Book Image

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

By : Shobhit Mehta
5 (1)
Book Image

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

5 (1)
By: Shobhit Mehta

Overview of this book

For beginners and experienced IT risk professionals alike, acing the ISACA CRISC exam is no mean feat, and the application of this advanced skillset in your daily work poses a challenge. The ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is a comprehensive guide to CRISC certification and beyond that’ll help you to approach these daunting challenges with its step-by-step coverage of all aspects of the exam content and develop a highly sought-after skillset in the process. This book is divided into six sections, with each section equipped with everything you need to get to grips with the domains covered in the exam. There’ll be no surprises on exam day – from GRC to ethical risk management, third-party security concerns to the ins and outs of control design, and IDS/IPS to the SDLC, no stone is left unturned in this book’s systematic design covering all the topics so that you can sit for the exam with confidence. What’s more, there are chapter-end self-assessment questions for you to test all that you’ve learned, as well as two book-end practice quizzes to really give you a leg up. By the end of this CRISC exam study guide, you’ll not just have what it takes to breeze through the certification process, but will also be equipped with an invaluable resource to accompany you on your career path.

Related Content you might be interested in

Current Title:

Small book image
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
Shobhit Mehta
Sep, 2023 | 316 pages
Small book image
Information Security Handbook
Darren Death
Oct, 2023 | 370 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Dec, 2022 | 718 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Nov, 2021 | 616 pages
Table of Contents (28 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Governance, Risk, and Compliance and CRISC
Part 1: Governance, Risk, and Compliance and CRISC
Free Chapter
2
Chapter 1: Governance, Risk, and Compliance
Chapter 1: Governance, Risk, and Compliance
Governance, risk, and compliance
GRC for cybersecurity professionals
Importance of GRC for cybersecurity professionals
A primer on cybersecurity domains and the NIST CSF
Importance of IT risk management
Summary
3
Chapter 2: CRISC Practice Areas and the ISACA Mindset
Chapter 2: CRISC Practice Areas and the ISACA Mindset
CRISC exam outline
CRISC job practice areas
CRISC exam structure
CRISC certification requirements
The ISACA mindset
Additional material
Summary
4
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
5
Chapter 3: Organizational Governance, Policies, and Risk Management
Chapter 3: Organizational Governance, Policies, and Risk Management
IT governance and risk
IT risk management
Organizational structure
Organizational culture
Policy documentation
Organizational asset
Summary
Review questions
Answers
6
Chapter 4: The Three Lines of Defense and Cybersecurity
Chapter 4: The Three Lines of Defense and Cybersecurity
The 3LoD model
3LoD and cybersecurity
Critical concepts for risk assessment and management
Risk tolerance versus risk capacity
Risk appetite and business objectives
Summary
Review questions
Answers
7
Chapter 5: Legal Requirements and the Ethics of Risk Management
Chapter 5: Legal Requirements and the Ethics of Risk Management
Major laws for IT risk management
Ethics and risk management
How do ethics affect IT risk?
ISACA Code of Professional Ethics
Summary
Review questions
Answer
8
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
9
Chapter 6: Risk Management Life Cycle
Chapter 6: Risk Management Life Cycle
Comparing risk and IT risk
IT risk management life cycle
Requirements of risk assessment
Issues, events, incidents, and breaches
Correlating events and incidents
Summary
Review questions
Answers
10
Chapter 7: Threat, Vulnerability, and Risk
Chapter 7: Threat, Vulnerability, and Risk
Threat, vulnerability, and risk
The relationship between threats, vulnerabilities, and risk
Understanding threat modeling
Vulnerability analysis
Tools for identifying vulnerabilities
Vulnerability management program
Summary
Review questions
Answers
11
Chapter 8: Risk Assessment Concepts, Standards, and Frameworks
Chapter 8: Risk Assessment Concepts, Standards, and Frameworks
Risk assessment approaches
Risk assessment methodologies
Risk assessment frameworks
Risk assessment techniques
Importance of a risk register
Summary
Review questions
Answers
12
Chapter 9: Business Impact Analysis, and Inherent and Residual Risk
Chapter 9: Business Impact Analysis, and Inherent and Residual Risk
Differentiating between BIA and risk assessment
Key concepts related to BIA
Understanding types of risk
Summary
Review questions
Answers
13
Part 4: Risk Response, Reporting, Monitoring, and Ownership
Part 4: Risk Response, Reporting, Monitoring, and Ownership
14
Chapter 10: Risk Response and Control Ownership
Chapter 10: Risk Response and Control Ownership
Risk response and monitoring
Risk owners and control owners
Risk response strategies
Risk optimization
Summary
Review questions
Answers
15
Chapter 11: Third-Party Risk Management
Chapter 11: Third-Party Risk Management
The need for TPRM
Managing third-party risks
Upstream and downstream third parties
Responding to anomalies
Summary
Review questions
Answers
16
Chapter 12: Control Design and Implementation
Chapter 12: Control Design and Implementation
Control categories
Control design and selection
Control implementation
Control testing and evaluation
Summary
Review questions
Answers
17
Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting
Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting
Log aggregation and analysis
SIEM
Risk and control monitoring
Risk and control reporting
Key indicators
Summary
Review questions
Answers
18
Part 5: Information Technology, Security, and Privacy
Part 5: Information Technology, Security, and Privacy
19
Chapter 14: Enterprise Architecture and Information Technology
Chapter 14: Enterprise Architecture and Information Technology
Enterprise architecture
The CMM framework
Computer networks
Networking devices
Firewalls
Intrusion detection and prevention systems
The Domain Name System
Wireless networks
Virtual private networks
Cloud computing
Summary
Review questions
Answers
20
Chapter 15: Enterprise Resiliency and Data Life Cycle Management
Chapter 15: Enterprise Resiliency and Data Life Cycle Management
Enterprise resiliency
Business continuity and disaster recovery
Recovery objectives
Data classification and labeling
Data life cycle management
Summary
Review questions
Answers
21
Chapter 16: The System Development Life Cycle and Emerging Technologies
Chapter 16: The System Development Life Cycle and Emerging Technologies
Introducing the SDLC
Project risk and SDLC risk
System accreditation and certification
Emerging technologies
Summary
Review questions
Answers
22
Chapter 17: Information Security and Privacy Principles
Chapter 17: Information Security and Privacy Principles
Fundamentals of information security
Access management
Encryption
Hashing
Digital signatures
Certificates
Public key infrastructure
Security awareness training
Principles of data privacy
Comparing data security and data privacy
Summary
Review questions
Answers
23
Part 6: Practice Quizzes
Part 6: Practice Quizzes
24
Chapter 18: Practice Quiz – Part 1
Chapter 18: Practice Quiz – Part 1
25
Chapter 19: Practice Quiz – Part 2
Chapter 19: Practice Quiz – Part 2
26
Index
Index
Why subscribe?
27
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

