ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide - Shobhit Mehta - E-Book

Shobhit Mehta
Description

For beginners and experienced IT risk professionals alike, acing the ISACA CRISC exam is no mean feat, and the application of this advanced skillset in your daily work poses a challenge. The ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is a comprehensive guide to CRISC certification and beyond that’ll help you to approach these daunting challenges with its step-by-step coverage of all aspects of the exam content and develop a highly sought-after skillset in the process.
This book is divided into six sections, with each section equipped with everything you need to get to grips with the domains covered in the exam. There’ll be no surprises on exam day – from GRC to ethical risk management, third-party security concerns to the ins and outs of control design, and IDS/IPS to the SDLC, no stone is left unturned in this book’s systematic design covering all the topics so that you can sit for the exam with confidence. What’s more, there are chapter-end self-assessment questions for you to test all that you’ve learned, as well as two book-end practice quizzes to really give you a leg up.
By the end of this CRISC exam study guide, you’ll not just have what it takes to breeze through the certification process, but will also be equipped with an invaluable resource to accompany you on your career path.

The e-book can be read in the Legimi apps or in any app that supports the following format:

EPUB

Page count: 441

Year of publication: 2023




ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

A primer on GRC and an exam guide for the most recent and rigorous IT risk certification

Shobhit Mehta

BIRMINGHAM—MUMBAI

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Senior Editor: Shruti Menon

Technical Editor: Irfa Ansari

Copy Editor: Safis Editing

Project Manager: Prajakta Naik

Proofreader: Safis Editing

Indexer: Hemangini Bari

Production Designer: Vijay Kamble

Marketing Coordinator: Marylou De Mello

First published: August 2023

Production reference: 1100823

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK.

ISBN 978-1-80323-690-2

www.packtpub.com

To my father, Madan, my mother, Asha, and my brother, Pinkesh, for prioritizing my education above everything else and instilling the value of discipline in me at an early age.

To my dearest wife, Dimple, for being a constant source of inspiration and my guiding light since the day I met her, and our four-legged companion, Audrey, for staying by my side on those late-night writing sprees.

Foreword

In my role as a security leader for the last five years, my top priority has been to protect my organization from cyber threats and attacks. To do this, I need to present cyber threats as key business risks to senior management and the board in a simple and effective way. Hence, it is essential to understand cyber risks and learn the art of communicating the risks that could manifest to get funding and support for the cybersecurity program.

Unfortunately, cyber risk management is underrepresented in the cybersecurity community. If you read about cybersecurity on Medium and other blogging platforms, you will find very detailed and helpful articles on the technical side of the field. On the other hand, there are very few blogs of the same caliber on Governance, Risk, and Compliance (GRC) and risk management. As a result, few professionals aspire to work in this domain. Shobhit aims to help simplify this field with this book. It serves as a comprehensive guide to both the principles and practicalities of GRC and the Certified in Risk and Information Systems Control (CRISC) certification.

I have been a regular reader of his blog GRC Musings for a long time (one of the only blogs to come under the category I mentioned before) and he brings the same clarity and thought to this book. He has distilled his learnings to help security practitioners better understand risk management and enable them to better support their organizations and upskill themselves by explaining how one can study and prepare for the CRISC certification. These topics will be especially important for aspiring GRC and risk management professionals, helping them to become well-rounded practitioners.

For anyone who wishes to be an authority on risk management, CRISC is a must. While there is ISACA’s reference manual, this book fills the gap by making the subject interesting and engaging. Shobhit simplifies the jargon and helps readers understand risk management with relevant examples.

While in my first CISO role, I overheard a senior CXO equate cybersecurity to rocket science. He advised his peers to leave it to the subject matter experts. Cybersecurity today is a business risk, and to get the required support, we need to abstract the technical details and communicate why we need it. CISOs have to focus on understanding the business and the associated risks. They have to identify the potential threats and threat actors and understand the regulatory and legal landscape. Most of this comes under the GRC side of a security program. Having an effective GRC department, regardless of size, will help a CISO hit the ground running.

I would recommend this book to both aspiring GRC and risk management professionals. This will help them get a well-rounded overview of the entire GRC and risk management area. For those on the technical side, the book is a good introduction to risk management. It will help them develop as versatile security professionals and future cyber leaders.

Besides his expertise in cybersecurity, Shobhit is also an avid long-distance runner. He brings the same discipline to this book as in running – it is well-researched, meticulous, and an engrossing read. For those who love running to be fit, it is always enjoyable to go on a long run despite the pain and hard work. Shobhit’s book provides a similar experience that will enrich your cybersecurity knowledge and help you grow in your career.

I am sure this book will help you in demystifying cybersecurity for management and the board while earning an important certification milestone in your cybersecurity career. Happy reading!

Vikas Yadav

CISO, Flipkart

Contributors

About the author

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments.

He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal.

He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, blog on GRCMusings, and present at industry conferences.

I want to thank Satish Joshi and Fahad Burney, who were patient with me for four years and taught me the importance of continuous learning and attention to detail.

I also want to thank Danielle Currier and Walid Sleiman, who believed in me more than I believed in myself.

