Risk Indentification Tutorial

1.1 Risk Indentification

Hello! Welcome to the domain Risk Identification of the Certified in Risk and Information Systems Control (CRISC®) Course offered by Simplilearn. Let us look at the objectives of this domain in the next screen.

1.2 Objectives

After completing this domain, you will be able to: List the task and knowledge statements that the CRISC® candidate is required to know Explain information security risk concepts Detail risk management standards and frameworks Explain threats, vulnerabilities, and risks related to people, processes, and technology, and Discuss risk scenario development tools and techniques Document risk management strategy Identify how to maintain a risk register List the principles of risk ownership and control, and Identify risk appetite and tolerance We shall look at risk identification task statements in the next screen.

1.7 Information Security Risk Concepts

Evaluating the impact of risk is an important concept in information security risk management. In order to evaluate the impact, it is necessary to first categorize the risks into levels. The risk practitioner, in cooperation with the business stakeholders, must determine the correct level of classification for the breach. ISO 27005 uses the levels of very low, low, medium, high and very high to evaluate the impact of a risk event. The determination of the impact of a compromise is important to know what controls are necessary to protect the system adequately. The level of impact guides the choice of response strategies taken by the organization depending on their tolerance for the risk. These include: Risk Acceptance Risk Avoidance Risk Mitigation Risk Transfer/ Sharing Let us look at the other information security risk concepts in the next screen.

1.8 Information Security Risk Concepts (contd)

By all means, in order to ensure that your business runs smoothly, you need to know the following information security risk concepts. These are: Confidentiality Integrity Authentication Availability Let’s first look at the information security risk concept of confidentiality in the next screen.

1.11 Information Security Risk Concepts: Availability

Alright then, let’s learn about information security risk concept of availability. Click each image to know more. Information is available when needed by authorized individuals. The risk practitioner can measure the availability through gap analysis, which means measuring what business requirements are and whether the enterprise is willing to ensure high availability. Service level agreements usually detail the expected levels of availability that is expected of a system. Business impact analysis will determine what the required levels of availability are. The desired level of availability should be agreed and then designed and implemented. Let us look at another important information security risk concept, that is, segregation of duties, in the next screen.

1.13 Information Security Risk Concepts: Authentication

Do you know what authentication means? Authentication is the process by which the system obtains from a user their claimed identity and credentials and validates it. Actually, authenticity is often associated with accountability and integrity. Authenticity is enhanced through a concept known as non-repudiation which implies that a person cannot refute claims to modifying of a piece of information. In fact, authentication measures could be of the following types: What you have – For example ATM cards and mobile phones Who you are – Say for instance, biometric information such as facial recognition or thumb print What you know – Some common examples are username, password, and PIN etc. and Where you are - Such us inside a corporate intranet, within a specific country, and so on. Next, let us look at information security risk concept of availability in the next screen.

1.16 Information Security Risk Concepts: Identity Management

You learned that identification is the first step of enforcing security. Identity management is an important concept in ensuring security. Identity management refers to the process of managing the identities of information systems. The guidelines for identity management are: Access should be limited to business use and based on least privilege that ensures that access is not granted to all users in the organization but those with business need Access must be removed when no longer needed such as when an employee exits the organization Temporary users should be managed well such as interns in the organization by setting an expiry period based on their contracts Permission should be defined based on job functions of users by ensuring that system administrators should not be allowed to carry out transactions if this is not part of their job descriptions, and Permission should be defined for third parties such as vendors who require access to the systems to carry out various activities Let us look at other information security risk concepts in the next screen.

1.19 Risk Management Standards and Frameworks

To help organizations in implementing risk management in an effective and systematic way, a number of standards have been developed worldwide. These standards help in establishing a common view on frameworks, processes, and practice that are established by experts. The process of IT Risk Management should follow a structured methodology based on good practices and a desire to seek continuous improvement. By all means, the risk practitioner should review the current ri sk management practices in relation to process of identification, assessment response and monitoring. IT risk management practices may be based on international standards. The IT risk management program should be: Comprehensive Complete Auditable Justifiable Legal Monitored Enforced Up to date and Managed We shall learn about a few risk identification frameworks in the next few screens. Let’s first look at COBIT 5 as a framework for risk identification in the next screen.

