CRISC 6e Domain 1-2017

Note for Instructors: Intended Use Notice

• These slides are not to be distributed electronically to students.
• The only files that may be distributed electronically are the CRISC 6th Edition Handouts.
• The only files that may be printed are the Handouts and the Practice Exam.
Domain 1
IT Risk Identification

Identify the universe of IT risk to contribute to the execution of the IT risk management strategy in support of business objectives and in alignment with the enterprise risk management (ERM) strategy.

• The focus of Domain 1 is to identify risk through the process of determining and documenting risk within and surrounding an enterprise.

©Copyright 2015 ISACA. All rights reserved.


Learning Objectives
• The objective of this domain is to ensure that the CRISC candidate has the knowledge necessary to:
– Identify relevant standards, frameworks and practices.
– Apply risk identification techniques.
– Distinguish between threats and vulnerabilities.
– Identify relevant stakeholders.
– Discuss risk scenario development tools and techniques.
– Explain the meaning of key risk management concepts, including risk appetite and risk tolerance.
– Describe the key elements of a risk register.
– Contribute to the creation of a risk awareness program.


On the CRISC Exam
• Domain 1 represents 27% of the questions on the CRISC exam (approximately 41 questions).
• Domain 1 incorporates seven tasks related to IT risk identification.


Domain Tasks
1.1 Collect and review information, including existing documentation, regarding the organization’s internal and external business and IT environments to identify potential impacts of IT risk to the organization’s business objectives and operations.
1.2 Identify potential threats and vulnerabilities to the organization’s people, processes and technology to enable IT risk analysis.
1.3 Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.
1.4 Identify key stakeholders for IT risk scenarios to help establish accountability.
1.5 Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprisewide risk profile.
1.6 Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives.
1.7 Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a risk-aware culture.
Task 1.1

Collect and review information, including existing documentation, regarding the organization’s internal and external business and IT environments to identify potential impacts of IT risk to the organization’s business objectives and operations.


Focus on Task 1.1

Input: Information from internal and external sources
Process: Collect and review information; reveal and identify assets
Output: Information useful in identifying potential impacts on business objectives and operations


Key Terms

Asset – Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Asset valuation – Determination of the worth, utility or importance of an asset

Threat – Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm; a potential cause of an unwanted incident

Vulnerability – A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events


On the CRISC Exam
• The exam questions are based on the CRISC task statements.
• For each task statement, there are a number of applicable knowledge statements.
• During this program, we will look at examples of how each task connects to related knowledge statements.
• As a study strategy, consider building your own set of examples, too.


Task to Knowledge Statements
How does Task 1.1 relate to each of the following knowledge statements?

1. Laws, regulations, standards and compliance requirements – The primary responsibility for compliance belongs to the business owner, but the IT risk practitioner must possess an overall understanding of the requirements applicable to the organization.

2. Industry trends and emerging technologies – Rapid changes in technology must be considered when defining the current risk universe.

3. Enterprise systems architecture (e.g., platforms, networks, applications, databases and operating systems) – Every system used by the enterprise must be considered in the risk universe.
Task to Knowledge Statements
How does Task 1.1 relate to each of the following knowledge statements?

4. Business goals and objectives – Understanding business goals and objectives is fundamental to determining which assets are in scope.

5. Contractual requirements with customers and third-party service providers – It is important to correlate enterprise assets (especially information assets) with contracts/service providers.

6.6 Threats and vulnerabilities related to project and program management – A project will be directly impacted by the assets involved and the degree of protection that is required to safeguard the asset from known vulnerabilities and threats.
Task to Knowledge Statements
How does Task 1.1 relate to each of the following knowledge statements?

7. Methods to identify risk – Identification starts with determining the assets associated with the processes corresponding to the enterprise goals and objectives.

9. Risk identification and classification standards and frameworks – Standards and frameworks provide a repeatable methodology for the identification and classification of risk associated with a given asset and aid in determining the potential threat associated with known vulnerabilities.

14. Organizational structures – Organizational structure, both within the risk management function and in the enterprise overall, plays a role in how an organization goes about determining the assets and what vulnerabilities exist and threats are possible.
Task to Knowledge Statements
How does Task 1.1 relate to each of the following knowledge statements?

15. Organizational culture, ethics and behavior – The culture, ethics and behavior of an organization have a significant impact on the enterprise’s risk management capability.

16. Organizational assets (e.g., people, technology, data, trademarks, intellectual property) and business processes, including enterprise risk management (ERM) – The asset inventory should include people, processes and technology. Processes and technology may be either tangible or intangible.

17. Organizational policies and standards – Managerial assets/controls include company policies and standard operating procedures.
A Structured Methodology
• The process of IT risk management should follow a structured methodology based on good practices and a desire to seek continuous improvement.
• When beginning a risk management effort, the risk practitioner should review the current risk management practices of the organization in relation to the processes of risk identification, assessment, response and monitoring.
• Use of good practices can assist in the development of a consistent, enterprisewide risk management program.


Risk Identification Process

Source: CRISC Review Manual 6th Edition, figure 1.24



Information Sources
• A variety of information sources aid in the identification of assets, vulnerabilities and threats, as follows:

Sources for Threat Information
• Service providers
• Threat monitoring agencies
• Security companies
• Audits
• Management
• Business continuity
• Finance
• Insurance companies
• Product vendors
• Government publications
• Assessments
• Users
• Human resources
• Media

Source: CRISC Review Manual 6th Edition, figure 1.11


Identify Assets
• IT risk management is concerned with the shielding of assets from threats.
• An asset is something of either tangible or intangible value that is worth protecting.
• Examples of assets include the following:
– Information
– Brand and reputation


Asset Valuation
• Asset valuation is subject to many factors, including the value to both the business and to the business’s competitors.
• An asset may be valued according to:
– What another person or company would pay for it
– Its measure of criticality or value to the enterprise
– The impact of its loss on confidentiality, integrity and availability (CIA)
– Another quantitative or monetary value


Identify Threats
• A threat is anything that is capable of acting against an asset in a manner that can result in harm.
• Generally, threats can be divided into several categories, including:
– Physical
– Natural events
– Loss of essential services
– Disturbance due to radiation
– Compromise of information
– Technical failures
– Unauthorized actions
– Compromise of functions
• Threats may be internal, external or emerging. They may be intentional or unintentional.
Internal Threats
• Personnel can be a source of internal threats, because people can:
– Make errors.
– Be intentionally or unintentionally negligent.
– Commit theft.
– Use new technologies that introduce security issues.
– Disclose proprietary information.
– Depart with key skills or information.


External Threats
• A wide range of external threats may present risk to an enterprise, including:
– Theft
– Sabotage
– Terrorism
– Espionage
– Criminal acts
– Software errors
– Hardware flaws
– Mechanical failures
– Lost assets
– Data corruption
– Facility breakdowns
– Fire or flooding
– Supply chain interruption
– Industrial
– Disease
– Seismic
Emerging Threats
• This category focuses on threats that are new or newly introduced to the operating environment. New technologies are often a threat source.
• Indications for emerging threats may include:
– Unusual activity on a system
– Repeated alarms
– Slow system or network performance
– New or excessive activity in logs
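The last indicator on the slide, "new or excessive activity in logs", is one a practitioner can check mechanically. The following is an added example for this page (it is not ISACA courseware code): it compares the most recent day of authentication events against a baseline of the preceding days and flags host/user pairs that were never seen before ("new") and pairs whose daily count jumps well above their baseline mean ("excessive"). The line format, the host and user names, the thresholds and every log line are constructed for the illustration.

```python
"""Flag "new or excessive activity in logs" by comparing the latest day of
events against a baseline window of preceding days.

Added example for this courseware page; not ISACA code. The line format,
host/user names, thresholds and every log line below are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed, syslog-like lines: "<ISO timestamp> <host> <user> <action>".
# Days 1-3 are the quiet baseline; day 4 carries a spike and a new login.
LOG_LINES = """\
2017-03-01T02:00:00 db01 svc_backup login
2017-03-01T09:00:00 web01 alice login
2017-03-01T10:00:00 db01 bob login
2017-03-02T02:00:00 db01 svc_backup login
2017-03-02T09:00:00 web01 alice login
2017-03-02T10:00:00 db01 bob login
2017-03-03T02:00:00 db01 svc_backup login
2017-03-03T09:00:00 web01 alice login
2017-03-03T10:00:00 db01 bob login
2017-03-04T02:00:00 db01 svc_backup login
2017-03-04T02:01:00 db01 svc_backup login
2017-03-04T02:02:00 db01 svc_backup login
2017-03-04T02:03:00 db01 svc_backup login
2017-03-04T02:04:00 db01 svc_backup login
2017-03-04T02:05:00 db01 svc_backup login
2017-03-04T02:06:00 db01 svc_backup login
2017-03-04T03:15:00 web02 mallory login
2017-03-04T09:00:00 web01 alice login
2017-03-04T10:00:00 db01 bob login
this line is not in the expected format
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(line):
    """Return (timestamp, host, user, action), or None for a line that does
    not fit the constructed format (malformed lines are skipped, not fatal)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, action = m.groups()
    try:
        return datetime.fromisoformat(ts), host, user, action
    except ValueError:
        return None


def find_indicators(lines, baseline_days=3, spike_factor=3.0):
    """Compare the most recent day in the log with the preceding baseline_days.

    Returns {"new": [...], "excessive": [...]} where
      new       - (host, user) pairs active on the latest day but absent from
                  the whole baseline window ("new activity")
      excessive - ((host, user), count_today, baseline_daily_mean) for pairs
                  whose count today exceeds spike_factor times their baseline
                  daily mean ("excessive activity")
    """
    events = [e for e in map(parse, lines) if e is not None]
    if not events:
        return {"new": [], "excessive": []}
    latest_day = max(ts for ts, *_ in events).date()
    baseline_start = latest_day - timedelta(days=baseline_days)
    baseline, today = Counter(), Counter()
    for ts, host, user, _action in events:
        day = ts.date()
        if day == latest_day:
            today[(host, user)] += 1
        elif baseline_start <= day < latest_day:
            baseline[(host, user)] += 1
    new = sorted(key for key in today if key not in baseline)
    excessive = []
    for key, count in sorted(today.items()):
        if key in baseline:
            mean = baseline[key] / baseline_days
            if count > spike_factor * mean:
                excessive.append((key, count, round(mean, 2)))
    return {"new": new, "excessive": excessive}


if __name__ == "__main__":
    for kind, hits in find_indicators(LOG_LINES).items():
        print(kind, hits)
```

Run on the constructed lines, the report names the previously unseen web02/mallory login as new activity and the seven svc_backup logins on db01 as excessive against a baseline mean of one per day. In practice the baseline window and the spike factor are tuning choices; a short window makes the check sensitive to normal weekly variation, and the "new" list needs an allow-list step before it feeds an alarm.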


Identify Vulnerabilities
• A vulnerability is a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
• Vulnerabilities may include:
– Network misconfiguration, poor architecture or traffic interception
– Lack of physical security
– Applications, especially web applications
– Power failures or surges
– Supply chain dysfunctions
– Inconsistent process management
– Lack of governance, failure to comply with regulations
– Equipment inadequacy or failure
– Cloud computing
– Big data adoption or avoidance
In the Big Picture
• Each task in the four domains contributes to the big picture of IT risk management and governance. The following shows one such connection. Can you think of others?

Task 1.1: Collect and review information, including existing documentation, regarding the organization’s internal and external business and IT environments to identify potential impacts of IT risk to the organization’s business objectives and operations.

The Big Picture: The foundation of IT risk management is an understanding of the context in which its activities take place.


Task 1.1 Activity
• Consider one critical business process with which you are familiar.
• Write down the assets affiliated with this process.
Discussion Question
• An enterprise expanded operations into Europe, Asia and Latin America. The enterprise has a single-version, multiple-language employee handbook last updated three years ago. Which of the following is of MOST concern?
A. The handbook may not have been correctly translated into all languages.
B. Newer policies may not be included in the handbook.
C. Expired policies may be included in the handbook.
D. The handbook may violate local laws and regulations.
Discussion Question
• Which of the following is the BEST approach when conducting an IT risk awareness campaign?
A. Provide technical details on exploits.
B. Provide common messages tailored for different groups.
C. Target system administrators and help desk staff.
D. Target senior managers and business process owners.
Task 1.2

Identify potential threats and vulnerabilities to the organization’s people, processes and technology to enable IT risk analysis.


Task 1.2 Process

Input: Information about people, processes and technology
Process: Identify potential threats and vulnerabilities
Output: Information for IT risk analysis


Key Terms

Risk – The combination of the probability of an event and its consequence

Risk factors – A condition that can influence the frequency and magnitude and, ultimately, the business impact of IT-related events or scenarios

Risk environment – The circumstances, objects or conditions surrounding assets


Task to Knowledge Statements
How does Task 1.2 relate to each of the following knowledge statements?

6.1 Threats and vulnerabilities related to business processes and initiatives – Each business process presents a certain level of risk. Proper identification of potential threats and vulnerabilities is the foundation to managing risk to an acceptable level.

6.2 Threats and vulnerabilities related to third-party management – An enterprise must identify potential threats and vulnerabilities introduced through relationships with all third parties. This has become especially important given the continued growth of outsourcing and off-shoring, along with the increased scrutiny being placed on third parties by regulators.

6.3 Threats and vulnerabilities related to data management – Data classification is foundational to data protection, and determination of the best protection is based on a solid data management program.
Task to Knowledge Statements
How does Task 1.2 relate to each of the following knowledge statements?

6.4 Threats and vulnerabilities related to hardware, software and appliances – To ensure that vulnerabilities and threats are properly identified, it is critical for an organization to have a complete asset inventory mapping the hardware, software and appliances of the enterprise.

6.5 Threats and vulnerabilities related to the system development life cycle (SDLC) – The SDLC should be reviewed periodically to ensure it properly addresses currently deployed and predicted technologies, clearly describes the expectations for all human resources and accomplishes business process objectives.

6.6 Threats and vulnerabilities related to project and program management – Every project schedule should contain a work breakdown structure (WBS) to ensure that project-related vulnerabilities and threats are identified and assessed.
Task to Knowledge Statements
How does Task 1.2 relate to each of the following knowledge statements?

6.7 Threats and vulnerabilities related to business continuity and disaster recovery management (DRM) – Proper proactive identification of potential threats and vulnerabilities aids the Incident Response, Continuity and Recovery Teams in keeping their programs up to date so they may more quickly respond should an event occur.

6.9 Threats and vulnerabilities related to emerging technologies – Having a process in place to assess emerging technologies to identify threats and vulnerabilities before the organization invests in their deployment is key to providing more secure solutions.
The Risk Environment
• An enterprise needs to know its own weaknesses, strengths, vulnerabilities and the gaps in the security fabric.
• To determine this, the entire risk environment must be evaluated. Elements to consider include the following:
– The context, criticality and sensitivity of the system or process being reviewed
– The dependencies and requirements of the system or process being reviewed
– The operational procedures, configuration and management of the system or technology
– The training of the users and administrators
– The effectiveness of the controls and monitoring of the system or business process
– The manner in which data and system components are decommissioned


Identification Methods
• Risk may be identified through a variety of methods. These include the following:
– Historical or evidence-based methods, such as the review of historical events, the use of checklists and the review of past issues or compromises
– Systematic approaches (expert opinion), where a risk team examines and questions a business process in a systematic manner to determine the potential points of failure
– Inductive methods (theoretical analysis), where a team examines a process to determine the possible points of attack or compromise
Elements of Risk
• Risk identification requires the documentation and analysis of the elements that comprise risk:
– Consequences associated with specific assets
– A threat to those assets, requiring both intent (motivation) and capability
– Vulnerability specific to the threat
• Each of the elements of risk must be considered both individually and in aggregate.


Factors in Attack Likelihood
• The likelihood or probability of an attack is influenced by the following:
– The attacker’s level of motivation
– The skills and tools available to an attacker
– The presence of a vulnerability

Source: CRISC Review Manual 6th Edition, figure 1.18


Organizational Assets
• For most enterprises, the most valuable asset is either people or information.
• Risk associated with these assets includes:
– People – Loss of key employees and their associated knowledge and expertise
– Technology – Loss of information and functionality due to old, out-of-date or insecurely decommissioned equipment
– Data – Destruction, loss or modification of critical data
– Trademarks and Intellectual Property – Improper use, disclosure or duplication of proprietary information and service marks
– Business Processes – Inefficient or outdated processes
Focus On: Interviews
• One opportunity for information gathering that should be considered is interviews with enterprise staff.
• This activity may present some challenges that the risk practitioner should be aware of, including the following:
– Exaggeration: Everyone wants their department to be seen as critical and essential.
– Inaccuracies: People may not correctly understand the overall business process or dependencies between departments.
Interviewing Tips
• Practices helpful in ensuring successful informational interviewing include the following:
– Conduct interviews at all levels to ensure a comprehensive understanding of the enterprise.
– Designate a specific length for the interview and avoid going longer.
– Prepare questions and provide them to the interviewee in advance.
– Ask that any supporting documentation or data be ready at the time of the interview.
– Encourage interviewees to be open in their discussion with you.
Focus On: Testing
• False positives may occur during vulnerability identification. To validate a vulnerability, a penetration test can be performed.
• A penetration test is a targeted attack simulation that:
– Is focused on potential vulnerabilities
– Uses threat vectors commonly used by attackers
– Employs the same tools as would be used by attackers
– Creatively attempts to ensure many attack vectors are tested
• Types of penetration tests include:
– Full-knowledge test – The testing team is familiar with the infrastructure being tested.
– Zero-knowledge test – The testing team is in the position of an external attacker, with no knowledge of the infrastructure under attack.
In the Big Picture

Task 1.2: Identify potential threats and vulnerabilities to the organization’s people, processes and technology to enable IT risk analysis.

The Big Picture: One benefit of IT risk management is its emphasis on the protection of enterprise assets and the minimizing of loss.


Task 1.2 Activity
• Using the list you created in the previous task, add vulnerabilities. Include regulatory requirements on your list.
Discussion Question
• The likelihood of an attack being launched against an enterprise is MOST dependent upon:
A. The skill and motivation of the potential attacker.
B. The frequency that monitoring systems are reviewed.
C. The ability to respond quickly to any incident.
D. The effectiveness of the controls.
Discussion Question
• Risk scenarios should be created PRIMARILY based on which of the following?
A. Input from senior management
B. Previous security incidents
C. Threats that the enterprise faces
D. Results of the risk analysis
Task 1.3

Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.


Task 1.3 Process

Input: Information gathered in Tasks 1.1 and 1.2
Process: Analyze risk scenario elements to build a profile of a potential event
Output: A comprehensive set of IT risk scenarios


Key Terms

Risk scenario – The tangible and assessable representation of risk; one of the key information items needed to identify, analyze and respond to risk

Event – Something that occurs at a certain place and time

Top-down approach – A method of risk scenario development focused on events that may impact business goals

Bottom-up approach – A method of risk scenario development based on descriptions of risk events specific to individual enterprises


Task to Knowledge Statements
How does Task 1.3 relate to each of the following knowledge statements?

8. Risk scenario development tools and techniques – A scenario describes the consequences of a given threat exploiting a vulnerability related to one or more critical assets. All scenarios must identify the actors and contain a threat type, event, impacted resource(s) and timing.

24. Characteristics of inherent and residual risk – Inherent risk is the risk by design of a given process or technology. Current risk is the risk of an adverse event occurring despite the current controls in place.

28. Information security concepts and principles, including confidentiality, integrity and availability of information – Risk scenarios must consider the impacts to a given asset when the requirements of confidentiality (excessive or inappropriate access), integrity (unapproved or inappropriate alteration or removal) and/or availability (unscheduled downtime, system lockouts or failures) cannot be met.
The Risk Scenario
• A risk scenario is a description of a possible event whose occurrence will have an uncertain impact on the achievement of the enterprise’s objectives.
• Risk scenario development provides a way of conceptualizing risk useful in the process of risk identification.
• Risk scenarios are also used to document risk in relation to business objectives or operations impacted by events, making them useful as the basis for quantitative risk assessment.
Risk Scenario Structure

Source: ISACA, COBIT 5 for Risk, USA, 2013, figure 36



Deriving the Risk Scenario
• Risk scenarios may be derived via two different mechanisms:
– Top-down approach: From the overall business objectives, an analysis of the most relevant and probable IT risk scenarios impacting the business objectives is performed. If the impact criteria are well aligned with the real value drivers of the enterprise, relevant risk scenarios will be developed.
– Bottom-up approach: A list of generic scenarios is used to define a set of more concrete and customized scenarios, which are then applied to the individual enterprise situation.
Developing the Risk Scenario
• Risk scenario development is based on:
– Describing a potential risk event
– Documenting the factors and areas that may be affected by the risk event
• Each scenario should be related to a business objective or impact.
• Effective scenarios must focus on real and relevant potential risk events.


Risk Scenario Overview

Source: ISACA, COBIT 5 for Risk, USA, 2013, figure 34



In the Big Picture

Task 1.3: Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.

The Big Picture: IT risk management is closely linked to business continuity. Risk scenarios examine issues before they become continuity issues.


Task 1.3 Activity
• Build a risk scenario associated with the process you developed in the previous two tasks.
Discussion Question
• When developing IT-related risk scenarios with a top-down approach, it is MOST important to identify the:
A. Information system environment
B. Business objectives
C. Hypothetical risk scenarios
D. External risk scenarios
Discussion Question
• Risk scenarios enable the risk assessment process because they:
A. cover a wide range of potential risk.
B. minimize the need for quantitative risk analysis techniques.
C. segregate IT risk from business risk for easier risk analysis.
D. help estimate the frequency and impact of risk.
Task 1.4

Identify key stakeholders for IT risk scenarios to help establish accountability.


Focus on Task 1.4

Input: Information gathered in Tasks 1.1 and 1.2
Process: Identify key stakeholders for IT risk scenarios
Output: Clear lines of accountability


Key Terms

Stakeholder – Anyone who has a responsibility for, an expectation from or some other interest in the enterprise; examples include shareholders, users, government, suppliers, customers and the public

Risk owner – The person in whom the organization has invested the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario; this individual may not be responsible for the implementation of risk treatment

Data owner – The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data


Task to Knowledge Statements
How does Task 1.4 relate to each of the following knowledge statements?

15. Organizational culture, ethics and behavior – An organization’s culture, ethics and behavior will have a significant impact on the quality and usefulness of risk activities.

23. Principles of risk and control ownership – Each risk scenario should be assigned to a risk owner to make sure the scenario is thoroughly analyzed.

36. IT risk management best practices – Using risk management practices like risk scenarios brings clarity to the risk management process. The effectiveness of practices such as the development of risk scenarios relies on participation by all the parties that engage in a given process under review.
Stakeholder Roles
• Defining the roles of stakeholders involved in risk management aids in creating a foundation for risk management across the enterprise.
• Individuals involved in the risk management process may fill one of four roles, referred to with the acronym “RACI.” A given stakeholder may be designated as follows:
– Responsible for managing the risk
– Accountable for the risk management effort
– Consulted to provide support and assistance to the risk management effort
– Informed so they may evaluate or monitor the effectiveness of the risk management effort
Who Owns Risk?
• Ownership of risk is the responsibility of the owners of the assets, which, in most cases, is senior management.
• Management must often evaluate and accept risk when they make a decision to:
– Invest.
– Take on a new line of business.
– Develop a new product.
– Open a new office.
– Hire a new employee.
– Invest in new hardware or software.
– Upgrade existing applications.
– Implement new controls.
The RACI Model
 The purposes of the RACI model are to clearly
show:
– The relationships between the various stakeholders
– The interaction between the stakeholders
– The roles that each stakeholder plays in the
successful completion of the risk management
effort

66 ©Copyright 2015 ISACA. All rights reserved.


RACI Designations

R – Responsible

• The stakeholder role defined as “Responsible” is described as follows:


• This is the person(s) tasked with getting the job done.
• This is the role of the person(s) performing the actual work effort to meet a stated
objective.

A – Accountable

• The stakeholder role defined as “Accountable” is described as follows:


• The person is accountable (liable, answerable) for the completion of the task.
• He/she is responsible for the oversight and management of the person(s) responsible for performing the work effort.
• He/she may also play a role in the project and bear the responsibility for project success or failure.
• In order to be effective, accountability should be with a sole role or person.

67 ©Copyright 2015 ISACA. All rights reserved.


RACI Designations (cont’d)

C – Consulted

• The stakeholder role defined as “Consulted” is described as follows:


• These are the people consulted as a part of the project.
• They may provide input data, advice, feedback or approvals.
• Consulted personnel may be from other departments, from all layers of the organization, from external
sources or from regulators.

I – Informed

• The stakeholder role defined as “Informed” is described as follows:


• These are the person(s) who are informed of the status, achievement and/or deliverables of the task.
• They may be interested in the outcome but are often not directly responsible for the work effort.

68 ©Copyright 2015 ISACA. All rights reserved.


Example RACI Chart

Task                      Senior       Steering     Department   Risk
                          Management   Committee    Managers     Practitioner
                                       (Chair)
Collect risk data         I            A            C            R
Deliver the risk report   I            A            I            R
Prioritize risk response  A            I            R            C
Monitor risk              I            A            R            C

69 ©Copyright 2015 ISACA. All rights reserved.
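As an added illustration (not part of the ISACA slides), the following Python snippet types the Example RACI Chart in as data and checks it against the rule stated on the RACI Designations slide that accountability should rest with a single role, together with the companion rule that every task needs at least one Responsible role. The function names are chosen for this example, and the column order assumed is Senior Management, Steering Committee (Chair), Department Managers, Risk Practitioner.

```python
# Added example, not code from the ISACA CRISC course materials.
# Checks a RACI chart for the "sole accountable role" rule and for tasks
# that nobody is Responsible for; the chart data mirrors the slide's example.

ROLES = (
    "Senior Management",
    "Steering Committee (Chair)",
    "Department Managers",
    "Risk Practitioner",
)

# Designations per task, in the same column order as ROLES (assumed order).
EXAMPLE_RACI = {
    "Collect risk data":        ("I", "A", "C", "R"),
    "Deliver the risk report":  ("I", "A", "I", "R"),
    "Prioritize risk response": ("A", "I", "R", "C"),
    "Monitor risk":             ("I", "A", "R", "C"),
}

VALID_CODES = {"R", "A", "C", "I"}


def check_raci(chart, roles):
    """Return a list of findings; an empty list means the chart is well formed."""
    findings = []
    for task, codes in chart.items():
        if len(codes) != len(roles):
            findings.append(f"{task}: {len(codes)} designations for {len(roles)} roles")
            continue
        unknown = set(codes) - VALID_CODES
        if unknown:
            findings.append(f"{task}: unknown designation(s) {sorted(unknown)}")
        # Accountability must sit with exactly one role (RACI Designations slide).
        if codes.count("A") != 1:
            findings.append(
                f"{task}: expected exactly one Accountable role, found {codes.count('A')}"
            )
        # Someone has to actually do the work.
        if codes.count("R") == 0:
            findings.append(f"{task}: no role is Responsible for doing the work")
    return findings


def accountable_role(chart, roles, task):
    """Name the single Accountable role for a task, or None if the rule is broken."""
    codes = chart[task]
    if codes.count("A") != 1:
        return None
    return roles[codes.index("A")]


if __name__ == "__main__":
    problems = check_raci(EXAMPLE_RACI, ROLES)
    print("Findings:", problems or "none")
    for task in EXAMPLE_RACI:
        print(f"{task}: accountable -> {accountable_role(EXAMPLE_RACI, ROLES, task)}")
```

Running the check over the slide's chart produces no findings; feeding it a task with two "A" entries and no "R" shows how the validator reports both violations.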


In the Big Picture

Task 1.4: Identify key stakeholders for IT risk scenarios to help establish accountability.

The Big Picture: Effective risk governance ensures that risk management practices are fully embedded in the enterprise.

70 ©Copyright 2015 ISACA. All rights reserved.


Task 1.4 Activity
 Based on the prior activities, build a RACI
chart of the individuals participating in the
assessment exercise.
            Role 1    Role 2    Role 3    Role 4
Activity 1
Activity 2
Activity 3
Activity 4
Activity 5


71 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Which of the following activities provides the
BEST basis for establishing risk ownership?
A. Documenting interdependencies between
departments
B. Mapping identified risk to a specific business
process
C. Referring to available RACI charts
D. Distributing risk equally among all asset owners

72 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Which of the following is MOST important
for effective risk management?
A. Assignment of risk owners to identified risk
B. Ensuring compliance with regulatory
requirements
C. Integration of risk management into operational
processes
D. Implementation of a risk avoidance strategy

73 ©Copyright 2015 ISACA. All rights reserved.
Task 1.5
Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprisewide risk profile.

74 ©Copyright 2015 ISACA. All rights reserved.


Focus on Task 1.5

Input: Information from risk identified in audits, vulnerability assessments, penetration tests, incident reports, process reviews and management input

Process: Establish and maintain an IT risk register

Output: A single document resource for risk assessment

75 ©Copyright 2015 ISACA. All rights reserved.


Key Terms
Risk register: A listing of all risks identified for the enterprise

Risk indicators: A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite

76 ©Copyright 2015 ISACA. All rights reserved.


Task to Knowledge Statements
How does Task 1.5 relate to each of the following knowledge statements?

Knowledge Statement 7. Methods to identify risk
Connection: Several sources that can aid in risk identification include vendor documents, industry bulletins, policy and procedure review, press releases, breach and vulnerability reporting services, and many more.

Knowledge Statement 9. Risk identification and classification standards and frameworks
Connection: Standards and frameworks are adopted by organizations to bring repeatability and credibility to the risk identification and classification process.

Knowledge Statement 10. Risk events/incident concepts (e.g., contributing conditions, lessons learned, loss result)
Connection: When building risk scenarios, one must not only consider a single asset being impacted by a single event, but also cascading and coinciding incidents. Include these complex scenarios in the risk register.


77 ©Copyright 2015 ISACA. All rights reserved.
The Risk Register
 A risk register is a listing of all risk identified
for the enterprise.
 The risk register records:
– All known risk
– Priorities of risk
– Likelihood of risk
– Potential risk impact
– Status of the risk mitigation plans
– Contingency plans
– Ownership of risk
78 ©Copyright 2015 ISACA. All rights reserved.
Risk Register Purpose
 The purpose of a risk register is to consolidate
risk data into one place and permit the tracking
of risk.
 The risk register allows management to refer
to a single document to do the following:
– Gain insight into the outstanding risk issues.
– Learn about the status of risk mitigation efforts.
– Become aware of the emergence of newly
identified and documented risk.

79 ©Copyright 2015 ISACA. All rights reserved.


Sources of Information

The risk register contains all risk detected by various departments or activities of the organization, including the following:
• Risk identified in audits
• Vulnerability assessments
• Penetration tests
• Incident reports
• Process reviews
• Management input
• Risk scenario creation
• Security assessments

80 ©Copyright 2015 ISACA. All rights reserved.


Risk Register Example
Part I—Summary Data
Risk statement:
Risk owner:
Date of last risk assessment:
Due date for update of risk assessment:
Risk category: Strategic / Project Delivery / Operational
Risk classification: Low / Medium / High / Very High
Risk response: Accept / Transfer / Mitigate / Avoid

Part II—Risk Description
Title:
High-level scenario:
Detailed scenario description—Scenario components:
  Actor:
  Threat Type:
  Event:
  Asset/Resource:
  Timing:
Other scenario information:

Source: ISACA, COBIT 5 for Risk, USA, 2013, figure 62

81 ©Copyright 2015 ISACA. All rights reserved.


Risk Register Example (cont’d)
Part III—Risk Analysis Results

Frequency of scenario (N = number of times per year), rating 0 to 5:
  0: N ≤ 0.01
  1: 0.01 < N ≤ 0.1
  2: 0.1 < N ≤ 1
  3: 1 < N ≤ 10
  4: 10 < N ≤ 100
  5: 100 < N
Comments on frequency:

Impact of scenario on business (I = impact measure), rating 0 to 5 on each of four scales:

1. Productivity (Revenue Loss Over One Year)
  Impact rating: 0: I ≤ 0.1%; 1: 0.1% < I ≤ 1%; 2: 1% < I ≤ 3%; 3: 3% < I ≤ 5%; 4: 5% < I ≤ 10%; 5: 10% < I
  Detailed description of impact:

2. Cost of response (Expenses Associated With Managing the Loss Event)
  Impact rating: 0: I ≤ 10K$; 1: 10K$ < I ≤ 100K$; 2: 100K$ < I ≤ 1M$; 3: 1M$ < I ≤ 10M$; 4: 10M$ < I ≤ 100M$; 5: 100M$ < I
  Detailed description of impact:

3. Competitive advantage (Drop in Customer Satisfaction Ratings)
  Impact rating: 0: I ≤ 0.5; 1: 0.5 < I ≤ 1; 2: 1 < I ≤ 1.5; 3: 1.5 < I ≤ 2; 4: 2 < I ≤ 2.5; 5: 2.5 < I
  Detailed description of impact:

4. Legal (Regulatory Compliance—Fines)
  Impact rating: 0: None; 1: < 1M$; 2: < 10M$; 3: < 100M$; 4: < 1B$; 5: > 1B$
  Detailed description of impact:

Overall impact rating (average of the four impact ratings):
Overall rating of risk (obtained by combining frequency and impact ratings on the risk map): Low / Medium / High / Very High

Source: ISACA, COBIT 5 for Risk, USA, 2013, figure 62

82 ©Copyright 2015 ISACA. All rights reserved.
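The following Python module is an added worked example, not code from ISACA or COBIT 5 for Risk: it encodes the frequency scale and the four impact scales from the Part III extract above, averages the impact ratings as the register specifies, and then combines frequency and impact into an overall rating. The slide does not show the risk map used for that last step, so the banding in overall_rating() (sum of the two 0 to 5 ratings, cut at 3, 5 and 7) is an assumption made for this example, as are the function and field names and the constructed sample scenario values.

```python
"""Risk register Part III scoring. Added example, not ISACA's or COBIT's code.

The band limits below are read from the Part III extract of COBIT 5 for Risk
figure 62 as reproduced on the slide. The risk map that turns frequency and
impact into Low/Medium/High/Very High is not on the slide; the one in
overall_rating() is an assumption for this example only.
"""
from dataclasses import dataclass
from statistics import mean

# Upper bounds of ratings 0..4 on each "lower < value <= upper" scale;
# a value above the last bound is rating 5.
FREQUENCY_BOUNDS = (0.01, 0.1, 1, 10, 100)             # N = occurrences per year
PRODUCTIVITY_BOUNDS = (0.001, 0.01, 0.03, 0.05, 0.10)  # share of one year's revenue lost
COST_BOUNDS = (10_000, 100_000, 1_000_000, 10_000_000, 100_000_000)  # dollars
SATISFACTION_BOUNDS = (0.5, 1.0, 1.5, 2.0, 2.5)        # drop in customer satisfaction rating
# The legal scale is shaped differently: "None", then strict "< x$" bands for
# ratings 1..4, and "> 1B$" for rating 5.
FINES_BOUNDS = (1_000_000, 10_000_000, 100_000_000, 1_000_000_000)


def band_rating(value, bounds):
    """Rating 0..5 for a scale of the form 'lower < value <= upper'."""
    if value < 0:
        raise ValueError("measured values must be non-negative")
    for rating, upper in enumerate(bounds):
        if value <= upper:
            return rating
    return 5


def fines_rating(fines_usd):
    """Legal impact: 0 for no fine, then the strict '< x$' bands, 5 above 1B$."""
    if fines_usd == 0:
        return 0
    for rating, upper in enumerate(FINES_BOUNDS, start=1):
        if fines_usd < upper:
            return rating
    return 5


@dataclass
class RiskAnalysis:
    """Measured inputs for one register entry (field names are this example's)."""
    events_per_year: float
    revenue_loss_fraction: float
    response_cost_usd: float
    satisfaction_drop: float
    fines_usd: float

    def frequency_rating(self):
        return band_rating(self.events_per_year, FREQUENCY_BOUNDS)

    def impact_ratings(self):
        return {
            "productivity": band_rating(self.revenue_loss_fraction, PRODUCTIVITY_BOUNDS),
            "cost_of_response": band_rating(self.response_cost_usd, COST_BOUNDS),
            "competitive_advantage": band_rating(self.satisfaction_drop, SATISFACTION_BOUNDS),
            "legal": fines_rating(self.fines_usd),
        }

    def overall_impact_rating(self):
        # The register defines this as the plain average of the four impact ratings.
        return mean(self.impact_ratings().values())

    def overall_rating(self):
        """Combine frequency and impact the way the register's risk map would.

        ASSUMPTION: the slide does not show the map itself, so this example sums
        the two 0..5 ratings and cuts the 0..10 result into four bands. A real
        register uses the enterprise's own map.
        """
        score = self.frequency_rating() + self.overall_impact_rating()
        if score <= 3:
            return "Low"
        if score <= 5:
            return "Medium"
        if score <= 7:
            return "High"
        return "Very High"


if __name__ == "__main__":
    # Constructed sample scenario (not from the slides): an extended outage of a
    # customer-facing platform expected roughly once every two years.
    scenario = RiskAnalysis(
        events_per_year=0.5,
        revenue_loss_fraction=0.02,
        response_cost_usd=250_000,
        satisfaction_drop=1.2,
        fines_usd=0,
    )
    print("Frequency rating:", scenario.frequency_rating())
    for name, rating in scenario.impact_ratings().items():
        print(f"  {name}: {rating}")
    print("Overall impact rating:", scenario.overall_impact_rating())
    print("Overall rating of risk:", scenario.overall_rating())
```

The constructed scenario lands at frequency 2 and impact ratings 2, 2, 2 and 0, so the averaged impact is 1.5; note that the legal scale needs its own function because its bands are strict and its lowest band is "None" rather than a range.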


Risk Register Example (cont’d)
Part IV—Risk Response
Risk response for this risk: Accept / Transfer / Mitigate / Avoid
Justification:
Detailed description of response (NOT in case of ACCEPT), for each action: Response Action / Completed / Action Plan
  1.
  2.
  3.
  4.
  5.
  6.
Overall status of risk action plan:
Major issues with risk action plan:
Overall status of completed responses:
Major issues with completed responses:

Part V—Risk Indicators
Key risk indicators for this risk:
  1.
  2.
  3.
  4.

Source: ISACA, COBIT 5 for Risk, USA, 2013, figure 62

83 ©Copyright 2015 ISACA. All rights reserved.


In the Big Picture

Task 1.5: Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprisewide risk profile.

The Big Picture: The IT risk management function benefits from continuous improvement. The risk register documents current knowledge about an identified risk, useful for future consideration.

84 ©Copyright 2015 ISACA. All rights reserved.


Task 1.5 Activity
 Based on information from earlier activities,
complete Parts I and II of the risk register.

Part I—Summary Data
Risk statement:
Risk owner:
Date of last risk assessment:
Due date for update of risk assessment:
Risk category: Strategic / Project Delivery / Operational
Risk classification: Low / Medium / High / Very High
Risk response: Accept / Transfer / Mitigate / Avoid

Part II—Risk Description
Title:
High-level scenario:
Detailed scenario description—Scenario components:
  Actor:
  Threat Type:
  Event:
  Asset/Resource:
  Timing:
Other scenario information:

85 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Which of the following statements BEST
describes the value of a risk register?
A. It captures the risk inventory.
B. It drives the risk response plan.
C. It is a risk reporting tool.
D. It lists internal risk and external risk.

86 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Which of the following information in the risk
register BEST helps in developing proper risk
scenarios? A list of:
A. potential threats to assets.
B. residual risk on individual assets.
C. accepted risk.
D. security incidents.

87 ©Copyright 2015 ISACA. All rights reserved.
Task 1.6
Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives.

88 ©Copyright 2015 ISACA. All rights reserved.


Focus on Task 1.6

Input: Information gathered from senior leadership and key stakeholders

Process: Identify enterprise risk appetite and tolerance

Output: A risk approach consistent with business objectives

89 ©Copyright 2015 ISACA. All rights reserved.


Key Terms
Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

Risk capacity: The objective amount of loss an enterprise can tolerate without risking its continued existence

Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Enterprise goals: The translation of the enterprise's mission from a statement of intention into performance targets and results

Enterprise objectives: A further development of the enterprise goals into tactical targets and desired results and outcomes

90 ©Copyright 2015 ISACA. All rights reserved.


Task to Knowledge Statements
How does Task 1.6 relate to each of the following knowledge statements?

Knowledge Statement Connection


4. Business goals and Senior leadership and key stakeholders will determine the
objectives specific tolerance toward risk for a given process or asset.

12. Risk appetite and tolerance Risk appetite is the amount of risk a company is willing to
achieve in pursuit of reaching its organizational goals. Risk
tolerance, determined by the risk owner, is the acceptable
degree of variation that an organization may accept for a
particular asset at a particular point in time.

24. Characteristics of inherent Residual risk is the risk remaining after mitigation and is
and residual risk the risk upon which management will base final risk
acceptance.

91 ©Copyright 2015 ISACA. All rights reserved.
Risk Appetite
 In an organization, risk appetite is used in the
following ways:
– It is defined and communicated by senior
management.
– It serves to set the boundary around satisfactory
levels of risk.
– It is translated into standards and policies designed
to ensure that the risk level is contained within the
boundaries set by the risk appetite.

92 ©Copyright 2015 ISACA. All rights reserved.


Risk Tolerance
 Risk tolerance levels are defined as the acceptable
level of variation that management is willing to allow
for any particular risk as the enterprise pursues its
objectives.
 Risk tolerance is:
– Defined and communicated by senior
management.
– Subject to change over time and circumstances, so
adjustment may be required.

93 ©Copyright 2015 ISACA. All rights reserved.


In the Big Picture

Task 1.6: Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives.

The Big Picture: Effective IT risk management maintains a focus on enterprise mission, goals and objectives.

94 ©Copyright 2015 ISACA. All rights reserved.


Task 1.6 Discussion
 Describe your organization's risk appetite and
risk tolerance positions.
 Are these in writing?
 What are the enterprise objectives for your
company? How did you learn these?

95 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 It is MOST important that risk appetite be
aligned with business objectives to ensure that:
A. resources are directed toward areas of low risk
tolerance.
B. major risk is identified and eliminated.
C. IT and business goals are aligned.
D. the risk strategy is adequately communicated.

96 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Who is accountable for business risk related to
IT?
A. The chief information officer (CIO)
B. The chief financial officer (CFO)
C. Users of IT services—the business
D. The chief architect

97 ©Copyright 2015 ISACA. All rights reserved.
Task 1.7
Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a risk-aware culture.



Focus on Task 1.7

Input: Understanding of stakeholder information needs

Process: Develop and conduct training to ensure a risk-aware culture

Output: Enterprisewide understanding of the importance of risk awareness

99 ©Copyright 2015 ISACA. All rights reserved.


Key Terms
Risk awareness: Knowledge of information security policies, standards and procedures

Risk-aware culture: An enterprisewide outlook that ensures understanding and application of security policies and actions

Risk awareness training: Education of an organization's staff, designed to instill risk awareness

100 ©Copyright 2015 ISACA. All rights reserved.


Task to Knowledge Statements
How does Task 1.7 relate to each of the following knowledge statements?

Knowledge Statement Connection


1. Laws, regulations, The need for developing and executing a risk awareness
standards and compliance program and conducting risk awareness training are spelled
requirements out in several laws, regulations, standards and compliance
requirements throughout the world.

15. Organizational culture, An organization’s culture, ethics and behavior toward risk
ethics and behavior taking, compliance and negative events needs to be
factored into how the risk awareness program is built,
marketed, delivered and managed over time.

31. Requirements, principles, Training components should be customized based on what


and practices for educating a person’s role will be regarding risk identification,
and training on risk and assessment and response.
control activities

101 ©Copyright 2015 ISACA. All rights reserved.
Risk Awareness
 Knowledge of information security policies, standards and
procedures across the enterprise builds a risk-aware culture.
 Awareness is a powerful tool in creating the culture, forming
ethics and influencing the behavior of the members of an
organization.
 In a risk-aware culture, the following is likely to occur:
– Components of risk will be discussed openly
– Acceptable levels of risk will be better understood and
maintained
– All levels within an enterprise will be aware of how to respond to
adverse events

102 ©Copyright 2015 ISACA. All rights reserved.


Risk Awareness Program
 The purpose of a risk awareness program is to
create an understanding of:
– Risk
– Risk factors
– The variety of risks faced by the enterprise

103 ©Copyright 2015 ISACA. All rights reserved.


Program Good Practice
 The risk awareness program should:
– Incorporate understanding of the organization’s structure
and culture.
– Be tailored to the needs of individual groups within the
organization.
– Deliver content suitable for each group.
– Avoid disclosure of current vulnerabilities or ongoing
investigations.

104 ©Copyright 2015 ISACA. All rights reserved.


Executive Responsibility
 To create a risk-aware culture, board members and
business executives must:
– Set direction.
– Communicate risk-aware decision making.
– Reward effective risk management behaviors.

105 ©Copyright 2015 ISACA. All rights reserved.


Raising Risk Awareness
 Risk awareness is also important at the managerial level.
 At the middle management level, risk awareness training
should emphasize the importance of:
– Strong oversight of staff activities with respect to risk
– Staff compliance with the security policies and practices
 At the senior management level, risk awareness training
should:
– Highlight liability, reminding senior managers that they are the
ones who “own” the risk.
– Emphasize the need for compliance, due care and due diligence.
– Encourage the creation of a risk-aware tone and culture through
policy and good practice.
106 ©Copyright 2015 ISACA. All rights reserved.
In the Big Picture

Task 1.7: Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a risk-aware culture.

The Big Picture: A key objective of risk governance is the integration of risk management across the enterprise.

107 ©Copyright 2015 ISACA. All rights reserved.


Task 1.7 Discussion
 What does your company currently do
regarding risk awareness training?
 Where may opportunities lie in the future?

108 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Which of the following is a PRIMARY
consideration when developing an IT risk
awareness program?
A. Why technology risk is owned by IT
B. How technology risk can impact each attendee’s
area of business
C. How business process owners can transfer
technology risk
D. Why technology risk is more difficult to manage
compared to other risk

109 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Which of the following is the GREATEST
benefit of a risk-aware culture?
A. Issues are escalated when suspicious activity is
noticed.
B. Controls are double-checked to anticipate any
issues.
C. Individuals communicate with peers for
knowledge sharing.
D. Employees are self-motivated to learn about costs
and benefits.

110 ©Copyright 2015 ISACA. All rights reserved.
Learning Objective 1
Identify relevant standards, frameworks and practices.
 The IT risk management program should be:
– Thorough, detailed and complete
– Auditable, justifiable and in compliance with
regulations
– Monitored and enforced
– Current with changing business processes,
technologies and laws
– Adequately resourced, with oversight and support
111 ©Copyright 2015 ISACA. All rights reserved.
Learning Objective 2
Apply risk identification techniques.
 Risk identification depends upon gathering
information across a variety of environments,
methods and resources, including the
following:
– Internal and external operating environments
– Historical, systemic and inductive methods
– Internal reports, public media, vulnerability testing
and interviews

112 ©Copyright 2015 ISACA. All rights reserved.


Learning Objective 3
Distinguish between threats and vulnerabilities.
 Threats are defined as anything that is capable of acting
against an asset in a manner that can result in harm.
 Vulnerabilities are defined as a weakness in the design,
implementation, operation or internal control of a process
that could expose the system to adverse threats from
threat events.
 Vulnerabilities are the open door that threats walk
through.
113 ©Copyright 2015 ISACA. All rights reserved.
Learning Objective 4
Identify relevant stakeholders.
 Risk communication removes the uncertainty
and doubts concerning risk management.
 If risk is to be managed and mitigated, it must
first be discussed and effectively
communicated in an appropriate level to the
various stakeholders and personnel throughout
the organization.
 A system such as a RACI chart allows
systematic planning for such communication.
114 ©Copyright 2015 ISACA. All rights reserved.
Learning Objective 5
Discuss risk scenario development tools and techniques.
 A risk scenario is a description of a possible event that, when occurring,
will have an uncertain impact on the achievement of the enterprise’s
objectives.
 Each scenario should be based on an identified risk, and each risk
should be identified in one or more scenarios.
 Each scenario is used to document the level of risk associated with the
scenario in relation to the business objectives or operations that would
be impacted by the risk event.
 The development of the risk scenarios is an art. It requires creativity,
thought, consultation and questioning.
115 ©Copyright 2015 ISACA. All rights reserved.
Learning Objective 6
Explain the meaning of key risk management concepts, including risk appetite and risk tolerance.
 Risk appetite – The amount of risk, on a broad level, that
an entity is willing to accept in pursuit of its mission
 Risk capacity – The objective amount of loss an
enterprise can tolerate without risking its continued
existence
 Risk tolerance – The acceptable level of variation that
management is willing to allow for any particular risk as
the enterprise pursues its objectives
116 ©Copyright 2015 ISACA. All rights reserved.
Learning Objective 7
Describe the key elements of a risk register.
 The risk register includes four parts, as
follows:
– Part I – Summary Data
– Part II – Risk Description
– Part III – Risk Analysis Results and Risk Response
– Part IV – Risk Indicators

117 ©Copyright 2015 ISACA. All rights reserved.


Learning Objective 8
Contribute to the creation of a risk awareness program.
 Awareness education and training can serve to mitigate some of the
biggest organizational risk and achieve the most cost-effective
improvement in risk and security.
 A risk awareness program creates an understanding of risk, risk factors
and the various types of risk that an organization faces.
 An awareness program should be tailored to the needs of the individual
groups within an organization and deliver content suitable for that group.
 A risk awareness program should NOT disclose vulnerabilities or
ongoing investigations except where the problem has already been
addressed.
118 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Which of the following is the MOST
important information to include in a risk
management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state

119 ©Copyright 2015 ISACA. All rights reserved.
Discussion Question
 Which of the following is MOST important to
determine when defining risk management
strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. An enterprise disaster recovery plan (DRP)
D. Organizational objectives

120 ©Copyright 2015 ISACA. All rights reserved.