I am grateful to have met and worked for Puneet Thapliyal and Ken Stineman. Without their constant support and appreciation, this book would not have seen the light of day.

Lastly, it goes without saying that I’m extremely grateful to the professional team at Packt, including Neha, Khushboo, Shagun, Nihar, Shruti, Prajakta, Prachi, Neil, and many others, without whom I wouldn’t have dared to start this book.

About the reviewer

Senjoy Joseph Panavelil is currently a Manager in the technology assurance audit practice with extensive experience in leading integrated financial statement audits and SOC 1/2 attestation engagements, performing gap analysis and SWIFT and FedLine assessments, and providing strategic recommendations for financial and banking services, retail markets, and technology industries. With a Master of Science graduate degree in information systems from the University of Florida, Senjoy is recognized for his expertise in identifying and mitigating IT risks for numerous clients, as well as his dynamic leadership skills and his ability to build trusted relationships. He enjoys using his analytical skills to work through challenging situations and come up with creative solutions.

Table of Contents

Preface

Part 1: Governance, Risk, and Compliance and CRISC

1

Governance, Risk, and Compliance

Governance, risk, and compliance

What is GRC?

Simplified relationship between GRC components

Key ingredients of a successful GRC program

GRC for cybersecurity professionals

Cybersecurity and information assurance

Importance of GRC for cybersecurity professionals

Implementing GRC using COBIT

COBIT and ITIL

A primer on cybersecurity domains and the NIST CSF

Importance of IT risk management

Summary

2

CRISC Practice Areas and the ISACA Mindset

CRISC exam outline

CRISC job practice areas

CRISC exam structure

CRISC certification requirements

The ISACA mindset

Additional material

Summary

Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management

3

Organizational Governance, Policies, and Risk Management

IT governance and risk

Key risk terminologies

The role of risk practitioners in IT governance

IT risk management

IT risk strategy

Risk management and business objectives

Organizational structure

RACI

Organizational culture

Policy documentation

Essential policies

Exception management

Organizational asset

Asset valuation

Summary

Review questions

Answers

4

The Three Lines of Defense and Cybersecurity

The 3LoD model

Responsibilities of 3LoD

3LoD and cybersecurity

Critical concepts for risk assessment and management

The risk profile

Risk appetite, tolerance, and capacity

Risk tolerance versus risk capacity

Risk appetite and business objectives

Risk acceptance

Summary

Review questions

Answers

5

Legal Requirements and the Ethics of Risk Management

Major laws for IT risk management

Ethics and risk management

Relationship between ethics and culture

How do ethics affect IT risk?

ISACA Code of Professional Ethics

Summary

Review questions

Answer

Part 3: IT Risk Assessment, Threat Management, and Risk Analysis

6

Risk Management Life Cycle

Comparing risk and IT risk

IT risk management life cycle

Requirements of risk assessment

Issues, events, incidents, and breaches

Correlating events and incidents

Summary

Review questions

Answers

7

Threat, Vulnerability, and Risk

Threat, vulnerability, and risk

The relationship between threats, vulnerabilities, and risk

Understanding threat modeling

Threat modeling methods

The importance of threat modeling

Vulnerability analysis

Tools for identifying vulnerabilities

Vulnerability management program

Summary

Review questions

Answers

8

Risk Assessment Concepts, Standards, and Frameworks

Risk assessment approaches

Which is the best approach?

Risk assessment methodologies

Risk assessment frameworks

Risk assessment techniques

Importance of a risk register

Summary

Review questions

Answers

9

Business Impact Analysis, and Inherent and Residual Risk

Differentiating between BIA and risk assessment

Key concepts related to BIA

Understanding types of risk

Summary

Review questions

Answers

Part 4: Risk Response, Reporting, Monitoring, and Ownership

10

Risk Response and Control Ownership

Risk response and monitoring

Risk owners and control owners

Risk response strategies

Risk optimization

Summary

Review questions

Answers

11

Third-Party Risk Management

The need for TPRM

Managing third-party risks

Upstream and downstream third parties

Responding to anomalies

Managing issues, findings, and exceptions

Summary

Review questions

Answers

12

Control Design and Implementation

Control categories

The relationship between control categories

Control design and selection

Control implementation

Control implementation techniques

Post-implementation reviews

Control testing and evaluation

Summary

Review questions

Answers

13

Log Aggregation, Risk and Control Monitoring, and Reporting

Log aggregation and analysis

Log sources

Log aggregation

SIEM

Risk and control monitoring

Types of control assessments

Risk and control reporting

Key indicators

Selecting key indicators

Summary

Review questions

Answers

Part 5: Information Technology, Security, and Privacy

14

Enterprise Architecture and Information Technology

Enterprise architecture

The CMM framework

Computer networks

Networking devices

Firewalls

Intrusion detection and prevention systems

The Domain Name System

Wireless networks

Virtual private networks

Cloud computing

Cloud computing service models

Cloud computing deployment models

Security considerations of cloud computing

Summary

Review questions

Answers

15

Enterprise Resiliency and Data Life Cycle Management

Enterprise resiliency

Business continuity and disaster recovery

Relationship between resiliency and the BCP

Recovery objectives

Data classification and labeling

Data life cycle management

Comparing data management and data governance

Summary

Review questions

Answers

16

The System Development Life Cycle and Emerging Technologies

Introducing the SDLC

Phases of the SDLC

Project risk and SDLC risk

System accreditation and certification

Emerging technologies

Bring your own device (BYOD)