1.20 COBIT 5 for Risk

Basically, risk is termed as the possibility of an event and its consequence. COBIT 5 for risk is associated with the use, ownership, operation, involvement, influence, and adoption of IT in an organization. You see, the Control Objectives for Information and related Technology or the COBIT framework examines effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability aspects of the high-level control objectives. Actually, COBIT principles include: Meeting stakeholder needs Applying a single integrated framework Covering the enterprise end to end, and Separating governance from management In the next screen, let us look at ISO/IEC 27001 framework, which is an ISO standard.

1.21 ISO/IEC 27001 Series

Do you know what ISO/IEC 27001 Series standards aim at? Basically, ISO standards aim to ensure that all relevant elements of security are addressed in an organizational security strategy. There are 14 areas of ISO/IEC 27001 identified by ISO that provide a useful framework to gauge comprehensiveness. These include: Security policy Asset management Physical and environmental security Access control Compliance Information security acquisition development and maintenance Cryptography Organizing information security Supplier relationships Communications security Information security incident management Business continuity management Human resource security, and Operations security Let us look at ISO 27005 risk identification frameworks in the next screen.

1.23 Risk Identification Frameworks

Well, there are various other risk identification frameworks that an organization can decide to adopt. Such frameworks include: ISO 31000:2009 Risk Management: Principles and Guidelines IEC 31010:2009 Risk Management: Risk Assessment Techniques ISO/IEC 27005:2011 Information Technology– Security Techniques: Information Security Risk Management NIST Special Publication 800-39: Managing Information Security Risk NIST Special Publication 800-30: Guide for Conducting Risk Assessments Let us now look at threats and vulnerabilities in the next screen.

1.25 Risk Factors

Risk, as you know, is a combination of factors that interact to cause damage to the assets of the organization. Typically, threat agents exploit vulnerabilities causing damage to assets. In managing threats, one should know the motivation, strategy, and technique of the attacker. Generally an organization needs to conduct a vulnerability analysis as well as identify information security gaps to manage the threat profile. The risk practitioner should identify threats, ensure that vulnerabilities are measured and carry out regular assessments. Risks can be technology-related or people or process related and it is important to consider all the risk types to ensure the threat factors are managed in protecting assets. Let us look at some other risk factors that a risk practitioner must evaluate in the next screen.

1.26 Risk Factors (contd.)

There could be various activities in a business where risks could be introduced in the environment. For example, inadequately trained people can introduce risk during operation of complex equipments. As such, the entire risk environment should be evaluated. This includes the following factors: • The context and sensitivity of the system or process • The operating effectiveness of the controls • The integration and requirements of the system or process • The training of the end users and system administrators • The completeness of the operational procedures, and training manuals, and • The decommissioning of data and systems. We shall look at the elements of risk in the next screen.

1.27 Elements of Risk

You learned about the risk factors that you need to consider while implementing a risk management process in your organization. Basically, the risk management process includes elements that involve risk identification, sourcing, measurement, evaluation, mitigation and monitoring risk. Documentation and analysis of the elements that comprise risk is important in risk identification. Risk can arise if the attacker has capability, opportunity and motivation. Risk is based on the value of the asset, the elements of threats and vulnerabilities, and the likelihood of threat exploiting vulnerability. Risk elements can occur individually or in aggregate. Let us look at the first element of risk that is value of assets in the next screen.

