used to:
• Identify deliverables
• Plan projects
• Establish milestones

By using gap analysis with milestones, the organization can execute projects in a logical sequence,
accounting for interdependencies.
Quiz
What task should a risk practitioner do in order to identify vulnerabilities within the enterprise?

A. Perform a network vulnerability assessment.
B. Scan internet-facing applications for misconfigurations.
C. Perform a vulnerability assessment which looks at people, processes, and technologies.
D. Interview business unit leaders to identify where perceived weaknesses are within their business
units.
Vulnerability Assessment and Penetration Testing
Vulnerability Assessment
A vulnerability assessment is a careful examination of a target environment to discover any potential
points of compromise or weakness.

Penetration Testing
To validate the results of a vulnerability assessment, the organization may conduct a penetration test
against a potential vulnerability or attack vector.

A penetration test can focus not only on logical vulnerabilities, such as those in networks, but can
also include: people, processes, physical assets, wireless, and third parties.

Most enterprises mistakenly believe that penetration testing of networks and applications covers all
risks, while in reality it often addresses only one-third of the vulnerabilities within the enterprise.
Vulnerability Assessment and Penetration Testing - 2
Vulnerability Assessment
Vulnerabilities that may be identified by an assessment include:
• Network vulnerabilities
• Poor physical access controls (e.g., buildings, offices)
• Insecure applications
• Poorly designed or implemented web-facing services
• Disruption to utilities (e.g., power, telecommunications)
• Unreliable supply chain
• Untrained personnel
• Inefficient or ineffective processes (e.g., change control, incident handling)
• Poorly maintained or old equipment

Vulnerability assessments may:
• Contain inaccurate data, such as false positives that indicate a vulnerability where none exists.
• Miss the identification of vulnerabilities that require a sequence of chained techniques to exploit.
➢ Automated vulnerability assessments (e.g., network, application) – use a credentialed account to
reduce false positives.
➢ Run without credentials – attempts to elicit responses from systems and correlates them to determine
whether a vulnerability is present.
➢ Run with credentials – queries the system directly to report on identified versions, configuration,
and permission settings.
Vulnerability Assessment and Penetration Testing - 4
Penetration Testing
➢ Penetration testing can use the same sort of tools as a real adversary, which helps to establish the extent to which an identified vulnerability is a true, exploitable weakness.

➢ There are different types of penetration test; the enterprise's risk appetite and end goals should dictate the approach employed in carrying out the test.

➢ Penetration tests may be conducted by internal teams, external teams or a hybrid of the two, and the rules of engagement range from full knowledge of the environment to zero-knowledge tests in which the testing team has no prior knowledge of the environment being attacked.
Root Cause Analysis
Definition:
The process of discovering the source of the problems and faults that led to an incident, in order to identify appropriate solutions.
This requires identifying the original cause of the issue: where the processes or systems failed.

Purpose:
The actions that an enterprise takes in response to risk are often based on the lessons learned from
previous events.

Objectives:
Root cause analysis examines the reasons that lead to the problem or why a breach has occurred and
seeks to identify and resolve these underlying issues.
Root Cause Analysis - 2
A prudent risk practitioner examines the root cause of an incident to discover the conditions and factors that led to the event, rather than reacting to the symptoms of the problem.

One forward-looking application of root cause thinking is the pre-mortem: a facilitated workshop in which the group is told to assume the project has already failed and discusses why it failed.

In many cases, a risk event is the result of coinciding events: several issues that act in combination to produce what appears to be a single result.
The risk practitioner can use root cause analysis to identify such coinciding events, which cannot be traced to a single common cause.
Quiz
An enterprise’s monthly automated vulnerability assessment was run and yielded several
hundred findings associated with a number of internally developed, critical business web-based
applications. Historically, these applications have had very few findings from assessments.
What will be the MOST likely reason for this occurrence?

A. All of the platforms scanned went end-of-life, end-of-support since the last assessment was
conducted.

B. An uncredentialed account was used, resulting in a high number of false positives being reported.

C. A new vulnerability was discovered by the vendor.

D. A new zero-day exploit with the OS was discovered since the last assessment.
Domain 2 - Agenda

Domain 2: IT Risk Assessments


Risk Events
Threat Modeling and Threat Landscape
Vulnerability and Control Deficiency Analysis
Risk Scenario Development
Risk Assessment Concepts, Standards, and Framework
Risk Register and Risk Analysis Methodologies
Business Impact Analysis and Risk Categories
Objectives
➢ Explain the importance of risk scenario development.

➢ Discuss the benefits of using risk scenarios.

➢ Differentiate between the bottom-up and top-down approaches to develop risk scenarios.

➢ Identify what is needed to develop risk scenarios.

➢ Discuss the risk scenario technique focus areas.

➢ Identify the risk scenario analysis models.


Risk scenarios
A risk scenario describes a possible threat event whose occurrence will have an uncertain impact on organizational objectives.
➢ It helps determine the likelihood and the impact of unexpected incidents.
➢ It facilitates conceptualizing risk, which assists in risk identification.
➢ It helps document risk in terms of the business objectives or operations affected by events.

Key Benefits:
Developing risk scenarios provides a means of gathering and framing information used in subsequent steps of the risk management process:
1. Risk scenarios facilitate communication associated with risk management.
2. The use of risk scenarios can help the risk team to understand and explain risk.
3. A well-developed scenario provides a realistic and practical view of risk.
Risk Scenarios Components
A risk scenario is a description of an IT-related risk event that can lead to a business impact.

Components to Develop Risk Scenarios:

Actor/Threat Community
The internal or external party or entity that generates the threat.

Intent/Motivation
The nature of the threat event:
• Malicious or accidental
• A natural event
• An equipment or process failure

Threat Event
Attempts by a threat actor that may, if successful, result in security events such as:
• Disclosure of information
• Interruption of a system or project
• Theft
• Improper modification of data or a process
• Inappropriate use of resources
Risk Scenarios Components - 2
Asset and Resource
The entity affected by the risk event:
• People
• Organizational structure
• IT processes
• Physical infrastructure
• IT infrastructure
• Information and applications

Effect
Impact of the occurrence of a threat:
• How much loss would the enterprise feel as a result of a risk scenario being realized?
• What primary (direct) and secondary (indirect) losses could be experienced if a risk scenario were realized?
Risk Scenarios Components - 3
Timing
The estimated frequency of the occurrence of the threat event:
• How often are the threat agent and asset in contact?
• How often does a threat agent act against an asset?
• How often is the threat agent successful in overcoming existing controls?
• How often are the controls successful in preventing a successful action?

Risk Scenario Development Approaches
Risk scenarios can be developed from a top-down perspective driven by business goals or from
a bottom-up perspective originating from hypothetical or historical scenarios.
➢ Top-down Approach
➢ Bottom-up Approach

The Top-down Approach


➢ Is based on understanding business goals and the impact of risk events on those goals.
➢ Develops scenarios to examine the relationship between the risk event and the business
goals.
➢ Relates each risk scenario directly to the business and helps to educate senior managers
on effective risk measurement.
➢ Is broad-based and suited to the general risk management of the company.
➢ Deals with the goals that senior managers have already identified as important.
Risk Scenario Development Approaches - 2
The Bottom-up Approach
➢ Is based on describing risk events that are specific to individual enterprise situations,
typically hypothetical or historical situations.
➢ Starts with one or more generic risk scenarios, then gets refined to meet individual
organizational needs.
➢ Identifies scenarios that are highly dependent on the specific technical workings of a
process or system.
➢ May not be able to maintain management interest due to its focus on highly specialized,
technical scenarios.
Risk Scenario Key Focus Areas
➢ Deduce complex scenarios from simple scenarios by showing impact and dependencies.
➢ Maintain currency of risk scenarios and risk factors.
➢ Use generic scenarios as a starting point and build more detail where and when required.
➢ Ensure that risk taxonomy reflects business reality and complexity.
➢ Use generic risk scenario structures to simplify risk reporting.
➢ Use the risk scenario-building process to obtain buy-in.
➢ Involve the first line of defense in the scenario-building process.
➢ Consider common scenarios, do not focus only on rare and extreme scenarios.
Quiz
Ali recommends a bottom-up approach to developing risk scenarios as a way of helping his
company avoid the impacts experienced by the large IT firm mentioned earlier.
Which of the following is most accurate about bottom-up development?

A. Bottom-up development focuses on organizational goals.

B. Aggregate risk is better presented from the bottom-up perspective.

C. Senior management tends to more easily accept bottom-up scenarios.

D. Complex technical scenarios are best developed from the bottom-up.


Analyzing Risk Scenarios
Risk Assessments:
Identify those items or areas that pose the highest risk, vulnerability, or exposure to the
enterprise for inclusion in the Information Systems (IS) annual audit plan.

Risk scenario development is part of the risk assessment process, which consists of:

Risk Identification
Risk scenarios are developed to identify potential risk events.

Risk Analysis
The frequency and magnitude of IT risk scenarios are estimated.

Risk Evaluation
The levels of risk are compared against the risk evaluation criteria and the risk acceptance criteria.
Analyzing Risk Scenarios - 2
Analyzing Risk Scenarios is Important Because:
➢ The impact of a risk event is hard to calculate with precision due to the many factors that affect
the outcome of the event.

➢ If an event is detected quickly and appropriate measures are taken to contain it, the impact
may be minimized, and recovery can be relatively quick.

➢ However, if the enterprise fails to detect the incident promptly, the same event could cause
significant damage and result in much higher recovery costs.

There are two models used for risk scenario analysis:

➢ FAIR Model - Factor Analysis of Information Risk
➢ HARM Model – Holistic Approach to Risk Management

Both FAIR and HARM leverage Monte Carlo engines that run a large number of simulations and map qualitative statements to quantitative values.
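The following added example (not part of the slides, and not the Open FAIR standard's own tooling) shows what "map qualitative statements to quantitative values and run a Monte Carlo engine" means in practice. It takes the Timing questions from the risk scenario components (how often the agent acts, how often it overcomes the controls) as Threat Event Frequency and Vulnerability, multiplies them into a Loss Event Frequency, and sums primary and secondary loss per event over thousands of simulated years. The calibration table, every range, and the seed are constructed assumptions; the Poisson sampler (Knuth's method) is there only because the standard library has no Poisson draw.

```python
"""Added example, not part of the CRISC slides or of the Open FAIR standard's
own tooling: a FAIR-style Monte Carlo for one risk scenario. The calibration
table, every range and the seed are constructed assumptions."""
import math
import random

# (min, most likely, max) behind each qualitative statement. Constructed values;
# a real programme calibrates these with its own subject-matter experts.
CALIBRATION = {
    # how often the threat agent acts against the asset, attempts per year
    "threat_event_frequency": {"low": (0.1, 0.5, 2.0), "medium": (2.0, 6.0, 20.0),
                               "high": (20.0, 50.0, 200.0)},
    # how often an attempt overcomes the existing controls (a probability)
    "vulnerability": {"low": (0.01, 0.05, 0.15), "medium": (0.05, 0.15, 0.40),
                      "high": (0.30, 0.60, 0.95)},
    # primary (direct) loss per event, currency units
    "primary_loss": {"low": (1_000, 5_000, 20_000), "medium": (20_000, 80_000, 400_000),
                     "high": (400_000, 1_000_000, 5_000_000)},
    # probability that an event also triggers secondary (indirect) loss
    "secondary_loss_probability": {"low": (0.01, 0.05, 0.15), "medium": (0.10, 0.30, 0.60),
                                   "high": (0.50, 0.80, 1.00)},
    # secondary loss per event: fines, churn, legal cost
    "secondary_loss": {"low": (5_000, 20_000, 100_000), "medium": (50_000, 250_000, 2_000_000),
                       "high": (1_000_000, 5_000_000, 20_000_000)},
}


def scenario_from_statements(statements):
    """Map a workshop's Low/Medium/High statements to calibrated ranges."""
    return {factor: CALIBRATION[factor][statements[factor].lower()] for factor in CALIBRATION}


def sample(rng, bounds):
    """Draw from a triangular distribution given (min, most likely, max)."""
    low, mode, high = bounds
    return rng.triangular(low, high, mode)  # random.triangular takes (low, high, mode)


def poisson(rng, mean):
    """Knuth's method: number of loss events in a year given the expected count."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scenario, iterations=10_000, seed=7):
    """Return summary statistics of the simulated annual loss for one scenario."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        tef = sample(rng, scenario["threat_event_frequency"])
        vulnerability = sample(rng, scenario["vulnerability"])
        loss_event_frequency = tef * vulnerability  # FAIR: LEF = TEF x Vulnerability
        loss = 0.0
        for _ in range(poisson(rng, loss_event_frequency)):
            loss += sample(rng, scenario["primary_loss"])
            if rng.random() < sample(rng, scenario["secondary_loss_probability"]):
                loss += sample(rng, scenario["secondary_loss"])
        annual.append(loss)
    annual.sort()

    def percentile(q):
        return annual[int(q * (iterations - 1))]

    return {
        "mean": sum(annual) / iterations,
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": annual[-1],
        "p_any_loss": sum(1 for x in annual if x > 0) / iterations,
    }


if __name__ == "__main__":
    statements = {factor: "medium" for factor in CALIBRATION}
    result = simulate(scenario_from_statements(statements))
    for key, value in result.items():
        print(f"{key:>10}: {value:,.2f}")
```

The point of reporting percentiles rather than a single number is the one the HARM description makes: the p50 and p90 of the simulated loss tell management how heavy the tail is, and re-running the simulation with a lower "vulnerability" range shows how much a control that raises control maturity is expected to shrink that tail.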
FAIR Model - Factor Analysis of Information Risk
FAIR decomposes the major components that comprise risk into smaller, manageable components that are ready to be analyzed.

It helps convert qualitative ratings (such as "high," "medium," or "low") into quantitative values (such as cost in dollars).
HARM – Holistic Approach to Risk Management
The Holistic Approach to Risk Management (HARM) is an entire methodology built on the Open FAIR model. It is similar in nature, but accounts for loss magnitudes at a discrete level and factors in control objective maturity as a way to account for potential reductions in the overall loss magnitude estimate.

It is better suited to organizations with more complex environments.
Quiz
Amin is asked by his manager to explain how risk scenarios relate to overall risk
assessment. What should he tell his manager?

A. Risk scenarios are part of risk response.

B. Risk scenarios are part of risk analysis.

C. Risk scenarios are part of risk identification.

D. Risk scenarios are part of risk reporting.


Objectives
➢ Explain the risk assessment process.

➢ Explain the risk ranking process.

➢ Describe risk maps.

➢ Explain how to address risk exclusions.

➢ Elaborate on the various techniques used in risk assessments.

➢ Explain risk ownership and accountability.

➢ Elaborate on documenting the risk assessment process.


Risk Assessment and its Techniques
IT risk is a subset of enterprise risk.

Assessments of IT risk must consider the dependencies on the affected IT system, such as:
• Other systems
• Departments
• Business partners
• Users

IT Risk Management Life Cycle:
1. IT Risk Identification
2. IT Risk Assessment
3. Risk Response and Mitigation
4. Risk and Control Monitoring and Reporting
Risk Assessment and its Techniques - 2
Elements Evaluated in Risk Assessment:
➢ Critical functions necessary to continue business operations

➢ Risk associated with each of the critical functions

➢ Controls in place to reduce exposure and cost

➢ Prioritize risk based on the likelihood and potential impact

➢ Relationship between the risk and the enterprise risk appetite and tolerance
Risk Assessment and its Techniques - 3
A consistent risk assessment technique should be used whenever the goal is to produce results
that can be compared over time.

Some risk assessment techniques that may be valuable include:


➢ Bayesian analysis
➢ Bow tie analysis
➢ Brainstorming / structured interview
➢ Cause and consequence analysis
➢ Cause-and-effect analysis
Risk Ranking and Risk Maps
The risk practitioner uses the results of risk assessment to place risk in an order that can be
used to direct the risk response effort.
Risk Ranking
Risk ranking is derived from a combination of all the components of risk including the:
• Recognition of the threats
• Characteristics and capabilities of a threat source
• Severity of a vulnerability
• Likelihood of attack success when considering effectiveness of controls
• Impact to the organization of a successful attack
Risk Ranking and Risk Maps - 2
Risk Maps
A Risk Map is a (graphic) tool for ranking and displaying risk by defined ranges for frequency and
magnitude.
Example risk map with risk appetite (figure not reproduced): the annotations mark the risk capacity and the reduction of risk severity expected from risk response.
Risk Ownership and Accountability
➢ To ensure accountability, the ownership of risk must be with an individual, not with a
department or the enterprise as a whole.

➢ Individuals own the risk according to their job responsibilities and duties.

➢ The risk owner is responsible for making the decision of what the best response is to the
identified risk and must be at a level in the enterprise where they are authorized to make
decisions on behalf of the enterprise and can be held accountable for those decisions.
Quiz
Ali has prepared a preliminary risk map and is preparing for a discussion with
management. In the moderate impact / moderate frequency box, he notices that the
risks primarily relate to HR, while Engineering is a risk owner for the majority of items in
the high- and medium-impact boxes with very low frequency. In medium- and high-
frequency boxes with high impact, he sees entries owned by the Research teams. The
Legal department has a cluster of entries in low frequency / low impact and another in
high likelihood / high impact.
Which groups are most likely to be outside of management’s risk appetite, and why?

A. HR and Legal, because they trend from low to high impact and low to high frequency
B. Engineering and Legal, because they have clusters trending upward in the low frequency
category
C. Research and Engineering, because they have entries across high impact
D. Legal and Research, because they each have a cluster of entries that are high impact, high
frequency
Documenting Risk Assessments
At the conclusion of the IT risk assessment phase, the risk practitioner compiles the results of the
risk assessment into a comprehensive report for senior management.

Purpose
The risk assessment report:
• Indicates any gaps between the current risk environment and the desired state of IT risk
• Advises whether these gaps are within acceptable levels
• Provides some basis on which to judge the severity of the identified issue
Documenting Risk Assessments - 2
Process
The risk assessment when performed in a consistent manner:
• Supports future risk assessment efforts
• Provides predictable results
• Documents all risk in the report including issues that may already have been addressed
Risk Assessment Report Components
Key sections in a risk assessment report:
• Objectives of the risk assessment process
• Scope and description of the area subject to assessment
• External context and factors affecting risk
• Internal factors or limitations affecting risk assessment
• Risk assessment methodology used
• Identification of risk, threats and vulnerabilities
• Results of risk assessment
• Recommendations and conclusions
Documenting Risk Assessments - 3
Best Practices
The risk practitioner should ensure that the report is:
• Clear, concise, and accurate
• Free from terminology that could be misunderstood or is subject to misinterpretation
Addressing Risk Exclusions
The risk practitioner should ensure that all IT risk is either evaluated or intentionally excluded.

• Some IT risk events apply only to enterprises that meet particular criteria. For instance, not all regions are subject to the same natural disasters.

• Intentionally excluded risk must be documented with proper justification behind the exclusion.

• The risk practitioner should re-evaluate each documented risk to ensure that it was identified
and assessed accurately based on the current risk landscape.
Quiz
Sara is preparing a report on her assessment of the company’s energy sector risks.
What is the most important reason to conduct risk assessments in a consistent, structured
manner?

A. To provide some basis on which to judge the severity of identified issues.

B. To provide predictable, repeatable results that support future assessments.

C. To identify instances in which the risk appetite may have been exceeded.

D. To recommend courses of remedial action to senior management.


Objectives
➢ Explain the purpose of a risk register.

➢ Maintain the IT risk register.

➢ Explain the different types of risk analysis methodologies:
   ➢ Quantitative risk assessment
   ➢ Qualitative risk assessment
   ➢ Semiquantitative/hybrid risk assessment

➢ Conduct a risk assessment by analyzing IT risk scenarios based on their likelihood and impact.
Risk Register
A risk register:
• Consolidates risk data into one place.
• Enables the tracking of risk.

Entries in the risk register:


• Show the severity, source, and potential impact of a risk.
• Identify the risk owner, the current status, and disposition of the risk.
Risk Analysis Methodologies
Risk analysis methodologies:
• Quantitative risk assessment
• Qualitative risk assessment
• Semiquantitative/hybrid risk assessment
Quantitative Risk Assessment
• Leverages numerical calculations.
• Uses common mathematical models to simulate potential outcomes.
• Often expresses results in monetary values.
• More precise, provided the input data is reliable.
• Suitable for cost-benefit analysis.

Where quantitative risk assessment is desirable, the risk practitioner may seek to approximate
probability using calibrated estimates in addition to quality empirical or historical data to model,
simulate and calculate a likelihood over an entire population.

Quantitative risk assessment becomes progressively more useful as risk can be communicated
using business-aligned methods.

The value of risk used in quantitative risk assessment is often calculated on an annual basis in
order to align the process with the natural cycle for calculating budgets.
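An added example (not from the slides) of the annualized calculation referred to above: single loss expectancy, annual rate of occurrence and annualized loss expectancy for one scenario, then the cost-benefit of three candidate controls with their one-off costs spread over their useful life so that every figure is on the same annual basis as the budget. The asset value, exposure factor, ARO and the three controls are constructed.

```python
"""Added example, not from the CRISC slides: annualized loss expectancy (ALE)
and an annualized control cost-benefit comparison. The asset value, exposure
factor, ARO and candidate controls are constructed."""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: loss from one occurrence; exposure factor is the fraction of asset value lost."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is the expected number of occurrences per year."""
    return sle * aro


def annualized_control_cost(control):
    """Spread a one-off capital cost over its useful life and add the yearly
    operating cost, so the control is comparable with an annual loss figure."""
    return control["capital_cost"] / control["useful_life_years"] + control["annual_operating_cost"]


def evaluate_control(asset_value, exposure_factor, aro, control):
    """ALE before and after the control, its annual cost, and the net benefit."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    sle_after = single_loss_expectancy(asset_value, exposure_factor * (1 - control["exposure_reduction"]))
    ale_after = annualized_loss_expectancy(sle_after, aro * (1 - control["aro_reduction"]))
    cost = annualized_control_cost(control)
    return {
        "control": control["name"],
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_cost": cost,
        "net_benefit": (ale_before - ale_after) - cost,
    }


def rank_controls(asset_value, exposure_factor, aro, controls):
    """Highest net benefit first; a negative net benefit means the control costs more than it saves."""
    evaluated = [evaluate_control(asset_value, exposure_factor, aro, c) for c in controls]
    return sorted(evaluated, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario: a customer database worth 2,000,000, of which 25% is lost
# per breach, with a breach expected once every five years.
ASSET_VALUE, EXPOSURE_FACTOR, ARO = 2_000_000, 0.25, 0.2
CONTROLS = [
    {"name": "email filtering + awareness", "capital_cost": 150_000, "useful_life_years": 5,
     "annual_operating_cost": 10_000, "aro_reduction": 0.75, "exposure_reduction": 0.0},
    {"name": "managed detection & response", "capital_cost": 0, "useful_life_years": 1,
     "annual_operating_cost": 90_000, "aro_reduction": 0.90, "exposure_reduction": 0.20},
    {"name": "quarterly phishing drills", "capital_cost": 20_000, "useful_life_years": 4,
     "annual_operating_cost": 0, "aro_reduction": 0.10, "exposure_reduction": 0.0},
]

if __name__ == "__main__":
    for r in rank_controls(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CONTROLS):
        print(f"{r['control']:<30} ALE {r['ale_before']:>9,.0f} -> {r['ale_after']:>9,.0f}"
              f"  cost {r['annual_cost']:>8,.0f}  net {r['net_benefit']:>8,.0f}")
```

With these constructed numbers the control that reduces risk the most (managed detection and response, ALE 100,000 down to 8,000) is not the best value: after its annual cost it returns roughly 2,000 a year, while the cheaper filtering-plus-awareness option returns 35,000. That is the kind of comparison the quiz on this page asks for when the board wants the financial impact of individual scenarios.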
Quiz
The board of directors wants to know the financial impact of specific, individual risk
scenarios.
What type of approach/analysis is BEST suited to fulfill this requirement?

A. Delphi method
B. Quantitative analysis
C. Qualitative analysis
D. Financial risk modeling
Qualitative Risk Assessment
Qualitative risk assessments are usually based on scenarios or descriptions of situations that
either have occurred or may occur.
The intention of these scenarios is to elicit feedback from multiple stakeholders such as:
• Departments
• Customers
• Management

Scenarios under qualitative risk assessment may be based on:


Threats
Vulnerabilities
Assets
Threats
A threat-based scenario examines a risk event on the basis of:
• Internal or external threat actors
• Threat types (e.g., malicious, failure, or new regulations)
• Events (e.g., disclosure, theft, destruction)
• Asset (e.g., people, application, buildings)
Vulnerabilities
A vulnerability-based approach:
• Examines the organization's known vulnerabilities.
• Anticipates the threats that could exploit those vulnerabilities and projects the consequences and magnitude of impact.
• Provides findings that can be validated further by penetration testing.
Asset
An asset approach is based on:
• The identification of critical and sensitive assets.
• The potential ways that these assets could be damaged typically by attacking:
○ Confidentiality
○ Integrity
○ Availability
Results of Qualitative Risk Assessment
Qualitative risk assessment assigns values on:
• A comparative basis — High, Medium, and Low
• An ordinal basis — A scale of 1 to 10
The assignment of qualitative values relies heavily on experience and expert knowledge, resulting
in subjective findings. It also requires ensuring that each value is consistent across all
stakeholders to ensure proper context and comparison.
• The relative values offered by a qualitative process can typically be used to order response
actions in terms of perceived importance.

The results of a qualitative risk assessment:
▪ Compare the likelihood of a risk event with its impact on the enterprise.
▪ Identify risk that is highly likely and has a high impact as an area of immediate concern.
▪ Represent risk with a lower likelihood or a lower level of exposure as a lower priority for risk response.
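An added example (not from the slides) that ties the qualitative scoring described above to the risk register and risk map slides earlier on this page: register entries are scored on ordinal 1 to 5 likelihood and impact scales, placed on a 5x5 map, ranked for response, and compared with a stated risk appetite, with closed items kept in the register but left off the map. The register entries, the owner roles and the appetite threshold are constructed.

```python
"""Added example, not part of the CRISC slides: a small IT risk register scored
qualitatively, placed on a 5x5 risk map, ranked, and compared with a risk
appetite. All entries, owners and the appetite threshold are constructed."""

SCALE = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}

# Constructed register. Each owner is an individual role rather than a department,
# so accountability for the response decision is unambiguous.
REGISTER = [
    {"id": "R-01", "scenario": "Ransomware on file servers via phishing",
     "owner": "Head of Infrastructure", "likelihood": 4, "impact": 5, "status": "open"},
    {"id": "R-02", "scenario": "Loss of primary data centre power",
     "owner": "Facilities Manager", "likelihood": 1, "impact": 5, "status": "open"},
    {"id": "R-03", "scenario": "Misconfigured cloud storage exposes customer data",
     "owner": "Cloud Platform Lead", "likelihood": 3, "impact": 4, "status": "mitigating"},
    {"id": "R-04", "scenario": "Untested change breaks the billing batch",
     "owner": "Change Manager", "likelihood": 3, "impact": 2, "status": "open"},
    {"id": "R-05", "scenario": "Expired TLS certificate on the public portal",
     "owner": "Web Operations Lead", "likelihood": 2, "impact": 2, "status": "closed"},
]

APPETITE = {"max_score": 10}  # constructed: anything scoring above 10 needs a management decision


def score(entry):
    """Ordinal score: likelihood x impact on 1-5 scales, so 1 to 25."""
    return entry["likelihood"] * entry["impact"]


def band(value):
    """Comparative High/Medium/Low rating derived from the ordinal score."""
    if value >= 15:
        return "High"
    if value >= 8:
        return "Medium"
    return "Low"


def map_cell(entry):
    """Where the entry sits on the map, as (likelihood label, impact label)."""
    return SCALE[entry["likelihood"]], SCALE[entry["impact"]]


def risk_map(register):
    """5x5 grid: grid[likelihood][impact] -> list of entry ids; closed items are left off."""
    grid = {l: {i: [] for i in SCALE} for l in SCALE}
    for entry in register:
        if entry["status"] != "closed":
            grid[entry["likelihood"]][entry["impact"]].append(entry["id"])
    return grid


def rank_register(register):
    """Order live items for response: highest score first, then impact, then id."""
    live = [e for e in register if e["status"] != "closed"]
    return sorted(live, key=lambda e: (-score(e), -e["impact"], e["id"]))


def outside_appetite(register, appetite):
    """Ids of live items whose score exceeds the appetite threshold, highest first."""
    return [e["id"] for e in rank_register(register) if score(e) > appetite["max_score"]]


def open_items_by_owner(register):
    """How many live items each owner is accountable for."""
    counts = {}
    for entry in register:
        if entry["status"] != "closed":
            counts[entry["owner"]] = counts.get(entry["owner"], 0) + 1
    return counts


if __name__ == "__main__":
    for entry in rank_register(REGISTER):
        print(f"{entry['id']} score={score(entry):>2} {band(score(entry)):<6} "
              f"{map_cell(entry)} owner={entry['owner']}")
    print("Outside appetite:", outside_appetite(REGISTER, APPETITE))
```

Note that R-02 (very low likelihood, very high impact) scores below the appetite line on a multiplicative scale even though it sits in the corner of the map most executives look at first; a practitioner would usually add a rule that any very-high-impact entry is reviewed regardless of score, which is a one-line change to outside_appetite.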
