Book Image

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

By : Shobhit Mehta
5 (1)
Book Image

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

5 (1)
By: Shobhit Mehta

Overview of this book

For beginners and experienced IT risk professionals alike, acing the ISACA CRISC exam is no mean feat, and the application of this advanced skillset in your daily work poses a challenge. The ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is a comprehensive guide to CRISC certification and beyond that’ll help you to approach these daunting challenges with its step-by-step coverage of all aspects of the exam content and develop a highly sought-after skillset in the process. This book is divided into six sections, with each section equipped with everything you need to get to grips with the domains covered in the exam. There’ll be no surprises on exam day – from GRC to ethical risk management, third-party security concerns to the ins and outs of control design, and IDS/IPS to the SDLC, no stone is left unturned in this book’s systematic design covering all the topics so that you can sit for the exam with confidence. What’s more, there are chapter-end self-assessment questions for you to test all that you’ve learned, as well as two book-end practice quizzes to really give you a leg up. By the end of this CRISC exam study guide, you’ll not just have what it takes to breeze through the certification process, but will also be equipped with an invaluable resource to accompany you on your career path.

Related Content you might be interested in

Current Title:

Small book image
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
Shobhit Mehta
Sep, 2023 | 316 pages
Small book image
Information Security Handbook
Darren Death
Oct, 2023 | 370 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Dec, 2022 | 718 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Nov, 2021 | 616 pages
Table of Contents (28 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Governance, Risk, and Compliance and CRISC
Part 1: Governance, Risk, and Compliance and CRISC
Free Chapter
2
Chapter 1: Governance, Risk, and Compliance
Chapter 1: Governance, Risk, and Compliance
Governance, risk, and compliance
GRC for cybersecurity professionals
Importance of GRC for cybersecurity professionals
A primer on cybersecurity domains and the NIST CSF
Importance of IT risk management
Summary
3
Chapter 2: CRISC Practice Areas and the ISACA Mindset
Chapter 2: CRISC Practice Areas and the ISACA Mindset
CRISC exam outline
CRISC job practice areas
CRISC exam structure
CRISC certification requirements
The ISACA mindset
Additional material
Summary
4
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
5
Chapter 3: Organizational Governance, Policies, and Risk Management
Chapter 3: Organizational Governance, Policies, and Risk Management
IT governance and risk
IT risk management
Organizational structure
Organizational culture
Policy documentation
Organizational asset
Summary
Review questions
Answers
6
Chapter 4: The Three Lines of Defense and Cybersecurity
Chapter 4: The Three Lines of Defense and Cybersecurity
The 3LoD model
3LoD and cybersecurity
Critical concepts for risk assessment and management
Risk tolerance versus risk capacity
Risk appetite and business objectives
Summary
Review questions
Answers
7
Chapter 5: Legal Requirements and the Ethics of Risk Management
Chapter 5: Legal Requirements and the Ethics of Risk Management
Major laws for IT risk management
Ethics and risk management
How do ethics affect IT risk?
ISACA Code of Professional Ethics
Summary
Review questions
Answer
8
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
9
Chapter 6: Risk Management Life Cycle
Chapter 6: Risk Management Life Cycle
Comparing risk and IT risk
IT risk management life cycle
Requirements of risk assessment
Issues, events, incidents, and breaches
Correlating events and incidents
Summary
Review questions
Answers
10
Chapter 7: Threat, Vulnerability, and Risk
Chapter 7: Threat, Vulnerability, and Risk
Threat, vulnerability, and risk
The relationship between threats, vulnerabilities, and risk
Understanding threat modeling
Vulnerability analysis
Tools for identifying vulnerabilities
Vulnerability management program
Summary
Review questions
Answers
11
Chapter 8: Risk Assessment Concepts, Standards, and Frameworks
Chapter 8: Risk Assessment Concepts, Standards, and Frameworks
Risk assessment approaches
Risk assessment methodologies
Risk assessment frameworks
Risk assessment techniques
Importance of a risk register
Summary
Review questions
Answers
12
Chapter 9: Business Impact Analysis, and Inherent and Residual Risk
Chapter 9: Business Impact Analysis, and Inherent and Residual Risk
Differentiating between BIA and risk assessment
Key concepts related to BIA
Understanding types of risk
Summary
Review questions
Answers
13
Part 4: Risk Response, Reporting, Monitoring, and Ownership
Part 4: Risk Response, Reporting, Monitoring, and Ownership
14
Chapter 10: Risk Response and Control Ownership
Chapter 10: Risk Response and Control Ownership
Risk response and monitoring
Risk owners and control owners
Risk response strategies
Risk optimization
Summary
Review questions
Answers
15
Chapter 11: Third-Party Risk Management
Chapter 11: Third-Party Risk Management
The need for TPRM
Managing third-party risks
Upstream and downstream third parties
Responding to anomalies
Summary
Review questions
Answers
16
Chapter 12: Control Design and Implementation
Chapter 12: Control Design and Implementation
Control categories
Control design and selection
Control implementation
Control testing and evaluation
Summary
Review questions
Answers
17
Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting
Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting
Log aggregation and analysis
SIEM
Risk and control monitoring
Risk and control reporting
Key indicators
Summary
Review questions
Answers
18
Part 5: Information Technology, Security, and Privacy
Part 5: Information Technology, Security, and Privacy
19
Chapter 14: Enterprise Architecture and Information Technology
Chapter 14: Enterprise Architecture and Information Technology
Enterprise architecture
The CMM framework
Computer networks
Networking devices
Firewalls
Intrusion detection and prevention systems
The Domain Name System
Wireless networks
Virtual private networks
Cloud computing
Summary
Review questions
Answers
20
Chapter 15: Enterprise Resiliency and Data Life Cycle Management
Chapter 15: Enterprise Resiliency and Data Life Cycle Management
Enterprise resiliency
Business continuity and disaster recovery
Recovery objectives
Data classification and labeling
Data life cycle management
Summary
Review questions
Answers
21
Chapter 16: The System Development Life Cycle and Emerging Technologies
Chapter 16: The System Development Life Cycle and Emerging Technologies
Introducing the SDLC
Project risk and SDLC risk
System accreditation and certification
Emerging technologies
Summary
Review questions
Answers
22
Chapter 17: Information Security and Privacy Principles
Chapter 17: Information Security and Privacy Principles
Fundamentals of information security
Access management
Encryption
Hashing
Digital signatures
Certificates
Public key infrastructure
Security awareness training
Principles of data privacy
Comparing data security and data privacy
Summary
Review questions
Answers
23
Part 6: Practice Quizzes
Part 6: Practice Quizzes
24
Chapter 18: Practice Quiz – Part 1
Chapter 18: Practice Quiz – Part 1
25
Chapter 19: Practice Quiz – Part 2
Chapter 19: Practice Quiz – Part 2
26
Index
Index
Why subscribe?
27
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Importance of GRC for cybersecurity professionals