1.28 Assets

Right then, let’s see what assets mean? Assets are things of value that need to be protected. They can either be tangible or intangible value that is worth protecting. There are many examples of assets. They are: • Reputation • Information • Brand • Intellectual property • Facilities • Furniture and equipment • Cash • Stock held for sale • Research, and • People, also known as human resources or human capital Asset valuation is an important element in determining risk treatment of identified assets. Let us look at factors that help to determine the value of assets in the next screen.

1.29 Assets (contd.)

Confidentiality, integrity and availability, is also referred to as CIA. CIA model is formulated to guide policies for information security within an organization and can be used to determine the asset value. The factors to consider in determining the value of an asset are: • Fines and penalties for legal and regulatory noncompliance • Impact on business processes • Reputational damage to the organizational brand • Repair costs and maintenance to assets • Effect on third parties • Injury to the organization’s employees • Privacy violation • Breach of contracts, and • Loss of competitive advantage Alright, now, let us look at the next element of risk, that is threats, in the next screen.

1.30 Threats

In the context of information security, threats are any adverse events that may cause harm to an organization’s assets, operations or personnel. Threats can be environmental such as natural disasters like flood, technical such as electrical failure, or man-made such as political instability. Threat management involves the identification, response, and monitoring of any possible dangers. The risk practitioner may create a threat assessment report to document the results of the threat analysis. We shall continue to look at how threats arise in the next screen.

1.31 Threats (contd.)

Did you now understand what threats are and what are the types of threat? By all means, threats can be accidental, intentional, or even as a result of natural acts. Information regarding threats could be obtained from the following sources: • Security companies • Internal and external audits • Technology vendors and service providers • Assessments • Media publications • Government notices, and • User feedback Finally, let us look at the third element of risk, namely, vulnerabilities in the next screen.

1.32 Vulnerabilities

1.34 Vulnerabilities Assessment

Vulnerability assessment is a careful examination of a target environment to discover any potential points of compromise or weakness. It may be a manual process or automated that involves identifying and prioritizing issues. The factors that affect vulnerabilities include: Network vulnerabilities Poor physical access controls such as buildings and offices Insecure applications Poorly designed or implemented web-facing services Disruption to utilities such as power and telecommunications Unreliable supply chain Untrained personnel that include human resources Inefficient processes such as change control and incident handling, and Poorly maintained or old equipment Let us look at penetration testing that is a report to see how security is breached in the next screen.

1.35 Penetration Testing

A report of vulnerability assessments is followed with penetration testing. A penetration test is a process that evaluates the security of an IT infrastructure. It is a targeted test or an attack vector commonly used by an attacker. The test validates whether an identified vulnerability is a true weakness or it is a false positive, and can be conducted by an internal or external team. Let us now learn about the types of penetration testing in the next screen.

1.36 Penetration Testing (contd.)

1.39 Benefits of Using Risk Scenarios

You learned the components of risk scenarios. Let’s look at some benefits of using risk scenarios. They are: Risk scenarios provide a tool to facilitate communication in risk management. They allow for a narrative to be instructed that can communicate a relatable story to inspire stakeholders to take action. A scenario provides a realistic or a practical view of risk that is more aligned with business objectives, emerging threats, and historical events. The use of risk scenarios can enhance the risk management effort by helping the risk team to understand and explain risk to the business process owners and other stakeholders, and The risk scenario provides valuable information to the subsequent steps in the risk management process in the organization. Let’s learn about risk scenario development according to COBIT 5 in the next screen.

1.40 Risk Scenario Development Tools and Techniques

Risk scenarios using COBIT 5 for risk guides the development of IT-related risk scenarios and also provides a guidance to use COBIT 5 for risk to resolve issues. According to COBIT 5 for Risk, a risk scenario is: A description of a possible event that will have an uncertain impact (whether positive or negative) on the achievement of the enterprise's objectives. Each scenario should be based on an identified risk, and each risk should be identified in one or more a scenarios. Each scenario is used to document the level of risk associated with the scenario in relation to the business objectives or operations that would be impacted by the risk event. Describes a potential risk event and document the areas that may be affected by the risk event such as system failure, loss of key personnel, theft, network outages, power failures, natural disasters and so on, and Helps facilitate communication in risk management. We shall continue to look at risk scenario development according to COBIT 5 in the next screen.

