CCISO Domain 1 v8 051721

The document outlines a course on Governance and Risk in information security, focusing on aligning security programs with business models and improving risk management practices. It emphasizes the importance of understanding organizational structure, industry norms, and compliance regulations in shaping effective information security governance. Additionally, it highlights the role of the Chief Information Security Officer (CISO) in managing security policies and compliance programs within an organization.

Uploaded by Jonathan Rojas

WELCOME

LET'S BREAK SOME ICE
GETTING TO KNOW EACH OTHER

Domain 1: Governance and Risk

INTRODUCTIONS

• Name
• Title
• Company
• What are you looking to gain most from this course?
• What do you see as your biggest challenge in the field of information security?

DOMAIN 1 INTRODUCTION

• This domain teaches students how:
  o To align information security programs with business models.
  o To raise the maturity level of an information security program.
  o To build a personal CISO brand.
  o To improve information security policies.
  o To create hybrid risk management programs.
  o To improve existing risk management programs.

KNOWLEDGE ASSUMPTIONS

• Students are expected to have:
  o Five years of domain experience.
  o An understanding of Governance, Risk, and Compliance (GRC) concepts.
  o A familiarity with GRC vocabulary.
  o An ability to create information security policies.
  o A strong business and personal ethics compass.
  o A working knowledge of risk management frameworks.
  o An understanding of process maturity models.
  o A working knowledge of the essential elements of risk management.
DEFINITIONS

Governance        Adherence to laws, regulations, and policies
Compliance        Conform to stated requirements
Privacy           Ensure private information is kept secret
Risk Management   Analyze, assess, and treat risk


GOVERNANCE AND RISK MANAGEMENT
DOMAIN 1

GOVERNANCE AND RISK MANAGEMENT: DOMAIN OUTLINE

1. Define, Implement, Manage, and Maintain an InfoSec Governance Program
2. Information Security Drivers
3. Establishing an Information Security Management Structure
4. Laws/Regulations/Standards as Drivers of Organizational Policy/Standards/Procedures
5. Managing an Enterprise Information Security Compliance Program
6. Introduction to Risk Management

Summary and Practice Questions
1. DEFINE, IMPLEMENT, MANAGE AND MAINTAIN AN INFORMATION SECURITY GOVERNANCE PROGRAM

• A business driver is a condition, process, requirement, or other concern that influences the way in which an organization directs or manages activities.
• The CISO must understand why an organization exists and how it conducts business before the process of developing information security governance can begin.


1.1 FORM OF BUSINESS ORGANIZATION

• The form of business organization, its hierarchical structure, the industry in which it operates, and its maturity all work together to influence corporate governance in an organization.
• The three most common structures used to organize a business are the proprietorship, the partnership, and the corporation.

1.1 FORM OF BUSINESS ORGANIZATION: PROPRIETORSHIP

• A proprietorship, the simplest form of ownership, exists when a single individual owns the organization.
• The proprietor defines the mission, vision, and purpose of the organization based on his or her experience and priorities.
• The power to make decisions rests solely with this person.

1.1 FORM OF BUSINESS ORGANIZATION: PARTNERSHIP

• A partnership is an organization in which two or more individuals share the benefits and the responsibility for liabilities related to the operations of the organization.
• Partnerships allow owners to pool their knowledge and experience.
• Governance becomes more complex as the partnership adds members.

1.1 FORM OF BUSINESS ORGANIZATION: CORPORATION

• Corporations exist as legal entities that are legally separate from the owners.
• Governance is directed because owners and their representatives (Board of Directors) maintain the rules for running the corporation within the articles of incorporation.
• Shareholder value is the primary force driving governance for corporations.
1.2 INDUSTRY

• The industry in which an organization operates affects corporate governance.
• Industries drive the subject of most decisions about governance.
• A broad variety of industries exist, each with industry-specific norms, requirements, and regulations that drive governance decisions (such as manufacturing, retail, and financial services).

1.2 INDUSTRY: ATTACKS

Top Targeted Industries (chart)

Retail                  11%
Transportation          13%
Professional Service    12%
Finance & Insurance     19%
Manufacturing           10%
These five combined     65%

Source: Bulletproof Annual Cyber Security Report 2020
1.3 ORGANIZATIONAL MATURITY

• Maturity varies irrespective of the size of an organization or its structure. The concept of maturity typically can be mapped to models such as the Capability Maturity Model Integration (CMMI).
• The goal of these models is to define the current state of maturity and describe what an organization should do to promote behaviors that facilitate improved performance and maturity.

1.3 ORGANIZATIONAL MATURITY: SCALE

Capability Maturity Model Integration (CMMI) (figure)

Typically, organizations cannot begin to realize the benefits of mapping processes to organizational standards and achieving consistency across the enterprise until CMMI Level 3.

1.3 ORGANIZATIONAL MATURITY: STATE

Reactive versus Proactive Organizations

Attribute    Reactive                                                    Proactive
Focus        Making money and short-term shareholder returns             Long-term returns and strategic thinking
Priorities   Reacting to immediate problems                              Taking a preemptive approach
Control      Control is centralized                                      Control is localized
Analysis     Reliance on instinct or the experience of one or more people  Focus on data to improve processes
Personnel    People counted as a cost                                    People valued as an asset
Training     Training is a benefit or perk                               Training is essential to success
Leadership   Distrust between management and employees                   Leaders and personnel collaborate and work together


2. INFORMATION SECURITY DRIVERS

How does information security influence the direction and management of activities in an organization?

2. INFORMATION SECURITY DRIVERS

• Business drivers affect the decisions made in an organization. Information security drivers are similar because of their effect on the management and operation of all levels of the organization.
• Alignment with the business, compliance, and privacy needs are among the most important information security drivers.

2. INFORMATION SECURITY DRIVERS: ALIGNMENT

• Organizational alignment is one of the most important drivers resulting in effective information security governance.
• The CISO can achieve harmony and alignment between the business and security by mapping information security governance to the broader organization's governance model.

2. INFORMATION SECURITY DRIVERS: FACTORS

• The CISO must understand the organization before alignment can occur.
• A variety of factors influence business drivers, and the CISO must understand the:
  o Objectives of the business.
  o Business processes supporting those objectives.
  o Information and technology supporting business operations.
  o Threats that could disrupt operations.

2. INFORMATION SECURITY DRIVERS: VARIABLES

Complexity, Industry, Company Size, Technology, Regulations

Can you name other drivers?
1. _____________________
2. _____________________
3. _____________________
4. _____________________


3. ESTABLISHING AN INFORMATION SECURITY MANAGEMENT STRUCTURE

3.1 Organizational structure:
• The hierarchical structure of an organization usually relates to the form of business organization.
• For example, the owner of a proprietorship often acts as the CEO and the organizational chart expands from this central figure to satisfy the interests of the owner.
• The larger the organization, the more complex the reporting structure.

3.2 WHERE DOES THE CISO FIT WITHIN THE ORGANIZATIONAL STRUCTURE?

• To whom should the CISO report? The vast majority of CISOs report either directly or indirectly to the CIO.
• While this is the most common reporting structure, arguments can be made that this may not be the most effective placement of the CISO.

3.2 WHERE DOES THE CISO FIT WITHIN THE ORGANIZATIONAL STRUCTURE?

There is no standard that establishes the optimal placement of a CISO within the organizational hierarchy.

Possible reporting lines (figure): the CISO may report directly to the CEO, or to the COO (Operations), the CIO (Technology), the CFO (Finance), the CRO (Risk), or the CLO (Legal).

3.2 WHERE DOES THE CISO FIT WITHIN THE ORGANIZATIONAL STRUCTURE?

Chart: current versus desired CISO reporting line (percentage of respondents, 0% to 60%) for Matrix (Multiple), HR / Legal, Audit / Risk, CFO, IT Manager, Board, and CIO / CTO.

Source: ClubCISO – 2019 Information Security Maturity Report
3.3 THE EXECUTIVE CISO

• CISOs who provide leadership as corporate executives are effective because they have the advantage of elevated influence within the organization.

3.3 C-LEVEL ATTITUDES TOWARD THE CISO

• A ThreatTrack survey of 200+ US-based C-suite-level executives by data security firm ThreatTrack found:
  o 61% - CISOs would not be successful outside of IS.
  o 44% - CISOs should be accountable for data breaches.
  o 46% - CISOs should be responsible for cybersecurity purchases.

CISO Grade (as rated by C-level executives)
A - Excellent        23%
B - Above Average    42%
C - Average          30%

Source: ThreatTrack - https://media.scmagazine.com/documents/89/threattrack_study_on_cisos_22034.pdf

3.4 NONEXECUTIVE CISO

The nonexecutive CISO: Office of the CISO (figure)

• It is not uncommon to place the CISO in a nonexecutive leadership role.
• These individuals typically focus only on information security and risk management objectives rather than influencing broader business operations.
4. LAWS/REGULATIONS/STANDARDS AS DRIVERS OF ORGANIZATION POLICY/STANDARDS/PROCEDURES

• Many activities of a CISO involve dealing with laws, regulations, and corporate standards. These guiding articles drive the development of an organization's information security policies, standards, and procedures.
• Domain 2 describes the most common laws, regulations, and standards a CISO could encounter.

4. LAWS/REGULATIONS/STANDARDS AS DRIVERS OF ORGANIZATION POLICY/STANDARDS/PROCEDURES

• Regulations – Written laws or industry standards passed by a legislative body or central authority.
• Standards – Guidelines written by a third-party organization providing a framework and guidance.
• Policies, Standards, and Procedures – Internally developed governance documentation.


5. MANAGING AN ENTERPRISE INFORMATION SECURITY COMPLIANCE PROGRAM

The practical mechanism for supporting security and privacy compliance with laws, regulations, standards, and frameworks is the information security management program.

5. INFORMATION SECURITY POLICIES: FRAMEWORK

Table - Information Security Management System/Framework

5.1 SECURITY POLICY

The security policy provides an executive statement of how your company will implement information security principles and technologies.
A security policy should include the following information:
  o The extent to which everyone has a stake in the information security of the organization.
  o The confidentiality and privacy of information.
  o The principle of least access to information.
  o The integrity of information.
  o The availability of information.
  o The balance of risk exposure with the cost of risk mitigation.
  o The implementation of security measures.
  o The classification of information.
  o The importance of security awareness and information governance.
5.1.1 NECESSITY OF A SECURITY POLICY

• A security policy can provide legal protection to an organization inasmuch as it demonstrates an organization's commitment to adhere to legal and regulatory requirements (due care and diligence).
• Policies often fulfill regulatory requirements and standards that relate to the security of digital information. A few of the more common ones include:
  o The Payment Card Industry (PCI) Data Security Standard (DSS).
  o The Health Insurance Portability and Accountability Act (HIPAA).
  o The Health Information Technology for Economic and Clinical Health (HITECH) Act.
  o The Sarbanes-Oxley Act (SOX).
  o The ISO family of security standards.
  o The Gramm–Leach–Bliley Act (GLBA).
  o The EU General Data Protection Regulation (GDPR).

5.1.2 SECURITY POLICY CHALLENGES

• The process of writing a security policy can be difficult, time consuming, and expensive. To be effective, a security policy must be clearly written and consistent in content and with other organizational policies.
• A security policy must be written so that it can be readily understood by the target audience, which is clearly identified in the document.


5.2 POLICY CONTENT

• Overview: Provides background information on what the policy defines.
• Purpose: Specifies why the policy is needed.
• Scope: Explains the boundaries of what must be done.
• Target audience: Describes who is responsible for acting on the policy.
• Policies: This is the main section of the document and provides statements as to what must be done.
• Definitions: Provides clarity on the terms used within the policy.
• Version: Provides a consistent history of the policy to

5.2 POLICY CONTENT

• There are many general guidelines and practices that are used to provide ideas as to how to create successful information security policies. Generally, a security policy should be:
  o No longer than necessary.
  o Written in common language.
  o Consistent with applicable laws and regulations.
  o Reasonable.
  o Enforceable.


5.2.1 TYPES OF POLICIES

• Different organizations might need a different set of policies for effective security management within their specific environment.
• Some standard policies are listed on the following slides. Some companies may need all, while others may require fewer.

5.2.1 TYPES OF POLICIES

Certain policies can be considered essential to security management:

• Acceptable Use
• Authentication
• Asset Management
• Backup
• Business Continuity/Disaster Recovery
• Confidential Data
• Data Classification
• Encryption
• Incident Response
• Mobile Device
• Network Access
• Network Security
• Outsourcing
• Password
• Physical Security
• Remote Access
• Retention
• Third Party Management
• VPN
• Wireless Use
• Email
• Guest Access


5.2.2 POLICY IMPLEMENTATION

• Once the security policy has been created, perhaps the hardest part of the process is deploying it throughout an organization.
• Too many well-intentioned projects lose focus in this phase, so this step must be well planned and carefully managed.
• A security policy must be supported by the organization's senior management team. Without such support, the implementation will likely fail.

5.2.3 SECURITY ROLES AND RESPONSIBILITIES

• Traditionally the role of the CISO has been to develop, implement, and maintain processes across the enterprise to support the following objectives:
  o Reduce risk in the IT environment.
  o Establish and implement security policies and procedures.
  o Establish effective standards and controls.
  o Respond to information systems incidents.

5.4 STANDARDS AND BEST PRACTICES

• There are a variety of standards and leading practices – each organization has unique challenges and focus.
• For instance, a healthcare company might focus on maintaining patient privacy. That same approach might not work well for a social network company focused on sharing personal information between clients.
• If you are the first CISO at an organization, you will probably establish the standards, frameworks, and best practices for your company.

5.5 LEADERSHIP AND ETHICS

• Leadership:
  o An intangible quality that is very difficult to define. Most people will know it when they see it. There is a significant difference between a manager and a leader.
• Ethics:
  o Defines the moral principles that govern the behavior of a person or group. Appropriate and ethical behavior is crucial for activities the CISO conducts or directs within an organization.
  o Because of the influence associated with the role of the CISO, the behavior of the CISO greatly influences the character and behavior of other people throughout the organization.
5.5 LEADERSHIP AND ETHICS: FRAMEWORK

A Seven-Question Framework for Ethical Decision Making

The following framework for making ethical decisions consists of seven questions that, when answered, serve as an aid to identifying what is right.

When evaluating a decision, ask the following:
1. What decision alternatives are available?
2. What individuals or organizations have a stake in the outcome of my decision?
3. Will an individual or an organization be harmed by any of the alternatives?
4. Which alternative will do the best with the least harm?
5. Would someone I respect find any of the alternatives objectionable?

After deciding on a course of action, but before acting, ask the following:
6. Am I comfortable with the decision I've made?

5.6 EC-COUNCIL CODE OF ETHICS

• EC-Council codifies the expectations for ethical behavior by certification holders within the EC-Council Code of Ethics.
• This code provides a minimum standard of CISO behavior at all levels of professionalism within the security industry.
• This code expresses the consensus of the profession on ethical issues and is a means to educate both the public and those who are entering the field about the ethical obligations of security professionals.
5.6 EC-COUNCIL CODE OF ETHICS

1. Keep private and confidential information gained in your professional work.
2. Protect the intellectual property of others.
3. Disclose to appropriate persons or authorities potential dangers to any ecommerce clients.
4. Provide service in your areas of competence, being honest and forthright about any limitations of your experience and education.
5. Never knowingly use software or process that is obtained or retained either illegally or unethically.
6. Not to engage in deceptive financial practices.
7. Use the property of a client or employer only in ways properly authorized.
8. Disclose to all concerned parties those conflicts of interest.
9. Ensure good management for any project you lead, including effective procedures for promotion of quality and full disclosure of risk.
10. Add to the knowledge of the e-commerce profession by constant study, share the lessons of your experience.
11. Conduct oneself in the most ethical and competent manner.
12. Ensure ethical conduct and professional care at all times.
13. Not to associate with malicious hackers nor engage in any malicious activities.
14. Not to purposefully compromise or allow the client organization's systems to be compromised.
15. Ensure all penetration testing activities are authorized and within legal limits.
16. Not to take part in any black hat activity or be associated with any black hat community.
17. Not to be part of any underground hacking community.
18. Not to make inappropriate reference to the certification or misleading use of certificates.
19. Not convicted in any felony or violated any law of the land.


6. INTRODUCTION TO RISK MANAGEMENT

6. INTRODUCTION TO RISK MANAGEMENT

Risk management is the identification, assessment, and prioritization of risks followed by a coordinated and economical application of resources to minimize, monitor, and control the probability and impact of adverse events.
Two of the most important concepts of risk management:
  o Risk appetite – the level of risk an organization is willing to accept in pursuit of its objectives. Generally a subjective perspective.
  o Risk tolerance – the degree of loss an organization is willing to withstand. Generally objective boundaries.

6.1 RISK MANAGEMENT: STANDARDS

• NIST SP 800-30 Rev. 1 | Guide for Conducting Risk Assessments
• NIST SP 800-37 Rev. 2 | Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
• NIST SP 800-39 | Managing Information Security Risk: Organization, Mission, and Information System View
• ISO/IEC 27005:2018 | Information technology -- Security techniques -- Information security risk management
• ISO/IEC 31000:2018 | Risk management – Guidelines; provides principles, a framework and a process for managing risk
6.2 RISK MANAGEMENT: ESSENTIALS

Program Essentials Checklist

1. Understand the context in which risk is to be evaluated.
2. Create a risk management policy.
3. Personalize risk management terms including risk appetite, risk tolerance, etc.
4. Obtain executive buy-in on risk policy and terms.
5. Understand and inventory the assets requiring protection.
6. Assign risk to asset/data owners.
7. Understand the threats most likely to affect the organization.
8. Understand the vulnerabilities extant within the enterprise.
9. Adopt an accepted risk management framework and/or standard.
10. Create a standardized risk assessment form to evaluate risks to the organization.
11. Create a risk register to track risk scores, risk treatment and residual risk.
12. Perform risk compliance monitoring, including third parties.
13. Communicate risk treatment and risk management to the organization.

6.2 RISK MANAGEMENT: ESSENTIALS

Managing risks requires the identification, analysis and control of the exposure to risk. Source: "The Essentials of Risk Management"

6.3 WHERE RISK RESIDES

Risk Confluence Diagram (figure)


6.4 RISK OWNERSHIP

• Risk ownership belongs to asset owners.
  o Data is an asset, so look to data owners as well.
• Assigning ownership can be political.
• CISOs don't generally own risk.
  o The exception is information security program components.
• CISOs have neither the authority nor the responsibility for determining which risks will be treated and which risks will be accepted.

6.5 RISK ASSESSMENT TYPES

(figure)

6.6 RISK ASSESSMENT PROCESS

Identify Risk: Asset + Vector + Threats + Vulnerability + Impacts
Treat: + Risk Treatment = Residual Risk


6.7 RISK MANAGEMENT: CATEGORIES

The two primary categories of risk are as follows:

• Inherent Risk
  Inherent risk defines the risk that exists before controls are implemented. The organization must understand the potential risk impact that exists before controls are implemented to understand the value and effectiveness of the mitigation strategy.
• Residual Risk
  The idea that some quantity of risk remains after controls are applied is the most important idea about residual risk. Risk mitigation exists to reduce risk to an acceptable level, but that level is rarely zero unless the organization chooses avoidance as the risk treatment strategy. Risk acceptance, therefore, applies as a normal outcome of reducing risk to the lowest acceptable residual level.

6.8 RISK TREATMENT

• Risk treatment is the process of modifying risk.
• Risk treatment is how you specifically reduce risk through the application of an action.
• The CISO supports the decision-making process by identifying risks and recommending treatment options.
• The CISO may offer support related to risk treatment, but the final decision on risk treatment belongs to the business or asset owner.
• Risk treatment is a balance of constraints.

6.8 RISK TREATMENT: PROCESS

Risk treatment process (figure): Risk Assessment Results -> Risk Decision Point 1 (Satisfactory Assessment?) -> Risk Treatment Options -> Risk Assessment Results -> Risk Decision Point 2 (Satisfactory Assessment?)


6.9 RISK MODIFICATION

• Recommendation of controls to offset risk.
• Tradecraft of the CISO: part art, part science.
• Balance between risk management and security operations.
• No risk should be set at zero.
• Multiple types of modifications can be used.

6.9 RISK MODIFICATION: CONSTRAINTS

Balance (figure) among: Ethical, People, Ease of Use, Cultural, Financial, Legal, Other Controls, Technical, Policy, Time

6.10 RISK TREATMENT OPTIONS

Risk Treatment Options (figure)

• Organizations have four options for risk treatment.


6.10 RISK TREATMENT: OPTIONS

• 6.10.1 Risk modification or mitigation: the most common risk treatment option. An organization seeks to change risk exposures or outcomes by applying security controls to a process, system, or environment.
• 6.10.2 Risk retention or acceptance: occurs when an organization acknowledges the existence of a risk and deliberately chooses not to apply controls or additional management of the risk.
• 6.10.3 Risk avoidance or elimination: a risk treatment option that occurs when an organization makes changes or avoids an activity by removing the risk and eliminating its effect on the organization.

6.11 APPLYING COMPENSATING CONTROLS TO REDUCE RISK

• The next step when key controls cannot be applied.
• Must have valid technical, operational, or cost constraints.
• Must meet the rigor and intent of key controls.
• In aggregate, must provide a similar level of defense.


6.12 RISK CALCULATION FORMULA

6.12 RISK CALCULATION FORMULAS

• Many types of calculations exist.
• Not every risk can be invested in equally.
• Risk treatments should be commensurate with the value of the assets at risk.
• Risk formulas allow CISOs and risk managers to dimension risk.

6.12 RISK CALCULATION FORMULA

• Asset Value (AV): The value you have determined an asset to be worth.
• Exposure Factor (EF): The estimated percentage of damage or impact that a realized threat would have on the asset.
• Single Loss Expectancy (SLE): The projected loss of a single event on an asset.
• Annual Rate of Occurrence (ARO): Estimated number of times annually the threat would occur.
• Annualized Loss Expectancy (ALE): Projected loss to the asset based on an annual estimate.
6.12 RISK CALCULATION FORMULA: EXAMPLE
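The slide defines the terms but the arithmetic that links them is not written out, so here is an added worked example (written for this edit; it is not EC-Council course material). It applies the standard relationships behind the terms, SLE = AV × EF and ALE = SLE × ARO, to a small constructed risk register, orders the register by ALE so that treatment spend follows the value at risk (the point of 6.12), and compares inherent ALE against residual ALE (the 6.7 distinction) and a control's annual cost to decide whether a proposed risk modification pays for itself. It also serves checklist item 11 of 6.2, a register that tracks risk scores, treatment and residual risk. Every asset value, exposure factor, occurrence rate and control cost is a constructed sample number, and the class and function names are this example's own.

```python
"""Worked AV / EF / SLE / ARO / ALE example over a constructed risk register.

Added illustration, not course material: every number below is invented, and
the class and function names are this example's own.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One line of a risk register: an asset exposed to one threat."""
    asset: str
    threat: str
    asset_value: float       # AV: value assigned to the asset (currency units)
    exposure_factor: float   # EF: fraction of AV lost when the threat is realized
    aro: float               # ARO: expected occurrences per year

    def __post_init__(self):
        # Guard the inputs: EF is a percentage of AV, ARO a non-negative rate.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"EF must be within [0, 1], got {self.exposure_factor}")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF (loss from one event)."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO (expected yearly loss)."""
        return round(self.sle() * self.aro, 2)


@dataclass(frozen=True)
class Control:
    """A proposed risk-modification control and its estimated effect on EF and ARO."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def residual_scenario(scenario: RiskScenario, control: Control) -> RiskScenario:
    """The same register line after the control is applied (residual risk)."""
    return replace(scenario, exposure_factor=control.residual_ef, aro=control.residual_aro)


def annual_net_benefit(scenario: RiskScenario, control: Control) -> float:
    """Value of a safeguard = inherent ALE - residual ALE - annual control cost.

    A negative result means the control costs more per year than the loss it
    prevents, so the treatment is not commensurate with the asset at risk.
    """
    inherent = scenario.ale()
    residual = residual_scenario(scenario, control).ale()
    return round(inherent - residual - control.annual_cost, 2)


def prioritise(register: list[RiskScenario]) -> list[tuple[str, float]]:
    """Register lines ordered by ALE, highest first (where to invest first)."""
    return sorted(((s.asset, s.ale()) for s in register), key=lambda t: t[1], reverse=True)


# Constructed sample register (all figures invented for illustration).
CUSTOMER_DB = RiskScenario("customer database", "data theft", 500_000, 0.30, 0.2)
WEB_SERVER = RiskScenario("public web server", "outage", 80_000, 0.50, 1.0)
LAPTOPS = RiskScenario("field laptops", "loss or theft", 20_000, 1.00, 3.0)
REGISTER = [CUSTOMER_DB, WEB_SERVER, LAPTOPS]

# Two candidate controls, also constructed: one pays for itself, one does not.
DB_ENCRYPTION = Control("encryption at rest with managed keys", 8_000, 0.05, 0.2)
DDOS_SCRUBBING = Control("24x7 traffic scrubbing service", 45_000, 0.10, 1.0)

if __name__ == "__main__":
    for asset, ale in prioritise(REGISTER):
        print(f"{asset:20s} ALE = {ale:,.2f}")
    for scenario, control in ((CUSTOMER_DB, DB_ENCRYPTION), (WEB_SERVER, DDOS_SCRUBBING)):
        print(f"{control.name}: net annual benefit {annual_net_benefit(scenario, control):,.2f}")
```

Running the module lists the register by ALE and then prints the net annual benefit of each candidate control; the scrubbing service comes out negative because its yearly cost exceeds the ALE it removes, which is the "commensurate with the value of the assets at risk" test stated on the slide expressed as a number the asset owner can act on.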

6.13 RISK MANAGEMENT FRAMEWORKS

• Frameworks provide a broad overview, outline, or skeleton of interlinked items which supports an approach to a specific objective.
• They also serve as a guide that can be modified as required by adding or deleting items.
• The CISO should select the risk management framework or approach that best supports the organization.
• Numerous frameworks exist to guide the processes of identifying, treating, and monitoring information security risks in an organization.

6.13 RISK MANAGEMENT FRAMEWORKS: CATEGORIES

• Cybersecurity Risk Management Frameworks.
• Enterprise Risk Management (ERM) Frameworks.
• Risk Assessment Methodologies.
• General Risk Management Frameworks.

6.13.1 ISO 27005

• International Organization for Standardization (ISO):
  o 27005:2018 - Security Risk Management Guidelines.
  o Systematic approach to Information Security Risk Management (ISRM).
  o Targeted toward CISOs, Chief Risk Officers and Auditors.
  o Risk management must be continual and regularly reviewed.


6.13.1 ISO 27005 FRAMEWORK

ISO 27005 framework (figure): Risk Owner -> Risk Identification (Assets, Threats, Vulnerabilities) -> Risk Analysis (Impacts, Likelihood) -> Risk Formulas (Probability of Event Occurring, Estimation of Impact) -> Risk Treatments

6.13.1 ISO 27005 RISK MANAGEMENT WORKFLOW

(figure)

6.13.2 ISO 27005: CONTEXT ESTABLISHMENT

• The requirements to establish context for information security risk management are defined in Section 7 of ISO 27005.
• Inputs are gathered and evaluated when completing the process of establishing context.
• The process of establishing context identifies the conditions and boundaries of a risk assessment.
• The output includes the scope and boundaries of the risk assessment, and identification of details of the organization's assets on which the risk assessment will be performed.
6 .13
• Input: .2assessment
Risk ISO 27 0 05 : R ISK
criteria ASSESSM
consisting ENT and
of the scope
boundaries.
• Action: Risks should be identified, quantified or qualitatively
described and prioritized against the risk evaluation criteria
and objectives relevant to the organization.
• Implementation Guidance: risk assessments quantitatively
or qualitatively describe the risk and enables treatment
prioritization.
• Workflow: Risk assessments consist of the following
activities:
o Risk identification.
o Risk analysis.
o Risk evaluation.
• Output: List of identified risks prioritized according to the
Domain 1: Governance and Risk
6.13.3 ISO 27005: WORKFLOW

• Risk assessment in ISO 27005 is a sequence of activities that help an organization identify risks and determine their potential impact. Each step builds upon the previous one to produce the prioritized list of risks that affect the organization.

Figure: ISO 27005 Risk Assessment Workflow. Risk Identification (identification of assets, threats, existing controls, vulnerabilities, and consequences) → Risk Analysis (assessment of consequences, incident likelihood, and level of risk determination) → Risk Evaluation (develop a prioritized list of risks by relevance of information security properties and business impact).

6.13.3 ISO 27005: RISK IDENTIFICATION

• Risk identification determines what could happen to cause a potential loss, and helps gain insight into how, where, and why the loss may happen.
• Identification evaluates assets, threats, existing controls, vulnerabilities, and consequences to create a list of scenarios that have consequences mapped to assets and business processes.

6.13.3 ISO 27005: RISK ANALYSIS

Risk analysis produces a list of risks with their value levels assigned by taking output from the risk identification as input for the following three assessments:
1. Assessment of consequences: Assets identified during the risk assessment process are valued.
2. Assessment of incident likelihood: Potential of occurrence and frequency of events.
3. Level of risk determination: Output from the first two steps allows an organization to assign values that communicate the results of a risk assessment.

6.13.3 ISO 27005: RISK SCORE TABLE

The following table provides a sample of a risk scale from 0–8 by mapping likelihood to business impact in order to generate the risk score:

Generic Level of Risk Determination Chart
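The chart itself is an image on this slide, so the following is an added example (my code, not the course's or ISO's) that makes the 0–8 scale concrete in Python: a five-level likelihood axis and a five-level business-impact axis whose index sum yields exactly the 0–8 range described above (the same shape as the illustrative matrix in the ISO 27005 annex, but reconstructed here rather than copied from the slide), followed by the risk evaluation step of 6.13.3: scores are compared with acceptance criteria and the risks are returned as a prioritized list. The level names, the acceptance thresholds, and the sample risks are assumptions made for illustration.

```python
"""Qualitative risk scoring on a 0-8 likelihood x business-impact scale.

Added example, not course material. The matrix is a reconstruction: five levels
per axis, score = likelihood index + impact index. Thresholds and sample risks
are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = ("Very Low", "Low", "Medium", "High", "Very High")


def level_index(level: str) -> int:
    """Position of a qualitative level on its axis (0..4); rejects unknown labels."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def risk_score(likelihood: str, impact: str) -> int:
    """Level-of-risk determination: likelihood index + impact index, giving 0..8."""
    return level_index(likelihood) + level_index(impact)


def score_matrix() -> list:
    """Rows are business impact (Very Low..Very High), columns are likelihood."""
    return [[risk_score(lik, imp) for lik in LEVELS] for imp in LEVELS]


# Risk acceptance criteria (constructed): the score the organization tolerates.
ACCEPT_MAX = 2   # 0-2: accept and record
TREAT_MAX = 5    # 3-5: plan treatment; 6-8: treat immediately


def evaluate(score: int) -> str:
    """Risk evaluation: compare a score with the acceptance criteria."""
    if not 0 <= score <= 8:
        raise ValueError("score must be within the 0-8 scale")
    if score <= ACCEPT_MAX:
        return "accept"
    if score <= TREAT_MAX:
        return "treat"
    return "treat immediately"


@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def decision(self) -> str:
        return evaluate(self.score)


def prioritized(risks: list) -> list:
    """Output of risk evaluation: highest score first, asset name as tie-breaker."""
    return sorted(risks, key=lambda r: (-r.score, r.asset))


# Constructed sample risks, as recorded after risk identification.
SAMPLE_RISKS = [
    Risk("Public website", "DDoS causes outage", "High", "Medium"),
    Risk("Customer database", "Ransomware encrypts records", "Medium", "Very High"),
    Risk("Break-room printer", "Toner cartridge theft", "Low", "Very Low"),
    Risk("Laptop fleet", "Unencrypted laptop lost", "High", "High"),
]

if __name__ == "__main__":
    print("impact \\ likelihood:", " ".join(f"{lvl[:2]:>3}" for lvl in LEVELS))
    for label, row in zip(LEVELS, score_matrix()):
        print(f"{label:>9}:", " ".join(f"{v:3d}" for v in row))
    for r in prioritized(SAMPLE_RISKS):
        print(f"{r.score}  {r.decision:<18} {r.asset}: {r.scenario}")
```

Because the score is an index sum, two very different risks can share a score (a Medium-likelihood, Very High-impact event and a High/High one both score 6); the tie-breaker and the CIA considerations from risk evaluation are what separate them in the final list.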


6.13.3 ISO 27005: RISK EVALUATION

• Risk evaluation combines the list of risks with:
  o Value levels assigned from the risk analysis phase.
  o The risk evaluation criteria from the context establishment phase.
  o The risk acceptance criteria defined by the organization.
• This produces a prioritized list of risks with two important considerations:
  o Information security properties (CIA).
  o The importance of the business process or activity supported by a particular asset or set of assets.



6.13.4 ISO 27005: RISK TREATMENT

The prioritized set of risks produced during the risk assessment supports decisions for the risk treatment plan. The plan is developed as part of the risk management workflow in ISO 27005. The goal of risk treatment is to manage unacceptable risks within the organization.
  o Review prioritized list from the risk assessment.
  o Verify that the risk assessment results are valid.
  o Develop recommendations for risk treatment.



6.13.5 ISO 27005: RISK ACCEPTANCE

• Occurs after risk treatment is applied.
• Residual risk drives risk acceptance.
• Control effectiveness influences risk acceptance.
• Risk acceptance is a formal process requiring recording.



6.13.6 ISO 27005: RISK FEEDBACK

Figure: feedback loop between Risk Communication & Consultation and Risk Monitoring & Review.
• Assess and review the risk management program and processes to achieve continuous improvement.
• Monitor the risks and initiate reassessment when risks change.



6.13.7 ISO 27005: RISK COMMUNICATION AND CONSULTATION

• Communication is important throughout the risk management process.
• This communication includes:
  o Outcomes of assessments.
  o Status reports.
  o Assessment issues.
  o General concerns.
• A risk communication plan should include insight about the evolving nature of the risks influencing the risk treatment strategy.

6.13.8 ISO 27005: RISK MONITORING AND REVIEW

Risk management feedback loop:
• Monitor risk
• Review risk



6.13.9 ISO 27005: RISK MONITORING

Organizations should ensure the following are continually monitored:
• New assets that have been included in the risk management scope.
• Modification of asset values.
• New threats to the organization that have not been assessed.
• Possible new or increased vulnerabilities that could allow threats to exploit those vulnerabilities.
• Old vulnerabilities that could be exposed to new or reemerging threats.
• Increased consequence with assessed threats.

6.13.10 RISK COMMUNICATIONS

• Provide assurance of outcome.
• Collect risk information.
• Share assessment results.
• Avoid or reduce occurrence of breach.
• Support decision making.
• Obtain new security knowledge.
• Coordinate response plans.
• Shareholder responsibility.
• Improve awareness.

6.14 NIST SP 800-37: RISK MANAGEMENT FRAMEWORK (RMF)

6.14 NIST SP 800-37: OVERVIEW

National Institute of Standards and Technology (NIST) – Special Publication (SP) 800-37 R2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle:
  o Life cycle for risk management.
  o Ties a number of NIST risk and security publications together to manage risk:
     800-53 (Security and Privacy Controls for Information Systems and Organizations)
     800-30 (Guide for Conducting Risk Assessments)
     800-39 (Managing Information Security Risk)
  o Applicable to any industry.

6.14 NIST RISK MANAGEMENT FRAMEWORK (RMF)

Figure: NIST Risk Management Framework (RMF). Six steps around the Risk Management Framework cycle: Step 1: Categorize Information System; Step 2: Select Security Controls; Step 3: Implement Security Controls; Step 4: Assess Security Controls; Step 5: Authorize Information Systems; Step 6: Monitor Security Controls. Supporting publications shown: 800-60 (IS Mapping), 800-53 (Control Catalog), 800-18 (Security Plans), 800-70 (Security Checklist), 800-53A (Assessing), 800-137 (Monitoring). Inputs: Architecture Description (Reference Models, Solution Architectures, Business Processes, Information System Boundaries) and Organizational Inputs (Laws, Directives, Policies, Goals & Objectives, Resources, Supply Chain).



6.14.1 TO 6.14.6 NIST SP 800-37: PROCESS OVERVIEW

• 6.14.1 - Step 1: Categorize the Information System – identifies the security rating of the system, process, or service.
• 6.14.2 - Step 2: Select Security Controls – identifies appropriate controls on the basis of the security rating defined in the categorization step.
• 6.14.3 - Step 3: Implement Security Controls – defines the process for applying controls to the system. It provides a holistic approach to information security and risk management.
• 6.14.4 - Step 4: Assess the Information System – evaluates the effectiveness of controls applied to the environment.
• 6.14.5 - Step 5: Authorize the Information System – creates a list of weaknesses and the proposed remediation plan to create a Plan of Actions and Milestones (POAM).
• 6.14.6 - Step 6: Monitor Security Controls – provides ongoing
6.15 NIST RISK MANAGEMENT & ASSESSMENT

• NIST SP 800-37 – Risk Management Framework (RMF)
• NIST SP 800-30 – Guide for Conducting Risk Assessments
• NIST SP 800-39 – Managing Information Security Risk



6.16 NIST SP 800-37: MANAGEMENT HIERARCHY

• Frame: Establish the context of risk by describing the environment and constraints of risk decisions.
• Assess: Expose threats and vulnerabilities.
• Respond: Risk treatment.
• Monitor: Continuous

Figure: NIST Risk Management Hierarchy
6.17 NIST SP 800-37: RISK ASSESSMENT PROCESS

Figure: Risk Assessment Process

6.18 OTHER RISK FRAMEWORKS

6.18 OTHER RISK FRAMEWORKS

• ISO and NIST are the most common risk frameworks; however, others exist:
  o COBIT 5
  o FAIR
  o ITIL Risk Model
  o OCTAVE
  o TARA
  o The Risk IT Framework
• Not all frameworks can be covered in this course.
6.18.1 COBIT RISK MANAGEMENT

• Control Objectives for Information and Related Technology (COBIT 5).
• Published by ISACA.
• Not specifically designed for risk management; however:
  o COBIT does offer two perspectives on risk management.

Figure: COBIT 5 for Risk, two perspectives. Perspective 1, Risk Function: build a risk management function using COBIT enablers. Perspective 2, Risk Management: define core risk governance and risk management processes using COBIT enablers. Enablers shown: Principles, Policies, and Frameworks; Processes; Organizational Structures; Culture, Ethics & Behavior; Information; Services, Infrastructure, and Applications; People, Skills, and Competencies. Source: ISACA, COBIT 5 for Risk
6.18.2 COSO ENTERPRISE RISK MANAGEMENT INTEGRATED FRAMEWORK

• Enterprise Risk Management Integrated Framework.
• Published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
• Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language.

Figure: COSO ERM framework (Entity Objectives, Components of ERM, Business Emphasis & Application). Source: Treadway Commission
6.18.3 INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY (ITIL)

• Information Technology Infrastructure Library (ITIL):
  o Owned by Axelos, a joint venture of Capita and the UK Cabinet Office.
  o Risk Management is not an officially defined process.
  o ITIL Risk Management is the process of identifying, assessing, and prioritizing potential business risks.
  o Risk Management, in ITIL, is an integral part of the Service Management Lifecycle.
• ITIL Risk Definition: “A possible event that could cause harm or loss or affect the ability to achieve objectives.”

Figure: ITIL Risk Management Model
6.18.4 FACTOR ANALYSIS OF INFORMATION RISK (FAIR)

• Factor Analysis of Information Risk (FAIR):
  o Published by FAIR Institute.
  o Quantitative approach.
  o Considered a model.
• Value at Risk (VaR) framework for cybersecurity and operational risk.
• International standard.
• A standard taxonomy (classification) and ontology (relationship model) for information and operational risk.
• Modeling construct for analyzing complex risk scenarios.

Figure: FAIR Model. Risk decomposes into Loss Event Frequency (Threat Event Frequency, Vulnerability) and Loss Magnitude (Primary Loss, Secondary Risk). Source: FAIR Institute, FAIR Model
6.18.5 OPERATIONALLY CRITICAL THREAT, ASSET, AND VULNERABILITY EVALUATION (OCTAVE)

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE):
  o Developed by Carnegie Mellon University CERT Coordination Center.
  o Asset centric and lean risk assessment.
• Standardized approach to a risk-driven and practice-based information security evaluation.
• Four phase, eight step

Source: Carnegie Mellon University
6.18.6 THREAT ASSESSMENT AND REMEDIATION ANALYSIS (TARA)

• Threat Assessment and Remediation Analysis (TARA):
  o Published by MITRE Corporation.
  o Catalog of attack vector and countermeasure data.
  o Like the Microsoft STRIDE threat modeling system.
• Engineering methodology to identify, prioritize, and respond to cyber threats through the application of countermeasures.

Source: TARA Methodology
6.18.7 THE RISK IT FRAMEWORK

• The Risk IT Framework:
  o Published by ISACA.
  o Complements COBIT 5.
• Designed for COBIT clients to implement a risk management program.
• Treats IT risk as a business risk.

Note: Missing in BOK.

Source: ISACA, The Risk IT Framework
6.19 RISK MANAGEMENT POLICIES AND PROCESSES

6.19 RISK MANAGEMENT POLICIES AND PROCEDURES

• In order to have a consistent and repeatable risk management program, documentation is essential to an effective program:
  o Policies.
  o Procedures.
  o Processes.
• Unique aspects of risk management policies:
  o Risk appetite.
  o Risk tolerance.
  o Risk ownership.
  o Risk algorithms.
  o Risk model.
6.20 RISK MANAGEMENT LIFECYCLE

• Effective risk management includes an articulated lifecycle.
• Ensures risk is managed in a continuous and methodical manner.
• Closed loop lifecycle.

Risk Management Lifecycle. (By Tari Schreider, licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License)
6.20 RISK MANAGEMENT LIFECYCLE

• Risk assessment
  o Quantitative
  o Qualitative
  o Hybrid
• Risk registry
• Risk treatment
• Risk acceptance
• Risk monitoring
• Risk reporting



6.21 RISK MANAGEMENT PROGRAM IMPLEMENTATION USE CASE

Figure: ISO 27005 example of program implementation, five steps: 1. Identification of Assets; 2. Identification of Threats; 3. Identification of Existing Controls; 4. Identification of Vulnerabilities; 5. Identification of Consequences.



6.21 STEP 1: IDENTIFICATION OF ASSETS

• Attack surface:
  o Assets – anything of value.
• Asset inventory:
  o Defines scope of risk management program.
• Asset owners = risk owners.
• Shadow IT assets.



6.21 STEP 1: IDENTIFICATION OF ASSETS

• Hackers look at organizations as something that can be exploited, an attack surface.
• Assets can be tangible and intangible.
• You can’t protect what you can’t see.

Attack Surface Model™. (By Tari Schreider, licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License)
6.21 STEP 2: IDENTIFICATION OF THREATS

• Threats need to be vetted.
• Threat sources are registered in the risk register.
• You can’t protect what you can’t see.
• Supply chain represents threats.
• Discussed further in Domain 3.

Source: ISO 27005 Annex C - Examples of Typical Threats
Key: A = Accidental – D = Deliberate – E = Environmental
6.21 STEP 3: IDENTIFICATION OF EXISTING CONTROLS

• Take stock of existing controls to understand how they provide current levels of protection.
  o Controls are generally buried in policies, procedures, standards, etc.
• Eliminate duplicate controls.
• Create a controls inventory, link with risk register.
• Covered further in Domain 2.



6.21 STEP 4: IDENTIFICATION OF VULNERABILITIES

• Vulnerabilities are weaknesses in an attack surface.
• Vulnerabilities represent exploit potential.
• Vulnerability database integrates with risk register.
• Discussed further in Domain 3.

Source: ISO 27005 Annex D - Examples of Vulnerabilities
6.21 STEP 5: IDENTIFICATION OF CONSEQUENCES

• Determine adverse outcomes related to loss of:
  o Confidentiality.
  o Integrity.
  o Availability.
• Categorize consequences:
  o Financial loss.
  o Personnel impact.
  o Opportunity loss.
  o Reputation loss.
  o Goodwill loss.

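The five identification steps of this use case (6.21, steps 1 to 5) describe the data a risk register has to link together. As an added example that is not part of the course material, the Python below builds such a register: an asset inventory that records owners (asset owners are risk owners), vetted threats tagged with the Annex C origin key (A/D/E), a controls inventory that collapses the same control found in several policy documents and is linked into the register, vulnerabilities, and consequences categorized by the security property lost. Every inventory entry, control name, and control-to-threat mapping is constructed for illustration; an asset that appears in a vulnerability but not in the inventory is reported as a shadow IT finding rather than silently scored.

```python
"""Risk identification register: assets, threats, existing controls, vulnerabilities
and consequences linked together (the five ISO 27005 identification steps).

Added example, not course material. Every inventory entry, control name and
control-to-threat mapping below is constructed for illustration.
"""

# Step 1: asset inventory. The owner is recorded because asset owners are risk owners.
ASSETS = {
    "CRM-DB": {"owner": "Head of Sales"},
    "WEB-01": {"owner": "Marketing Director"},
}

# Step 2: vetted threats. Origin uses the ISO 27005 Annex C key:
# A = Accidental, D = Deliberate, E = Environmental.
THREATS = {
    "T1": {"name": "Ransomware", "origin": "D", "targets": {"CRM-DB", "WEB-01"}},
    "T2": {"name": "Flooding of server room", "origin": "E", "targets": {"CRM-DB"}},
    "T3": {"name": "Misconfiguration by administrator", "origin": "A", "targets": {"WEB-01"}},
}

# Step 3: controls as harvested from policies, standards and procedures, with the
# threats each one addresses. The same control often appears in several documents.
RAW_CONTROLS = [
    ("Backup Policy", "Nightly offline backups", {"T1"}),
    ("DR Standard", "nightly  offline backups", {"T1"}),   # duplicate of the entry above
    ("Access Standard", "MFA for administrators", set()),
    ("Change Procedure", "Peer review of configuration changes", {"T3"}),
]

# Step 4: vulnerabilities: a weakness on one asset that one vetted threat can exploit.
VULNERABILITIES = [
    ("V1", "Backups never restore-tested", "CRM-DB", "T1"),
    ("V2", "No water sensors in server room", "CRM-DB", "T2"),
    ("V3", "Change review not enforced", "WEB-01", "T3"),
]

# Step 5: consequences, categorized by the security property lost and the business effect.
CONSEQUENCES = {
    "T1": {"property": "Availability", "category": "Financial loss"},
    "T2": {"property": "Availability", "category": "Opportunity loss"},
    "T3": {"property": "Integrity", "category": "Reputation loss"},
}


def dedupe_controls(raw):
    """Controls inventory keyed by normalized name; duplicates keep every source document."""
    inventory = {}
    for source, name, covers in raw:
        key = " ".join(name.lower().split())
        entry = inventory.setdefault(key, {"name": name, "sources": [], "covers": set()})
        entry["sources"].append(source)
        entry["covers"] |= covers
    return inventory


def build_register(assets=ASSETS, threats=THREATS, raw_controls=RAW_CONTROLS,
                   vulns=VULNERABILITIES, consequences=CONSEQUENCES):
    """One register entry per vulnerability, linked to owner, threat, controls and consequence."""
    controls = dedupe_controls(raw_controls)
    register = []
    for vid, weakness, asset, tid in vulns:
        if asset not in assets:
            # Out of inventory means out of scope: surface it as a shadow IT finding.
            raise KeyError(f"{asset} is not in the asset inventory (shadow IT?)")
        threat = threats[tid]
        if asset not in threat["targets"]:
            raise ValueError(f"{tid} has not been vetted against {asset}")
        register.append({
            "id": vid,
            "asset": asset,
            "risk_owner": assets[asset]["owner"],
            "threat": threat["name"],
            "origin": threat["origin"],
            "vulnerability": weakness,
            "existing_controls": sorted(c["name"] for c in controls.values() if tid in c["covers"]),
            "consequence": consequences[tid],
        })
    return register


def uncontrolled(register):
    """Entries with no existing control: the first candidates for risk treatment."""
    return [e["id"] for e in register if not e["existing_controls"]]


if __name__ == "__main__":
    reg = build_register()
    for e in reg:
        print(f"{e['id']} {e['asset']:<7} [{e['origin']}] {e['threat']}: {e['vulnerability']}")
        print(f"   owner={e['risk_owner']} controls={e['existing_controls']} "
              f"loss={e['consequence']['property']}/{e['consequence']['category']}")
    print("needs treatment first:", uncontrolled(reg))
```

The register deliberately stops at identification: it carries no score. Likelihood and impact are assigned in the analysis phase, and keeping the two separate is what lets the controls inventory and the vulnerability database feed the register without each re-deriving the other's data.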


6.22 RISK MANAGEMENT PROGRAM REVIEW

• Risk management programs are messy, never perfect, and fraught with politics and constraints.
• CISOs need a tough outer shell to accept program criticisms.
• Adopt a continuous improvement process to evolve the risk management program.



6.23 CONCLUSION

• Understand organizational risk.
• Risk management, control selection, and continuous assessment are fundamental to protecting organizational assets.
• Risk treatments must be commensurate with the value of the assets at risk.
• Select the proper framework to manage risk.
• The CISO’s primary role is to reduce operational risk.



DOMAIN 1 END

DOMAIN 1 SUMMARY

DOMAIN 1: GENERAL

• This domain is concerned with the identification, reduction, and management of risk to an organization.
• Aligning an information security program to an organization’s business model is crucial to its effectiveness.
• The CISO is the voice of reason that helps an organization balance risk and reward to achieve business goals while minimizing operational risk.
• The CISO must understand the weaknesses of an organization’s technology infrastructure and apply proper risk treatments.
• CISOs must ensure a standardized risk assessment and scoring methodology is used.
DOMAIN 1: BUSINESS DRIVERS

• Information security programs are heavily influenced by business drivers.
• A business driver is a condition, process, requirement, or other concern that influences the way in which an organization directs or manages activities.
• Key business drivers include organizational structure, industry, and overall maturity.
• IS programs find it difficult to evolve significantly past the maturity of the organization they protect.
• IS programs need to achieve at least a maturity level of 3 before real improvements can be made.
DOMAIN 1: INFORMATION SECURITY DRIVERS

• Information security drivers are like business drivers because of their effect on the management and operation of all levels of the IS program.
• CISOs must understand the business drivers in order to identify corresponding security drivers.
• Whom a CISO reports to can be a significant driver to an IS program.
• Compliance requirements shape the focus and investment in IS programs.



DOMAIN 1: POLICIES

• Developing information security policies is one of the first steps in developing an IS program.
• CISOs will benefit from leveraging a policy framework.
• Policies should be tailored to the audience with content appropriate to their roles and responsibilities.
• Many regulations require the development, dissemination, and acknowledgement of IS policies.
• The process of writing a security policy can be difficult, time consuming, and expensive.
• A security policy must be supported by the organization’s senior management team to be successful.
DOMAIN 1: ETHICS

• Ethics defines the moral principles that govern the behavior of a person or group.
• Appropriate and ethical behavior is crucial for the activities the CISO conducts or directs within an organization.
• Follow the “would my parents be proud of me” rule when faced with making an ethical-based decision.
• EC-Council Code of Ethics codifies the expectations for ethical behavior by C|CISO certification holders.



DOMAIN 1: RISK MANAGEMENT

• Risk management is the identification, assessment, and prioritization of risks.
• Risk is a product of the impact that threats can have on vulnerabilities in the IT infrastructure.
• CISOs will need to identify their organization’s risk appetite and risk tolerance.
• The two most widely used risk standards are ISO 27005 and NIST SP 800-37.
• CISOs should assess their current risk program following the Risk Essentials Framework.
• CISOs do not own risk; asset owners own risk.



DOMAIN 1: RISK MANAGEMENT - CONTINUED

• Quantitative risk assessments are based on numerical equations.
• Qualitative risk assessments use ranges or categories.
• Hybrid risk assessments are generally used.
• CISOs need to understand the difference between inherent and treated risk.
• No risk can be zero.
• Residual risk is what is left after the application of risk treatment.



DOMAIN 1: RISK TREATMENT

• Once risk is identified it must be treated:
  o Risk modification or mitigation
  o Risk retention or acceptance
  o Risk sharing or transfer (insurance)
  o Risk avoidance or elimination
• Risk treatments are driven by constraints, typically cost, time, and effort.



DOMAIN 1: CALCULATION FORMULAS

• Risk calculations have common aspects to scoring and ranking risk:
  o Asset Value (AV): The value you have determined an asset to be worth.
  o Exposure Factor (EF): The estimated percentage of damage or impact that a realized threat would have on the asset.
  o Single Loss Expectancy (SLE): The projected loss of a single event on an asset.
  o Annual Rate of Occurrence (ARO): Estimated number of times annually the threat would occur.
  o Annualized Loss Expectancy (ALE): Projected loss to the asset based on an annual estimate.
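As an added example (not the course's own worked example), the terms above carried through in Python on constructed figures: SLE = AV × EF and ALE = SLE × ARO, plus one step the summary does not spell out, the net annual value of a proposed control (ALE before treatment, minus ALE after, minus the control's yearly cost), which is how these numbers are used to judge whether a treatment is commensurate with the asset at risk. The asset value, exposure factors, ARO, and control cost are assumptions; EF is handled as a fraction of asset value (0 to 1), and ARO may be below 1 for events expected less than once a year.

```python
"""Quantitative risk calculation: SLE = AV x EF, ALE = SLE x ARO, and the net
annual value of a proposed control.

Added example, not course material. Asset value, exposure factors, occurrence
rate and control cost are constructed figures.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: projected loss from one occurrence. EF is a fraction of asset value, 0..1."""
    if asset_value < 0 or not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("asset value must be >= 0 and exposure factor within 0..1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: projected loss per year. ARO may be below 1 (0.1 = once every ten years)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be >= 0")
    return sle * aro


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a treatment: ALE reduction minus the control's yearly cost.
    A negative result means the control costs more than the risk it removes."""
    return before.ale - after.ale - annual_control_cost


# Constructed: a customer database valued at 200,000; ransomware is expected to
# destroy 25% of that value, and to occur once every two years (ARO 0.5).
UNTREATED = Scenario("Ransomware on customer DB", 200_000, 0.25, 0.5)
# Same scenario after deploying tested offline backups: exposure drops to 5% of value.
TREATED = Scenario("Ransomware on customer DB (with backups)", 200_000, 0.05, 0.5)
BACKUP_COST_PER_YEAR = 12_000

if __name__ == "__main__":
    print(f"SLE untreated: {UNTREATED.sle:,.0f}   ALE untreated: {UNTREATED.ale:,.0f}")
    print(f"SLE treated:   {TREATED.sle:,.0f}   ALE treated:   {TREATED.ale:,.0f}")
    print(f"Net annual value of backups: "
          f"{control_value(UNTREATED, TREATED, BACKUP_COST_PER_YEAR):,.0f}")
```

With these figures the untreated ALE is 25,000, the treated ALE is 5,000, and a 12,000-per-year backup control nets 8,000 a year; raise the control cost above the 20,000 ALE reduction and the value goes negative, which is the quantitative form of the slide's rule that treatments must be commensurate with the assets at risk.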
DOMAIN 1: RISK MANAGEMENT FRAMEWORKS

• The CISO should select the risk management framework or approach that best supports the organization.
• Numerous frameworks exist to guide the processes of identifying, treating, and monitoring information security risks in an organization:
  o Cybersecurity Risk Management Frameworks.
  o Enterprise Risk Management (ERM) Frameworks.
  o Risk Assessment Methodologies.
  o General Risk Management Frameworks.
DOMAIN 1: RISK MANAGEMENT FRAMEWORKS - CONTINUED

• The most widely used risk frameworks include:
  o ISO/IEC 27005.
  o NIST SP 800-37.
  o Factor Analysis of Information Risk (FAIR).
• Second tier risk frameworks include:
  o COSO ERM Integrated Framework.
  o Threat Assessment and Remediation Analysis (TARA).
  o ISACA Risk IT Framework.



DOMAIN 1: RISK MANAGEMENT PROGRAM IMPLEMENTATION

• Example risk program implementation (ISO/IEC 27005):
  1. Identification of assets.
  2. Identification of threats.
  3. Identification of existing controls.
  4. Identification of vulnerabilities.
  5. Identification of consequences.



DOMAIN 1: RISK MANAGEMENT LIFECYCLE

• Effective risk management includes an articulated lifecycle:
  1. Risk assessment.
  2. Risk registry.
  3. Risk treatment.
  4. Risk acceptance.
  5. Risk monitoring.
  6. Risk reporting.



DOMAIN 1 PRACTICE QUESTIONS

PRACTICE QUESTIONS

1. An organization recently implemented a risk management program to measure the risk of IT projects. Which of the following cases would this organization be MORE willing to accept vs. mitigate risk?
   A. The organization uses a quantitative process to measure risk.
   B. The organization uses a qualitative process to measure risk.
   C. The organization’s risk tolerance is high.
   D. The organization’s risk tolerance is low.

2. An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System (ISMS). Which of the following international standards can BEST assist this organization?
   A. Payment Card Industry Data Security Standards (PCI-DSS).
   B. Control Objectives for Information Technology (COBIT).
   C. International Organization for Standardizations (ISO) – 27004.
   D. International Organization for Standardizations (ISO) – 27005.

3. A global healthcare company is concerned about protecting confidential information. Which of the following is of MOST concern to this organization?
   A. Compliance to Payment Card Industry (PCI) Data Security Standard.
   B. Compliance to privacy laws and regulations for each country where they operate.
   C. Conformance to local employment laws for each country where they operate.
   D. Alignment to International

4. A retail company is working on defining a compliance management process. Which of the following are MOST likely to be included?
   A. Payment Card Industry Data Security Standards (PCI-DSS).
   B. Information Technology Infrastructure Library (ITIL).
   C. International Organization for Standardization (ISO) standards.
   D. National Institute for Standards and Technology (NIST) standards.

5. An organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all its business units. Which of the following standards and guidelines can BEST address this organization’s need?
   A. International Organization for Standardizations – 27005 (ISO-27005).
   B. International Organization for Standardizations – 22301 (ISO-22301).
   C. Information Technology Infrastructure Library (ITIL).
   D. Payment Card Industry Data Security Standards (PCI-DSS).
