CRISC Session 2 Slides

IT Risk Assessment

MODULE 2

Exam Relevance
This domain represents 20% of the CRISC examination (approximately 30 questions).

(Chart: exam weighting by domain. Domain 1: 26%; Domain 2: 20%; Domain 3: 32%; Domain 4: 22%.)
Topics
Risk Events

Threat Modeling and Threat Landscape

Vulnerability and Control Deficiency Analysis

Risk Scenario Development

Risk Assessment Concepts, Standards and Frameworks

Risk Register

Risk Analysis Methodologies

Business Impact Analysis

Inherent, Residual and Current Risk

Learning Objectives
Define the types of risk events and threats an enterprise can face.

Explain the risk identification process.

Identify threat modeling techniques.

Compile a threat profile using threat modeling techniques.

Describe the process and benefits of developing risk scenarios.

Explain the risk assessment process.

Define common risk assessment standards and frameworks.

Describe the value of the risk register to the enterprise.

Explain risk analysis methodologies and how they are used.

Illustrate the relationship between business impact analysis and risk assessment.

Outline the effect of inherent and residual risk on the enterprise.
Risk Identification

Risk Identification Overview
• Recognize and understand any risk jeopardizing the enterprise objectives
• Identify loss event scenarios impacting enterprise mission or strategy

(Diagram: risk management cycle: Setting Context, Risk Identification, Risk Assessment and Analysis, Risk Response, Risk Reporting and Communication)

Risk Elements to Document
Threats, Vulnerabilities, Consequences, Impact, Frequency
Risk Events
Risk Events vs. Threat Events

Risk Events
• Discrete, specific occurrences that result in an impact upon an enterprise or its assets
• Differ from threat events

Threat Events
• Describe the series of actions that may take place
• Often improperly categorized as risk

• Threats and risk come in various forms and originate from different actors.
• Risk events can impact and act against specific targeted assets or intend to be broadly disruptive in execution.
• Each element of risk needs to be considered individually and in aggregate.

Review Question
Which of the following is MOST likely to be addressed by risk response?

A. Destruction of obsolete computer equipment

B. Theft of a smartphone from an office

C. Sanitization and reuse of a flash drive

D. Employee deletion of a file
Common Risk Event Examples
• New regulations
• Loss of key personnel
• Wildfires, hurricanes, flood or other natural disasters
• Fire at data center
• Ransomware attack
• Network intrusion by a cybercriminal
• Abuse of positional authority

Risk Identification
Risk identification requires the documentation and analysis of the elements that comprise risk, such as:
• Consequences associated with specific assets
• Threats to those assets, normally requiring both intent (motivation) and capability
• Vulnerabilities that a threat may attempt to exploit
• Frequency that a potential risk event may result in an impact to the enterprise
• Potential harm that may result (loss event) against the asset if the threat were successful

Each element of risk must be considered individually and in aggregate. Identification of risk depends on successful identification of assets, threats to those assets and the vulnerabilities that could be present that would allow an asset to be acted against.
Risk Factor Categories

Contextual factors
The degree of control that an enterprise has over the respective factors.
• Internal contextual factors: under the control of the enterprise
• External contextual factors: outside of the control of the enterprise

Capability factors
Critical to successful outcomes in managing risk:
• IT-related risk management capabilities
• IT-related business or mission capabilities (or value management)

Risk Factors
(Diagram: Threat Actors → Threats → Vulnerabilities → Risk → Assets)

Example: A virus has been written to exploit a system.
• Without a patch, the virus can gain access through the exploit and causes an impact to the system (asset).
• With a patch, the vulnerability is eliminated, which stops the virus from impacting the system.
Risk Assessment

Identify Threats
Threat identification requires understanding the motivation, strategy and techniques of those who perpetrate threats.

Risk Analysis
Risk analysis is modeling various threats against assets to estimate the frequency and magnitude of the resulting impact to assets.

Risk Evaluation
Risk evaluation is comparing the risk analysis against given risk criteria (risk appetite, tolerance and capacity) to determine the significance of the risk.

Review Question
Which of the following is the MOST important reason for conducting periodic risk assessments?

A. Risk assessments are not always precise.

B. Reviewers can optimize and reduce the cost of controls.

C. Risk assessments demonstrate the value of risk management to senior management.

D. Business risk is subject to frequent change.
The Risk Practitioner’s Role
1. Work closely with business process owners to ensure understanding of operations, including external dependencies and assumptions
2. Determine the purpose, development, acquisition, implementation and integration processes for the wide range of technologies used by the enterprise
3. Understand the purpose, processing and handling of data and information across the enterprise

Risk Practitioner Methods for Risk Identification

Historical - Evidence-Based Methods
• Audit or incident reports, press releases and annual reports
• Public media (newspapers, television)

Systematic Approaches
• Vulnerability assessments and review of business continuity and disaster recovery plans
• Interviews and workshops with managers, employees, customers, suppliers and auditors

Inductive Methods
• Team examines a process to determine the possible points of attack or compromise
• Penetration testing

Existing Taxonomy
• Commonly used in governance, risk and compliance (GRC) systems or risk assessment systems
• Supports an integrated view of the system covering all aspects and risk resources
Changes in Risk Environment

Changes
• Enterprises and technologies evolve
• Threat actors focus on new areas to attack
• New vulnerabilities discovered in systems and applications
• Changes in technology and business practices

Monitor
• Vendor alerts
• Reports from computer emergency response teams (CERTs)
• Media stories

When a new issue arises, the risk practitioner should work with the business and system owner to perform a threat analysis and determine if and how the organization should respond.

Operational Integrity
Procedures for maintaining operational integrity include, but are not limited to:
• Asset Management
• Project Planning & Management
• Capacity & Performance Planning
• Patch Management
• Incident Management
• Change & Configuration Management
• Identity & Access Management

Consistent and sustainable operations are contingent on:
• Repeatable and defined procedures
• Reducing interruptions/disruptions from staff turnover

Well-defined procedures provide a foundation for the enterprise to achieve its goals and objectives.
Industry Trends

Impact
A failure by the IT department to adapt to or support a new business model may result in substantial losses to the enterprise.

Example
When some telecommunications providers switched to per-second instead of per-minute billing, it forced all of the other providers to change their systems quickly or lose a large percentage of their customers.

Role
A risk practitioner should assess the maturity of the IT department and the enterprise as a whole toward monitoring and adapting to new market trends. A lack of flexibility or poor communication between the business units and IT can be a risk factor.

Forecasting Risk
1. Collect insights from previous incidents, audit reports and failures
2. Document: What went wrong? How can the system be protected?
3. Apply what was discovered from the incident response process
4. Learn from past events and do not allow the same errors to repeat

Remember that no two incidents are identical. The impact of an event may differ from a past event despite having similar characteristics.
Threat Modeling and Threat Landscape

Threat Actors
(Diagram: threat actors and risk practitioners share the same traits: Imaginative, Creative, Determined)
Internal Threats

Threat: Inadequate training; poor treatment; not enough time to perform job
Risk: Causes business impacts, intentional or unintentional

Threat: Compromise system; release data; coerced to share trade secrets
Risk: Exposes the enterprise to legal and reputational risk

Threat: Key personnel moves to another enterprise
Risk: Leaves gaps in knowledge and skills

Employee Access Threats

Threat
Any system has trusted insiders, and one of them choosing to violate trust is difficult to predict or prevent. Many employees have access to systems and data that far exceed their actual job requirements, which can be exploited in an attack.

Solution
The solution to this problem is proper provisioning of access, including principles such as need-to-know and least privilege.
Managing Employee Threats

Upon Hire:
• Review the qualifications and attitude of prospective employees
• Review and require signature of the ethics and policies of the enterprise and a nondisclosure agreement (NDA)

Throughout Employment:
• Review organizational policies and responsibilities through awareness sessions and regular management reviews
• Regularly interact with employees to understand any frustrations, complaints or issues and to seek to resolve those issues

Ending Employment:
• Ensure all organizational assets are returned (ID badges, equipment and uniforms)
• Access to systems, network and facility should be revoked immediately, prior to departure

Third Party:
• Vendor staff, business process outsourcing staff or any other external individuals
• Viewed as external threats
• Usually have some internal access, higher knowledge and capabilities to potentially initiate a threat from within

External Threat Actors
• Nation-state threat actors
• Criminals
• Hacktivists
• Corporate spies
• Thieves
• Advanced persistent threats (APT)

Nation-State Threat Actors
• Highly skilled
• Break into systems for military or economic purposes

Hacktivists
• Varied skill set and motivations
• Break into systems to publicly shame or humiliate enterprises

APTs
• Highly skilled attackers persistent in their attempts to exploit systems and networks
• Possess effective tools
• Sponsored by governments, organized crime or competitors
Emerging Threats

Common Issue: Lack of Monitoring and Response
Enterprises may have evidence of emergent threats in advance of a compromise. Examples:
• Unusual activity on a system
• Repeated alarms
• Degraded system or network performance
• New or excessive activity in logs
• Logging being disabled
(Diagram: Threat → Breach)

Role of Risk Practitioner
• Be alert to the emergence of new technologies
• Prepare for introducing new technologies
• Internet of things (IoT)
  - Example of a revolution in how enterprises view technology assets
  - Risk is self-evident
  - May tempt the enterprise by promising to greatly reduce cost and refresh rate

Review Question
When a start-up company becomes popular, it suddenly is the target
of hackers. This is considered:

A. an emerging vulnerability.

B. a vulnerability event.

C. an emerging threat.

D. an environmental risk factor.

Additional Sources for Threat Information
• Interviews
• Self-assessment
• Media Reports
• Third-party Assurance
• Observation
• User Feedback
• Logs
• Vendor Reports

Threat, Misuse- and Abuse-Case Modeling

Misuse-case Modeling
• Looks at a variety of possible errors, mistakes and unintentional deviations from expected user behavior that a system may experience

Abuse-case Modeling
• Examines security and privacy interactions of system, user, data and stakeholders
• Considers the complete interaction between a system and actor(s)
• The results of the interaction are harmful to the system, users or stakeholders in the system

Threat Attribution
• Process used in an attempt to identify the threat actors behind an attack and their motivations
• Catalog indicators of compromise (IOCs) and indicators of attack (IOAs) to associate an attack with a threat actor
• Balance with the strategy, goals and objectives of the organization
• Consider the purpose of establishing capabilities and the quality of data available
Threat Scenario Components

Threat Modeling
• Used by risk practitioners, systems designers, developers and operators
• Helps to build systems with attention to defensive controls, built-in security features and proper placement within a strategy of overlapping defenses
• Deters or prevents system failures
(Diagram: components of a Threat Scenario)

Threat Model Methods
Methods may be combined to create a robust view of potential threats; a single method may not be comprehensive, may be abstract or people-centric, and may focus on risk or on privacy concerns.

MODEL: STRIDE (Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege)
BENEFITS:
• Helps identify relevant mitigating techniques
• Most mature
• Easy to use but time consuming

MODEL: PASTA (Process for Attack Simulation and Threat Analysis)
BENEFITS:
• Helps identify relevant mitigating techniques
• Directly contributes to risk management
• Encourages collaboration among stakeholders
• Contains built-in prioritization of threat mitigation
• Laborious, but has rich documentation

MODEL: LINDDUN (Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information, Unawareness, Noncompliance)
BENEFITS:
• Helps identify relevant mitigating techniques
• Contains built-in prioritization of threat mitigation
• Can be labor intensive and time consuming

MODEL: Attack Trees
BENEFITS:
• Helps identify relevant mitigating techniques
• Has consistent results when repeated
• Easy to use if a thorough understanding of the system is already in place
Vulnerability and Control Deficiency Analysis

Vulnerability and Control Deficiency Analysis
Vulnerabilities are weaknesses or gaps in an enterprise’s people, processes or technologies that provide an opportunity for a threat actor to exploit, creating consequences that may impact the enterprise.

Many vulnerabilities are system conditions that must be identified to be addressed. The purpose of vulnerability identification is to find problems before an adversary finds and exploits them. An enterprise should conduct regular vulnerability assessments and penetration tests to identify, validate and classify its vulnerabilities. Where vulnerabilities exist, there is a potential for risk.

NIST Special Publication 800-30 Revision 1: Guide to Conducting Risk Assessments provides a list of vulnerabilities to consider, with predisposing conditions that may lead to the rapid or unpredictable emergence of new vulnerabilities.
Cloud Computing Advantages and Concerns
• Services feature redundancy, automatic failover and SLAs that guarantee uptime in excess of 99.9 percent through an on-demand pricing structure.
• Outsourcing data processing does not remove the liability of the outsourcing organization to ensure proper data protection.
• Provides better protection but is also a high-value target for motivated threat actors. Visibility into cloud provider operations may be limited.
• Decisions about using cloud services should be made by senior management, advised by details from the risk practitioner.

Cloud Deployment and Service Models
Deployment models: Private, Public, Hybrid, Community
Service models: IaaS, PaaS, SaaS
Cloud Environment Migration Considerations
Migration to a cloud environment needs to be carefully weighed and considered in the context of an enterprise’s strategic goals and objectives.
• Reduced visibility and control
• Data deletion is incomplete
• Self-service can lead to unauthorized use and abuse
• Credentials stolen or compromised
• Provider with privileged insiders
• Vendor lock-in
• Application programming interfaces (APIs) can be compromised
• Increased complexity strains IT staff
• Separation between multiple tenants fails
• Insufficient due diligence

Big Data Concerns
• Analyze structured and unstructured data to help make better business decisions and increase competitive advantage
• Risk can be incurred either through adoption or non-adoption of these capabilities
• Changes in analytics capabilities can introduce technical and operational risk
• Weigh benefits of leveraging big data against enterprise maturity, governance and management of data

ISACA Guidance:
Technical and operational risk should consider that certain data elements may be governed by regulatory or contractual requirements and that data elements may need to be centralized in one place so that the data can be analyzed. In some cases, this centralization can compound technical risk.
Big Data Challenges
• Poorly defined data ownership
• Use of data by multiple enterprise departments
• Evolving regulatory requirements
• Requests for change and workflow changes
• Siloed departments and enterprise structures
• Quality problems from data deluge
• Lack of skilled data analysis staff

Gap Analysis
A gap analysis is based on the comparison of a current state or condition and the desired state or condition, with the difference between the two states being a gap.

(Diagram: Current State (0%) → series of projects to move from current to desired state → Desired State (100%))
Review Question
Which of the following choices BEST helps identify information
systems control deficiencies?

A. Gap analysis

B. The current IT risk profile

C. The IT controls framework

D. Countermeasure analysis

Vulnerability Assessment
• A process of identifying and classifying vulnerabilities
• Provides a careful examination of a target environment to discover any potential points of compromise or weakness

Examples:
• Network vulnerabilities
• Poor physical asset controls
• Insecure applications
• Poorly built web-facing services
• Disruption to utilities
• Unreliable supply chain
• Untrained personnel (HR)
• Inefficient processes
• Old or poorly maintained equipment
Root Cause Analysis
Root cause analysis is a process of diagnosis to establish the origins of events to learn lessons from consequences.

Examine Root Cause
The risk practitioner examines the root cause of an incident to discover the conditions and factors leading to an event, rather than reacting to the symptoms of the problem.

Risk Response
Conditions against which action must be taken to prevent the problem from recurring. Actions taken are often from lessons learned.

Root Cause Analysis Example
1. Business process finds that users are not compliant with the procedures and policies in place.
2. Root cause analysis examines the reasons why a problem exists or a breach has occurred and seeks to identify and resolve these underlying issues.
3. The risk practitioner should examine why the users are not compliant before recommending enforcement of the procedure.
4. They may discover the procedure is outdated, flawed or unworkable when aligned with the objectives of the enterprise.
Root Cause Analysis Implementation

Premortem - Facilitated workshop to simulate a project failure. When correctly facilitated, it can produce insightful, collaborative and valuable perspectives on risk.

A risk event may be the result of coinciding events: several issues that act in combination to create what appears to be a single result.

The risk practitioner can use root cause analysis as a means of identifying coinciding events, which cannot be traced to a single common cause.

Risk Scenario Development

Risk Scenarios
Tangible and assessable representation of risk:
• Describe a potential risk event with an uncertain impact on the enterprise (positive or negative)
• Document the factors and areas that may be affected by the risk event
• Should be related to a business objective or impact
• Identified risk should be included in one or more scenarios
• Effective scenarios are based on real and relevant potential events
(Diagram: Conceptualize risk → Document risk → Describe potential risk events)

Risk Scenario Development

Effective Scenarios are built from Imagination and Previous Events.

Example Risk Events:
• System failure
• Loss of key personnel
• Theft
• Network outages
• Power failures
• Natural disasters
• Situations impacting enterprise operations
Risk Scenario Benefits

Facilitate communication

Gathering information

Inspire action

Framing information

Realistic view of risk


Risk Scenario Approaches


Top Down
• Understanding business goals
• How a risk event impacts those
goals

Bottom Up
• Describing risk events specific to
individual enterprise situations
• Cyberthreat and vulnerability

Review Question
Risk scenarios should be created PRIMARILY based on which of the
following?

A. Input from senior management

B. Previous security incidents

C. Threats that the enterprise faces

D. Results of the risk analysis


I&T Risk Scenario Development
(Diagram: Actor + Threat Type + Event + Asset/Resource → Risk Scenario)

Actor
• Internal
• External

Threat Type
• Malicious
• External
• Failure
• Natural
• External requirement

Event
• Disclosure
• Interruption
• Modification
• Theft
• Destruction
• Ineffective design
• Ineffective execution
• Rules and regulations
• Inappropriate use

Asset/Resource
• People & organization
• Process
• Infrastructure (facilities)
• IT infrastructure
• Information
• Applications
Analyzing Risk Scenarios
Quick detection and action toward risk is critical to contain the impact.

FAIR Model
Decomposes the major components that comprise risk into smaller, manageable components that allow analysis to be performed. Includes elements related to:
• Loss Event Frequency
• Loss Magnitude

HARM Model
• Entire methodology built on the OpenFAIR model
• Accounts for loss magnitudes at a discrete level
• Factors in control objective maturity as a method to account for potential reductions in overall loss magnitude estimations

FAIR
(Figure: FAIR model. Source: FAIR Institute; ISACA CRISC Review Manual, page 114)

HARM
(Figure: HARM model. Source: Rubicon Advisory Group; ISACA CRISC Review Manual, page 115)
Review Question
An enterprise learns of a security breach at another entity using similar network technology. The MOST important action for a risk practitioner is to:

A. assess the likelihood of the incident occurring at the risk practitioner’s enterprise.

B. discontinue the use of the vulnerable technology.

C. report to senior management that the enterprise is not affected.

D. remind staff that no similar security breaches have taken place.
Review Question
Risk scenarios are analyzed to determine the:

A. strength of controls.

B. likelihood and impact.

C. current risk profile.

D. scenario root cause.

Break

Risk Assessment Concepts, Standards and Frameworks

Risk Assessment Overview
Process used to identify and evaluate risk and its potential effects, including:
• Critical functions necessary for an enterprise to continue business operations
• Risk associated with each of the critical functions
• Controls in place to reduce exposure and their cost
• Prioritization of the risk based on their likelihood and potential impact
• Relationship between the risk and the enterprise risk appetite and tolerance
• Generates information used to respond to risk appropriately while considering cost
(Diagram: IT Risk Identification → IT Risk Assessment → Risk Response and Mitigation → Risk and Control Monitoring and Reporting)
Risk Assessment Techniques: Concepts, Standards and Frameworks

Many methods exist and vary in complexity:
• Bayesian
• Brainstorming/structured interview
• Business impact
• Cause-and-effect
• Delphi
• Fault tree
• Markov
• Monte-Carlo
• Preliminary hazard
• Root cause
• Scenario
• Structured what if (SWIFT)

Choice should follow best fit for the enterprise, unless otherwise mandated or regulated.
Essential to identify as much significant risk as possible.
Results must identify the relative risk rating of assets and processes.

I&T-Related Risk Ranking

Impact
• Considers the various dependencies of the affected IT system
• After risk is determined, it should be ranked to direct risk response effort
• Most often measured by the impact of an IT-related problem on services the IT system supports

Components
• Recognition of threats, qualities and capabilities of a threat source
• Recognition of the severity of a vulnerability
• Likelihood of attack success when considering effectiveness of controls
• Impact of a successful attack on the enterprise

Outcome
Together, these indicate the level of risk associated with a threat.
Closing the Risk Assessment Process
Used to determine the appropriate response to address risks, given their probability and potential effects in the context of the enterprise’s risk appetite, tolerance and capacity, which consider:
1. Efficiency of the response
2. Exposure of the risk at present
3. Implementation capability
4. Effectiveness of the response

Risk Map
An expression of risk evaluated using well-defined and non-ambiguous impact criteria.

Used to consider risk scenarios in the context of the organization’s defined risk appetite and criteria used for risk tolerance.

Initial maps may be useful to develop trends or common profiles for which risk response activities

Provides a quick prioritization triage exercise but may not give management enough information to act.

Becomes more useful when it is combined with the different zones of risk appetite.
Risk Owner
Each risk must be linked to an individual who owns the risk, according to their job responsibilities and duties.

The risk owner is the person in whom the enterprise invests the authority and accountability to make risk-based decisions and who owns the loss associated with a realized risk scenario.

To ensure accountability, the ownership of risk must be with an individual, not with a department or the enterprise as a whole.

Risk Assessment Documentation
• Indicate: Indicate gaps between the current risk environment and the desired state of I&T-related risk
• Advise: Advise whether these gaps are within acceptable levels
• Provide: Provide guidance to judge the severity of the identified issue
• Document: Document the process used
• Communicate: Communicate results of the risk assessment
Addressing Risk Exclusions
All I&T-related risk should be evaluated or intentionally bypassed. Some I&T-related risk events apply only to enterprises that meet certain criteria.

Include any intentionally bypassed risk in the report.

Each documented risk should be reevaluated based on the current risk landscape. New types of risk can be discovered or overlooked sources may become relevant.

Risk Assessment Report


• Objectives of the risk assessment process
• Scope and description of the area subject to assessment
• External context and factors affecting risk
• Internal factors or limitations affecting risk assessment
• Risk assessment criteria and methodology used
• Resources and references used
• Identification of risk, threats and vulnerabilities
• Assumptions used in the risk assessment
• Potential of unknown factors affecting assessment
• Results of risk assessment
• Recommendations and conclusions
Risk Register

Why a Risk Register?
• A list of risk that is identified, analyzed and prioritized
• Consolidate and track all information about risk in one central repository
• Obtain status of the risk management process from a single source
• Better manage, report and coordinate on risk
• Reviewed and updated regularly to add or remove risk
Review Question
Which of the following statements BEST describes the value of a risk
register?

A. It captures the risk inventory.

B. It drives the risk response plan.

C. It is a risk reporting tool.

D. It lists internal risk and external risk.

Risk Register Insights
• Outstanding risk issues
• Status of risk mitigation efforts
• Emergence of newly identified risk
Review Question
If risk has been identified, but not yet mitigated, the enterprise would:

A. record and mitigate serious risk and disregard low-level risk.

B. obtain management commitment to mitigate all identified risk within a reasonable time frame.

C. document identified risk in the risk register and maintain the remediation status.

D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias.

Risk Analysis Methodologies

Risk Analysis Methodologies
• Qualitative: scenarios or situations
• Quantitative: statistics and data
• Hybrid: combination of approaches

Review Question
The board of directors wants to know the financial impact of specific,
individual risk scenarios. What type of approach is BEST suited to
fulfill this requirement?

A. Delphi method

B. Quantitative analysis

C. Qualitative analysis

D. Financial risk modeling

Review Question
The MOST significant drawback of using quantitative risk analysis
instead of qualitative risk analysis is the:

A. lower objectivity.

B. greater reliance on expertise.

C. less management buy-in.

D. higher cost.

Business Impact Analysis

Business Impact Analysis
Process to determine the impact of losing the support of any resource:
• Identifying initial impact
• Provide reliable data to enable decision-making

• Establishes business continuity requirements and determines organizational resilience
• Determines impact of losing support of any resource
• Establishes the escalation of loss over time
• Identifies the minimum resources needed to recover
• Prioritizes the recovery of processes and the supporting system

BIA Outcomes

Enabling:
• Prioritize business-defined critical services
• Determine how business-critical services should be protected
• Define the acceptable levels of diminished operation before impacting strategic priorities
• Enable the organization to achieve its goals and objectives
• Guide senior management to select appropriate treatment and recovery strategies

Defining:
• Activities and resources required to achieve enterprise strategy
• What needs to be protected and the order of recovery following an incident
• Recovery timeframes to inform when services need to be recovered
• Recommendations of reasonable and appropriate risk response
Business Continuity and Organizational Resiliency
Enterprises have a variety of separate business functions, each focused on delivering a specific service back to the organization.

BIA classifies business activities and resources needed to deliver the most essential enterprise services.
• Document key processes
• Uncover previously unknown factors

Review Question
The GREATEST advantage in performing a business impact analysis
is that it:

A. does not have to be updated because the impact will not change.

B. promotes continuity awareness in the enterprise.

C. requires only qualitative estimates.

D. eliminates the need for risk analysis.

BIA Resources
The BIA should also capture all the resources needed to continue operations while in a diminished capacity. It is a data collection effort that provides other key benefits, including:
• Identified controls, threats, weaknesses and gaps
• Defined recovery objectives
• Documented recovery methods
• Uncovered team/staffing requirements
• Validated contact information

Business Impact Analysis and Risk Assessment
BIA and risk assessment are similar in nature. However, there are a few key distinctions:

Business Impact Analysis
Used to establish requirements for business continuity efforts:
• Identifying resource dependencies
• Tracing requirements to impacts
• Justifying investments associated with the disruption of services

Risk Assessment
Focuses on understanding:
• Threats faced by an enterprise
• Establishes frequency and impact associated with identified threats
• How to respond to the risk (goal: decrease residual risk to an acceptable level)
Review Question
The MOST effective starting point to determine whether an IT system
continues to meet the enterprise’s business objectives is to conduct
interviews with:

A. executive management.

B. IT management.

C. business process owners.

D. external auditors.


Beyond Business Impact
(Diagram: Incident Impact → Disaster Recovery Planning → Resiliency)
Additional Business Impact Areas

Strategic Investment
• Understanding how, when and where to invest
• BIA deliverables can help promote understanding beyond financial impact, including organizational, reputational and brand impacts
• Enables businesses to develop business cases and justification for investments
• Identify and implement appropriate capabilities to meet recovery objectives

Regulatory and Contractual Obligations
• Requires enterprises to ensure and maintain a certain level of availability of specific services
• BIA process used to identify potential gaps in requirements
• Ensures senior management has sufficient details to meet required obligations
• Enable appropriate level of planning and preparation prior to incidents

Review Question
Which of the following BEST facilitates cost-effective risk response?

A. Prioritizing and addressing risk according to the risk management strategy

B. Mitigating risk on the basis of risk likelihood and magnitude of impact

C. Performing countermeasure analysis for each of the controls deployed

D. Selecting controls that are at zero or near-zero costs
Inherent, Residual and Current Risk

Inherent, Residual and Current Risk
Risk is unavoidable in business. Risk is inherent in an enterprise. Some business processes may have a higher level of risk than others, and the degree of risk varies from one activity, product or service to another. The risk practitioner should understand risk and be able to assess and respond to any risk that lies outside the organizational risk appetite in a way that reduces it to an acceptable level.
Risk States
1. Inherent: risk state without any actions taken
2. Current: point-in-time risk
3. Residual: remaining risk after response
4. Risk Transfer: share risk with another entity (e.g., insurance)

Inherent, Current and Residual Risk
• Inherent Risk: risk without adding in any risk response
• Current Risk: inherent risk minus existing responses
• Residual Risk: risk left after all risk responses are applied
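As an added example (not ISACA material and not the FAIR Institute's own method), the block below takes the two FAIR factors named in the Analyzing Risk Scenarios slide, Loss Event Frequency and Loss Magnitude, runs them through the Monte-Carlo technique from the methodologies list, and derives the inherent, current and residual views of one constructed ransomware scenario. The three-point estimates, control names, effectiveness factors and appetite figure are all invented for illustration.

```python
"""FAIR-style Monte Carlo estimate of inherent, current and residual risk.

Added example, not ISACA or FAIR Institute material. Loss Event Frequency (LEF)
is expected loss events per year; Loss Magnitude (LM) is loss per event. Risk
responses scale those two factors, giving the three risk states on the slides.
All figures below are constructed sample values.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Control:
    """A risk response and the share of frequency or magnitude it removes."""
    name: str
    frequency_reduction: float  # fraction of loss events prevented (0..1)
    magnitude_reduction: float  # fraction of per-event loss avoided (0..1)
    implemented: bool           # True = in place today, False = planned


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year for expected rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def annualised_loss_expectancy(lef: Estimate, lm: Estimate, controls,
                               seed: int = 7, trials: int = 20_000) -> float:
    """Mean simulated annual loss for one scenario with the given controls applied."""
    freq_factor = math.prod(1.0 - c.frequency_reduction for c in controls)
    mag_factor = math.prod(1.0 - c.magnitude_reduction for c in controls)
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        # Draw this year's event rate, then the number of events, then each loss.
        events = poisson(rng, lef.sample(rng) * freq_factor)
        total += sum(lm.sample(rng) * mag_factor for _ in range(events))
    return total / trials


def risk_states(lef: Estimate, lm: Estimate, controls) -> dict:
    """Inherent (no controls), current (implemented controls), residual (all controls)."""
    return {
        "inherent": annualised_loss_expectancy(lef, lm, []),
        "current": annualised_loss_expectancy(
            lef, lm, [c for c in controls if c.implemented]),
        "residual": annualised_loss_expectancy(lef, lm, controls),
    }


def within_appetite(ale: float, appetite: float) -> bool:
    """Risk evaluation step: compare the analysed loss against the stated appetite."""
    return ale <= appetite


# Constructed scenario: ransomware on a file server (hypothetical figures).
RANSOMWARE_LEF = Estimate(low=0.2, mode=0.5, high=1.5)              # events per year
RANSOMWARE_LM = Estimate(low=50_000, mode=200_000, high=1_000_000)  # currency per event
RANSOMWARE_CONTROLS = [
    Control("Offline, tested backups", 0.0, 0.6, implemented=True),
    Control("Endpoint detection and response", 0.3, 0.2, implemented=True),
    Control("MFA on all remote access", 0.5, 0.0, implemented=False),  # planned
]
RISK_APPETITE = 75_000  # constructed annual loss the enterprise will accept


if __name__ == "__main__":
    states = risk_states(RANSOMWARE_LEF, RANSOMWARE_LM, RANSOMWARE_CONTROLS)
    for name, ale in states.items():
        verdict = "within appetite" if within_appetite(ale, RISK_APPETITE) else "exceeds appetite"
        print(f"{name:>8} risk: ALE {ale:>12,.0f}  ({verdict})")
```

The expected values are roughly 306k inherent, 68k current and 34k residual, so only the residual view (planned MFA included) sits comfortably inside the constructed appetite.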
Review Question
Which of the following is the PRIMARY objective of a risk
management program?

A. Maintain residual risk at an acceptable level

B. Implement preventive controls for every threat

C. Remove all identified risk

D. Reduce inherent risk to zero


Review Question
Which of the following is the BEST way to ensure that an accurate risk register is maintained over time?

A. Monitor key risk indicators and record the findings in the risk register.

B. Publish the risk register centrally with workflow features that periodically poll risk assessors.

C. Distribute the risk register to business process owners for review and updating.

D. Use audit personnel to perform regular audits and to maintain the risk register.
Summary
Risk Events
Threat Modeling and Threat Landscape
Vulnerability and Control Deficiency Analysis
Risk Scenario Development
Risk Assessment Concepts, Standards and Frameworks
Risk Register
Risk Analysis Methodologies
Business Impact Analysis
Inherent and Residual Risk
Preparing for Session Three
• Complete session two activities
• Review session three pre-work
• Study and answer session three questions