1.41 Risk Scenario Development Tools and Techniques (contd.)

Other than the earlier mentioned tools and techniques, there are some risk scenario development tools and techniques you must be aware of. These are The development of the risk scenarios is an art thus it requires creativity, thought, questioning, and consultation. The development of risk scenarios is based on describing a potential risk event and documenting the factors and areas that may be affected by the risk event, and Risk events may include system failure, loss of key personnel, theft, network outages, power failures, natural disasters, or any other situation that could affect business operations and mission. In the next screen, let’s learn about a few other risk scenario development tools and techniques.

1.44 Risk Communication, Awareness, and Culture

Risk Communication, Awareness, and Culture are integral aspects of risk. Let’s learn about Risk Communication, Awareness, and Culture. Risk awareness is required since risk is an integral part of the business. The awareness program ensures that: All the IT risk issues should be identifiable All risks are known risks and can be understood, and The organization recognizes and uses the means to manage risk Let’s look at risk awareness program in the next screen.

1.45 The Risk Awareness Program

A risk awareness program is important in the context of IT security in a business. A risk awareness program creates an understanding of risk, risk factors, and the various types of risk that an organization faces. An awareness program should be tailored to the needs of the individual groups within an organization and deliver content suitable for that group. It also serves to mitigate some of the biggest organizational risk and achieve the most cost-effective improvement in risk and security. This can generally be achieved by educating an organization’s staff in required procedures and policy compliance, as well as ensuring that staff can identify and understand the risk that threatens the organization. The risk practitioner must also understand the organization’s structure and culture, as well as the types of communication that are most effective to develop awareness, and training programs that will be effective in the environment. Let’s continue to discuss about risk awareness program in the next screen.

1.47 Risk Management Strategy

In addition to increasing the level of risk awareness, it is important to adopt an adequate risk management strategy. The underlying importance of risk management in relation to business goals and strategy is to ensure that the risk is closely aligned with and integrated into the strategy, vision, and direction of the organization. To do so, the risk practitioner should seek to: Understand the business and listen to the strategy Proactively seek out ways to secure new technologies and business processes Build relationships and communication infrastructure to weave risk management into each business process and no project Be aware of and mitigate the risk of change Work to create a culture that encourages the participation of risk management into business processes The best way to understand the goals and objectives of the organization is to communicate with the senior management.   Let us look at the Organizational Structures and Impact on Risk in the next screen.

1.48 Organizational Structures and Impact on Risk

In addition to understanding the goals of the organization and communicating with the management, the security practitioner must also understand the factors on which the effectiveness of risk management depends. Let’s now learn about these factors. The effectiveness of the risk management effort is often influenced by the positioning of the risk management within the organizational structure. The size and diversity of the organization is a key factor in managing risk. The organization of the risk management group should follow the same model and the organization of the business continuity management team, and The four main types of roles that are involved in the risk management process are the individuals accountable for the risk management effort, the individuals responsible for managing the risk, the individuals who provide support and assistance to the risk management effort (consulted), and the individuals who evaluate or monitor the effectiveness of the risk management effort (informed). These roles form the basis of the RACI model. Let us look at the RACI Model in the next screen.

1.50 Organizational Culture, Ethics and Behavior, and the Impact on Risk

Let’s now learn about organizational culture, ethics and behavior, and their impact on risk. All employees of an organization should be aware of the risk culture that should encourage honesty and openness and in turn, reduce the risk of theft, inappropriate actions, or attacks. An organization should have a subculture in a department that is different from the organizational culture. Risk is often impacted by the ethics of the personnel of the organization while ethics applies to how people believe that they have been treated. Let’s continue to learn about organizational culture, ethics and behavior, and the impact on risk in the following screen.