As mentioned earlier, the lack of an effective GRC program makes it difficult to collaborate across all teams. An effective GRC program is the prerequisite to an effective cybersecurity program.

With the continuously increasing emphasis on privacy in the form of GDPR, CCPA, HIPAA, LGPD, and other state, national, and international regulations, the cybersecurity and information assurance teams can’t work in silos. Compliance with these laws and regulatory requirements requires commitment and tenacity from all functions of the organization.

The following table shows the importance of implementing an overarching GRC framework for an organization in detail:

Non-GRC

Effective GRC

Lack of effective oversight

Effective oversight across all departments

Focus on achieving results only

Achieving results with integrity and ethics

Organizational and functional silos

Integrated decision-making

Lack of visibility

Shared technology, services, and vocabulary

Disjointed strategy

Integrated strategy

Duplication of efforts

Create-once, use-multiple

High costs

Optimized costs

Inefficient efforts

Efficient efforts

Lack of integrity

Culture of integrity

Wasted information

Shared and common knowledge

Fragmented information

Continuous flow of information

Table 1.1 – Importance of a GRC framework

In the next section, we’ll learn about how we can use ISACA COBIT to implement a GRC program and its relationship with ITIL.

Implementing GRC using COBIT

Now that we have a good understanding of GRC and what it entails, it’s important to understand how to translate this knowledge into practice.

ISACA, the certification body of CRISC, also provides a comprehensive framework called Control Objectives for Information and Related Technology (COBIT) to bridge the gap between governance, technical requirements, business objectives and risks, and control requirements.

