CRISC Domain 2 Control Environment Assessment in Risk Management - PowerPoint PPT Presentation

About This Presentation
Title:

CRISC Domain 2 Control Environment Assessment in Risk Management

Description:

CRISC Domain 2 focuses on IT risk assessment, a critical component of the Certified in Risk and Information Systems Control (CRISC) certification. This domain covers the processes and methodologies for identifying, analyzing, and evaluating IT risks within an organization. It emphasizes understanding the organization’s risk appetite and tolerance, and how to prioritize risks based on their potential impact and likelihood. By mastering Domain 2, candidates learn how to assess and mitigate risks effectively, ensuring that they align IT risk management strategies with business objectives. This domain is crucial for professionals aiming to protect their organization’s assets while supporting its strategic goals. – PowerPoint PPT presentation

Date added: 9 September 2024
Slides: 14
Provided by: infosectrain02

Transcript and Presenter's Notes

CONTROLS
Controls reduce or maintain risk at acceptable levels.

Importance of Control Environment
- Ensure effectiveness: regular review of controls; balance between technical, managerial, and physical controls.
- Issues: poor maintenance, unsuitability, incorrect configuration.

Implementation of Technical Controls
- Example: firewall.
- Requirements: training, procedures, responsibilities, monitoring, testing.
- Issues: false sense of security, unidentified vulnerabilities.
CRISC DOMAIN 2
www.infosectrain.com
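The firewall is the slide's example of a technical control that needs monitoring and testing, and whose issues are a false sense of security and incorrect configuration. The following is an added illustration, not code from the presentation or from InfosecTrain: a rule review over a small, constructed ruleset that flags an allow-any/any rule, rules with zero hits (an untested or unnecessary control), rules shadowed or made redundant by an earlier rule under first-match semantics, and a ruleset that does not end in an explicit deny-all. The Rule record, its field format, and SAMPLE_RULES are assumptions invented for the example; the coverage test compares fields literally and does not do CIDR containment.

```python
"""Rule review for a technical control: a firewall ruleset checked for
the issues named on the slide (false sense of security, incorrect
configuration, untested control). Constructed example; the rule format
and the SAMPLE_RULES data are invented for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

MATCH_FIELDS = ("proto", "src", "dst", "port")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source network, or "any"
    dst: str      # destination host/network, or "any"
    port: str     # destination port, or "any"
    hits: int     # match counter read from the device


# Constructed sample ruleset (not taken from any real device). Rules are
# evaluated top to bottom, first match wins, as on most firewalls.
SAMPLE_RULES = [
    Rule("web-in",       "allow", "tcp", "any",         "10.0.1.10", "443",  18450),
    Rule("mgmt-ssh",     "allow", "tcp", "10.0.9.0/24", "10.0.1.10", "22",   37),
    Rule("temp-any",     "allow", "any", "any",         "any",       "any",  9201),
    Rule("block-telnet", "deny",  "tcp", "any",         "any",       "23",   0),
    Rule("db-in",        "allow", "tcp", "10.0.1.0/24", "10.0.2.5",  "5432", 0),
    Rule("default-deny", "deny",  "any", "any",         "any",       "any",  3),
]


def is_any_any(rule: Rule) -> bool:
    """True when the rule matches every packet."""
    return all(getattr(rule, f) == "any" for f in MATCH_FIELDS)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet matching `narrow` already matches `broad`.
    A field covers another when it is the wildcard or exactly equal
    (no CIDR containment, to keep the example short)."""
    return all(getattr(broad, f) in ("any", getattr(narrow, f)) for f in MATCH_FIELDS)


def review(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, finding kind, explanation) triples."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and is_any_any(rule):
            findings.append((rule.name, "permissive",
                             "allow any/any: the firewall no longer controls anything"))
        if rule.hits == 0:
            findings.append((rule.name, "no-hits",
                             "never matched: control is untested or unnecessary"))
        # First-match semantics: an earlier rule that covers this one makes it dead.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind,
                                 f"fully covered by earlier rule {earlier.name}"))
                break
    if not rules or not (rules[-1].action == "deny" and is_any_any(rules[-1])):
        findings.append(("<ruleset>", "no-default-deny",
                         "ruleset does not end in an explicit deny-all rule"))
    return findings


if __name__ == "__main__":
    for name, kind, why in review(SAMPLE_RULES):
        print(f"{name:14} {kind:16} {why}")
```

On the sample data the interesting finding is not the zero-hit rules but the shadowed default-deny: the ruleset looks complete on paper, yet the temporary allow-any rule above it means the deny never applies. That is the false sense of security the slide warns about, and it is only visible when the rules are reviewed as an ordered set rather than individually.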
CONTROL CATEGORIES
- Preventive: Inhibit attempts to violate security policy. Example: encryption, user authentication, vault-construction doors.
- Deterrent: Provide warnings that may dissuade threat agents from attempting compromise. Example: warning banners, rewards for arrest of hackers.
- Directive: Specify the actions required to comply with security policy. Example: policies.
- Detective: Provide warning of violations or attempted violations of security policy. Example: audit trails, IDSs, checksums.
- Corrective: Remediate errors, omissions, unauthorized uses, and intrusions when detected. Example: data backups, error correction, automated failover.
- Compensating: An alternate form of control that corrects a deficiency or weakness in the control structure. Example: isolated network segments, third-party challenge-response mechanisms.
ASSESSING CONTROL ENVIRONMENT
- Evaluate risk culture and the current risk management program.
- Determine the level and seriousness of risk.

Indicators of Serious Risk
- Inadequate controls
- Wrong controls used
- Controls ignored or bypassed
- Poor maintenance of controls
- Unreviewed logs or control data
- Untested controls
- Unmanaged changes to controls
- Physical access to and alteration of controls
- Inadequate segregation of duties between those who approve changes, make changes, monitor changes, analyze changes, and report on changes
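Several of the indicators above (untested controls, unreviewed logs, unmanaged changes, inadequate segregation of duties) can be checked mechanically from a control inventory and a change log. The block below is an added example, not part of the presentation, and not a tool from InfosecTrain or ISACA: the Control and Change records, the 90-day test/review cycle, and the sample data are assumptions made for the illustration. It flags controls not tested or whose logs were not reviewed within the cycle, changes with no approver or no after-the-fact reviewer, and changes where the same person approved and implemented, or implemented and reviewed.

```python
"""Check a control inventory and its change records for the indicators
of serious risk listed on the slide: untested controls, unreviewed logs,
unmanaged (unapproved or unreviewed) changes, and inadequate segregation
of duties between approving, making and reviewing a change. Constructed
example: the Control/Change records and the sample data are invented."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    last_tested: Optional[date]         # None = never tested
    logs_last_reviewed: Optional[date]  # None = logs never reviewed


@dataclass(frozen=True)
class Change:
    change_id: str
    control: str
    approved_by: Optional[str]   # None = change made without approval
    implemented_by: str
    reviewed_by: Optional[str]   # None = change never reviewed after the fact


def assess(controls: List[Control], changes: List[Change],
           today: date, max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (item, indicator) pairs. max_age_days is the assumed test and
    log-review cycle; the slide does not prescribe one."""
    findings = []

    def stale(d: Optional[date]) -> bool:
        return d is None or (today - d).days > max_age_days

    for c in controls:
        if stale(c.last_tested):
            findings.append((c.name, "untested-control"))
        if stale(c.logs_last_reviewed):
            findings.append((c.name, "unreviewed-logs"))

    for ch in changes:
        if ch.approved_by is None:
            findings.append((ch.change_id, "unapproved-change"))
        elif ch.approved_by == ch.implemented_by:
            findings.append((ch.change_id, "sod-approver-implementer"))
        if ch.reviewed_by is None:
            findings.append((ch.change_id, "unreviewed-change"))
        elif ch.reviewed_by == ch.implemented_by:
            findings.append((ch.change_id, "sod-implementer-reviewer"))
    return findings


# Constructed sample data (not from any real environment).
TODAY = date(2024, 9, 9)
SAMPLE_CONTROLS = [
    Control("perimeter-firewall", date(2024, 8, 20), date(2024, 9, 1)),
    Control("vpn-gateway",        date(2024, 3, 1),  None),
]
SAMPLE_CHANGES = [
    Change("CHG-101", "perimeter-firewall", "alice", "bob",  "carol"),
    Change("CHG-102", "vpn-gateway",        "bob",   "bob",  None),
    Change("CHG-103", "perimeter-firewall", None,    "dave", "dave"),
]

if __name__ == "__main__":
    for item, indicator in assess(SAMPLE_CONTROLS, SAMPLE_CHANGES, TODAY):
        print(f"{item:20} {indicator}")
```

The separate approver, implementer and reviewer fields are what make the segregation-of-duties check possible; if a change system records only "changed by", the indicator cannot be assessed from the data and the assessment has to fall back to interviews, which is itself a finding about the control environment.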
CAPABILITY MATURITY MODELS
Compare the state of the organization's risk management to an established capability maturity model.
Purpose: Evolutionary improvement from ad hoc, immature processes to disciplined, mature processes.

Benefits
- Defined, reliable processes.
- Consistent follow-through.
- Continuous improvement.
- Better incident prevention, detection, and recovery.
- Well-structured risk management procedures across all departments.
- Core risk management principles, policies, procedures, and standards.
CAPABILITY MATURITY MODELS
Key Elements of IT Risk Management Capability
- Support of senior management.
- Regular communication between stakeholders.
- Existence of policies, procedures, and standards.
- Logging and monitoring of system activity.
- Scheduled risk assessments and reviews.
- Efficiency and effectiveness of risk management practices.
- Availability of a current BIA.
- Regular review of logs.

Improvements
- Testing of BCPs and DRPs.
- Training of staff.
- Involvement of risk principles and risk personnel in IT projects.
- Gathering feedback from users and stakeholders.
- Validating the risk appetite and risk acceptance levels.
- Time to detect/resolve a security incident.
- Consistent application of policies and procedures.
SYSTEM DEVELOPMENT LIFE CYCLE (SDLC)
Phase 1 Initiation
- Characteristics: Need for IT system expressed; purpose and scope documented.
- Risk Management Support: Identified risk supports system requirements development, including security requirements and strategy.
Phase 2 Development or Acquisition
- Characteristics: IT system designed, purchased, programmed, developed, or constructed.
- Risk Management Support: Risk supports security analyses, leading to architecture and design trade-offs.
Phase 3 Implementation
- Characteristics: System security features configured, enabled, tested, and verified.
- Risk Management Support: Supports implementation against requirements; risk decisions made before operation.
Phase 4 Operation or Maintenance
- Characteristics: System performs its functions; periodic updates or changes to hardware and software.
- Risk Management Support: Periodic system reauthorization; major changes reviewed for risk management.
Phase 5 Disposal
- Characteristics: Disposition of information, hardware, and software.
- Risk Management Support: Ensures proper disposal of components, handles residual data, secures system migration.
PROJECT MANAGEMENT CORE PRINCIPLES
- Communication between team members and users
- Regular review of project progress
- Clear requirements
- Proper oversight
- User involvement
COMMON CAUSES OF PROJECT FAILURE
- Scope creep
- New business priorities
- Changing requirements
- Poorly understood initial requirements
- Lack of leadership, accountability, or oversight
- Unavailable resources: budget, suppliers, outsourcers, technology, trained staff
- Poor resource management
- Lack of coordination with suppliers
- Underestimated project complexity
- Technology issues
- Unrecognized symptoms of failure
CONSEQUENCES OF PROJECT FAILURE
- Direct financial loss
- Indirect financial loss
- Loss of competitive advantage
- Contract or SLA violations
- Damage to reputation
- Decreased team morale
- Inability to adjust to a changing operational environment
OCTAVE RISK ASSESSMENT APPROACH
Overview
- Process-driven methodology for information security risk assessment and management.
- Helps organizations understand, assess, and address information security risk.
Objectives
- Develop qualitative risk evaluation criteria based on operational risk tolerances.
- Identify assets critical to the organization's mission.
- Identify vulnerabilities and threats to critical assets.
- Evaluate potential consequences if threats are realized.
- Initiate corrective actions for risk mitigation and develop a protection strategy.
Focus
- Critical assets and the risk to those assets.
Characteristics
- Systematic, context-driven, and self-directed evaluation.
- Proactive security posture with an organizational perspective.
- Identifies critical information assets.
- Focuses risk analysis on critical assets.
- Considers relationships among assets, threats, and vulnerabilities.
- Evaluates risk in an operational context.
- Creates practice-based protection strategy and mitigation plans.
OCTAVE RISK ASSESSMENT PHASES
Phase 1 Build Asset-Based Threat Profiles (Organizational Evaluation)
- Determine critical assets and current protection measures.
- Identify security requirements for each critical asset.
- Establish organizational vulnerabilities and threat profiles.
Phase 2 Identify Infrastructure Vulnerabilities (Technological Evaluation)
- Identify network access paths and IT components related to critical assets.
- Determine the resistance of components to network attacks.
- Establish technological vulnerabilities exposing critical assets.
Phase 3 Develop Security Strategy and Mitigation Plans (Strategy and Plan Development)
- Establish risk to critical assets based on gathered information.
- Decide on actions to address risk.
- Create protection strategy and mitigation plans.
- Determine "next steps" for implementation and gain senior management approval.