
Cyber Risk Concepts - CRISC certification notes - Part 4 - IT Systems

  • brencronin
  • Oct 13
  • 12 min read

Updated: Nov 4

CRISC IT Systems Topic areas:


Information Technology Principles


  • Enterprise architecture: Managing and governing the overall structure of an organization's IT systems.

  • IT operations management: Handling the day-to-day IT processes, such as change management, IT asset management, and incident management.

  • Project management: Applying risk management principles throughout the system development life cycle (SDLC).

  • Disaster recovery management (DRM): Creating and maintaining a plan to restore technology and systems after a disaster.

  • Data lifecycle management: Controlling the flow of data from creation and storage to deletion.

  • Emerging technologies: Understanding and managing the risks associated with new technologies like artificial intelligence (AI), cloud computing, and the Internet of Things (IoT).


Information Security Principles


  • Information security concepts, frameworks, and standards: Applying established principles and guidelines to maintain data confidentiality, integrity, and availability.

  • Information security awareness training: Educating personnel to be a proactive defense against security threats.

  • Business continuity management: Ensuring that an organization can continue to operate and deliver products or services during and after an incident.

  • Data privacy and data protection principles: Adhering to legal and regulatory requirements for safeguarding sensitive data.


Enterprise architecture


Risk response mitigations are accomplished through security controls which are commonly planned through enterprise architectures, and implemented, tracked, and audited via security control frameworks.


  • Enterprise Architectures provide a strategic, high-level blueprint for aligning an organization’s IT infrastructure, business processes, and technology goals. They focus on structure, integration, and alignment of systems and capabilities across the enterprise (e.g., TOGAF, Zachman Framework).

  • Security Control Frameworks, on the other hand, focus specifically on managing and mitigating risk by providing tactical and operational guidance on implementing safeguards to protect information systems (e.g., NIST SP 800-53, ISO/IEC 27001, CIS Controls).


In short:

Enterprise architecture = Strategic structure for IT-business alignment

Security control framework = Tactical guidance for protecting assets and managing cyber risk

Enterprise Architecture and Frameworks


Within the domain of enterprise architecture, it is standard to define several sub-architectures, each addressing a different aspect of the organization’s structure:


  • Business Architecture – Defines business strategy, governance, organization, and key business processes.

  • Application Architecture – Details individual applications, their interactions, and their alignment with business needs.

  • Data Architecture – Focuses on data assets, data management policies, and standards.

  • Technology Architecture – Covers the infrastructure, hardware, and software needed to support applications and data.


Common Enterprise Architecture Frameworks


Several frameworks guide the development and implementation of enterprise architectures:


  • TOGAF (The Open Group Architecture Framework): A widely adopted framework providing a structured approach to designing, planning, and governing enterprise IT.

    • It helps align IT strategy with business goals using its Architecture Development Method (ADM).

    • TOGAF provides the flexibility needed to align enterprise architectures across different regions while supporting standards and interoperability.

    • The ADM allows for iterative development that can cater to both local autonomy and enterprise-wide integration.

    • TOGAF is also well suited to hybrid environments.

    • TOGAF's Architecture Vision phase is the most critical phase for identifying security and risk management requirements.

  • DODAF (Department of Defense Architecture Framework): Used by the U.S. Department of Defense to describe and manage complex system architectures across multiple stakeholders, promoting standardization and improved decision-making.

  • FEAF (Federal Enterprise Architecture Framework): A U.S. federal government framework designed to improve cross-agency collaboration, reduce duplication, and increase efficiency through standardized architectural practices.

  • Zachman Framework: An ontology-based model that provides a formalized way to describe an enterprise from multiple perspectives (planner, owner, designer, etc.) and across six dimensions (What, How, Where, Who, When, Why).

  • SABSA (Sherwood Applied Business Security Architecture): A risk- and business-driven security architecture methodology that integrates security into enterprise architecture, ensuring alignment between business objectives and security strategies.


Questions related to enterprise architecture:


  • Are we doing the right things?

  • Are we doing them the right way?

  • Are we getting them done well?

  • Are we getting the benefits?


IT operations management


COBIT: Control Objectives for Information and Related Technologies


COBIT, developed by ISACA, is a globally recognized framework for the governance and management of enterprise IT. The latest version, COBIT 2019, is built around aligning IT goals with business objectives while ensuring risk management, compliance, and value delivery.


COBIT is the most suitable framework for guiding the IT asset classification process. Developed by ISACA, it offers a comprehensive approach to establishing, monitoring, and improving IT governance and management practices. Designed to align IT objectives with overall business goals, COBIT provides a structured and effective foundation for identifying, classifying, and managing IT assets within an organization.


COBIT 2019 is a comprehensive framework that integrates IT governance and management with overall business objectives, making it a powerful tool for managing IT-related risks. It offers a structured approach to ensuring that IT investments effectively support enterprise goals while meeting risk management and compliance obligations.


In contrast to frameworks such as PRINCE2 and PMP, which emphasize project management, or TOGAF, which focuses on enterprise architecture, COBIT 2019 provides end-to-end coverage of IT governance and management. This breadth makes it an ideal choice for organizations aiming to embed IT risk management within a cohesive and enterprise-wide governance structure.


COBIT integrates governance, risk management, and compliance (GRC) principles while providing a structured methodology for adapting to change.


The Evaluate, Direct and Monitor (EDM) domain, which governs enterprise IT, is the COBIT component to focus on most in order to ensure that IT processes deliver value to the business while managing risk.


The COBIT Governance and Management Objectives are designed to help organizations align their IT risk management practices with their overall governance framework. This component offers detailed guidance on effectively governing and managing IT, ensuring that risk management is seamlessly integrated into enterprise-wide governance activities.


By applying these objectives, organizations can establish clear accountability and expectations for IT risk management, aligning practices with strategic goals and industry standards. This alignment not only strengthens the organization’s IT risk management capabilities but also supports digital transformation initiatives by promoting a structured, consistent, and governance-driven approach to managing IT risks.


  • COBIT 5: Organized around five principles and seven enablers for governance and management.

  • COBIT 2019: Replaces those with “Core Model” governance and management objectives — 40 in total — to make it more practical and measurable.


| Aspect            | COBIT 5                  | COBIT 2019                                 |
|-------------------|--------------------------|--------------------------------------------|
| Structure         | 5 Principles, 7 Enablers | 40 Governance & Management Objectives      |
| Alignment         | Older frameworks         | Updated (COSO ERM 2017, ISO 38500, ITIL 4) |
| Customization     | Limited                  | Design Factors introduced                  |
| Performance Model | Capability (ISO 15504)   | Enhanced Performance Management Model      |
| Update Cycle      | Static                   | Continuous/living framework                |
| Governance Focus  | Conceptual               | Operational and measurable                 |


COBIT 2019 Publications


  1. Introduction and Methodology – Provides an overview of COBIT and its structure.

  2. Governance and Management Objectives – Details 40 key objectives mapped to specific processes.

  3. Design Guide – Helps tailor COBIT to enterprise-specific needs.

  4. Implementation Guide – Provides a roadmap for adopting COBIT in real-world environments.


COBIT Domains and Core Processes


COBIT 2019 defines 40 Governance and Management Objectives, grouped into five process domains:


1. Evaluate, Direct, and Monitor (EDM)


Focus: Governance


  • EDM is the governance layer that ensures IT is aligned with business goals.

  • Includes 5 objectives centered on strategic alignment, performance optimization, stakeholder engagement, and ensuring value delivery.

  • EDM03 'Ensure Risk Optimization'

    • Promote a risk-aware culture

    • Integration of the IT risk strategy with the enterprise risk strategy

    • Team-wide risk reporting

    • Key risk goals and monitoring


2. Align, Plan, and Organize (APO)


Focus: Strategic and Organizational Planning


  • Contains 14 objectives related to enterprise architecture, budgeting, HR management, third-party/vendor management, risk, and data governance.

  • Covers both internal and external service agreements.

  • APO12 'Manage Risk'

    • Risk analysis results

    • Results of third-party risk assessments

    • Actions to address risk management deviations

  • APO12.05 'Define a Risk Management Action Portfolio'

    • Identify Risks: The first step in defining a risk management action portfolio is identifying all potential risks that could impact the organization. This includes internal and external risks such as cybersecurity threats, compliance issues, and operational challenges.

    • Assess Risks: Once risks have been identified, the next step is to assess their potential impact and likelihood of occurrence. This can be done using risk assessment tools and techniques such as risk matrices and scenario analysis.

    • Prioritize Risks: Not all risks are equal, and it is important to prioritize them based on their potential impact on the organization. This involves considering factors such as the likelihood of occurrence, potential financial impact, and regulatory requirements.

    • Define Response Strategies: After prioritizing risks, the next step is defining appropriate strategies to mitigate or eliminate them. This could include risk avoidance, transfer, mitigation, or acceptance.

    • Allocate Resources: Effective resource allocation is crucial for implementing the chosen response strategies. This could involve assigning responsibilities to specific individuals or teams and securing the budget and other resources needed to address the risks.

    • Monitor and Review: Risk management is an ongoing process, and it is important to continuously monitor and review the effectiveness of the chosen response strategies. This may involve regular performance reviews, risk audits, and updates to the risk management action portfolio.

  • APO 13 'Manage Security'


3. Build, Acquire, and Implement (BAI)


Focus: Solution Development and Change Management


  • Covers 11 objectives that address the full solution delivery lifecycle, including software acquisition, implementation, change management, and capacity planning.

  • Emphasizes strong project and change management practices.


4. Deliver, Service, and Support (DSS)


Focus: IT Operations and Security


  • Contains 6 objectives dealing with operations management, incident handling, problem resolution, continuity planning, service requests, and security controls.

  • Highly IT-centric and operational.

  • DSS05 'Manage security services'


5. Monitor, Evaluate, and Assess (MEA)


Focus: Performance Monitoring and Compliance


  • Consists of 4 objectives related to evaluating system performance, internal controls, regulatory compliance, and audit assurance.

  • MEA focuses on operational oversight, while EDM operates from a governance (executive) perspective.




COSO ERM


COSO ERM (Enterprise Risk Management) is designed to help organizations integrate risk management directly into their overall business strategy. Unlike ISO 27001, which focuses on information security, or ITIL 4, which centers on IT service management, COSO ERM offers a comprehensive framework for identifying, assessing, and managing risks in alignment with organizational objectives. This strategic alignment ensures that risk management initiatives actively support and enhance the achievement of business goals. While COBIT 2019 provides valuable guidance for IT governance, it does not offer the same enterprise-wide risk focus as COSO ERM. COSO ERM provides a comprehensive approach to enterprise-wide risk management, integrating internal controls with business strategy and governance, and is well suited to address both operational and financial risks.


The COSO ERM framework is built around five core components: Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication, and Reporting. It’s important to note that the Control Environment belongs to the COSO Internal Control framework, not ERM. Each ERM component plays a vital role in embedding risk management into the organization’s strategic planning and operational decision-making, ensuring a cohesive and enterprise-wide approach to managing risk.


The COSO ERM framework is best suited for aligning risk management with business strategy and performance.


COSO ERM helps organizations understand the interrelationships between different types of risks and ensures that risk management is embedded in the strategic planning process.


Other ERM notes


The Risk Control Self-Assessment (RCSA) is a key component of an Enterprise Risk Management framework, enabling proactive risk identification across the organization. It engages business units to evaluate their own risks and control processes, helping to uncover both internal and external sources of risk while strengthening overall risk awareness and accountability.


The Internal Environment component of the COSO ERM framework defines the organization’s culture and sets the foundation for effective risk governance. It reflects the board’s oversight role and encompasses the organization’s risk philosophy, appetite, integrity, and ethical values. By shaping how risk is perceived and managed, the internal environment establishes the tone for the entire organization. A strong internal environment ensures that risk management practices align with strategic objectives and fosters a consistent, risk-aware culture across all levels of the organization.


Project management (SDLC)


Software Development Life Cycle (SDLC) and Risk


An important category of risk lies within software developed by the organization. To manage this, organizations often follow the Software Development Life Cycle (SDLC), a structured framework that guides the planning, development, deployment, and eventual retirement of software systems.


In secure software development, risk should be addressed at every phase of the SDLC. The earlier security risks are identified and mitigated, the easier they are to manage and the less costly they are to fix.


SDLC Phases


  1. Initiation – Define project scope, goals, and feasibility.

    • Strict change control processes that require formal approval help limit scope creep.

  2. Development/Acquisition – Design or acquire software based on requirements.

  3. Implementation – Deploy the software into the environment.

  4. Operation/Maintenance – Monitor, update, and support the software in production.

  5. Disposal – Retire the software securely and ensure data is properly handled.


SDLC Risk vs. Project Risk


While project risk focuses on meeting timelines, budgets, and business objectives, SDLC risk is concerned with the software development process itself, including flaws in design, insecure coding practices, and deployment vulnerabilities. Both types of risk are closely related and must be managed in tandem to ensure successful, secure software delivery.


Related Concept: Secure Development Lifecycle (SDL)


Incorporating threat modeling into the Secure Development Lifecycle (SDL) ensures threats are considered throughout development.


SD3+C Framework:


  • Secure by Design

  • Secure by Default

  • Secure in Deployment

  • Secure Communication


Related Concept: Capability Maturity Model (CMM) and Its Broader Applications


In the context of software development, organizations are often assessed using the Capability Maturity Model (CMM), which evaluates the maturity of processes across five levels:


  1. Initial – Processes are ad hoc and unpredictable.

  2. Managed – Basic project management processes are established.

  3. Defined – Processes are standardized, documented, and communicated.

  4. Quantitatively Managed – Processes are measured and controlled using data.

  5. Optimized – Focus is on continuous improvement through feedback and innovation.


To progress from an "initial" to a "managed" maturity level, it is essential to establish a formal risk management framework. A structured framework provides a solid foundation for standardized, repeatable processes, ensuring that risk management activities are organized and consistent. This framework should clearly define roles, responsibilities, methodologies, and procedures for identifying, assessing, and mitigating risks. By implementing a formalized approach, organizations can ensure uniform application of risk practices across all departments and foster a shared understanding of risk processes. Establishing this framework is a critical step toward advancing maturity and achieving sustainable improvements in risk management.


Originally developed for software development, the CMM framework is now being widely applied to assess organizational maturity in other critical areas, including:


  • Vulnerability Management

  • Incident Response

  • Detection Engineering

  • Security Operations Center (SOC) Capabilities


Using CMM as a benchmark in these domains helps organizations understand their current state, identify gaps, and create roadmaps for achieving higher levels of operational maturity and effectiveness.


Conducting maturity model assessments provides significant benefits by identifying opportunities for process improvement and growth within the risk function. These assessments deliver a detailed evaluation of current risk management practices, highlighting both strengths and areas needing enhancement. Understanding maturity levels allows organizations to target specific improvements and implement focused strategies to advance their risk capabilities. This emphasis on continuous improvement ensures that risk management practices evolve over time, remaining effective and aligned with business objectives. Furthermore, maturity assessments support strategic planning by guiding resource allocation to strengthen the organization’s overall risk posture.


Code development


The branch-per-feature model is an effective approach for managing large development teams working on multiple features concurrently. By assigning each feature to its own isolated branch, teams can minimize integration risks and maintain codebase stability. Developers can work independently, test thoroughly, and merge changes only when they are stable and complete. This model promotes parallel development, streamlines collaboration, and provides greater control over code integration. By isolating new features, organizations can prevent incomplete or unstable code from affecting the main branch, resulting in smoother integration and more reliable deployments.


Maintaining a comprehensive audit trail is essential in a DevSecOps environment to support risk management and regulatory compliance. Audit trails document every action within development and deployment processes, enabling organizations to trace changes, monitor access, and ensure accountability. This visibility is critical for detecting anomalies, responding to incidents, and validating security controls. Beyond compliance, a robust audit trail strengthens stakeholder trust by demonstrating transparency and the organization’s commitment to secure and responsible development practices.
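As an added example (not code from the post), one way to make such an audit trail tamper-evident: a hash-chained log in Go where every entry commits to the hash of the entry before it, so an after-the-fact edit to any recorded action is caught by verification. This goes beyond the paragraph, which states the need for an audit trail but not a mechanism; the event fields and pipeline events are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEvent is one recorded action in the pipeline: who did what to which object.
type AuditEvent struct {
	Actor  string
	Action string
	Target string
}

// Entry is an event plus the hash that links it to every entry before it.
type Entry struct {
	Event AuditEvent
	Prev  string // hash of the previous entry, "" for the first
	Hash  string // SHA-256 over Prev and the event fields
}

// hashEntry uses a fixed separator so field boundaries are unambiguous.
func hashEntry(prev string, e AuditEvent) string {
	sum := sha256.Sum256([]byte(strings.Join([]string{prev, e.Actor, e.Action, e.Target}, "\x1f")))
	return hex.EncodeToString(sum[:])
}

// Append records an event, chaining it to the last entry in the trail.
func Append(trail []Entry, e AuditEvent) []Entry {
	prev := ""
	if n := len(trail); n > 0 {
		prev = trail[n-1].Hash
	}
	return append(trail, Entry{Event: e, Prev: prev, Hash: hashEntry(prev, e)})
}

// Verify recomputes every link. It returns the index of the first entry whose
// hash or back-link does not match, or -1 when the whole trail is intact.
func Verify(trail []Entry) int {
	prev := ""
	for i, en := range trail {
		if en.Prev != prev || en.Hash != hashEntry(prev, en.Event) {
			return i
		}
		prev = en.Hash
	}
	return -1
}

func main() {
	// Constructed sample events from a deployment pipeline.
	var trail []Entry
	trail = Append(trail, AuditEvent{"alice", "merge", "feature/login -> main"})
	trail = Append(trail, AuditEvent{"ci-bot", "deploy", "build-42 -> prod"})
	trail = Append(trail, AuditEvent{"bob", "grant-access", "prod-db: alice"})
	fmt.Println("first bad index (intact):", Verify(trail)) // -1
	// Rewriting who granted the access after the fact breaks the chain at index 2.
	trail[2].Event.Actor = "alice"
	fmt.Println("first bad index (after edit):", Verify(trail)) // 2
}
```

In a real pipeline the trail would be appended to write-once storage and the latest hash published out of band, so that replacing the whole chain is detectable too.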


Data lifecycle management


Data Risks


Data is often the primary asset at risk, making it essential to understand the roles of data classification and data lifecycle management in an organization’s overall risk posture. These processes not only help protect sensitive information but also support informed risk evaluation and mitigation.


Data Classification


Data classification involves categorizing data based on specific criteria to determine the appropriate level of protection. Key classification factors include:


  • Regulatory Requirements – Compliance with laws such as GDPR, HIPAA, or CCPA.

  • Business Impact – Potential harm from data loss, alteration, or disclosure.

  • Data Type – Personal, financial, health, proprietary, etc.

  • Access Control – Who can access the data and under what conditions.

  • Location – Where the data resides, including jurisdictional implications.


Proper classification ensures that critical data receives the appropriate security controls and monitoring.


Data Lifecycle Management


Understanding how data flows through its lifecycle is crucial for identifying when and where it is most vulnerable. The typical stages include:


  1. Creation – Generation or acquisition of data.

  2. Storage – Secure retention of data in appropriate systems.

  3. Use – Access and processing by authorized users.

  4. Sharing – Controlled dissemination within or outside the organization.

  5. Archiving – Long-term storage of infrequently accessed data.

  6. Destruction – Secure and irreversible deletion when data is no longer needed.


Data Management vs. Data Governance


  • Data Management focuses on the technical execution of data handling, storage, access, backup, and security measures.

  • Data Governance emphasizes the strategic, policy-driven oversight of how data is managed, ensuring accountability, compliance, and alignment with business objectives.


Data owners play a critical role by offering essential insights into their systems and data, which significantly aids in identifying and understanding potential risks.


Encryption


A key advantage of encryption over tokenization is its ability to provide reversible data protection. Encryption transforms data into an unreadable format using cryptographic algorithms and keys, allowing authorized users to decrypt and restore the original information when needed.
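As an added example (not code from the post), the two reversibility models side by side in Go: AES-GCM encryption, which anyone holding the key can reverse anywhere, and a hypothetical in-memory TokenVault, where the random token can only be resolved by the vault that issued it. The vault type, the demo key handling and the sample card number are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// TokenVault is a hypothetical tokenization store: it hands out random tokens
// and holds the only mapping back to the original values.
type TokenVault struct{ byToken map[string]string }
func NewTokenVault() *TokenVault { return &TokenVault{byToken: map[string]string{}} }

// Tokenize issues a random token that is not derived from the value at all.
func (v *TokenVault) Tokenize(value string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	v.byToken[tok] = value
	return tok, nil
}

// Detokenize is the only way back; without the vault's mapping there is none.
func (v *TokenVault) Detokenize(tok string) (string, error) {
	if val, ok := v.byToken[tok]; ok {
		return val, nil
	}
	return "", fmt.Errorf("unknown token %q", tok)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals value with AES-GCM and prepends the random nonce to the output.
func Encrypt(key []byte, value string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), nil), nil
}

// Decrypt reverses Encrypt for any key holder; a wrong key or altered ciphertext fails authentication.
func Decrypt(key, ct []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", fmt.Errorf("bad key or ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from a KMS
	rand.Read(key)
	ct, _ := Encrypt(key, "4111-1111-1111-1111") // constructed sample value
	pt, _ := Decrypt(key, ct)
	fmt.Println("decrypted with the key:", pt)
}
```

The practical consequence for risk: a leaked ciphertext is only as safe as the key, while a leaked token exposes nothing unless the vault is also compromised.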


Cybersecurity Budgeting


Information security budgets typically fall into three categories:


  1. Mandatory Spending – Activities required to meet regulatory or compliance obligations.

  2. Fiduciary/Strategic Spending – Investments aimed at preventing material negative impact to the organization, fulfilling your responsibility to protect assets and operations.

  3. Discretionary Spending – Budgets influenced by internal priorities, emerging threats, or external conditions that warrant proactive investment.


Evaluating Cyber Tool Investments


  • Identify the top 10 annually renewing cybersecurity tool contracts.

  • Assess the ROI for each tool:

    • How effectively does it reduce potential material impact to the organization?

    • Are you allocating $1M to protect assets or processes of relatively low business value?

  • Focus spending where it delivers the greatest risk reduction relative to cost.


This approach ensures your budget aligns with compliance, risk reduction, and strategic business priorities.


Cybersecurity Budgeting Framework


| Budget Category               | Purpose                                                                 | Risk Focus                                     | ROI Consideration                                                       | Examples                                                               |
|-------------------------------|-------------------------------------------------------------------------|------------------------------------------------|-------------------------------------------------------------------------|------------------------------------------------------------------------|
| Mandatory / Regulatory        | Meet compliance obligations                                             | Prevent legal/regulatory penalties             | ROI measured by avoiding fines, audits, sanctions                       | GDPR, HIPAA, SOX compliance tools, mandatory vulnerability scanning    |
| Fiduciary / Strategic         | Protect material assets & business operations                           | High-value business risks                      | ROI measured by reduction of potential material impact                  | Endpoint protection, network security, incident response capabilities |
| Discretionary / Opportunistic | Address emerging threats, optimize operations, or proactive improvements | Medium/low-risk areas or potential future risks | ROI measured by efficiency gains, risk avoidance, or strategic advantage | Threat intelligence subscriptions, advanced analytics, pilot tools     |


 
 
 