Internet of Things

Artificial intelligence

Blockchain

Quantum computing

Summary

Review questions

Answers

17

Information Security and Privacy Principles

Fundamentals of information security

Access management

Encryption

Types of encryption

Hashing

Digital signatures

Certificates

Public key infrastructure

Security awareness training

Principles of data privacy

Comparing data security and data privacy

Summary

Review questions

Answers

Part 6: Practice Quizzes

18

Practice Quiz – Part 1

19

Practice Quiz – Part 2

Index

Other Books You May Enjoy

Preface

Welcome to this comprehensive guide to Certified in Risk and Information Systems Control (CRISC) by ISACA, the globally recognized authority on Information Technology (IT) governance and security. As organizations continue to rely more on technology to achieve their business objectives, it’s becoming increasingly important for IT professionals to have the skills and knowledge necessary to manage risks effectively. The CRISC certification is designed to help IT professionals develop the expertise needed to identify, evaluate, and mitigate risks related to information systems. The certification is highly valued by employers and is considered a prerequisite for many senior-level positions.

In addition to the professional benefits of earning the CRISC certification, certified professionals have demonstrated that they possess the skills and knowledge necessary to manage information system risks effectively. This knowledge and expertise can help them make more informed decisions and improve their job performance. Furthermore, CRISC-certified professionals are in high demand and can expect to earn a higher salary than their non-certified peers. According to a survey conducted by ISACA, CRISC is the #4 top-paying certification worldwide.

This book is designed to help you achieve the CRISC certification and prepare you for the challenges of managing risks within organizations. The book is divided into three sections to provide a complete and thorough understanding of the CRISC certification and its syllabus:

The first section provides a primer on Governance, Risk, and Compliance (GRC), CRISC practice areas, and the ISACA mindset, which is essential for the certification
The second section covers the core content of the CRISC syllabus
The final section includes a practice quiz with detailed explanations

Whether you are a seasoned IT professional or just starting your career in IT, this book will provide you with the necessary tools and knowledge to pass the CRISC certification exam. We hope that this book will help you achieve your professional goals, improve your job performance, and take your career to the next level.

Who this book is for

This book is for professionals who are interested in obtaining the CRISC certification. The book provides a comprehensive guide to the CRISC certification and its syllabus, covering all four domains of the certification. The book is meant for professionals with differing levels of experience, from beginners to advanced practitioners.

This book is particularly relevant to professionals working in the areas of information security, risk management, and governance. It’s also beneficial for individuals who are responsible for managing risks related to information systems, including IT auditors, IT consultants, and IT managers. The CRISC certification requires a minimum of three years of relevant work experience, with at least one year of experience in two or more of the four CRISC domains. Therefore, this book is recommended for professionals with some level of experience in information systems and risk management.

This book is also helpful for professionals seeking to advance their careers in the IT industry. The CRISC certification is highly valued by employers and is considered a prerequisite for many senior-level positions. By earning the CRISC certification, professionals can demonstrate their expertise in managing information system risks and increase their job prospects. It’s a valuable resource that can help you achieve your professional goals, improve your job performance, and take your career to the next level.

What this book covers

Chapter 1, Governance, Risk, and Compliance, provides an introduction to GRC. This chapter includes all the lessons I learned later in my career but should have learned when I started.

Chapter 2, CRISC Practice Areas and the ISACA Mindset, provides a detailed description of the CRISC exam and practice areas. This chapter also includes my experience of attempting CRISC exams and understanding the ISACA mindset from both sides – as a candidate for the exam and also when I write questions for the official ISACA exam.

Chapter 3, Organizational Governance, Policies, and Risk Management, provides an introduction to organizational governance, strategy, structure, and culture. Governance is often confused with management, but the two are distinct. This chapter continues from the lessons of Chapter 1.

Chapter 4, The Three Lines of Defense and Cybersecurity, provides an introduction to the concept of the three lines of defense and more importantly how you could draw the teachings from this model to develop your own cybersecurity program.

Chapter 5, Legal Requirements and the Ethics of Risk Management, provides an overview of major laws and regulations affecting IT risk. We will also learn about the importance of professional ethics in risk management and how it influences organizational culture.

Chapter 6, Risk Management Life Cycle, provides an introduction to the concept of risk, where you will learn how it differs from IT risk; take a deeper dive into the risk management life cycle; understand the requirements of risk assessments; learn the difference between issues, events, incidents, and breaches; and ultimately learn how events and incidents are correlated. We will also learn how to choose different sets of controls (detective/corrective/preventive) to influence the inherent risk and optimize the residual risk.

Chapter 7, Threat, Vulnerability, and Risk, provides an introduction to the concepts of threat, vulnerability, and risk, helping you understand the relationships between each and teaching you about threat modeling and the threat landscape. We will also learn about vulnerability and control analysis, as well as vulnerability sources, and briefly touch on building a vulnerability management program.

