CRISC 2022 Domain3

This document provides an overview of the topics and learning objectives covered in Session 3 of the CRISC Virtual Instructor-Led Course participant guide. Session 3 focuses on risk response and reporting, covering topics such as risk and control ownership, risk treatment options, control types and frameworks, and risk monitoring and reporting techniques. The session aims to help participants determine risk and control accountability, align risk responses with enterprise risk appetite, and apply risk monitoring and reporting processes.

Uploaded by Gurukul

CRISC Virtual Instructor-Led Course – Participant Guide Session 3

Risk Response and Reporting

MODULE 3

Exam Relevance
The domain represents 32% of the CRISC examination (approximately 48 questions).

[Pie chart: relative weighting of Domain 1, Domain 2, Domain 3 and Domain 4 on the exam; Domain 3 = 32%]

©2021. ISACA. All Rights Reserved



Topics
Risk and Control Ownership
Risk Treatment/Risk Response Options
Managing Risk from Processes, Third Parties and Emergent Sources
Control Types, Standards and Frameworks
Control Design, Selection and Analysis
Control Implementation, Testing and Effectiveness Evaluation
Risk Treatment Plans
Data Collection, Aggregation, Analysis and Validation
Risk and Control Monitoring and Reporting Techniques
Performance, Risk and Control Metrics

Learning Objectives
Determine roles accountable for risk and control ownership.
Align risk treatment and response options with enterprise risk appetite and tolerance.
Address risk originating from outside the enterprise (or from third parties).
Apply procedures to processes and functions containing high amounts of variability.
Evaluate emerging technologies and changes to the environment for threats, vulnerabilities and opportunities.
Categorize controls relative to the type of risk response required.
Leverage common standards and frameworks in designing and implementing controls.


Learning Objectives
Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
Assess gaps between current and desired states of the IT risk environment.
Collaborate with control owners on the selection, design and implementation of controls.
Conduct aggregation, analysis and validation of risk and control data.
Validate risk responses have been executed according to risk treatment plans.
Describe the types of risk data available to monitor and report risk.

Learning Objectives
Identify types of control assessments.
Explain the process of compiling and reporting the status of controls.
Apply the steps of the control monitoring process.
Establish a process to define, monitor and analyze metrics relevant to enterprise risk.


Risk and Control Ownership

Risk Response Overview
Focuses on decisions made regarding the correct way to address identified risk.
Based on information provided in the earlier steps of risk identification and risk assessment.
Reduced risk is balanced with the constraints placed on the enterprise.
Management should be prepared to justify to stakeholders why its risk response decisions reflect the best balance of competing factors.
Risk response should be performed to protect current operations to the greatest extent possible.

[Diagram: IT risk management cycle of IT Risk Identification, IT Risk Assessment, Risk Response and Mitigation, and Risk and Control Monitoring and Reporting]


Risk and Control Ownership

1. Every risk identified in the risk register should have a specified owner at a management level empowered to make decisions on behalf of the enterprise.
2. Risk practitioners should communicate with risk owners to ensure awareness of risk responses already implemented and responses that are pending implementation.
3. Clearly convey current and anticipated levels of risk to provide insight into the aggregate risk facing the enterprise.

Review Question
When aligning controls with business objectives, what is MOST
important?

A. Monitoring control activities periodically

B. Ensuring ownership of key control activities

C. Reviewing the risk management strategy

D. Prioritizing control activities based on residual risk


Risk Ownership and Accountability

The purpose of determining risk ownership is to ensure accountability is in place.
Risk owner must be someone with the ability to select an appropriate risk response.
Every risk should have a single risk owner; seek consensus if multiple areas are impacted.
Accountability extends beyond the basic risk response decision to approving specific controls when mitigation is the response.

Risk Owners:
• Actively drive risk management activities performed to ensure understanding of desired outcomes
• Do not require detailed knowledge of controls or significant technical expertise
• May own controls and are accountable for ensuring that risk control effectiveness is monitored
• May be required to prepare reports about that risk due to laws or regulations


Risk Treatment/Risk Response Options


Aligning Risk Response with Business Objectives

The goal of risk response is to bring risk into alignment with the organizational risk appetite and tolerance.

Multiple factors should be considered when deciding what responses are best suited to certain risk areas.
Indicate the assessed level or priority of each risk in the assessment report and risk register.
Management is responsible for evaluating and responding to recommendations and developing an action plan.


Risk Response Options

Acceptance
Sharing/Transfer
Mitigation
Avoidance

All response activities incur some cost, typically a mix of the direct cost of response and the potential cost of impact. Finding the right balance is a management function that considers the enterprise constraints.


Review Question
When responding to an identified risk event, the MOST important
stakeholders involved in reviewing risk response options to an IT risk
are the:

A. information security managers

B. internal auditors

C. incident response team members

D. business managers


Choosing a Risk Response

A risk may be acceptable but also have potential for mitigation to improve operational efficiency.
Selection of a response is usually based on value obtained for the cost and is documented in business cases.
The best risk response may not be immediately apparent.
Perform cost/benefit or ROI calculations to help guide decision making.
Document risk response in the risk register, including accountability and timeframes to aid in tracking progress.


The Risk Practitioner’s Role

Decisions made with regards to all aspects of risk management may diverge from recommendations made by risk practitioners.
Ensure management has the best available information to make informed decisions, including:
• Drivers for risk management
• Compliance with regulations
• Aligned risk responses


Review Question
When a risk cannot be sufficiently mitigated through manual or
automatic controls, which of the following options will BEST protect
the enterprise from the potential financial impact of the risk?

A. Insuring against the risk

B. Updating the IT risk register

C. Improving staff training in the risk area

D. Outsourcing the related business process to a third party


Managing Risk from Processes, Third Parties and Emergent Sources


The Risk Practitioner’s Role

• Advise that appropriate security and regulatory requirements are addressed in all agreements
• Understand the variety of cloud computing models and capabilities the enterprise may pursue
• Address risk that arises when an organization outsources business functions
• Ensure outsourced service providers are compliant with defined enterprise requirements


Issue and Finding Management

Variation from the norm or desired outcome represents uncertainty, which is a source of risk.

• Apply strong procedures to variations
• Understand and prioritize issues
• Determine and work toward desired end state
• Monitor addressed issues and findings


Review Question
Which of the following BEST ensures that appropriate mitigation
occurs on identified information systems vulnerabilities?

A. Presenting root cause analysis to the management of the enterprise

B. Implementing software to input the action points

C. Incorporating the findings into the annual report to shareholders

D. Assigning action plans with deadlines to responsible personnel


Configuration Management

Technical complexity and leading-edge technology use can be a key cause of information risk and scales with size.
Standard configurations reduce complexity by simplifying planning, testing, implementation and maintenance.
Determine if standard configurations are established and approved, and then verify proper documentation.
Spot-validate use of documentation when planning changes and confirm updates to reflect implemented changes.


Release and Exception Management

Release Management
In environments where software is developed for internal use, formal management of new updates or version releases of developed applications is crucial.
Releases should be:
• Coordinated with production staff
• Subject to independent (nondeveloper) verification and protection before deployment
• Aligned with the enterprise overall life cycle for system development

Exception Management
Enterprises may find situations where usual practices are unsuitable due to timely technical or administrative constraints.
Exceptions represent deviation from standards and introduce complexity (creating or obscuring risk).
Exceptions should be:
• Documented and approved by senior or executive management
• Reviewed annually for relevance to remove unnecessary exceptions


Review Question
Monitoring has flagged a security exception. What is the MOST
appropriate action?

A. Escalate the exception.

B. Update the risk register.

C. Activate the risk response plan.

D. Validate the exception.


Change Management

Requests to change systems or configurations should be subject to formal review and approval by a change advisory board (CAB).
Provides a communications channel between business units and IT to consider technical and operational impacts of changes.
Balances between allowing needed changes and preserving system reliability and stability.
Interacts with and oversees the other processes; all should be processed as changes, subject to review by the CAB.

Under an effective change control model, changes are submitted for review by the CAB verifying:
• Change request does not unknowingly affect risk or security.
• Change is formally requested, clearly justified, approved and documented.
• Change is scheduled at a time convenient for the business and IT.
• All stakeholders affected by the change are advised.
• Change request includes test, implementation and rollback plans.
• Change will not compromise the enterprise security baselines.


Third-Party Risk Management Overview

Outsourcing is a form of risk transfer and reliance on a third-party provider that also creates exposure.
Ownership of data and business processes remains with the outsourcing enterprise, not the contracted service provider.
Can create legal liability for the outsourcing enterprise, placing operations within the scope of the contract outside the direct control of the enterprise.
Risk of noncompliance with the agreement must be met through review, monitoring and enforcement of the contract terms.
Limited mitigation may be attained using carefully worded indemnity clauses that require the vendor to repay the losses suffered due to legal or regulatory violations on the part of the service provider.


Managing the Third-Party Relationship

Defined by a contract, commonly enforceable through service level agreements (SLAs).

SLA: a formal guarantee that certain performance targets or standards are met, including predetermined compensation for failure to meet those targets.
Outsourcing enterprise is responsible for ensuring adequate security requirements and regulations on information handling are written into the outsourcing agreement.
Contracts should address the jurisdiction for any issues with the provider and regulations in the host country.
Jurisdiction of the agreement also includes courts that would hear any dispute related to the contract.


Review Question
An enterprise has outsourced several business functions to a firm in
another country, including IT development, data hosting and support.
What is the MOST important question the risk professional will ask in
relation to the outsourcing arrangements?

A. Are policies and procedures in place to handle security exceptions?

B. Is the outsourcing supplier meeting the terms of the service level agreements?

C. Is the security program of the outsourcing provider based on an international standard?

D. Are specific security controls mandated in the outsourcing contract/agreement?


Management of Emerging Risk

Dynamic Continuous Potential


Vulnerabilities Associated With New Controls

Carefully consider control changes (addition or modification) because they can introduce new vulnerabilities.
Modified controls may also perform differently than expected, potentially reducing effectiveness.
Coordinate with stakeholders proactively and perform rigorous user acceptance testing under real world conditions.
Risk associated with deploying a control may exceed risk to mitigate.
Access control systems may inadvertently deny access to legitimate users.


Review Question
What is the MOST important control that should be in place to
safeguard against the misuse of the corporate social media account?

A. Social media account monitoring

B. Two-factor authentication

C. Awareness training

D. Strong passwords


Impact of Emerging Technologies

Emerging technology has significant effects on the design and implementation of controls (positive or negative).
Organizational risk profiles are subject to sudden and potentially severe changes.
Emerging technology can lead to shadow IT occurring when technology is adopted informally by those not empowered to accept the commensurate risk.
Previously effective controls may be rendered obsolete with advances in computing power or improvements in algorithmic design.
If alternate channels for data movement exist, organizations may find that their risk profiles have expanded far beyond expectation.
Increase awareness of required processes to submit new technology for consideration. Document exceptions and gain approval by management.


The Risk Practitioner’s Role

Design and implement controls that are suited to address the threats, vulnerabilities and impacts of dynamic environments.
Alert to the development of new technologies and proactive in assessing the risk of incorporation into the enterprise.
Maintain awareness of new threats and attack vectors that are gaining credibility or visibility within real-world business environments.
As conditions change, previous assumptions are subject to regular re-examination before exploitation by waiting adversaries.


Control Types, Standards and Frameworks


Control Categories

Preventive
Detective
Deterrent
Corrective
Compensating


Review Question
Which of the following categories of information security controls
addresses a deficiency or weakness in the control structure of an
enterprise?

A. Corrective

B. Preventive

C. Compensating

D. Directive


Administrative, Technical and Physical Controls

Administrative (Managerial controls)
Includes oversight, reporting, procedures and operations of a process.
Typically performed by humans.

Technical (Logical controls)
Provided by use of technology, equipment or devices.
Includes firewalls, intrusion detection systems and passwords.
Requires proper administrative controls.

Physical
Physically installed devices used to restrict access to a facility or hardware.
Includes locks, fences, cameras and guards.


Assessing the Control Environment

Opportunity to evaluate the risk culture and effectiveness of the current risk management program.
Used to determine the level of risk currently facing the enterprise and the seriousness of that risk.

Risk is more serious when any of these are true:
• Controls are inadequate
• Wrong controls are used
• Controls are ignored or bypassed
• Controls are poorly maintained
• Controls not tested
• Logs or control data not reviewed
• Changes to control configuration not managed
• Duties inadequately segregated
• Controls can be physically accessed and altered


Review Question
System backup and restore procedures can BEST be classified as:

A. Technical controls

B. Detective controls

C. Corrective controls

D. Deterrent controls


Control Design and Implementation

Mitigation is by far the most common response to risk.

Risk practitioners should be aware of the current control environment and any anticipated changes.
Controls are implemented to reduce or maintain risk at acceptable levels.
Controls might be poorly maintained, unsuitable for the risk meant to control or incorrectly configured.
Review controls, evaluate effectiveness and verify balance between technical, administrative (managerial) and physical controls.
Implementing technical controls requires training, configuration, monitoring and testing.
Technical controls may be less effective if coinciding administrative controls are not in place, resulting in a false sense of security.


Control Standards and Frameworks

Selection of controls requires evaluation and implementation.

Management decides the best available control or group of controls to mitigate a specific risk.
Enterprises may choose to adopt standards without intending to formally certify compliance.
Adoption of standards and frameworks facilitates the process of selecting controls by specifying what should be done and directing how to do it.
Standards may be supplemented or even superseded by law or regulations in some locations.
Poorly implemented controls may pose a risk to the enterprise if they create a false sense of security.
Standards may also include or be supported by frameworks, with sets of recommended controls for implementation, if chosen by the enterprise.


Capability Maturity Models

Describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes.

01 Set realistic long-term goals for risk management by having a clear understanding of their current maturity.
02 Compare the state of the enterprise risk management program to an established model of capability maturity.
03 Following defined, reliable processes allows the enterprise to prevent, detect and recover rapidly from incidents.
04 Consistently apply policies and procedures to drive improvements in efficiency and effectiveness of risk management capabilities.


Review Question
Which of the following choices BEST assists a risk practitioner in
measuring the existing level of development of risk-management
processes against their desired state?

A. A capability maturity model

B. Risk management audit reports

C. A balanced scorecard

D. Enterprise security architecture


Control Design, Selection and Analysis


Current State Assessment

Awareness of the current state of the control environment using the results of control testing activities and incident management programs.

Refers to condition of a program at a point in time; use regular reviews to determine the state over a defined time frame.
Provide the reference point to understand the gap between the current and desired state.
Investigate to determine the reason and to identify workable solutions.

Review a recent audit report to use as the starting point for self-assessments, identifying any changes in the environment.


Designing and Selecting Controls

Closes the gap between the current state and an acceptable level of risk.
An effective control is one that prevents, detects or contains an incident, or enables recovery from a risk event.
When designing controls, consider not only functionality but also maintenance and sustainment.
Understand throughput or speed requirements of associated or affected processes.


Proactive vs Reactive Controls

Proactive
• Attempt to prevent an incident before it occurs
• Sometimes called safeguards
• Sign warning of fire risk

Reactive
• Facilitate detection, containment and recovery of operations should an incident occur
• Often called countermeasures
• Fire extinguisher or sprinkler system


Review Question
A PRIMARY reason for initiating a policy-exception process is:

A. the risk is justified by the benefit.

B. policy compliance is difficult to enforce.

C. operations are too busy to comply.

D. users may initially be inconvenienced.


Adjusting Controls
Current controls may not be sufficient to adequately protect the enterprise.

01 Requires the adjustment of current controls or implementation of new controls within the system (may not be cost efficient or feasible)
02 Implement compensating controls as an alternative
03 Address weaknesses through concepts such as layered defense, increased supervision, or increased audits and logging of system activity
04 Combine with existing controls to offset the risk that cannot be addressed directly.


Control Testing, Implementation, and Effectiveness Evaluation


Control Testing
• Test selected controls in distinct environment
• Use a realistic context
• Test all types of controls
• Mimic production environment
• Coordinate through formal change management
• Distribute changes and assess for operational impact


Review Question
Which of the following choices should be considered FIRST when
designing information system controls?

A. The organizational strategic plan

B. The existing IT environment

C. The present IT budget

D. The IT strategic plan


Control Implementation

Parallel
Operating the new and old systems simultaneously.
Allows project team greater ease to test reliability and performance of new systems.
Allows staff time to learn and take training for new systems.
Higher maintenance cost and monitoring requirement due to multiple systems.

Phased
Replace components or modules in old systems with new or modified components.
Provides safest and quickest means of changeover in case of rollback.
More difficult to implement because test environments may not accurately represent the state of production.

Abrupt
Single-instant movement from old systems to new systems.
Riskiest of changeover processes due to potential for lost opportunities in business processing.
Proactively communicate to stakeholders and update documentation or training in advance of changeover.


Fallback or Rollback

Every changeover should account for the possibility of a fallback (rollback) scenario.

Applies equally to basic controls within complex systems and to changes made at the systemwide level.
Project team should have a fallback plan enabling return to the pre-change status and resumption of normal processing.
Subject the fallback plan to rigorous testing before the changeover is attempted.


Review Question
The implementation of unjustified controls is MOST likely to result in:

A. an increase in residual risk related to the controls.

B. a decrease in residual risk related to the controls.

C. an ineffective monitoring of the related controls.

D. a smaller return on IT investment.


Data Migration Challenges

Migrating from one system or making fundamental modifications to an existing system may require the migration or conversion of data, which poses inherent risk to data integrity and availability.

Assess the process used for data migration to identify any likely areas of concern.
Develop, test and practice procedures for data recovery in pre-conversion state before conversion, for insurance against unexpected negative outcomes.


Postimplementation Review
A timely postimplementation review offers the best opportunity to capture lessons learned so that they
can be applied to future projects. Not all lessons may be evident right away. Assess changes over time
to assess effectiveness and value.

What went well during the project, and what could have been done better?

Did the project bring the risk within acceptable risk levels?

Were all user requirements and business objectives met?

If any inadequacies or deficiencies have been identified, how might these be addressed now?

Were specified methodologies, standards and techniques followed? If not, why not?

How does the final cost compare to estimates?

Were the project targets accomplished with the allotted resources, or were additional ones needed?


The Risk Practitioner’s Role

Plays a key role in ensuring that controls are properly set up, operated, maintained and evaluated, with results reported to management on a regular basis.
Provide formal documentation, which promotes consistency in task execution that manifests in reliable reports.
Ensure that each mitigation project is implemented according to the intent and design of the project architects and that any changes did not erode or diminish effectiveness.
For each control, document justification for its implementation, owners, and review and reporting schedules.
Carefully justify and document any exclusions applicable to a control.


Control Testing
Control testing provides an opportunity to uncover flaws early enough to more cost-effectively prevent potential failures.

Test controls at as many levels as needed to assess the complete scope.
Include good practices based on standards used at each level, with the results of all tests formally documented.
Testing can be progressive (looking for flaws) or regressive (working backward from known flaws).


Good Practices for Testing

Effective testing considers specific considerations for data, version control and code to the extent that these apply to given controls.

Data: Allow testing of all possible process functions and error handling.
Environmental Separation: Prevent potential for cross-population of data or application code outside the approval process.
Version Control: Assignment of specific version numbers or tracking mechanisms for each revision.
Code Locking: Ensures source code cannot be modified or tampered with after approval for final testing.
Unit Testing and Code Review: Reveal certain errors that can be remedied before moving to integration.
Integration/System Testing: Assess how components work together with their interfaces and deliver overall operational capability.

Review Question
A financial institution is undergoing testing of its electronic funds
transfer (EFT) system after major enhancements. The risk
practitioner would MOST benefit from a test that:

A. identifies the introduction of potential new gaps in security.

B. verifies adequate system recovery in case of failure.

C. ensures the system performs to expectation.

D. ensures the system can support the volume of transactions.


User Acceptance Testing (UAT)

A project must deliver what is needed by the enterprise to be considered successful.

Verifies that the system meets user requirements and expectations.
Highlights problems unanticipated by the requirements process.
Suggests flaws in enterprise needs analysis and requirements definition processes.


Quality Assurance Testing

1. A systematic plan of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements without the need for testing
2. Failure in QA suggests flaws in the processes for development and execution
3. Includes detection of such flaws and their remediation in the assurance processes to eliminate repetition of problems in future iterations

64

64


Testing Non-Technical Controls

Administrative and physical controls should be tested with
the same level of rigor applied to technical controls.

• Physical security systems have known vulnerabilities that can be reduced or eliminated through effective simulation training.
• Enterprises use policies and procedures to inform human judgment, maintaining risk within acceptable levels.
• Human performance of security functions should be assessed against clear procedures and realistic conditions.


Updating the Risk Register

The risk register should show the progress of testing and attainment of
milestones during the progress of each mitigation project.

1. Control validated as effective
2. Residual levels of risk formally accepted
3. Risk register updated to reflect the changes

By keeping the risk register accurate and up to date, the risk practitioner ensures that it is
consistently available as a resource for risk management activities across the enterprise.



Risk Treatment Plans


Risk Monitoring and Reporting Overview

• Enterprises rely on monitoring and reporting functions to identify risk for assessment and response.
• Monitoring should be broad enough to provide a reasonable view of the risk environment without losing results in a flood of data.
• Effectiveness depends on successful integration with reporting and consistent, repeatable methods.
• Identification and use of metrics can greatly improve the monitoring process.
• Management should be aware of changes to risk over time to strategically plan and mitigate.
• The changing nature of risk and associated controls requires continuous monitoring.



Review Question
Which of the following is the MOST important information to include
in a risk treatment plan that already has an appropriate resolution and
a date for completion?

A. responsible personnel.

B. mitigating factors.

C. likelihood of occurrence.

D. cost of completion.


Risk Mitigation
When mitigation is the chosen response, making decisions can be
difficult and often requires a method of comparing control options.

• Will the control be effective?
• Is there sufficient skill to implement, configure and maintain the control?
• Will the control provide satisfactory ROI?
• Is there sufficient budget and time to implement the control?
• How will the control impact productivity?
• What is the cost to operate the control annually?



The Risk Practitioner’s Role

• Plays a consultative role in assisting risk owners to decide the correct risk response.
• Advises control owners on policies, procedures, control effectiveness and leveraging of existing controls.
• Runs risk treatment planning as a project with a defined start and end date.
• Explains that changes in delivery of any project element on the critical path affect delivery of the entire project.
• Regularly advises the risk owner on the feasibility of meeting a scheduled end date.
• Gives critical path elements special consideration because delays in these elements increase overall project risk.


Review Question
Which of the following would ensure that critical dependencies are
addressed in the risk treatment plan?

A. Implement the risk treatment strategy for all possible risk.

B. Verify the accomplishment of business objectives through a top-down process review.

C. Treat each risk independently.

D. Verify the accomplishment of business objectives through a bottom-up process review.



Data Collection, Aggregation, Analysis and Validation


Data Collection

The risk practitioner has a wealth of data sources available, including
network devices, application logs, threat intelligence and audit reports.

• Data is valuable, but events may be hidden by sheer volume.
• Incorrect analysis of data may lead to an erroneous conclusion.
• Be attentive to the trends of events in the data sources.



Data Aggregation and Validation

Operational staff frequently aggregate data from multiple sources for broader visibility.

• Aggregation gives a summary view that may obscure details present in individual sources.
• Detailed analysis of original sources may reveal patterns not identifiable under aggregation.
• Validate data to ensure its quality.
• Where validation fails, investigate if there is a problem in data retrieval or the source.


Review Question
Investments in risk management technologies should be based on:

A. audit recommendations.

B. vulnerability assessments.

C. business climate.

D. value analysis.



Logs
Logs, commonly provided by systems, devices and applications, are
the most popular way to capture and store data for analysis.

Used to:
• Identify security violations
• Aid forensics investigations
• Alert the organization to malicious activity
• Identify the source of an attack
• Assist in tailored strengthening of controls

Time-synchronized logs can assist in correlating events from multiple sources.

Logging also takes time, potentially decreasing throughput for each
transaction monitored.


Integrated Test Facilities

A testing methodology that processes test data through production
systems to determine if systems are operating correctly.

• Use fictitious customers or transactions along with live data.
• Track test data to ensure no unintended consequences.
• Observe production system operation to ensure correct processing.



Security Information and Event Management

Integrated data correlation tools used to address the problem of data volume.

• Captures data from multiple sources to analyze reported activity for possible security events.
• Used to detect attacks in progress by signature or behavior and identify compliance violations.
• Provides security reports at the enterprise level to highlight relationships across the system.
• Allows granular assessment and correlation based on multiple criteria.
• Better identify risk and bring it to the attention of management.
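
The cross-source correlation that the Logs slide ties to time-synchronized logs and that this slide attributes to a SIEM, as an added example that is not part of the ISACA guide. The two log sources, host names, users, addresses and the behavioural rule are constructed for illustration; only the Python standard library is used.

```python
"""Added example, not from the ISACA guide: normalise two log sources to one
clock (UTC) and correlate them with a behavioural rule, the core operation the
guide attributes to a SIEM. Hosts, users, addresses and lines are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed logs. The VPN gateway stamps local time with its offset (UTC-05:00);
# the application server logs in UTC. Unnormalised, the 5-hour skew hides the link.
VPN_LOG = """\
2021-11-03 03:58:10 -0500 vpn01 auth-fail user=jdoe src=203.0.113.7
2021-11-03 03:58:22 -0500 vpn01 auth-fail user=jdoe src=203.0.113.7
2021-11-03 03:58:41 -0500 vpn01 auth-fail user=jdoe src=203.0.113.7
2021-11-03 03:59:05 -0500 vpn01 auth-ok user=jdoe src=203.0.113.7
2021-11-03 05:10:00 -0500 vpn01 auth-ok user=asmith src=203.0.113.9
"""
APP_LOG = """\
2021-11-03T09:01:30Z app02 admin-login user=jdoe src=10.0.4.12
2021-11-03T10:12:00Z app02 admin-login user=asmith src=10.0.4.20
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [+-]\d{4}|\S+Z) (?P<host>\S+) "
                     r"(?P<action>\S+) user=(?P<user>\S+) src=(?P<ip>\S+)$")

def parse(text, source):
    """Parse one source into events carrying timezone-aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count unparsed lines as a data-quality issue
        raw = m.group("ts")
        if raw.endswith("Z"):   # ISO-8601 UTC; strptime leaves the value naive
            ts = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        else:                   # local time carrying a numeric offset
            ts = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S %z")
        ev = m.groupdict()
        ev.update(ts=ts.astimezone(timezone.utc), source=source)
        events.append(ev)
    return events

def correlate(events, fail_threshold=3, fail_window=timedelta(minutes=2),
              followup_window=timedelta(minutes=15)):
    """Rule: at least fail_threshold failed logons, then a success, then a
    privileged logon by the same user on a different source soon after."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for ok in (e for e in events if e["action"] == "auth-ok"):
        fails = [e for e in events
                 if e["action"] == "auth-fail" and e["user"] == ok["user"]
                 and ok["ts"] - fail_window <= e["ts"] < ok["ts"]]
        if len(fails) < fail_threshold:
            continue
        for later in events:
            if (later["action"] == "admin-login" and later["user"] == ok["user"]
                    and later["source"] != ok["source"]
                    and ok["ts"] < later["ts"] <= ok["ts"] + followup_window):
                alerts.append({"user": ok["user"], "failed_attempts": len(fails),
                               "admin_login_utc": later["ts"].isoformat(),
                               "gap_seconds": (later["ts"] - ok["ts"]).total_seconds()})
    return alerts
```

Running `correlate(parse(VPN_LOG, "vpn") + parse(APP_LOG, "app"))` yields one alert for jdoe; read in local time the VPN events would appear five hours before the application logon and no rule would join them.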



Review Question
How can an enterprise determine the aggregated risk from several
sources? Through a:

A. security information and event management system

B. fault tree analysis

C. failure modes and effects analysis

D. business impact analysis



Risk and Control Monitoring and Reporting Techniques


Risk and Control Monitoring Techniques

1. Ensure processes, logs and audit hooks are commonly placed into the control framework design.
2. Ensure logs are enabled, controls can be tested, and regular reporting procedures are developed.
3. Ensure the capability to monitor a control and support monitoring is addressed in control design.
4. When using an MSSP or SIEM, enable data capture and staff notification features.



Control Monitoring
Set up an IS control monitoring process reflecting objectives,
scopes and methods consistent with enterprise objectives.

• Integrate risk monitoring and evaluation with enterprise performance management systems to ensure alignment between IT risk and business risk.
• Verify whether the control is effectively addressing the risk, not merely whether the control itself is working.
• Align mandated controls with IT security and related enterprise policies, subject to a regular review and revision process.
• Encourage each process owner to take ownership of control improvement through a continuing program of self-assessment.


Control Monitoring Process

• Identify and confirm risk control owners and stakeholders.
• Engage with stakeholders and communicate requirements and objectives.
• Align and maintain the evaluation and monitoring approach with IT and enterprise approaches.
• Establish monitoring processes and procedures.
• Determine life cycle management and change control processes.
• Request, prioritize and allocate resources for monitoring.
• Encourage process owners to continually evaluate for control improvement.
• Record explicit acknowledgment by management that all monitoring activities are functioning as designed in the risk registry.



Review Question
Which of the following assessments of an enterprise’s risk monitoring
process will provide the BEST information about its alignment with
industry-leading practices?

A. A capability assessment by an outside firm

B. A self-assessment of capabilities

C. An independent benchmark of capabilities

D. An internal audit review of capabilities


Risk Monitoring and Evaluation

• Collect, validate and evaluate business, IT and process goals and metrics.
• Monitor processes to ensure actual performance aligns with established metrics.
• Provide systematic and timely reports to relevant stakeholders.
• Gather data related to risk management in a timely and accurate manner.
• Continuously monitor, benchmark and improve the IT control environment and framework.
• Ensure assurance activities performed by independent entities are always independent.
• Report exceptions to risk monitoring and control activities to further analyze and address.



Control Assessment and Monitoring

Effective control monitoring relies on the accuracy and completeness of the data provided for
monitoring and evaluation. Data must be genuine and free from errors or misstatements.

• Control Self-Assessment
• Internal Audit Review
• Vulnerability Scan
• Vulnerability Assessment
• Penetration Test


Risk and Control Reporting Techniques

• Provide regular reports to leadership on the risk management program and the overall risk profile of the enterprise.
• Requires the review of enterprise control effectiveness and compliance with established policy.
• Controls may need adjustment, replacement or removal depending on the changes in the risk environment.
• Present information in a clear, useful and timely manner (heatmaps, scorecards, dashboards).



Report Types

• Heatmaps
• Scorecards
• Dashboards


Review Question
Which of the following BEST helps while presenting the current risk
profile to executive management and the board of directors?

A. Risk response dashboard

B. Emerging risk report

C. Risk register dashboard

D. Key risk indicators report



Performance, Risk and Control Metrics


Key Performance Indicators

Performance indicators measure how well a process is performing in
terms of its stated goal.

• Provide insight into whether changes should be made before significant impacts occur.
• Effective in predicting whether organizational goals will be reached.
• Indicate the capabilities, practices and skills of value to the organization.
• Set benchmarks for risk management goals and monitor whether those goals are attained.

Example: 5% error
• Anything greater is unacceptable
• Requires escalation and response



Review Question
Which of the following choices is the BEST measure of the
operational effectiveness of risk-management process capabilities?

A. Key performance indicators

B. Key risk indicators

C. Base practices

D. Metric thresholds


Key Risk Indicators

Measures risk levels in comparison to defined risk thresholds, alerting the
enterprise when risk approaches an unacceptable level.

Highly relevant subset of risk indicators that possess a high probability of
predicting important risk.

• Identification
• Culture
• Regulatory compliance
• Measurement and reporting
• Appetite
• Mitigation



KRI Selection

Work with relevant stakeholders to ensure greater buy-in and ownership.

Risk indicators should be identified for all stakeholders, and IT-based
metrics should be aligned with other metrics used in the enterprise to the
greatest extent possible.

Select KRIs carefully and sparingly. Common mistakes made when
implementing KRIs include regarding too many risk indicators as being KRIs
and choosing KRIs that are flawed in some way.

KRI Flaws:
• Not linked to specific risk
• Incomplete or inaccurate due to unclear specifications
• Difficult to measure, aggregate, compare and interpret
• Provide results that cannot be compared over time
• Not linked to goals


KRI Effectiveness Criteria

The effectiveness of KRIs depends in large part on the strength of their metrics.

Balance: lagging indicators, leading indicators and trends.

Root Cause: Should drill down to reveal the cause of events, not just symptoms.

Further criteria: Impact, Effort, Reliability, Sensitivity, Repeatable.



Review Question
What is the BEST approach for creating key risk indicators (KRIs) for
quarterly reporting to senior leadership?

A. Survey senior leaders about their primary risk concerns.

B. Identify a list of the most common vulnerabilities in the network.

C. Determine which KRIs are used in similar industry verticals.

D. Identify the enterprise risk appetite and metrics and measures of current risk.


KRI Optimization
For meaningful reporting, ensure thresholds are set correctly and correct data are collected and reported.

Sensitivity: Automated tool to analyze and report on access control logs based on severity.

Timing: Track system transactions that violate defined SoD rules before month-end processing.

Frequency: Performed on actively operating controls regularly (weekly) to detect control failure in sufficient time.

Corrective Action: Remediation process to bring controls into alignment with the organizational risk appetite using existing tools.



Using KPIs with KRIs

KPIs identify:
• Underperforming aspects of the enterprise
• Business functions that may require additional resources and attention

KRIs provide:
• Early warnings of increased risk
• Forward-looking signals of risk to the enterprise

Used together to measure and monitor performance and mitigate risk.


Review Question
A company has set the unacceptable error level at 10 percent. Which
of the following tools can be used to trigger a warning when the error
level reaches eight percent?

A. A Fault Tree Analysis

B. Statistical Process Control

C. A Key Performance Indicator

D. A Failure Modes and Effects Analysis



KPI and KRI Example

[Chart: Average Time to Deploy Patches, in days (0 to 30), for UNIX, Windows
and Other platforms, plotted against a 30-day KPI line and a 25-day KRI line,
with triggered values highlighted.]

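An added example, not from the ISACA guide, that turns the chart's thresholds into a working evaluator: the 30-day KPI and 25-day KRI are the chart's, the per-platform patch records are constructed, and the same evaluator is also applied, going beyond the chart, to the 10 percent / 8 percent error-rate case posed in the review question above.

```python
"""Added example, not from the ISACA guide: a KPI/KRI evaluator applied to the
patch-deployment chart (30-day KPI, 25-day KRI) and to the error-rate case from
the review question (10 percent unacceptable, warn at 8 percent). The patch
records and transaction counts are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass(frozen=True)
class Indicator:
    """A metric where higher is worse, with a KRI warning set below the KPI."""
    name: str
    kri: float  # early warning: risk approaching an unacceptable level
    kpi: float  # target: anything greater is unacceptable (the guide's 5% example)

    def __post_init__(self):
        if self.kri >= self.kpi:
            raise ValueError(f"{self.name}: KRI must warn before the KPI is breached")

    def evaluate(self, value):
        if value > self.kpi:
            return "kpi-breached"   # requires escalation and response
        if value >= self.kri:
            return "kri-triggered"  # forward-looking signal; act before the breach
        return "ok"

PATCH_TIME = Indicator("average days to deploy patches", kri=25, kpi=30)
ERROR_RATE = Indicator("transaction error rate (%)", kri=8, kpi=10)

# Constructed sample: (platform, release date, deploy date), two cycles each.
SAMPLE_PATCHES = [
    ("UNIX", date(2021, 9, 1), date(2021, 9, 13)),
    ("UNIX", date(2021, 9, 14), date(2021, 9, 30)),
    ("Windows", date(2021, 9, 1), date(2021, 9, 29)),
    ("Windows", date(2021, 9, 14), date(2021, 10, 10)),
    ("Other", date(2021, 9, 1), date(2021, 10, 8)),
    ("Other", date(2021, 9, 14), date(2021, 10, 19)),
]

def patch_status(records, indicator=PATCH_TIME):
    """Average release-to-deploy days per platform with its indicator state."""
    days = {}
    for platform, released, deployed in records:
        days.setdefault(platform, []).append((deployed - released).days)
    return {p: (mean(v), indicator.evaluate(mean(v))) for p, v in days.items()}

def error_rate_status(errors, total, indicator=ERROR_RATE):
    """Percentage of failed transactions and the state it falls in."""
    rate = 100.0 * errors / total
    return rate, indicator.evaluate(rate)

def escalations(status):
    """Platforms needing action, worst first, for reporting and the risk register."""
    order = {"kpi-breached": 0, "kri-triggered": 1}
    return sorted((p for p, (_, s) in status.items() if s in order),
                  key=lambda p: order[status[p][1]])
```

With the constructed records, Windows averages 27 days (KRI triggered, KPI still met) and Other averages 36 days (KPI breached), which is the distinction the chart draws between the two lines.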

Key Control Indicators

Certain indicators reveal the effectiveness of controls.
KCIs quantify how well a specific control is working.

1. Tracks performance of control actions relative to tolerances.
2. Provides insight into the ongoing adequacy of a control.
3. Correlated with controls and the underlying risk.
4. Typically act as secondary indicators to control failure.
5. Show broader implications as individual controls can affect multiple risk areas.



Review Question
Which indicator ensures that the enterprise’s risk is effectively
treated?

A. An indicator that is used to define the control environment and measures toward tolerance

B. An indicator implemented to detect and signal the root cause of a risk event

C. An indicator used to define and monitor changes in the risk profile

D. An indicator used to define performance targets and measure progress toward goals


Review Question
An enterprise implemented a new control to mitigate a recurring risk
event. Which of the following would BEST measure the effectiveness
of the implemented control?

A. Reduction in financial impact on the annual report

B. Measurable reduction in likelihood, impact or both

C. Readjustment of risk appetite to meet residual risk

D. Increased efficiency over the appropriate processes



Summary and Q/A


Risk and Control Ownership

Risk Treatment/Risk Response Options

Managing Risk from Processes, Third Parties and Emergent Sources

Control Types, Standards and Frameworks

Control Design, Selection and Analysis

Control Implementation, Testing and Effectiveness Evaluation

Risk Treatment Plans

Data Collection, Aggregation, Analysis and Validation

Risk and Control Monitoring and Reporting Techniques

Performance, Risk and Control Metrics


Preparing for Session Four


• Review the pre-session materials

• Complete session three activities


• Review and answer session four questions