The latest version of COBIT (COBIT 2019) guidance from ISACA focuses on providing elaborate guidance on managing risk, optimizing resources, and creating value by streamlining all business objectives.

There are four publications under the COBIT 2019 framework:

  • Introduction and Methodology: This is the fundamental document for implementing the COBIT framework that details governance principles, provides key concepts and examples, and lays out the structure of the overall framework, including the COBIT Core Model.
  • Governance and Management Objectives: This publication contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. These are then defined and matched with the relevant processes, enterprise goals, and governance and management practices.
  • Design Guide: Designing an Information and Technology Governance Solution: This publication provides essential guidance on how to put COBIT to practical use while offering perspectives for designing a tailored governance system for an organization.
  • Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution: This document, combined with the COBIT 2019 Design Guide, provides a practical approach to specific governance requirements.

COBIT Core includes 40 governance and management objectives that have defined purposes that are mapped to specific core processes. These objectives are primarily divided into five categories:

  • Evaluate, Direct, and Monitor (EDM): EDM has five objectives that focus on a few specific, governance-related, areas. These include alignment of enterprise and IT strategies, optimization of costs and efficiency, and stakeholder sponsorship.
  • Align, Plan, and Organize (APO): APO’s 14 objectives include managing organizational structure and strategy, budgeting and costs, the HR aspect of IT, vendors, service-level agreements (SLAs), risk optimization, and data management.
  • Build, Acquire, and Implement (BAI): The 11 BAI objectives are focused on managing changes to data and assets while ensuring end user availability and capacity needs are met.
  • Deliver, Service, and Support (DSS): DSS contains six objectives and mostly aligns with the IT domains. DSS is focused on managing operations, problems, incidents, continuity, process controls, and security.
  • Monitor, Evaluate, and Assess (MEA): MEA has four objectives related to creating a monitoring function that ensures compliance for APO, BAI, and DSS. These objectives include managing performance and conformance, internal control, external requirements, and assurance. Notably, MEA differs from EDM by concentrating on the monitoring function from an operational standpoint, whereas EDM monitors from a governance (or top-down) approach.

The following figure shows the five domains and 40 COBIT Core processes:

Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)

Figure 1.2 – COBIT 2019 Core Model (COBIT® 2019 Framework: Governance and Management Objectives ©2019 ISACA. All rights reserved. Used with permission.)

Important note

Detailed guidance on ISACA introduction and methodology is available at no cost to members and non-members on the ISACA website: https://www.isaca.org/resources/cobit.

COBIT and ITIL

This section would not be complete without understanding the relationship between COBIT and ITIL.

ITIL is a framework designed to standardize the selection, planning, delivery, and maintenance of IT services within an enterprise. The goal is to improve efficiency and achieve predictable service delivery.

ITIL and COBIT are both governance frameworks but serve different purposes. ITIL primarily aims to fulfil service management objectives, whereas COBIT is globally recognized for both enterprise governance and IT management.

On their own, each framework is extremely successful in offering custom governance while delivering quality service management. When paired together, however, COBIT and ITIL have the potential to dramatically increase value for customers as well as internal and external stakeholders.

The COBIT framework helps identify what IT should be doing to generate the most value for a business, ITIL prescribes how it should be done to maximize resource utilization within the IT purview. Even though the frameworks are different, they do have multiple touchpoints – for example, from the COBIT domain, BAI, process BAI06 Managed IT Changes is equivalent to ITIL Change Management; process BAI10 Managed Configuration is equivalent to ITIL Configuration Management, and so on.

A major differentiation between COBIT and ITIL is that COBIT covers the entire enterprise, ensuring that governance is achieved, stakeholder value is ensured, and holistic approaches to governing and managing IT are accomplished, whereas ITIL is focused entirely on IT service management. COBIT aims to achieve its objectives through policies, processes, people, information, and culture and organizational structures, services, and applications that are implemented and integrated under a single overarching framework for ease of integration and customization, whereas ITIL provides prescriptive guidance on implementing these objectives.

In the previous section, we learned about the importance of ISACA COBIT for implementing a GRC program and its relationship with ITIL. In the next section, we will learn about multiple cybersecurity domains and the NIST CSF.

Previous Section
End of Section 4
Next Section