Chapter 8, Risk Assessment Concepts, Standards, and Frameworks, builds on the knowledge from Chapter 7. We will learn about maintaining an effective risk register and how we can leverage already available industry risk catalogs to baseline the risk assessment program for an organization.

Chapter 9, Business Impact Analysis, and Inherent and Residual Risk, details the differences between Business Impact Analysis (BIA) and risk assessments. You will learn concepts related to BIA and the differences between inherent and residual risk, and finally, review how BIA can be used for business continuity and disaster recovery planning.

Chapter 10, Risk Response and Control Ownership, introduces the concept of risk response and monitoring and risk and control ownership, and details the risk response strategies – mitigate/accept/transfer/avoid.

Chapter 11, Third-Party Risk Management, introduces the concepts of third-party risk management and how to perform an effective third-party risk evaluation. We will also learn about issues, findings, exceptions, and how to manage them effectively.

Chapter 12, Control Design and Implementation, introduces the different types of controls, standards, frameworks, and methodologies for control design and selection and how to implement them effectively. We will also learn about several control techniques and methods to evaluate them effectively.

Chapter 13, Log Aggregation, Risk and Control Monitoring, and Reporting, provides a summary of the different methods of log sources, aggregation, and analysis. We will also learn about risk and control monitoring and reporting, and how to present them effectively.

Chapter 14, Enterprise Architecture and Information Technology, introduces the concept of enterprise architecture, the Capability Maturity Model, and IT operations, including networking and other technology concepts.

Chapter 15, Enterprise Resiliency and Data Life Cycle Management, provides a deep dive into the concepts of enterprise resiliency while building the foundations of a resilient architecture and data life cycle management.

Chapter 16, The System Development Life Cycle and Emerging Technologies, provides an understanding of the components of the software development life cycle and builds a foundational understanding of emerging technologies and the related security implications.

Chapter 17, Information Security and Privacy Principles, provides an understanding of information security and privacy principles, which secure the system and build trust with the users.

Chapter 18, Practice Quiz – Part 1, contains 100 review questions with a detailed explanation of each written from my experience of working with ISACA for many years.

Chapter 19, Practice Quiz – Part 2, contains additional 100 questions to solidify your understanding and ultimately set you up for success!

To get the most out of this book

To get the most out of this book, I recommend that you start with the primer section of the book, which covers the fundamentals of GRC, CRISC practice areas, and the ISACA mindset. Familiarity with industry standards and frameworks, such as Control Objectives for Information and Related Technologies (COBIT), ISO 27001, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, is also beneficial, but not required. Additionally, we recommend that you review the CRISC certification exam syllabus before diving into the core content of the book. This will help you understand the exam objectives and the topics that will be covered in the certification exam.

As you work through the book, we encourage you to take notes, complete the review exercises at the end of each chapter, and refer back to the relevant sections when necessary. I also recommend that you take the practice quizzes at the end of the book to test your knowledge and pay equal attention to the explanation for correct and incorrect answers. By following these recommendations, you will be able to maximize your learning experience and effectively prepare for the CRISC certification exam.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “You can find the IP address of any website by using the ping command.”

Bold: Indicates a new term, an important word, or words that you see onscreen. Here is an example: “Risk management is the process of optimizing organizational risk to acceptable levels, identifying potential risk and its associated impacts, and prioritizing the mitigation based on the impact of risk on business objectives.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below:

https://packt.link/free-ebook/9781803236902

Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1: Governance, Risk, and Compliance and CRISC

In this part, you will get an overview of governance, risk, and compliance and how it fits into the wider gamut of information security. You will learn about the importance of IT risk management. In addition, you will learn about the CRISC exam practice areas, the types of questions you could expect, and the mindset required for ISACA certification exams.

This part has the following chapters:

Chapter 1, Governance, Risk, and Compliance
Chapter 2, CRISC Practice Areas and the ISACA Mindset

1

Governance, Risk, and Compliance

Dear reader, I have been in your place, thinking about which certification I should go for first. Should I begin with CISM? It seems to be the most widely recognized. Alternatively, should I consider CISA? However, I am not an auditor, so is it really necessary for me? What about CISSP? It seems rather challenging for someone trying to get certified for the first time. Finally, what about CRISC? It doesn’t appear to be the most relevant for the job responsibilities in the expanding realm of IT risk management.

Congratulations! Now that you have decided on the CRISC, you have taken the most important step of deciding on your certification and are embarking on the first stage of the journey of your career growth. However, what about the study material? Should I buy the official review manual? It appears to be very dull. Should I explore technical forums or communities for more advice and hacks? Alternatively, should I conduct a search using the hashtag CRISC (#CRISC) to see if there's a one-stop blog with all the resources needed to pass the exam in one convenient location?

As I look back on all this certification preparation and reference material, I realize that the majority of it missed a key point – what is the practical application of the knowledge I will acquire as I read this book and attain the certification? If I zoom out a little, why is governance, risk, and compliance (GRC) required in an organization when the sole aim of cybersecurity is to protect companies from attackers? Also, what is GRC in the first place?

This chapter aims to answer all these questions so that when you pass your CRISC with flying colors and boast about your certification, you don’t have to worry about recalling the basic concepts of GRC and have a solid foundation in IT risk management.

