4

Information Risk Response

In this chapter, you will learn about the practical aspects of information risk management and explore risk management tools and techniques along with other important concepts from the perspective of the CISM exam.

This chapter will cover the following topics:

  • Risk Treatment/Risk Response Options
  • Risk Ownership and Accountability
  • Risk Monitoring and Communication
  • Implementing Risk Management
  • Change Management
  • Patch Management
  • Operational Risk Management
  • Risk Management Integration with Life Cycle

Risk Treatment/Risk Response Options

The treatment of risk is one of the most important aspects of risk management. Risk treatment is also sometimes referred to as risk response.

The following are the four options for responding to risk.

Risk Mitigation

  • In this approach, efforts are made to reduce the probability of risk or impact resulting from the risk event by designing appropriate controls.
  • The objective of risk mitigation is to reduce the risk to an acceptable level.

Risk Sharing/Transferring

  • In this approach, risk is shared with partners or transferred via insurance coverage, contractual agreement, or other means.

For example, natural disasters have a very low probability of occurring but have a high impact if they do. The response to such a risk should be risk transfer.

Risk Avoidance

  • In this approach, projects or activities that cause risk are avoided.
  • Risk avoidance is the last choice when no other response is adequate.

An example would be terminating a project when business cases show a high risk of failure.

Risk Acceptance

  • In this approach, risk is accepted as it is in accordance with the risk appetite of the organization.
  • Risk is accepted when the cost of controlling the risk is more than the cost of the risk event.

For example, for a few noncritical systems, the cost of antimalware installation is more than the anticipated cost of damage due to any potential malware attack. In such a case, the organization would generally accept the risk as it is.

  • In risk acceptance, no steps are taken to reduce the risk at this time (though the risk is recorded and reassessed at regular intervals to determine if this remains the best course of action).
  • However, organizations need to be very careful when accepting any risk. If a risk is accepted without fully understanding its potential impact, it may result in a higher level of liability.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: Taking out insurance is an example of which risk treatment strategy?
Possible Answer: Risk transfer

Question: What is the most effective way to treat risks such as natural disasters that have a low probability but a high impact level?
Possible Answer: Risk transfer

Question: What are the components of risk treatment (risk response)?
Possible Answer:
  • Risk mitigation
  • Risk acceptance
  • Risk avoidance
  • Risk transfer

Question: What is the main objective of risk response?
Possible Answer: To control the impact

Question: Prioritization of risk response is based on what?
Possible Answer: The likelihood of compromise and the impact on business processes

Figure 4.1: Key aspects from the CISM exam perspective

Note

The answers and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1

  1. As an information security manager, you have requested approval for cyber insurance from senior management. Taking out insurance is an example of:
    1. Risk avoidance
    2. Risk acceptance
    3. Risk transfer
    4. Risk mitigation
  2. The selection of a mitigating control is best decided by:
    1. The senior manager
    2. The business manager
    3. The audit manager
    4. The security manager
  3. An organization has started operations in a country where identity theft is widespread. The best course of action for the organization is to:
    1. Set up monitoring techniques to detect and react to fraud
    2. Make customers liable for the fraud amount
    3. Make customers aware of the possibility of fraud
    4. Outsource the processes to a well-established service provider
  4. The most effective way to mitigate phishing attacks is:
    1. Conducting user awareness training
    2. Email encryption
    3. Developing two-factor authentication
    4. Developing physical controls
  5. The best response for a risk scenario with low probability and high impact, such as a natural disaster, is:
    1. Risk avoidance
    2. Risk acceptance
    3. Risk transfer
    4. Risk mitigation
  6. The best way to mitigate the liability risk arising out of a breach of privacy law is:
    1. To mitigate the impact by purchasing insurance
    2. To implement an application-level firewall
    3. To conduct a business impact analysis
    4. To implement an intrusion prevention system
  7. Risk acceptance is one of the components of:
    1. Risk reporting
    2. Risk treatment
    3. Risk monitoring
    4. Risk assessment
  8. A recommendation for the implementation of information system controls, such as antivirus software, is an example of:
    1. Risk acceptance
    2. Risk mitigation
    3. Risk transfer
    4. Risk avoidance
  9. What, from the following, is the best risk treatment method?
    1. A method that eliminates risk completely
    2. A method that is least costly
    3. A method that addresses the control objectives
    4. A method that reduces risk to the minimum level
  10. The most effective risk treatment when the probability of occurrence of an event is very low, but where the impact can be very high, is:
    1. Accepting the high cost of controlling such an event
    2. Installing detective controls
    3. Avoiding the risk
    4. Transferring the risk to a third party
  11. An area in which the data owner is responsible for risk mitigation is:
    1. Operating system security
    2. User entitlement
    3. Network security
    4. Intrusion detection
  12. The best way to protect confidential information from an insider threat is:
    1. Implementing role-based access control
    2. Capturing transaction logs
    3. Developing a privacy policy
    4. Defense in depth
  13. The most effective way to manage a security program with low funding is to:
    1. Remove security services that address low-risk activities
    2. Accept all remaining risk
    3. Use third-party service providers to manage low-risk activities
    4. Eliminate monitoring and reporting activities

Risk Ownership and Accountability

The following are some important aspects with respect to risk ownership and accountability:

  • For successful risk management, each risk should have assigned ownership and accountability.
  • Risk should be owned by a senior official who has the necessary authority and experience to select the appropriate risk response based on an analysis and any guidance provided by the risk practitioner.
  • Risk owners should also own the associated controls and ensure the effectiveness and adequacy of those controls.
  • Risk should be assigned to an individual employee rather than a group or a department. Allocating accountability to a department rather than a person blurs ownership.
  • Accountability for risk management lies with senior management and the board.
  • Risk ownership is best established by mapping the risk to specific business process owners.
  • Details of the risk owner should be documented in the risk register.
  • The results of risk monitoring should be discussed and communicated with the risk owner as they own the risk and are accountable for maintaining the risk within acceptable levels.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: Who is in the best position to perform a risk analysis for a business process?
Possible Answer: The process owner

Question: Who should be the primary driver to implement new regulatory changes?
Possible Answer: The business process owner

Figure 4.2: Key aspects from the CISM exam perspective

Practice Question Set 2

  1. Which of the following functions is in the best position to conduct a risk analysis for a business process?
    1. The audit team
    2. The legal team
    3. The business process owner
    4. An external consultant
  2. A project for implementing new regulatory requirements should be primarily driven by:
    1. The audit department
    2. The system analyst
    3. The business process owners
    4. The legal department

Risk Monitoring and Communication

Risk monitoring and communication are important elements of risk management. Risk monitoring is an ongoing process that helps to ensure continuous control effectiveness. There should be a structured communication channel for employees to report a risk to management. At the same time, management should provide relevant risk-related information to concerned employees.

Risk Reporting

The results of risk monitoring should be presented to management at regular intervals. These results should be meaningful to the recipient and be presented in a simple manner without the excessive use of technical terms. Red (high-risk), amber (medium-risk), and green (low-risk) reporting help management understand the risk posture of the organization.

A risk analysis should also include details about potential impact as it will help determine the extent of the risk mitigation measures required.

Key Risk Indicators

A risk indicator is a measure used by an organization to determine the level of current risk for an activity. This helps the organization monitor the risk level and receive alerts if a risk approaches an unacceptable level.

Thus, the objective of key risk indicators is to flag an exception as and when it occurs. This provides an opportunity for the organization to respond to the risk before damage is caused. Examples of key risk indicators are as follows:

  • Amount of unauthorized software detected in an audit
  • Hours of system downtime
  • Number of systems without antivirus software

Take the example of system downtime. The threshold (maximum limit) for key risk indicators can be set as follows:

Description                               Risk Indicator
System downtime less than 5 hours         Acceptable
System downtime between 5 and 10 hours    Close monitoring
System downtime more than 10 hours        Unacceptable

Figure 4.3: Example of a risk indicator
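The following is an added example, not code from the book: it applies the Figure 4.3 downtime thresholds as a key risk indicator over a constructed outage log and reports each system in the red/amber/green scheme described under Risk Reporting. System names, dates and the log format are all constructed for the example.

```python
"""Key risk indicator (KRI) check for system downtime.

Thresholds come from Figure 4.3 (hours of downtime per reporting period):
  less than 5 hours       -> Acceptable       (green)
  between 5 and 10 hours  -> Close monitoring (amber)
  more than 10 hours      -> Unacceptable     (red)
"""
from collections import defaultdict
from datetime import datetime

ACCEPTABLE_MAX_HOURS = 5.0         # below this: Acceptable
CLOSE_MONITORING_MAX_HOURS = 10.0  # up to this: Close monitoring; above: Unacceptable

# Constructed sample outage log (hypothetical systems): "system,start,end" in ISO 8601.
SAMPLE_OUTAGE_LOG = """\
payroll-db,2024-03-02T01:00,2024-03-02T03:30
payroll-db,2024-03-15T22:00,2024-03-16T00:00
web-portal,2024-03-04T08:00,2024-03-04T14:30
web-portal,2024-03-20T09:00,2024-03-20T10:45
mail-gw,2024-03-01T00:00,2024-03-01T12:15
"""


def parse_outages(text):
    """Yield (system, downtime_hours) for each record in the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        system, start, end = line.split(",")
        delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        yield system, delta.total_seconds() / 3600.0


def downtime_per_system(text):
    """Total downtime hours per system for the reporting period."""
    totals = defaultdict(float)
    for system, hours in parse_outages(text):
        totals[system] += hours
    return dict(totals)


def classify_downtime(hours):
    """Map total downtime to the Figure 4.3 band and its RAG colour."""
    if hours < ACCEPTABLE_MAX_HOURS:
        return "Acceptable", "green"
    if hours <= CLOSE_MONITORING_MAX_HOURS:
        return "Close monitoring", "amber"
    return "Unacceptable", "red"


def kri_report(text):
    """Return {system: (hours, band, colour)} for management reporting."""
    return {system: (round(hours, 2),) + classify_downtime(hours)
            for system, hours in downtime_per_system(text).items()}


def systems_needing_escalation(text):
    """Systems at or beyond the close-monitoring threshold, i.e. amber or red."""
    return sorted(s for s, (_, _, colour) in kri_report(text).items()
                  if colour in ("amber", "red"))


if __name__ == "__main__":
    for system, (hours, band, colour) in sorted(kri_report(SAMPLE_OUTAGE_LOG).items()):
        print(f"{system:12} {hours:6.2f} h  {band:17} [{colour}]")
    print("escalate:", systems_needing_escalation(SAMPLE_OUTAGE_LOG))
```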

Reporting Significant Changes in Risk

As business processes and technology go through changes, the risk environment also changes, and new types of threats can emerge. No system can be considered perpetually secure. This indicates that risk assessments should be done at regular intervals to address emerging risks. The main benefit of performing a risk assessment on a consistent basis is that it helps to understand trends in risk factors.

The prime objective of periodically analyzing the gap between existing controls and control objectives is to address the change in exposure. Changes in exposure or the business environment may require the implementation of additional controls.

Reporting a change in risk profile to management is the responsibility of the security manager. A security manager should present to management the status of the organization's updated risk profile at regular intervals. Management should also be updated about any significant events or incidents impacting the organization.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: What is the objective of periodically analyzing the gap between controls and control objectives?
Possible Answer: To address changes in exposure or the business environment (changes in either may require additional controls).

Question: What is the primary goal of a risk management program?
Possible Answer: To support the achievement of business objectives.

Question: Why should risk be assessed periodically?
Possible Answer: Risk should be reassessed periodically because risk changes over time.

Figure 4.4: Key aspects from the CISM exam perspective

Practice Question Set 3

  1. As an information security manager, you have been instructed by senior management to include the potential impact in any risk analysis presented to them. The most likely reason for this is:
    1. The potential impact helps to determine risk treatment options
    2. The potential impact indicates the cost of the assets
    3. The potential impact affects the extent of mitigation
    4. The potential impact helps determine the probability of occurrence of a risk event
  2. As a newly appointed information security manager, you are required to identify new threats. Your first step should be:
    1. Conducting frequent reviews of risk factors
    2. Developing different security risk scenarios
    3. Understanding the business objectives and the flow and classification of information
    4. Reviewing post-incident reports prepared by IT
  3. As an information security manager, you are evaluating the use of cloud services for the storage of an organization's data. An area of major concern for the use of cloud services is:
    1. Increase in cost
    2. Difficulty in the identification of the source of business transactions
    3. Increase in risk scenarios
    4. Increase in the chance of being hit by attackers
  4. An area of major concern for the use of mobile devices is:
    1. High network connectivity issues
    2. High cost of battery recharge
    3. Unstructured operating system standardization
    4. Probability of mobile devices being lost or stolen easily
  5. A security manager received a request to approve an exception to the security standard for a proposed system change. What should their first course of action be?
    1. Calculating the risk
    2. Mandating the security standard
    3. Suggesting a new design for the system change
    4. Implementing new controls
  6. A security manager noted exceptions to a set of standards that result in significant risk. What should the first course of action for the security manager be?
    1. Updating the standard to approve the exceptions
    2. Designing new guidelines to address the risk
    3. Advising management of the risk and its potential impact
    4. Benchmarking standards with industry practices
  7. The security policy of an organization mandates the encryption of data that is sent to an external party. However, a regulatory body insists that unencrypted data is shared with them. What should the security manager do?
    1. Train the regulatory body's employees on the encryption process
    2. Send the data with encryption to the regulatory body
    3. Define an exception process for sending the data without encryption
    4. Tell the regulator that unencrypted data will not be shared
  8. Residual risk should be determined:
    1. When determining the results of the implementation of controls
    2. At the time of classification of assets
    3. At the time of identification of new risk
    4. At the time of valuation of the assets
  9. The results of a risk analysis can be best used for:
    1. Preparation of a business impact analysis
    2. Preparation of a list of action items to mitigate the risk
    3. Assigning the risk to the process owner
    4. Quantification of the overall risk
  10. A security manager received a request to approve an exception to a security standard for a proposed system change. What is their best course of action?
    1. To understand the risk due to noncompliance and recommend an alternate control
    2. To reject the approval and insist on compliance with the security policy
    3. To update the security policy and allow for the exception
    4. To provide training to the business manager on the importance of security compliance
  11. The effectiveness of a risk assessment can be best measured by:
    1. Resource utilization and the cost of the risk assessment
    2. The sensitivity of new risks discovered
    3. The collective impact of identified risks
    4. The percentage of incidents from unknown risks
  12. A security manager notices that risk management activities are inconsistent throughout the organization. What should their first course of action be?
    1. Escalate the issue to senior management
    2. Review compliance with the standards and policies
    3. Ensure a stringent penalty for noncompliance
    4. Ensure stringent enforcement
  13. A continuous monitoring tool has flagged noncompliance. What should the security manager's first course of action be?
    1. To validate the noncompliance
    2. To report noncompliance to senior management
    3. To include noncompliance in the risk register
    4. To compare the noncompliance with the key risk indicator threshold
  14. An organization uses electronic swipe cards for physical access. The security manager has requested access to physical access data. What is the primary reason for asking for this data?
    1. To ensure that employees are attending the office on time
    2. To determine the correctness of wage payment
    3. To compare logical access and physical access for deviations
    4. To determine the operating effectiveness of the physical access control system
  15. The risk of disruption due to distributed denial of service (DDoS) can be classified as:
    1. Aggregate risk
    2. Systemic risk
    3. Residual risk
    4. Operational risk
  16. The most effective way to address an insider security threat is:
    1. Penetration testing
    2. Network address translation
    3. Background checks for prospective employees
    4. A security awareness program
  17. Legal and regulatory requirements should be considered:
    1. As per the security policy
    2. As per business decisions
    3. As per budget availability
    4. In line with mandatory compliance
  18. Which is the area of most concern for a security manager reviewing the parameters for the acquisition of a new system?
    1. The functionality of the new system may not support business processes
    2. Existing staff may not be able to provide ongoing support for the new system
    3. The new system may affect the security or operations of other systems
    4. The time required to install and implement the new system
  19. A security manager has been advised by an enforcement agency about their organization being the target of a group of hackers. What should the security manager's first step be?
    1. Conducting a detailed review of the organization's exposure to the attack
    2. Conducting awareness training for all staff members
    3. Immediately informing top management about the elevated risk
    4. Consulting experts to improve the security posture of the organization

Implementing Risk Management

The implementation of a risk management program is important for ensuring effective and efficient governance, risk management, and compliance (GRC). A security manager should identify the existing risk management activities and try to integrate them for optimum utilization of resources. The integration of risk management activities helps to prevent duplication of efforts and minimize gaps in assurance functions.

Risk Management Process

The implementation of a risk management program in a structured manner helps to achieve maximum efficiency and effectiveness with minimum effort. It is recommended to implement the program as per the following sequence:

Step 1: Determine the scope and boundaries of the program.

Step 2: Determine the assets and processes that need to be protected.

Step 3: Conduct a risk assessment by identifying risk, analyzing the level of risk based on impact, and evaluating whether the risk meets the criteria for acceptance.

Step 4: Determine the risk treatment options for risks that are above the acceptable level. Risk treatment can come in any of the following forms:

  • Mitigating the risk by implementing additional controls
  • Accepting the risk (generally, this option is selected when the impact is low and the cost of treatment exceeds the impact)
  • Avoiding the risk (generally, this option is selected when a feasibility study or a business case does not indicate positive results)
  • Transferring the risk to third parties, such as insurance companies (generally, this option is selected for low-probability risks that have a high impact, such as a natural disaster)

An appropriate risk treatment method is one that helps to achieve the control objectives in an efficient manner.

Step 5: Determine the acceptability of the residual risk (that is, the risk remaining after treatment) against the acceptance criteria set by management.

Step 6: Monitor the risk on a continuous basis and develop an appropriate procedure to report the results of the risk monitoring to management.

During all the mentioned steps, it is equally important to share the relevant information about risk management activities with the concerned stakeholders. An effective communication process improves the entire risk management process.

Effective risk management requires participation, support, and acceptance by all relevant members of the organization, starting with senior management. Employees must understand their responsibilities and be able to perform their required roles.

Risk controls are considered sufficient when the residual risk is less than or equal to the acceptable risk.

Integrating Risk Management into Business Processes

For effective risk management, it should be ensured that risk management processes are integrated with business processes. The best way to implement this is to conduct a workflow analysis and understand each process's vulnerabilities and then build relevant controls within those processes.

Prioritization of Risk Response

It may not be feasible for an organization to address all risks. In such cases, risk should be prioritized based on its criticality. High-level risks should be addressed first. Prioritization of treatment options will be the most effective if based on the likelihood of compromise and its impact on the business.

Defining a Risk Management Framework

A framework is a structure or outline that supports the implementation of any program. Frameworks are flexible structures that any organization can adopt as per their environment and requirements. Many standards and guidelines on best practices are available for the effective management of IT risks, such as the following:

  • COBIT
  • ISO 31000 on Enterprise Risk Management
  • ISO 27001 on Information Security Management System

Generally, all the preceding frameworks/standards have the following requirements:

  • Availability of documented policy that defines the objectives of the program
  • Availability of documented roles and responsibilities for the implementation of the program
  • Commitment from senior management to review the program at frequent intervals
  • Availability of procedure documents
  • Availability of adequate records to satisfy an independent audit

By defining the risk management framework, the basic parameters for managing risks are established. Basic parameters include criteria for acceptable risk, the objective of controls, and processes to monitor the effectiveness of those controls. Frameworks help to achieve the following objectives:

  • Having a common understanding of organizational objectives
  • Developing a set of criteria for the measurement of risks
  • Developing a structured process for the identification of risk and assessment of the level of risk
  • Integration of different assurance functions

Defining the External and Internal Environment

When designing a risk management program, the requirements of the stakeholders should be considered. Stakeholders can be either external or internal. The external context includes laws and regulations, social and cultural conditions, the risk from competitors, and the financial and political environment. It also includes consideration of threats and opportunities generated from external sources.

The internal context includes management requirements, the organization's structure and culture, goals and objectives, and the organization's strengths and weaknesses.

Determining the Risk Management Context

The risk management context refers to the scope and applicability of risk management activities. It defines the environment in which risk management will operate. It is very important for a security manager to understand the risk management context. It is generally determined by the culture of the organization in terms of risk averseness or risk aggressiveness.

Gap Analysis

A gap analysis is the process used to determine the gap between the existing level of risk management and the desired state. Based on the desired state, control objectives are defined. The objective of a gap analysis is to identify whether the control objectives are being achieved through the risk management process.

Periodically determining the gap between actual controls and their objectives should be routine practice. A gap analysis is generally done by determining the effectiveness of controls through control testing. If a gap is identified, then controls may need to be modified or redesigned to improve their effectiveness.

Cost-Benefit Analysis

The most important factor in the selection of controls is the cost-benefit balance. The implemented controls should be effective (that is, able to address the risk) as well as efficient (providing the most benefit compared to the costs incurred).

A cost-benefit analysis is performed to ensure that the cost of a control does not exceed its benefit and that the best control is implemented for the given cost. A cost-benefit analysis helps to justify the implementation of a specific control measure.
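The following is an added example, not code from the book, that turns Steps 4 and 5 of the risk management process and the cost-benefit rule above into a single decision routine: a control is a candidate only if it brings residual risk to the acceptable level and its cost does not exceed the expected loss it removes; with no such control, the routine falls back to the book's heuristics for acceptance, transfer and avoidance. All probabilities, impacts, control costs and the acceptable-loss figure are constructed sample values.

```python
"""Risk treatment selection for one risk register entry.

Decision rules taken from the chapter:
  - expected loss already within the acceptable level  -> accept
  - an effective (residual <= acceptable) and efficient
    (cost <= loss removed) control exists              -> mitigate with the
                                                          best net-benefit control
  - low probability, high impact, no justified control  -> transfer (e.g. insurance)
  - none of the above                                   -> avoid (last resort)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual likelihood of the event, 0..1
    impact: float       # loss per event, currency units

    def expected_loss(self):
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_probability: float  # likelihood once the control is in place
    residual_impact: float       # loss per event once the control is in place

    def residual_loss(self):
        return self.residual_probability * self.residual_impact


def net_benefit(risk, control):
    """Expected loss removed by the control minus what the control costs."""
    return risk.expected_loss() - control.residual_loss() - control.annual_cost


def recommend_treatment(risk, controls, acceptable_loss,
                        low_probability=0.05, high_impact=1_000_000):
    """Return (option, control name or None, residual expected loss)."""
    if risk.expected_loss() <= acceptable_loss:
        # Within appetite: accept, record it, and reassess periodically.
        return "accept", None, risk.expected_loss()
    # Effective: reaches the acceptable level. Efficient: cost-justified.
    candidates = [c for c in controls
                  if c.residual_loss() <= acceptable_loss
                  and net_benefit(risk, c) >= 0]
    if candidates:
        best = max(candidates, key=lambda c: net_benefit(risk, c))
        return "mitigate", best.name, best.residual_loss()
    if risk.probability <= low_probability and risk.impact >= high_impact:
        return "transfer", None, risk.expected_loss()
    return "avoid", None, risk.expected_loss()


# Constructed sample entries (hypothetical figures).
ACCEPTABLE_LOSS = 10_000
RANSOMWARE = Risk("ransomware on file server", 0.3, 200_000)
RANSOMWARE_CONTROLS = [
    Control("offline backups + endpoint detection", 25_000, 0.1, 50_000),
    Control("fully redundant hot site", 80_000, 0.05, 20_000),
]
FLOOD = Risk("flood at data centre", 0.01, 5_000_000)
FLOOD_CONTROLS = [Control("relocate data centre", 2_000_000, 0.0, 0.0)]
KIOSK_MALWARE = Risk("malware on noncritical kiosk", 0.2, 2_000)
KIOSK_CONTROLS = [Control("antimalware licence", 5_000, 0.02, 2_000)]
FAILING_PROJECT = Risk("project with high failure risk", 0.6, 300_000)
PROJECT_CONTROLS = [Control("redesign with extra QA", 200_000, 0.1, 300_000)]


def sample_decisions():
    """Run the four constructed entries through the decision routine."""
    return {
        r.name: recommend_treatment(r, cs, ACCEPTABLE_LOSS)
        for r, cs in [(RANSOMWARE, RANSOMWARE_CONTROLS), (FLOOD, FLOOD_CONTROLS),
                      (KIOSK_MALWARE, KIOSK_CONTROLS),
                      (FAILING_PROJECT, PROJECT_CONTROLS)]
    }


if __name__ == "__main__":
    for name, (option, control, residual) in sample_decisions().items():
        print(f"{name:34} -> {option:8} {control or '-':40} residual {residual:,.0f}")
```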

Other Kinds of Organizational Support

An organization can rely on the services of external service providers to understand the current threat landscape and identify industry-level best practices. These services draw on the expertise of the service providers and help improve the security posture of the organization. Some widely used services are as follows:

  • Organizations such as ISACA, NIST, (ISC)², and SANS often publish best practices and other industry-wide data, which can be used to determine and evaluate a security program.
  • Many organizations sponsor security-related roundtables to discuss topics of common interest. This helps to accumulate knowledge from experts in the industry.
  • Various organizations sponsor research and studies linked to security-related aspects.
  • Many institutes are involved in training related to security aspects, such as vulnerability assessment, penetration testing, secure coding, and end user awareness.
  • Many organizations release a list of current vulnerabilities impacting specific technology. This can be either a free service or a subscription-based service. External vulnerability sources are the most cost-effective methods of identifying new vendor vulnerabilities.

Information security is an ever-evolving subject, and a security manager should keep themselves updated through the preceding sources.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: What is the prime objective of an acceptable usage policy?
Possible Answer: To reduce the risk of data leakage

Question: In which phase of system development should risk assessment be initiated?
Possible Answer: The feasibility phase (risk should be addressed as early as possible in the development cycle)

Question: Which factor influences the selection of controls the most?
Possible Answer: A cost-benefit balance

Question: What is the objective of a cost-benefit analysis?
Possible Answer: A cost-benefit analysis is performed to ensure that the cost of a control does not exceed its benefit and that the best control is implemented for the given cost.

Question: What is the prime objective of a gap analysis?
Possible Answer: To measure the current state vis-à-vis the desired state

Question: What is the most effective way to mitigate the risk of phishing?
Possible Answer: User awareness

Question: What is the prime objective of a risk management program?
Possible Answer: To reduce the risk to an acceptable level

Question: What is the most effective method to address insider threats to confidential information?
Possible Answer: Implementing role-based access controls

Question: What is the objective of segmenting sensitive data?
Possible Answer: To reduce the exposure of sensitive data
Reducing exposure reduces the likelihood of a vulnerability being exploited.

Question: What is the objective of an indemnity clause?
Possible Answer: To reduce the financial impact on the organization
An indemnity clause helps the organization claim financial loss from a service provider if a loss is suffered due to an act of the said service provider.
Indemnity clauses can transfer operational risk and financial impacts. However, legal responsibility for the consequences of a compromise generally remains with the original organization.

Question: Which type of analysis is used to determine the prioritization of actions in a business continuity plan (BCP)?
Possible Answer: Business impact analysis

Question: What is the objective of a network vulnerability assessment?
Possible Answer: To identify misconfigurations and missing updates

Question: In what scenario is policy exception generally allowed?
Possible Answer: When the risk is justified by the benefit

Question: Which of the following is the best resolution when a security standard is in conflict with a business objective?
Possible Answer: To perform a risk analysis and decide, based on the cost-to-benefit ratio, whether an exception to the standard is to be allowed

Question: What is the objective of integrating different assurance functions?
Possible Answer: To achieve cost-effective risk mitigation across the organization

Figure 4.5: Key aspects from the CISM exam perspective

Practice Question Set 4

  1. Which of the following is the best method to reduce the risk of data leakage?
    1. Availability of backup procedures
    2. Availability of data integrity checks
    3. Availability of an acceptable usage policy
    4. Availability of an incident management process
  2. As an information security manager, you are required to implement controls and countermeasures. Your most important consideration should be:
    1. Reducing IT risk
    2. Cost-benefit balance
    3. Resource utilization
    4. A count of assets protected
  3. Which of the following is the most important objective of a gap analysis?
    1. To evaluate the business impact analysis
    2. To design a balanced scorecard
    3. To determine the overall cost of controls
    4. To measure the current state of control versus the desired future state
  4. The main objective of including an indemnity clause in a service-level agreement is:
    1. To decrease the probability of an incident
    2. To limit the impact on the organization
    3. To comply with regulatory requirements
    4. To improve performance
  5. The best method to evaluate and select a control when there is a budget constraint is:
    1. A business impact analysis
    2. A risk analysis
    3. A cost-benefit analysis
    4. A vulnerability analysis
  6. Which of the following is the most effective technique to determine whether a specific risk reduction control should be implemented?
    1. A cost-benefit analysis
    2. A vulnerability analysis
    3. Penetration testing
    4. Expected annual loss
  7. The first step in establishing a data leakage program is to:
    1. Create user awareness training
    2. Develop an information classification program
    3. Design a network control
    4. Develop a physical control
  8. The prime objective of segmenting a critical database is:
    1. To reduce the threat
    2. To reduce the sensitivity
    3. To reduce the criticality
    4. To reduce the exposure
  9. The main objective of implementing security aspects during the first stage of a project's life cycle is:
    1. To minimize the cost of security
    2. To determine the project's feasibility
    3. To obtain budget approval
    4. To classify the project
  10. An information security manager notices that due to slow biometric response and a large number of employees, a substantial amount of time is wasted in gaining access to the building. This has also increased instances of piggybacking. What is the security manager's best course of action?
    1. To replace the biometric system with one that has a better response time
    2. To escalate the issue to management
    3. To discontinue the use of the biometric access system
    4. To ensure strict enforcement
  11. In a BCP, the prioritization of action is primarily dependent on:
    1. A business impact analysis
    2. A risk analysis
    3. A threat analysis
    4. A vulnerability assessment
  12. What is the primary objective of periodic analysis of the gap between the control and the control objectives?
    1. To reduce the count of audit findings
    2. To address any change in exposure
    3. To utilize the security budget
    4. To comply with the regulatory requirements
  13. The results of a risk management process are used for:
    1. Changing business objectives
    2. Updating audit charters
    3. Making security policy decisions
    4. Updating SDLC processes
  14. What is the best way to determine the most critical factor among confidentiality, integrity, and availability?
    1. On the basis of the threat applicable to each factor
    2. Confidentiality should always be given preference
    3. On the basis of the risk applicable to each factor
    4. All three factors should be treated equally
  15. What is the prime objective of a cost-benefit analysis before the implementation of a control?
    1. It helps to adhere to the budget
    2. It is a mandatory requirement set by senior management
    3. It helps to determine the conducting industry benchmark
    4. It ensures that costs are justified by a reduction in risk
  16. The best quantitative indicator of an enterprise's current risk appetite is:
    1. A count of the incidents and subsequent mitigation efforts
    2. Layers of implemented controls
    3. The level of security requirements in policy and standards
    4. The ratio of cost-to-insurance coverage for business interruption protection
  17. An organization has two servers that have similar content. However, only one of the servers is hardened. The most probable reason for this choice is:
    1. The second server is only a backup server
    2. The second server supports noncritical functions
    3. The second server is placed where there is no exposure
    4. The second server is monitored on a continuous basis
  18. The first step for integrating risk management practices into business processes is:
    1. A workflow analysis
    2. A threat analysis
    3. A hierarchy analysis
    4. A business impact analysis
  19. An indemnity clause in a service agreement:
    1. Addresses the legal as well as the financial liability of the organization
    2. Is preferable to purchasing insurance
    3. Addresses the reputational risk of the organization
    4. Addresses the financial liability but leaves the legal and reputational risks generally unchanged
  20. The most important outcome of a risk management program is:
    1. Continuous monitoring of vulnerabilities
    2. Continuous monitoring of threats
    3. Determining the implementation of control objectives
    4. Decreasing the number of incidents impacting the organization
  21. The effective protection of information assets strongly supports:
    1. The data workflow
    2. The data classification policy
    3. The security culture
    4. A business-oriented risk policy
  22. The best measure of the effectiveness of risk management is:
    1. The number of incidents not detected by the security team
    2. The number of security audits
    3. The number of vulnerabilities not mitigated by the security team
    4. The number of security incidents causing significant financial loss or business disruptions

Change Management

A change management process is used to change hardware, install software, and configure various network devices. This process includes approval, testing, scheduling, and rollback arrangements.

Any changes to the system or the process are likely to introduce new vulnerabilities. Hence, it is critical for a security manager to identify and address new risks.

Objectives of Change Management

The main objective of change management is to support the processing and traceability of changes made to a system. Change management ensures that any modification or updating of the system is carried out in a controlled manner.

Approval from the System Owner

A security manager should also ensure a structured change management process. While implementing a change, all relevant personnel should be kept informed, and specific approval should be obtained from the relevant information asset owners.

Regression Testing

Regression testing is a part of change management. The objective of regression testing is to prevent the introduction of new security exposures when making modifications. Thus, change management is the best way to ensure that modifications made to systems do not introduce new security exposures. System users are in the best position to conduct user acceptance testing and determine whether any new vulnerabilities have been introduced during the change management process.

Involvement of the Security Team

For effective change management, it is important that the security team be apprised of every major change. It is recommended to include representation from the security team on the change control board. This will ensure that security aspects are considered for any change.

Preventive Controls

Change management is considered a preventive control as it requires all change requests to pass through formal approval, documentation, and testing via a supervisory process.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: What is the prime objective of change management?
Possible answer: To ensure that only authorized changes are carried out, and that modifications made to the system do not introduce new security exposures.

Question: What is the best way to reduce the risk arising from modifications of a system?
Possible answer: Implementing a change management process.

Question: Is change management a preventive, detective, or corrective control?
Possible answer: A preventive control.

Figure 4.6: Key aspects from the CISM exam perspective

Practice Question Set 5

  1. As an information security manager, you are concerned about new security exposures when modifying the system. The most effective method to address this is:
    1. Load testing
    2. Patch management
    3. Change management
    4. Security baseline
  2. The most effective method to prevent a weakness from being introduced into an existing system is:
    1. Antimalware software
    2. Patch management
    3. Change management
    4. A firewall
  3. Who is in the best position to determine that a new vulnerability has not been introduced during the change management process?
    1. An internal auditor
    2. A system user
    3. A system administrator
    4. A data security manager
  4. What is the most effective method to evaluate a security risk while modifying applications?
    1. Incident management process
    2. Problem handling process
    3. Change control process
    4. System benchmarking
  5. What is the most important aspect of a change management process?
    1. The change management process should be handled by the information security team
    2. The change management process should be monitored by the steering committee
    3. The change management process should be a part of release and configuration management
    4. The change management process should include mandatory involvement of the information security department
  6. Which type of control is a change management process?
    1. Compensating control
    2. Corrective control
    3. Preventive control
    4. Deterrent control
  7. For an emergency change, which of the following steps can be bypassed?
    1. Detailed documentation
    2. Impact analysis
    3. Scheduling
    4. Authorization
  8. Production risk is primarily addressed by:
    1. Audit management
    2. Release management
    3. Change management
    4. Configuration management
  9. Why is it important to get approval from the security manager for implementing any major changes?
    1. To ensure that changes comply with the business objectives
    2. To ensure that any risks arising from the proposed changes are managed
    3. To ensure that rollback arrangements are incorporated
    4. To ensure adherence to budget
  10. Disruptions to the production system can be most effectively prevented by:
    1. A structured patch management process
    2. A structured security baseline
    3. A structured antimalware system
    4. A structured change management system
  11. An organization's change management process includes threat and vulnerability assessments. The primary reason for this is:
    1. To reduce the requirement for periodic full risk assessments
    2. To reduce the expenses of risk management activities
    3. To change policies to address new risks
    4. To adhere to legal requirements
  12. What is an area of major concern with respect to security risks for an organization with multiple locations?
    1. System operational guidelines are not monitored
    2. Poor change management procedures
    3. Outsourcing of application development
    4. Poor capacity management procedures
  13. The main objective of including a threat and vulnerability assessment in a change management process is:
    1. To reduce the requirement for periodic full risk assessments
    2. To ensure that risk assessment is cost effective
    3. To ensure that changes are approved by the information security team
    4. To ensure legal compliance

Patch Management

Patch management is the process of updating operating systems and other software to correct errors or enhance performance.

A well-defined and structured patch management process helps to address new vulnerabilities related to operating systems. The timely update of patches helps to secure operating systems and applications.

Patches are generally applied to operating systems, applications, and network software. They help fix vulnerabilities in the system.

Patches should be applied through a structured change management process that includes approval, testing, user acceptance testing, and proper documentation. The testing of a patch prior to implementation is of utmost importance. Deploying untested patches may cause the system to fail. Furthermore, appropriate rollback procedures should be in place in case of unexpected failure.
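The following is an added audit check (my example, not the book's) for the approval, testing, and rollback requirements just described: it starts from the patch log, that is, from what was actually applied, and traces each entry back to its change request. The record formats, host names, and patch identifiers are constructed for the example.

```python
"""Trace patch log entries back to change control records.

Added example, not from the book. The record formats are constructed for this
example: a patch log as a list of dicts (host, patch_id, applied_at) and a list
of ChangeRequest records, one per patch the change process authorised.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional


@dataclass
class ChangeRequest:
    """One change control record for a patch (constructed format)."""
    change_id: str
    patch_id: str
    approved_by: Optional[str]        # None means approval was never recorded
    approved_at: Optional[datetime]
    tested: bool                      # tested before deployment
    rollback_plan: bool               # rollback arrangement documented


@dataclass
class Finding:
    host: str
    patch_id: str
    issue: str


def reconcile(patch_log: Iterable[dict],
              change_requests: Iterable[ChangeRequest]) -> List[Finding]:
    """Start from what was applied (the patch log) and trace each entry to its
    change request, flagging each gap in the process: no record, no approval,
    applied before approval, untested, or no rollback arrangement.

    Going the other way (change requests to log) would only show approved
    patches that were never applied, which is a different question.
    """
    by_patch: Dict[str, ChangeRequest] = {cr.patch_id: cr for cr in change_requests}
    findings: List[Finding] = []
    for entry in patch_log:
        host, patch_id = entry["host"], entry["patch_id"]
        cr = by_patch.get(patch_id)
        if cr is None:
            findings.append(Finding(host, patch_id, "no change request on record"))
            continue  # nothing further can be checked without a record
        if cr.approved_by is None or cr.approved_at is None:
            findings.append(Finding(host, patch_id, f"{cr.change_id}: change request not approved"))
        elif entry["applied_at"] < cr.approved_at:
            findings.append(Finding(host, patch_id, f"{cr.change_id}: applied before approval"))
        if not cr.tested:
            findings.append(Finding(host, patch_id, f"{cr.change_id}: not tested before deployment"))
        if not cr.rollback_plan:
            findings.append(Finding(host, patch_id, f"{cr.change_id}: no rollback arrangement documented"))
    return findings


def hosts_with_findings(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group issues by host for the audit report."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        report.setdefault(f.host, []).append(f.issue)
    return report


# Constructed sample data: placeholder hosts and patch ids, not real ones.
CHANGE_REQUESTS = [
    ChangeRequest("CHG-1001", "KB-EXAMPLE-001", "asset.owner", datetime(2024, 3, 1, 9, 0), True, True),
    ChangeRequest("CHG-1002", "KB-EXAMPLE-002", None, None, False, False),
    ChangeRequest("CHG-1003", "KB-EXAMPLE-003", "asset.owner", datetime(2024, 3, 5, 9, 0), True, False),
]
PATCH_LOG = [
    {"host": "srv-01", "patch_id": "KB-EXAMPLE-001", "applied_at": datetime(2024, 3, 2, 1, 0)},  # clean
    {"host": "srv-02", "patch_id": "KB-EXAMPLE-002", "applied_at": datetime(2024, 3, 2, 1, 0)},  # unapproved
    {"host": "srv-03", "patch_id": "KB-EXAMPLE-003", "applied_at": datetime(2024, 3, 4, 1, 0)},  # early
    {"host": "srv-04", "patch_id": "KB-EXAMPLE-009", "applied_at": datetime(2024, 3, 4, 1, 0)},  # no record
]

if __name__ == "__main__":
    report = hosts_with_findings(reconcile(PATCH_LOG, CHANGE_REQUESTS))
    for host, issues in sorted(report.items()):
        print(host, "->", "; ".join(issues))
```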

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: What is the best way to ensure that newly identified security weaknesses in an operating system are mitigated in a timely manner?
Possible answer: Patch management.

Question: What is the first step when an organization receives a patch update?
Possible answer: To validate the authenticity of the patch.

Question: What is the correct frequency for a patch update?
Possible answer: Whenever important security patches are released. However, all patches should be tested first.

Figure 4.7: Key aspects from the CISM exam perspective

Practice Question Set 6

  1. What is the best method to determine whether all patch updates have gone through the proper change control process?
    1. Verifying the change control request and tracing it to the patch logs
    2. Verifying whether the last patch was properly documented and verified
    3. Verifying the patch logs and tracing them to the change control request
    4. Verifying whether the last change control request was properly documented
  2. An area of major concern for an enterprise resource planning (ERP) system is:
    1. User logs not being reviewed at regular intervals
    2. Only a single switch being used for routing network traffic
    3. Operating system security patches not being applied
    4. Vendor default ERP settings have not been changed
  3. The most important factor to be considered while implementing a patch management procedure is:
    1. Testing of a patch prior to deployment
    2. Technical expertise of the responsible team
    3. Automated procedure for deployment
    4. Adherence to the patch management budget
  4. What is the first step when a system starts facing issues immediately after the deployment of a patch?
    1. Assessing the problem and initiating rollback procedures if required
    2. Switching off the network connection until the problem is corrected
    3. Removing the patch from the system
    4. Raising a ticket with the vendor regarding the problem
  5. An organization has received a patch through email to be applied on an emergency basis. What should the first step be?
    1. The patch should be downloaded to an isolated machine
    2. The patch should be applied immediately
    3. The patch should be validated to ensure its authenticity
    4. The patch should be encrypted to prevent tampering
  6. Which of the following is the best technique for timely mitigation of a newly identified vulnerability in an operating system?
    1. Patch management
    2. Internal audit
    3. Change management
    4. Security baseline
  7. New patches for an operating system should be updated:
    1. When new applications are rolled out
    2. At the end of every month
    3. At the time of hardware maintenance
    4. As and when critical security patches are released

Operational Risk Management

Operational risk means risk related to processes and systems that can interrupt business operations. Managing operational risk is one of the key roles of an information security manager. Some of the key aspects of operational risk that an information security manager must understand are as follows:

  • Recovery time objective (RTO)
  • Recovery point objective (RPO)
  • Service delivery objective (SDO)
  • Maximum tolerable outage (MTO)
  • Allowable interruption window (AIW)

Recovery Time Objective

The Recovery Time Objective (RTO) is a measure of the user's tolerance to system downtime. In other words, the RTO is the extent of acceptable system downtime. For example, an RTO of 2 hours indicates that an organization will not be overly impacted if its system is down for up to 2 hours.

Recovery Point Objective

The Recovery Point Objective (RPO) is a measure of the user's tolerance to data loss. In other words, the RPO is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an organization will not be overly impacted if it loses data for up to 2 hours.

Difference between RTO and RPO

The following is the difference between RTO and RPO:

RTO: acceptable system downtime.

RPO: acceptable data loss.

Figure 4.8: Difference between RTO and RPO

Remember, RTO (that is, time) is for system downtime, whereas RPO (that is, point) is for data loss.

The following practical examples further explain the difference between the two:

  • Example 1: An organization can accept data loss for up to 4 hours. However, it cannot afford to have any downtime. What are the RTO and RPO?

Solution: RTO – 0 hours; RPO – 4 hours

  • Example 2: An organization takes a data backup twice daily, that is, at 12 a.m. and then at 12 p.m. What is the RPO?

Solution: Here, a data backup is done every 12 hours, so the maximum data loss is 12 hours. Hence, the RPO is 12 hours.

  • Example 3: An organization takes a data backup three times a day. The first backup is at 8 a.m., the second at 4 p.m., and the third at 12 a.m. What is the RPO?

Solution: Here, a data backup is done every 8 hours, so the maximum data loss is 8 hours. Hence, the RPO is 8 hours.

  • Example 4: Following an incident, systems at the primary site went down at 3 p.m. and then resumed from the alternate site at 6 p.m., as per the defined RTO. What is the RTO?

Solution: The system was down for 3 hours, so the RTO is 3 hours.

  • Example 5: Identify the RTO and RPO in an instance where the BCP of an organization requires zero data loss (that is, no data should be lost) and processing should resume in 36 hours.

Solution: Here, the organization is accepting a system downtime of up to 36 hours, so the RTO is 36 hours. However, the organization cannot afford to have any data loss, so the RPO is 0 hours.
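The examples above can be worked mechanically. The following calculator is an added example, not part of the book; it assumes backup times are given as "HH:MM" on a 24-hour clock with a schedule that repeats daily, and the one-hour cut-off used to call an objective "near zero" is my assumption, since the book gives no figure.

```python
"""RTO/RPO calculator for the worked examples above.

Added example, not from the book. Assumptions of mine: backup times are "HH:MM"
on a 24-hour clock and the schedule repeats every day; outage start and end are
"HH:MM", and an end earlier than the start means the outage ran past midnight.
"""
from typing import Iterable

MINUTES_PER_DAY = 24 * 60


def _to_minutes(hhmm: str) -> int:
    """Parse "HH:MM" into minutes since midnight, rejecting malformed input."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"not a valid 24-hour time: {hhmm!r}")
    return hours * 60 + minutes


def rpo_hours(backup_times: Iterable[str]) -> float:
    """Worst-case data loss (in hours) implied by a repeating daily backup schedule.

    The RPO is the longest interval between two consecutive backups. The interval
    that wraps from the last backup of one day to the first backup of the next
    day counts too; that is why Example 3 (08:00, 16:00, 00:00) gives 8 hours.
    """
    minutes = sorted({_to_minutes(t) for t in backup_times})
    if not minutes:
        raise ValueError("a schedule needs at least one backup per day")
    gaps = [later - earlier for earlier, later in zip(minutes, minutes[1:])]
    gaps.append(MINUTES_PER_DAY - minutes[-1] + minutes[0])  # wrap past midnight
    return max(gaps) / 60


def rto_hours(down_at: str, resumed_at: str) -> float:
    """Observed downtime (in hours) from loss of service until processing resumed."""
    down, resumed = _to_minutes(down_at), _to_minutes(resumed_at)
    if resumed < down:
        resumed += MINUTES_PER_DAY  # service came back the next day
    return (resumed - down) / 60


def schedule_meets_rpo(backup_times: Iterable[str], rpo_target_hours: float) -> bool:
    """True when the backup schedule loses no more data than the agreed RPO allows."""
    return rpo_hours(backup_times) <= rpo_target_hours


def disaster_tolerance(rto: float, rpo: float, near_zero_hours: float = 1.0) -> str:
    """Classify tolerance as low (both objectives near zero) or high.

    The book only says "zero or near zero"; the 1-hour cut-off is my assumption.
    """
    return "low" if rto <= near_zero_hours and rpo <= near_zero_hours else "high"


if __name__ == "__main__":
    print("Example 2 RPO:", rpo_hours(["00:00", "12:00"]), "hours")           # 12.0
    print("Example 3 RPO:", rpo_hours(["08:00", "16:00", "00:00"]), "hours")  # 8.0
    print("Example 4 RTO:", rto_hours("15:00", "18:00"), "hours")             # 3.0
    print("Example 5 tolerance:", disaster_tolerance(rto=36, rpo=0))           # high
```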

RTO and RPO for Critical Systems

The RTO indicates a user's tolerance for system downtime. Similarly, the RPO indicates a user's tolerance for data loss. In the case of critical systems and critical data, an organization cannot afford to have much downtime or data loss. Hence, in the case of critical systems, the RTO and RPO are generally zero or near zero. A low RTO indicates that a system should be resumed at the earliest possible juncture. A low RPO indicates that data loss should be at a minimum.

To put it in another way, if the RTO and RPO are low (that is, zero or near zero), then the systems and data are both critical to the organization.

RTO, RPO, and Maintenance Costs

A low RTO indicates that systems are critical and need to be resumed as soon as possible. To achieve this objective, organizations need to invest heavily in redundancy, that is, duplicate or alternative processing sites. A hot site is ideal where the RTO is lower, but this is a costly affair. A hot site refers to a site where all the infrastructure is readily available.

On the other hand, if the RTO is high, this indicates that systems are not that critical and that the organization can afford downtime to some extent. An organization need not invest in redundancy for systems with a high RTO. A cold site is ideal when the RTO is higher. A cold site refers to a site where there is only limited infrastructure.

A low RPO indicates that data is critical and should not be lost. That is, if the RPO is zero, the security manager needs to ensure that there is no data loss. They should invest heavily in data backup management. Data mirroring or data synchronization are some ideal techniques to use when the RPO is zero or very low. Hence, for a low RPO, data maintenance costs will be higher compared with a high RPO. Thus, if both the RTO and RPO are low (that is, zero or near zero), then the cost of maintaining the environment is high.

RTO, RPO, and Disaster Tolerance

Disaster tolerance indicates an organization's tolerance to the nonavailability of IT facilities. A low RTO/RPO indicates that the disaster tolerance is low; that is, the organization cannot tolerate system downtime or data loss. A high RTO/RPO indicates that disaster tolerance is high; that is, the organization can tolerate system downtime and/or data loss up to a certain level.

RTO, RPO, and BIA

The RTO and RPO are primarily based on business impact analysis (BIA). The BIA helps to determine the critical systems and processes of the organization. The RTO and RPO of critical systems and processes are low compared to those of noncritical systems and processes. For example, online banking systems have almost zero RTO and RPO. Banks cannot afford to lose even a single transaction.

Service Delivery Objective

The Service Delivery Objective (SDO) is the level of service and operational capability to be maintained from an alternate site. The SDO is directly related to business needs and refers to the level of service that needs to be attained during disaster recovery. It is influenced by business requirements.

Maximum Tolerable Outage

The Maximum Tolerable Outage (MTO) is the maximum period of time that an organization can operate from an alternate site. Various factors affect the MTO, such as location availability, resource availability, raw material availability, and electric power availability at the alternate site, as well as other constraints.

Allowable Interruption Window

The Allowable Interruption Window (AIW) is the maximum period of time for which the normal operations of an organization can be down. After this point, the organization starts facing major financial difficulties that threaten its existence. The MTO should be as long as the AIW to minimize the risk to the organization.

Practice Question Set 7

  1. The recovery time objective (RTO) is primarily derived from:
    1. Risk assessment
    2. Gap analysis
    3. BCP testing
    4. Business impact analysis
  2. An information security manager observes that not enough details are documented in the recovery plan, and this may prevent meeting the RTO. Which of the following compensates for the lack of details in the recovery plan and ensures that the RTO is met?
    1. Establishing more than one operation center
    2. Delegating authority for recovery execution
    3. Outsourcing the recovery process
    4. Taking incremental backups of the database

Risk Management Integration with Life Cycle

A security manager should understand that risk management activities are not one-time events. Risk management is a continuous process. For effective risk management, the related activities should be integrated with the process life cycle.

System Development Life Cycle

A security manager should be aware of the following system development life cycle (SDLC) phases:

Phase 1: Initiation/Feasibility

The objective, purpose, and scope of the system are discussed, finalized, and documented.

In this phase, the system design is finalized and approved. Internal controls should also be incorporated during the initial design stage.

During the feasibility phase (planning or initiation), the process for change management should be defined. It is very important to prevent scope creep.

Scope creep refers to uncontrolled changes in the scope of the project. This can occur when the scope of a project is not properly defined, documented, or controlled.

Phase 2: Development/Acquisition

In this phase, alternatives are evaluated, and the system is developed or acquired from a third party.

Phase 3: Implementation

In this phase, the system is tested, and migration activities are carried out.

Phase 4: Operations/Maintenance

In this phase, regular updates and maintenance are carried out for the upkeep of the system.

Phase 5: Disposal

In this phase, obsolete systems are discarded by moving, archiving, discarding, or destroying information and sanitizing the hardware and software.

Figure 4.9: SDLC phases

A security manager should be involved in all phases of the SDLC. Furthermore, the security requirements should be integrated into all SDLC phases. Performing risk assessments at each stage of the SDLC is the most cost-effective way of addressing any flaws early.

The following aspects should be addressed during the risk assessment of any project:

  • What level of confidentiality is required for the system?
  • What level of availability is required for the system?
  • The impact of any laws or regulations on the project (for example, privacy laws)
  • Architectural and technological risks
  • The use of a secure information systems development process
  • Security training for the developers and staff members

The best way to implement risk management processes on a continuous basis is to develop a structured change management procedure.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: What is the most effective approach to ensure the continued effectiveness of information security controls?
Possible answer: Effective life cycle management.

Question: What is the best way to address risk at various life cycle stages?
Possible answer: A structured change management procedure.

Figure 4.10: Key aspects from the CISM exam perspective

Practice Question Set 8

  1. Risk assessment should first be conducted in which phase of the system development life cycle (SDLC)?
    1. Implementation
    2. Testing
    3. Programming
    4. Feasibility
  2. A risk assessment should be performed:
    1. Only before starting development
    2. During the system deployment stage
    3. During the feasibility stage
    4. At each stage of the SDLC
  3. Which of the following processes addresses risk at various life cycle phases?
    1. Change management
    2. Patch management
    3. Release management
    4. Configuration management
  4. Which of the following is the most effective method for the continued effectiveness of controls?
    1. Increasing the security budget
    2. Ensuring strategic alignment
    3. Ensuring effective life cycle management
    4. Ensuring frequent benchmarking

Summary

In this chapter, you explored the practical aspects of risk management. This chapter helps you, the CISM candidate, to classify assets and manage the operational risks of your organization. This chapter also helps you integrate risk management with the asset life cycle.

The next chapter will cover the procedural aspects of information risk management.

Revision Questions

  1. What is the primary objective of a risk management program?
    1. To protect the IT assets
    2. To implement preventive controls
    3. To achieve the stated objectives
    4. To ensure the availability of IT systems
  2. Which of the following vulnerabilities will allow attackers to access data through a web application?
    1. Validation checks are missing in data input fields
    2. The password history rule is not implemented
    3. Application logs are not monitored at frequent intervals
    4. Two-factor authentication is not implemented
  3. The best way to understand the evolving nature of attacks is:
    1. To place a honeypot
    2. A rogue access point
    3. Industry tracking groups
    4. Penetration test
  4. A previously accepted risk:
    1. Should be reassessed on a periodic basis as risks change over time
    2. Does not need to be assessed again in the future
    3. Should be removed from the risk register
    4. Should be mitigated in the next assessment
  5. A security manager notes that an incident has occurred even though none of the controls failed. What is the most likely cause?
    1. Inadequate risk analysis
    2. Absence of controls
    3. A new type of attack
    4. Operational error
  6. What is the best metric to determine the effectiveness of a control monitoring program?
    1. The count of key controls being monitored
    2. The time gap between detection and initiation of corrective action
    3. The cost of the control monitoring program
    4. The time gap between the occurrence of the incident and its detection
  7. An organization decides to not comply with a recent set of regulations. What is the most likely reason for this decision?
    1. The regulation will increase the complexity of business processes
    2. The regulation is difficult to interpret
    3. The cost of implementation of the regulation is much higher than the risk of noncompliance
    4. There are frequent changes in regulations
  8. What is the main objective of a risk management program?
    1. To eliminate all risks
    2. To support management's due diligence
    3. To comply with regulatory requirements
    4. To improve the investment portfolio
  9. What is the main objective of a network vulnerability assessment?
    1. To identify deviation from a secure coding policy
    2. To identify malware and spyware
    3. To identify weaknesses in the security design
    4. To identify misconfiguration and missing updates
  10. Which of the following is used to identify deficiencies in a system?
    1. Performance metrics
    2. Business impact analysis
    3. A security gap analysis
    4. Incident management procedures
  11. Which among the following is the main criterion for approving a policy exception?
    1. Project deadlines
    2. The risk being justified by the benefits
    3. High cost of policy compliance
    4. Inconvenience to the users
  12. A security manager notes that a new regulatory requirement is applicable to the organization. What should their next course of action be?
    1. To take approval from the information security committee to implement the new requirement
    2. To perform a gap analysis
    3. To implement controls
    4. To evaluate budget availability
  13. A security manager notes that a new privacy requirement is enacted. What should their next course of action, to determine the potential impact of this privacy law on the organization, be?
    1. To develop a roadmap for the implementation of achieving compliance with the privacy law
    2. To determine the systems and processes that contain the privacy components
    3. To stop business processes until compliance is achieved
    4. To determine the actions taken by other organizations
  14. The most important aspect of an effective risk management program is:
    1. A high security budget
    2. A defined security baseline
    3. The detection of new risks
    4. A documented risk reporting process
  15. The valuation of assets in a BIA is based on:
    1. The cost of acquisition
    2. The cost of replacement
    3. The opportunity costs
    4. The cost to recreate
  16. Which of the following components of a risk assessment will require the highest amount of speculation?
    1. Consequences
    2. Exposure
    3. Vulnerability
    4. Likelihood
  17. A security manager has received a request from a business unit to implement a new technology that goes against the information security standards. What should their next course of action be?
    1. Reject the request
    2. Modify the standards to allow the use of the new technology
    3. Conduct a risk assessment to quantify the risk
    4. Engage experts to identify a better technology
  18. A security manager has received a request from the IT function to not update the business impact analysis for a new application as there is no change in the business process. What should their next course of action be?
    1. To verify the decision of the business unit through a risk analysis
    2. To reject the request
    3. To provide instructions to modify the BIA after a post-implementation review of the new application
    4. To recommend an audit review
  19. What is the best way to address a conflict between a security requirement and a business objective?
    1. Changing the security requirement
    2. Changing the business objective
    3. Conducting a risk analysis
    4. Accepting the risk
  20. A security manager notes a security breach in another organization that has employed a similar technology. What should their next course of action be?
    1. To evaluate the likelihood of incidents from the reported cause
    2. To stop using the breached technology
    3. To provide assurance to senior management about the security posture
    4. To remind staff that the organization is not currently affected by security breaches
  21. What is the most important aspect of the effective risk management of IT activities?
    1. Risk management activities should be treated as a separate process
    2. Risk management activities should be controlled by the IT department
    3. Risk management activities should be integrated within the business processes
    4. Risk management activities should be communicated to all staff
  22. What is the most important element of a business impact analysis?
    1. Downtime tolerance
    2. Security budget
    3. BCP testing process
    4. Crisis management procedure
  23. A security manager has determined the objectives of a review. The next step is to determine:
    1. The limitations
    2. The approach
    3. The scope
    4. The report structure
  24. A security manager notes that there is a considerable delay between the identification of a vulnerability and the application of a patch. What should be their first course of action to address the risk during this period?
    1. To apply compensating controls for the vulnerable system
    2. To discontinue the services of the vulnerable system
    3. To communicate the weakness to the end users
    4. To update the signatures of the antivirus system
  25. A security manager notes that not all employees comply with the access control policy for the data center. To address this issue, the security manager should first:
    1. Determine the risk of noncompliance
    2. Arrange security awareness training
    3. Report it to senior management
    4. Impose a heavy penalty for noncompliance
  26. Which of the following is used to determine the level of effort required to improve risk management processes?
    1. A workflow analysis
    2. A program evaluation and review technique
    3. A gap analysis
    4. Return on investment
  27. A security manager is implementing a bring your own device (BYOD) program. Their first step should be:
    1. To allow or reject access to devices as per their approval status
    2. To perform a comprehensive assessment before approving devices
    3. To report compliance with the BYOD policy to senior management
    4. To install a mobile device management system on each of the approved devices
  28. A security manager notes that different criteria are used by different departments for measuring risk. To improve this situation, the manager should recommend:
    1. Applying standard risk measurement criteria throughout the organization
    2. Introducing a common risk appetite across the organization
    3. Mandating the quantification of each risk
    4. Obtaining the results of a risk assessment reviewed by the department head
  29. The most important aspect to be included in a BYOD policy is:
    1. A requirement to return the device to the organization
    2. Requirements to protect sensitive information on the device
    3. Restrictions on the installation of third-party applications
    4. A requirement to seize the device during a forensic investigation
  30. A regulatory compliance requirement should be dealt with as:
    1. A zero-deviation area
    2. A risk management area of focus
    3. An operational issue
    4. Just another risk
  31. Risk management should be considered an ongoing activity because:
    1. Processes are prone to errors.
    2. Technology gets updated.
    3. The environment changes.
    4. Policies get updated.
  32. A security manager notes that a web-based service is gaining popularity on the market. They should first:
    1. Conduct an annual vulnerability assessment
    2. Obtain third-party liability insurance
    3. Perform a business impact analysis
    4. Arrange a real-time failover capability
  33. What is the best way to achieve cost-effective risk mitigation activities throughout an organization?
    1. A decentralized risk management function
    2. Continuous risk assessments
    3. Assurance process integration
    4. A standard risk appetite across the organization
  34. What is the most effective way to address a regulatory risk?
    1. A regulatory risk should be treated like any other risk
    2. A regulatory risk should be treated as a zero-deviation area
    3. A regulatory risk should be complied with mandatorily
    4. A regulatory risk should be transferred by taking out insurance
  35. A security manager has received a request to overwrite the data stored on a magnetic tape because storage capacity is limited. They should refer to:
    1. The data classification policy
    2. The data retention policy
    3. The data access policy
    4. The data protection policy
  36. The most essential element in determining the extent of protection requirements is:
    1. Exposure
    2. Threat
    3. Vulnerability
    4. Probability
  37. Legal and regulatory requirements should be prioritized on the basis of:
    1. The level of penalty action
    2. The probability and consequences
    3. The level of the directors' liability
    4. The discretion of the compliance manager
  38. In which of the following circumstances is a high-risk tolerance useful?
    1. When the risk appetite is high
    2. When the uncertainty of the risk is high
    3. When the impact of the risk is high
    4. When the inherent risk is high