1.51 Organizational Culture, Ethics and Behavior, and the Impact on Risk (contd.)

There are some examples of risk that the management must evaluate and accept for deciding whether to: Invest in new controls and implement them Take on a new line of business Open a new office Develop a new product and upgrade existing applications Invest in new hardware or software, and Hire a new employee In addition, the management must ensure that they comply with the laws, regulations, standards, and compliance requirements. Let’s learn about these requirements in the next screen.

1.54 Establishing an Enterprise Risk Management Approach

Do you know what Risk management means? Risk management is an enterprise wide activity, and it is usually best to develop a standard and a structured approach that can be applied to the entire enterprise. A critical part of establishing the risk management process is the development and approval of a risk management policy. Policies should include a statement relating to the reasoning or rationale behind the approach to accepting or mitigating risk, setting the accountability for risk, and a commitment to continuous improvement of the risk environment. The risk practitioner must be sensitive to local departmental cultures, priorities, regulations, goals and restraints before recommending a risk management approach or framework, and Learn now learn about the purpose of a risk register in the next screen.

1.55 Risk Register

The risk register shows the severity, potential impact of a risk, identifies the risk owner, disposition, and current status of the risk. The IT risk register is a simple listing of all known risks. What is the purpose a risk register? The purpose of a risk register is to consolidate all information about risk into one central repository. Next, you will learn about the utility of a risk register.

1.60 Risk Appetite and Tolerance

Risk Appetite and tolerance is also referred to as risk capacity. It is defined as the objective amount of loss an enterprise can tolerate without risking its continued existence. Risk appetite is translated into a number of standards and policies to contain the risk level within the boundaries set by the risk appetite. Risk tolerance can be defined using IT process metrics or adherence to defined IT procedures and policies, which are a translation of the IT goals that need to be achieved. It can also be defined at the enterprise level and reflected in the policies created by senior management. The most important aspect of monitoring risk tolerances is to create a risk-aware culture. Let us learn about risk acceptance in the next screen.

1.61 Risk Acceptance

The risk practitioner should seek to know the risk appetite and acceptance level of the senior management team on behalf of the organization. Risk acceptance ensures that residual risk which is the risk that remains after the implementation of risk treatment controls is explicitly accepted by the management team that can accept risk on behalf of the organization. The variation in risk appetite between different departments in the organization is a challenge. We shall look at the criteria for risk acceptance in the next screen.

1.62 Risk Acceptance (contd.)

Some of the criteria for risk acceptance include: • The risk-versus-reward incentive that management is willing to consider • The cost-benefit analysis of a control option • Consideration of the availability of mitigating controls, and • The needs of regulation The management should document and sign off on the reasons for the acceptance decision when the risk exceeds the accepted residual risk levels. A few questions will be presented in the following screens. Select the correct option and click Submit to see the feedback.

1.64 Summary

Here is a quick recap of what we have learned in this domain: IT risk is defined by ISACA’s Risk IT as business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. Risk is based on the value of the asset, threats, vulnerabilities, and the likelihood of threat exploiting vulnerability An asset is something of value that needs to be protected. It can either be tangible or intangible. Threats are any adverse events that may cause harm to an organization’s assets, operations or personnel. Vulnerabilities are weaknesses in a system, technology, process, people, or control that can be exploited and result in exposure. Let us continue with the recap in the next screen.

1.65 Summary (contd.)

Segregation of duties (SoD) also known as separation of duties is the principle of ensuring that no one person controls an entire transaction processing and an individual is typically involved in initiating a transaction while another typically a supervisor is involved in approving and or completing the transaction. A risk awareness program is necessary to help understand risk, risk factors, and the various types of risk that an organization faces. A risk register helps to consolidate all information about risk into one central repository. Let us continue with the recap in the next screen.

1.66 Conclusion

This concludes the domain on Risk Identification. The next domain will focus on Risk Assessment.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Work Email*
Phone Number*
Job Title*