In this chapter, we will cover the following topics:

Governance, risk, and compliance
GRC for cybersecurity professionals
Importance of GRC for cybersecurity professionals
A primer on cybersecurity domains and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
Importance of IT risk management

Important note

The content of this chapter is not directly related to the exam syllabus, but it is important to understand the concepts of GRC before learning about IT risk management and its implementation for the CRISC exam.

The hope is that this chapter will provide you with enough understanding that you can differentiate between all domains of cybersecurity and can continue your journey well beyond the CRISC certification.

Governance, risk, and compliance

In this section, we’ll look at the concepts of GRC, their interrelationships, and how to differentiate among them.

What is GRC?

GRC is an acronym that stands for governance, risk, and compliance. It can be defined as a common set of practices and processes, supported by a risk-aware culture and enabling technologies that improve decision-making and performance through an integrated view of how well an organization manages its unique set of risks.

A GRC program aims to provide organizations with an overarching framework that can be used to streamline different organizational functions, such as legal, IT, human resources, security, compliance, privacy, and more so that they can all collaborate under a common framework and set of principles instead of running individual functions and programs.

Governance is the organizational framework through which stakeholders set the tone on direction and alignment with business objectives. These are the rules that run the organization, including the policies, standards, and procedures that set the direction and control of the organization’s activities. These stakeholders can be a board of directors in large companies or senior executives in small and medium enterprises.

Risk or risk management is the process of optimizing organizational risk to acceptable levels, identifying potential risk and its associated impacts, and prioritizing the mitigation based on the impact of risk on business objectives. The purpose of risk management is to analyze and control the risks that can deflect an organization from achieving its strategic objectives.

Qualitative risk is defined as likelihood * probability of impact, whereas the Factor Analysis of Information Risk (FAIR) methodology is widely used for quantitative risk assessment in mature organizations.

Compliance requirements for an organization ensure that all obligations including but not limited to regulatory factors, contractual requirements, federal and state laws, certification requirements such as ISO 27001 or SOC 2 audit, and more are adhered to and any gaps in compliance are logged, monitored, and corrected within a reasonable timeframe. The entire organization must follow a standard set of policies and standards to achieve these objectives.

An integrated approach to GRC that is communicated to the entire organization ensures that the main strategies, processes, and resources are aligned according to the organization’s risk appetite. A strong compliance program with the sponsorship of a senior leadership team is better suited to align its internal and external compliance requirements, leading to increased efficiency and effectiveness.

In the next section, we’ll learn about the relationship between these concepts.

Simplified relationship between GRC components

I would not blame you if you found the preceding concepts tedious and confusing. It took me a good 5 years to make sense of all of them. The following paragraph should serve as a one-sentence summary of the preceding concepts:

Governance is guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not reduce) the risk and comply with external and internal compliance obligations.

The following figure shows a simplistic view of GRC. It should be noted that the activities included under each pillar are not holistic and an organization may have an overlap between these activities. You should also be mindful that these activities are not standalone programs but need inputs from other pillars to be implemented successfully:

Figure 1.1 – Relationship between the components of GRC

Now that we know what GRC entails, we’ll learn about the importance of various factors for a successful GRC program in the next section.

Key ingredients of a successful GRC program

A successful GRC program requires collaboration across all layers of the organization. Three major components are a must-have for successful implementation:

- Sponsorship: A successful GRC implementation should have the sponsorship of a senior leader such as a Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Financial Officer (CFO), Chief Executive Officer (CEO), or someone else. These sponsors have a wider overview of not only the organization’s risk but also of industry peers across multiple verticals. Sponsorship from leadership is also important for building a risk-focused culture.
- Stewardship: The GRC program requires participation from all businesses and functions of an organization. Stewards play an important role in the GRC program and make information sharing across the organization easier, developing a common understanding and making relevant information available for everyone. These stewards, while translating the requirements from governance, are better able to target and address business risks. Stewards of the program are better suited to create business-oriented, process-based workflows to identify risks across functions, analyze them for cascading risks, and treat them accordingly.
- Monitoring and reporting: It is easy to roll out a GRC program across the organization, but over time, it becomes extremely difficult to keep pace with internal and external regulations without continuous monitoring of risks and controls supported by efficient risk indicators. It is important to enable continuous monitoring of risks and controls by using automated risk indicators and to keep the stakeholders abreast of risk in business terms through business-focused indicators and reports periodically circulated to the appropriate audience with actionable insights.

An important pillar of the monitoring function is to monitor the security controls of critical vendors and perform an ongoing assessment for each department and functional group across the enterprise to provide a holistic real-time view of risk.

In the next section, we’ll learn about how to differentiate between governance and management.

Governance is not management

Those new to the GRC domain often confuse governance with management and think both are the same; however, in the realm of GRC, governance and management serve very different functions.

Governance provides oversight and is highly focused on risk optimization for the stakeholders. Governance always focuses on the following aspects:

- Is the organization doing the right things?
- Are these things done in the right way?
- Is the team getting things done on time and within budget?
- Are we continuously optimizing the risk and getting benefits?