GRC for cybersecurity professionals

In this section, we’ll learn about cybersecurity, information assurance, and the difference between these two concepts.

Cybersecurity and information assurance

For non-cybersecurity professionals, the word cybersecurity is synonymous with hacking, but in reality, this could not be further from the truth.

There are various ways to look at cybersecurity from an outsider’s view. In the industry, this is often categorized as a red team (attackers), blue team (defenders), and purple team (a combination of the red team and blue team focusing on collaboration and information sharing). For this book, I will take a different approach that is more aligned with the objectives of this book and your understanding when you prepare for the certification.

Firstly, let’s segregate cybersecurity into two major practices: cybersecurity and information assurance.

In the cybersecurity realm, we consider activities such as penetration testing, vulnerability assessments, network monitoring, malware analysis, and all the other practices that require robust technical understanding and knowledge to prevent unauthorized access and disruption to the business.

The second practice, information assurance, is going to be the focus of this book. Information assurance includes activities such as policy and procedure development, risk assessments and management, data analysis, IT audits, compliance with regulatory frameworks, incident management, vulnerability management, vendor management, KPI and KRI reporting and dashboards, and all the other sub-domains that do not require extensive technical understanding. However, these practices do require thorough collaboration across all teams and a strong understanding of the fundamentals of cybersecurity concepts. These activities are important for complying with multiple federal and state regulations as well as to ensure the implementation of compliance with industry-standard practices.

Many organizations tend to completely segregate the cybersecurity and information assurance functions into different verticals altogether, where the communication between different teams and opportunities to collaborate are limited. This leads to security being seen as a gatekeeper and not an enabler.

As security is continuing to shift left – that is, being prioritized more and more in the initial stages of software development and project viability – this distinction is fading and teams using modern security tools collaborate a lot more than just meeting once a month.

As you continue with this book, you will realize that though the CRISC exam covers all concepts of cybersecurity and information assurance, the focus will primarily be on the latter as the entire purpose of the CRISC exam is to help you prepare for the IT risk management of an organization, regardless of its size.

So far, we have learned about GRC, the importance of GRC, and how to differentiate between different verticals of cybersecurity. In the next section, we’ll learn about the importance of GRC for cybersecurity professionals and industry-standard frameworks to implement a GRC program.

Previous Section
End of Section 3
Next Section