CRISC Domain 4 - PowerPoint PPT Presentation

About This Presentation
Title:

CRISC Domain 4

Description:

In today's data-driven world, effective risk management hinges on leveraging both internal and external data sources. From meticulous audits and insightful user feedback to cutting-edge SIEM tools, we have the arsenal needed to combat cybersecurity threats! – PowerPoint PPT presentation

Date added: 8 October 2024
Slides: 14
Provided by: infosectrain02

Transcript and Presenter's Notes

Title: CRISC Domain 4


1
learntorise
2
INTERNAL DATA SOURCES
CRISC DOMAIN 4
Prior risk assessments
Project documents (risk logs, lessons learned)
Tickets from change, problem, release, configuration, asset, and incident management systems
Audit and incident reports
User feedback and observation
Interviews with management
Security and test reports
Event and activity logs
www.infosectrain.com
3
LOGS
Capture and store data for analysis
Identify security violations and assist in forensics
Alert to malicious activity
Trade-off between speed, detail, and utility
Time synchronization of log entries
Examples: IDS/IPS logging
4
SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Capture data from multiple sources
Analyze system, application, and network activity
Detect attacks in progress
Highlight relationships among activities
Examples: Correlation based on type, timing, sequence
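The two slides above name time synchronization of log entries and correlation by type, timing and sequence. The Python below is an added illustration, not part of the deck: it normalizes constructed entries from two sources with different clock offsets to UTC, then applies a sequence rule (repeated authentication failures followed by a success, with a VPN connection from the same address afterwards). The log formats, field names, window and thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries from two sources whose clocks report different
# zones: the auth server stamps in UTC, the VPN gateway in local time (UTC-05:00).
AUTH_LOG = """\
2024-10-08T09:00:01Z auth_fail user=alice src=203.0.113.7
2024-10-08T09:00:04Z auth_fail user=alice src=203.0.113.7
2024-10-08T09:00:09Z auth_fail user=alice src=203.0.113.7
2024-10-08T09:00:12Z auth_success user=alice src=203.0.113.7
2024-10-08T09:30:00Z auth_fail user=bob src=198.51.100.5
"""
VPN_LOG = """\
2024-10-08T04:00:15-05:00 vpn_connect user=alice src=203.0.113.7
2024-10-08T06:00:00-05:00 vpn_connect user=carol src=192.0.2.9
"""
TS_FMT = "%Y-%m-%dT%H:%M:%S%z"  # %z accepts both 'Z' and '-05:00'

def parse(text, source):
    """Turn one source's lines into (utc_time, type, fields, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, etype, *kv = line.split()
        when = datetime.strptime(ts, TS_FMT).astimezone(timezone.utc)  # normalize clock
        events.append((when, etype, dict(p.split("=", 1) for p in kv), source))
    return events

def correlate(events, min_fails=3, window=timedelta(seconds=120)):
    """Sequence rule: >= min_fails auth_fail for the same user/src, then auth_success,
    all inside `window`; also note whether a vpn_connect from that src followed."""
    events = sorted(events, key=lambda e: e[0])  # ordering is only valid after UTC normalization
    alerts = []
    for i, (t, etype, f, _) in enumerate(events):
        if etype != "auth_success":
            continue
        key = (f.get("user"), f.get("src"))
        fails = [e for e in events[:i]
                 if e[1] == "auth_fail" and (e[2].get("user"), e[2].get("src")) == key
                 and t - e[0] <= window]
        if len(fails) < min_fails:
            continue
        vpn = [e for e in events[i + 1:]
               if e[1] == "vpn_connect" and e[2].get("src") == key[1] and e[0] - t <= window]
        alerts.append({"user": key[0], "src": key[1], "failures": len(fails),
                       "success_at": t.isoformat(), "vpn_followup": bool(vpn)})
    return alerts

if __name__ == "__main__":
    for a in correlate(parse(AUTH_LOG, "auth") + parse(VPN_LOG, "vpn")):
        print(a)
```

Without the zone normalization the VPN entry would sort five hours before the failed logins and the cross-source relationship would be missed.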
5
INTEGRATED TEST FACILITIES (ITF)
Test data through production systems
Observe the operation of production systems
Examples: Fictitious customers or transactions
6
EXTERNAL SOURCES OF INFORMATION
Media reports
CERT/CIRT advisories
Security company reports
Regulatory bodies
Peer organizations
Examples: Verizon Data Breach Investigations Report; Government cybersecurity monitoring services
7
CONTROL ASSESSMENT TYPES
EFFECTIVE CONTROL MONITORING
Ensure data accuracy and completeness
Prefer data retrieved directly by the risk practitioner
Encourage local ownership of risk and control monitoring
8
IS AUDIT
Independent and objective review of the control environment
Align risk management program with audit program
Update risk action plans and risk register
Enhance controls
Examples: Review of access control policies; Examination of incident response plans
9
VULNERABILITY ASSESSMENT
Methodical review of security
Scope ranges from a single system to an entire business process
Inform management of risk management effectiveness
Recommend new controls
Understand existing security controls
Use tools for automation or supplementation
Regular and rigorous assessment
Examples: Scanning for open ports; Checking for outdated software
10
PENETRATION TESTING
Targeted attempt to break into an environment
Validate vulnerability assessment (white hat)
Test systems believed to be secure (black hat)
Use same tools as malicious hackers
Management approval and oversight required
Examples: Attempting to exploit a known vulnerability; Social engineering attacks
11
THIRD-PARTY ASSURANCE
Earn customer and shareholder confidence
External IS audit or compliance certification
Evaluate processes and validate compliance
SSAE 16 for third-party service suppliers
Examples: ISO/IEC 27001 certification; PCI DSS compliance audit
12
MATURITY MODEL ASSESSMENT AND IMPROVEMENT TECHNIQUES
Commitment to continuous improvement
Prevent, detect, and respond to security events and risk scenarios
Learning from past events
Mature risk management program
Develop skills, tools, and team
Consistency in risk identification, assessment, mitigation, and monitoring
Capability Maturity Model (CMM)
Level 0 - Undefined and ad hoc activities
Level 1 Performed - Process achieves its purpose
Level 2 Managed - Process is planned, monitored, and adjusted
Level 3 Established - Process is defined and capable of achieving outcomes
Level 4 Predictable - Process operates within defined limits
Level 5 Optimized - Process is continuously improved
13
FOUND THIS USEFUL?
To get more insights through our FREE courses, workshops, eBooks, checklists, and mock tests:
LIKE
FOLLOW
SHARE