Once these questions have been answered, the management team focuses on planning, building, executing, and monitoring to ensure that all projects, processes, and activities are aligned with the direction and business objectives set by governance. It is expected that as management progresses in achieving these goals, the results are shared with governance (board of directors) periodically and additional inputs are taken into consideration.

GRC for cybersecurity professionals

In this section, we’ll learn about cybersecurity, information assurance, and the difference between these two concepts.

Cybersecurity and information assurance

For non-cybersecurity professionals, the word cybersecurity is synonymous with hacking, but in reality, this could not be further from the truth.

There are various ways to look at cybersecurity from an outsider’s view. In the industry, this is often categorized as a red team (attackers), blue team (defenders), and purple team (a combination of the red team and blue team focusing on collaboration and information sharing). For this book, I will take a different approach that is more aligned with the objectives of this book and your understanding when you prepare for the certification.

Firstly, let’s segregate cybersecurity into two major practices: cybersecurity and information assurance.

In the cybersecurity realm, we consider activities such as penetration testing, vulnerability assessments, network monitoring, malware analysis, and all the other practices that require robust technical understanding and knowledge to prevent unauthorized access and disruption to the business.

The second practice, information assurance, is going to be the focus of this book. Information assurance includes activities such as policy and procedure development, risk assessments and management, data analysis, IT audits, compliance with regulatory frameworks, incident management, vulnerability management, vendor management, KPI and KRI reporting and dashboards, and all the other sub-domains that do not require extensive technical understanding. However, these practices do require thorough collaboration across all teams and a strong understanding of the fundamentals of cybersecurity concepts. These activities are important for complying with multiple federal and state regulations as well as to ensure the implementation of compliance with industry-standard practices.

Many organizations tend to completely segregate the cybersecurity and information assurance functions into different verticals altogether, where the communication between different teams and opportunities to collaborate are limited. This leads to security being seen as a gatekeeper and not an enabler.

As security is continuing to shift left – that is, being prioritized more and more in the initial stages of software development and project viability – this distinction is fading and teams using modern security tools collaborate a lot more than just meeting once a month.

As you continue with this book, you will realize that though the CRISC exam covers all concepts of cybersecurity and information assurance, the focus will primarily be on the latter as the entire purpose of the CRISC exam is to help you prepare for the IT risk management of an organization, regardless of its size.

So far, we have learned about GRC, the importance of GRC, and how to differentiate between different verticals of cybersecurity. In the next section, we’ll learn about the importance of GRC for cybersecurity professionals and industry-standard frameworks to implement a GRC program.

Importance of GRC for cybersecurity professionals

As mentioned earlier, the lack of an effective GRC program makes it difficult to collaborate across all teams. An effective GRC program is the prerequisite to an effective cybersecurity program.

With the continuously increasing emphasis on privacy in the form of GDPR, CCPA, HIPAA, LGPD, and other state, national, and international regulations, the cybersecurity and information assurance teams can’t work in silos. Compliance with these laws and regulatory requirements requires commitment and tenacity from all functions of the organization.

The following table shows the importance of implementing an overarching GRC framework for an organization in detail:

| Non-GRC | Effective GRC |
| --- | --- |
| Lack of effective oversight | Effective oversight across all departments |
| Focus on achieving results only | Achieving results with integrity and ethics |
| Organizational and functional silos | Integrated decision-making |
| Lack of visibility | Shared technology, services, and vocabulary |
| Disjointed strategy | Integrated strategy |
| Duplication of efforts | Create-once, use-multiple |
| High costs | Optimized costs |
| Inefficient efforts | Efficient efforts |
| Lack of integrity | Culture of integrity |
| Wasted information | Shared and common knowledge |
| Fragmented information | Continuous flow of information |

Table 1.1 – Importance of a GRC framework

In the next section, we’ll learn about how we can use ISACA COBIT to implement a GRC program and its relationship with ITIL.

Implementing GRC using COBIT

Now that we have a good understanding of GRC and what it entails, it’s important to understand how to translate this knowledge into practice.

ISACA, the certification body of CRISC, also provides a comprehensive framework called Control Objectives for Information and Related Technology (COBIT) to bridge the gap between governance, technical requirements, business objectives and risks, and control requirements.

The latest version of COBIT (COBIT 2019) guidance from ISACA focuses on providing elaborate guidance on managing risk, optimizing resources, and creating value by streamlining all business objectives.

There are four publications under the COBIT 2019 framework:

- Introduction and Methodology: This is the fundamental document for implementing the COBIT framework that details governance principles, provides key concepts and examples, and lays out the structure of the overall framework, including the COBIT Core Model.
- Governance and Management Objectives: This publication contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. These are then defined and matched with the relevant processes, enterprise goals, and governance and management practices.
- Design Guide: Designing an Information and Technology Governance Solution: This publication provides essential guidance on how to put COBIT to practical use while offering perspectives for designing a tailored governance system for an organization.
- Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution: This document, combined with the COBIT 2019 Design Guide, provides a practical approach to specific governance requirements.

COBIT Core includes 40 governance and management objectives that have defined purposes that are mapped to specific core processes. These objectives are primarily divided into five categories:

- Evaluate, Direct, and Monitor (EDM): EDM has five objectives that focus on a few specific governance-related areas. These include alignment of enterprise and IT strategies, optimization of costs and efficiency, and stakeholder sponsorship.
- Align, Plan, and Organize (APO): APO’s 14 objectives include managing organizational structure and strategy, budgeting and costs, the HR aspect of IT, vendors, service-level agreements (SLAs), risk optimization, and data management.
- Build, Acquire, and Implement (BAI): The 11 BAI objectives are focused on managing changes to data and assets while ensuring end user availability and capacity needs are met.
- Deliver, Service, and Support (DSS): DSS contains six objectives and mostly aligns with the IT domains. DSS is focused on managing operations, problems, incidents, continuity, process controls, and security.
- Monitor, Evaluate, and Assess (MEA): MEA has four objectives related to creating a monitoring function that ensures compliance for APO, BAI, and DSS. These objectives include managing performance and conformance, internal control, external requirements, and assurance. Notably, MEA differs from EDM by concentrating on the monitoring function from an operational standpoint, whereas EDM monitors from a governance (or top-down) approach.

The following figure shows the five domains and 40 COBIT Core processes:

Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)

Important note

Detailed guidance on the COBIT Introduction and Methodology is available at no cost to members and non-members on the ISACA website: https://www.isaca.org/resources/cobit.

COBIT and ITIL

This section would not be complete without understanding the relationship between COBIT and ITIL.

ITIL is a framework designed to standardize the selection, planning, delivery, and maintenance of IT services within an enterprise. The goal is to improve efficiency and achieve predictable service delivery.

ITIL and COBIT are both governance frameworks but serve different purposes. ITIL primarily aims to fulfil service management objectives, whereas COBIT is globally recognized for both enterprise governance and IT management.

On their own, each framework is extremely successful in offering custom governance while delivering quality service management. When paired together, however, COBIT and ITIL have the potential to dramatically increase value for customers as well as internal and external stakeholders.

The COBIT framework helps identify what IT should be doing to generate the most value for a business, while ITIL prescribes how it should be done to maximize resource utilization within the IT purview. Even though the frameworks are different, they do have multiple touchpoints – for example, from the COBIT domain BAI, process BAI06 Managed IT Changes is equivalent to ITIL Change Management; process BAI10 Managed Configuration is equivalent to ITIL Configuration Management, and so on.

A major differentiation between COBIT and ITIL is that COBIT covers the entire enterprise, ensuring that governance is achieved, stakeholder value is ensured, and holistic approaches to governing and managing IT are accomplished, whereas ITIL is focused entirely on IT service management. COBIT aims to achieve its objectives through policies, processes, people, information, and culture and organizational structures, services, and applications that are implemented and integrated under a single overarching framework for ease of integration and customization, whereas ITIL provides prescriptive guidance on implementing these objectives.

In the previous section, we learned about the importance of ISACA COBIT for implementing a GRC program and its relationship with ITIL. In the next section, we will learn about multiple cybersecurity domains and the NIST CSF.

A primer on cybersecurity domains and the NIST CSF

There are many, many ways to think about cybersecurity domains and this could very well be a book in itself. The purpose of this section is to provide an overview of common cybersecurity domains and what they entail.

For the sake of simplicity and aligning it with a common industry standard, this section is aligned with the NIST CSF.

The NIST CSF divides the cybersecurity domain into five main categories, namely, Identify, Protect, Detect, Respond, and Recover:

Identify: There is an old saying in the cybersecurity world – You cannot protect what you do not know exists. The Identify category of the CSF emphasizes developing the organization’s understanding to manage cybersecurity risk to systems, assets (including people), data, and the capabilities to do so.

This activity is important for prioritizing the organization’s efforts and resources in consistency with its overall risk management strategy and business goals. This function stresses the importance of understanding the business context, the resources that support critical functions, and the related cybersecurity risks. The activities in Identify include the following:

- Identification of physical, software, and people assets to establish the basis of an asset management program
- Identification of established cybersecurity policies to define the governance program, as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
- Identification of the organization’s business environment and critical systems, including the role of critical vendors in the supply chain
- Identification of asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk
- Implementation of a risk management strategy, including identifying risk appetite and tolerance
- Identification of a vendor risk management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks

Protect: Once the assets and critical processes have been identified, the appropriate safeguards (controls) must be developed and implemented to ensure the delivery of critical infrastructure services. This function is dedicated to identifying controls that outline appropriate safeguards to ensure the delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cybersecurity event. The activities in Protect can be seen here:

- Perform security awareness training for all staff and additional role-based and privileged user training.
- Implement protections for identity management and access control within the organization, including physical and remote access. In the case of an external data center or using cloud services, implement robust controls such as complex passwords, the use of VPNs, and multi-factor authentication.
- Establish data security protection consistent with the organization’s risk strategy and criticality of assets to protect the confidentiality, integrity, and availability of information.
- Implement processes and procedures to maintain and manage the protection of information systems and assets.
- Protect organizational resources through maintenance, including remote maintenance activities.
- Manage technology to ensure the security and resilience of systems, consistent with organizational policies, procedures, and agreements.

Detect: Proactively detecting and deterring potential cybersecurity incidents is critical to a robust information security program. This function defines the appropriate activities to proactively identify the occurrence of a cybersecurity event and involve the relevant teams as soon as the threat vectors are identified. The activities in Detect can be seen in the following list:

- Detect anomalies across all system events and act on them before they cause substantial harm to the assets
- Implement tools for continuous monitoring and detection (also known as the Security Operations Centre) to monitor critical events, tune the systems to reduce false positives, and gauge the effectiveness of protective measures, including network and physical activities

Respond: Once an event has indeed materialized and caused an incident, the organization should be prepared to contain and respond using manual as well as automated processes. This function aims to develop such systems, train the staff on incident response, and ensure that incidents can be resolved within the agreed timeframe and with minimum disruption to the system. The activities in Respond include the following:

- Manage communications with internal and external stakeholders during and after an event
- Analyze the incident to ensure an effective response and supporting recovery activities, including forensic analysis and determining the impact of incidents
- Ensure incident response planning processes are agreed upon with relevant staff, executed at the time of the incident, and that lessons learned are incorporated to prevent the incident in the future
- Perform mitigation activities to prevent the expansion of an event and to resolve the incident
- Implement improvements by incorporating lessons learned from such responses and ensure the staff is trained on the new practices

Recover: This function identifies appropriate activities to renew and maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The activities in Recover can be seen here:

- Ensure that the organization has a recovery plan process in place that is tested within an acceptable time frame and that procedures to restore systems and/or assets affected by cybersecurity incidents are in place
- Implement the lessons learned while responding to incidents and review those with relevant stakeholders
- Coordinate internal and external communications during and following the recovery from a cybersecurity incident, and continuously add and act upon new areas of risk

The following figure summarizes the NIST CSF functions:

Figure 1.3 – Simplified NIST CSF functions

Each of these domains is further segregated into multiple subdomains that are outside the scope of this book. I highly encourage you to familiarize yourself with the NIST CSF subdomains and their relationship with COBIT.

Important note

COBIT has custom frameworks for several specific use cases, including a framework for implementing the NIST CSF. A set of such publications can be found on the ISACA website at https://www.isaca.org/resources/cobit.

Importance of IT risk management

Now that we’ve discussed a fair bit about GRC, the domains of cybersecurity, and the NIST CSF, it is important to understand the implications of IT risk management for an organization.

In an enterprise risk management function, there can be a myriad of risks such as strategic risk, environmental risk, market risk, credit risk, operational risk, compliance risk, reputational risk, and more.

All the preceding risks can be impacted by IT risks in three major ways:

- IT value enablement risk: The delivered projects did not create the expected value, leading to a loss of shareholder value and opportunities that could have materialized
- IT program and project delivery risk: Projects are not ready to be delivered as agreed with the internal and external stakeholders, leading to inconsistency with the overall strategy
- IT operations and service delivery risk: Delivered services are not in compliance with the SLAs agreed upon at the inception of the project

All the preceding impacts have cascading effects on other areas of the organization. An overarching governance framework implementation can prevent these risks from materializing.

Summary

At the beginning of this chapter, we learned that governance is the guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not eliminate) the risk and comply with external and internal compliance obligations. Then, we looked at the key ingredients of a successful GRC program, including sponsorship, stewardship, monitoring, and reporting. We concluded this chapter by understanding the ISACA COBIT framework for a GRC program implementation and its relationship with ITIL and providing a primer on cybersecurity domains and the NIST CSF. Now, you should be well equipped to start conversations regarding a GRC program implementation and speak about its value with the senior leaders in your organization.

In the next chapter, we will switch gears and learn about the CRISC practice areas and the ISACA mindset to answer the CRISC exam questions.

2

CRISC Practice Areas and the ISACA Mindset

If the previous chapter was all about learning about governance, risk, and compliance, and why they are required, this chapter will focus on preparing you for the main goal of this book – to pass the ISACA Certified in Risk and Information Systems Control (CRISC) exam.

The CRISC certification aims to advance your career by helping you understand the impact of IT risk and how it relates to your organization. The CRISC certification demonstrates the holder’s ability to identify and evaluate IT risk, propose strategies to mitigate risk optimally, and help the enterprise accomplish its business objectives.

The ISACA website (https://www.isaca.org/credentialing/crisc) provides an apt description of the certification: The CRISC certification validates your experience in building a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize, and respond to risks. This enhances benefits realization and delivers optimal value to stakeholders.

Since its inception in 2010, more than 30,000 professionals worldwide have earned the CRISC credential. The CRISC credential enables an IT risk manager to showcase their competence and ability to design, implement, monitor, and maintain effective risk-based information systems controls.

In addition to the preceding attributes, the CRISC certification also does the following:

- Proves your skills and knowledge in using governance best practices and continuous risk monitoring and reporting
- Enhances business resilience and stakeholder value and allows you to gain increased credibility with peers, stakeholders, and regulators
- Ensures you are recognized as a professional with the skills and experience to provide value and insight from an overall organizational perspective on both IT risk and control
- Establishes a common language to communicate within IT and to other stakeholders (privacy, legal, people operations, human resources, and more) throughout enterprises about risk
- Ensures you will understand information system control design, implementation, control monitoring, and maintenance