Cyber Risk Concepts - CRISC certification notes - Part 4 - IT Systems
- brencronin
- 1 day ago
Updated: 6 hours ago
CRISC IT Systems Topic areas:
Information Technology Principles
Enterprise architecture: Managing and governing the overall structure of an organization's IT systems.
IT operations management: Handling the day-to-day IT processes, such as change management, IT asset management, and incident management.
Project management: Applying risk management principles throughout the system development life cycle (SDLC).
Disaster recovery management (DRM): Creating and maintaining a plan to restore technology and systems after a disaster.
Data lifecycle management: Controlling the flow of data from creation and storage to deletion.
Emerging technologies: Understanding and managing the risks associated with new technologies like artificial intelligence (AI), cloud computing, and the Internet of Things (IoT).
Information Security Principles
Information security concepts, frameworks, and standards: Applying established principles and guidelines to maintain data confidentiality, integrity, and availability.
Information security awareness training: Educating personnel to be a proactive defense against security threats.
Business continuity management: Ensuring that an organization can continue to operate and deliver products or services during and after an incident.
Data privacy and data protection principles: Adhering to legal and regulatory requirements for safeguarding sensitive data.
Enterprise architecture
Risk response (mitigation) is carried out through security controls. Those controls are commonly planned within the enterprise architecture, then implemented, tracked, and audited against a security control framework.
Enterprise Architectures provide a strategic, high-level blueprint for aligning an organization’s IT infrastructure, business processes, and technology goals. They focus on structure, integration, and alignment of systems and capabilities across the enterprise (e.g., TOGAF, Zachman Framework).
Security Control Frameworks, on the other hand, focus specifically on managing and mitigating risk by providing tactical and operational guidance on implementing safeguards to protect information systems (e.g., NIST SP 800-53, ISO/IEC 27001, CIS Controls).
In short:
Enterprise architecture = Strategic structure for IT-business alignment
Security control framework = Tactical guidance for protecting assets and managing cyber risk
Enterprise Architecture and Frameworks
Within the domain of enterprise architecture, it is standard to define several sub-architectures, each addressing a different aspect of the organization’s structure:
Business Architecture – Defines business strategy, governance, organization, and key business processes.
Application Architecture – Details individual applications, their interactions, and their alignment with business needs.
Data Architecture – Focuses on data assets, data management policies, and standards.
Technology Architecture – Covers the infrastructure, hardware, and software needed to support applications and data.
Common Enterprise Architecture Frameworks
Several frameworks guide the development and implementation of enterprise architectures:
TOGAF (The Open Group Architecture Framework): A widely adopted framework providing a structured approach to designing, planning, and governing enterprise IT. It helps align IT strategy with business goals using its ADM (Architecture Development Method).
DODAF (Department of Defense Architecture Framework): Used by the U.S. Department of Defense to describe and manage complex system architectures across multiple stakeholders, promoting standardization and improved decision-making.
FEAF (Federal Enterprise Architecture Framework): A U.S. federal government framework designed to improve cross-agency collaboration, reduce duplication, and increase efficiency through standardized architectural practices.
Zachman Framework: An ontology-based model that provides a formalized way to describe an enterprise from multiple perspectives (planner, owner, designer, etc.) and across six dimensions (What, How, Where, Who, When, Why).
SABSA (Sherwood Applied Business Security Architecture): A risk- and business-driven security architecture methodology that integrates security into enterprise architecture, ensuring alignment between business objectives and security strategies.
Questions related to enterprise architecture:
Are we doing the right things?
Are we doing them the right way?
Are we getting them done well?
Are we getting the benefits?
IT operations management
COBIT: Control Objectives for Information and Related Technologies
COBIT, developed by ISACA, is a globally recognized framework for the governance and management of enterprise IT. The latest version, COBIT 2019, is built around aligning IT goals with business objectives while ensuring risk management, compliance, and value delivery.
COBIT 2019 Publications
Introduction and Methodology – Provides an overview of COBIT and its structure.
Governance and Management Objectives – Details 40 key objectives mapped to specific processes.
Design Guide – Helps tailor COBIT to enterprise-specific needs.
Implementation Guide – Provides a roadmap for adopting COBIT in real-world environments.
COBIT Domains and Core Processes
COBIT 2019 defines 40 Governance and Management Objectives, grouped into five process domains:
1. Evaluate, Direct, and Monitor (EDM)
Focus: Governance
EDM is the governance layer that ensures IT is aligned with business goals.
Includes 5 objectives centered on strategic alignment, performance optimization, stakeholder engagement, and ensuring value delivery.
2. Align, Plan, and Organize (APO)
Focus: Strategic and Organizational Planning
Contains 14 objectives related to enterprise architecture, budgeting, HR management, third-party/vendor management, risk, and data governance.
Covers both internal and external service agreements.
3. Build, Acquire, and Implement (BAI)
Focus: Solution Development and Change Management
Covers 11 objectives that address the full solution delivery lifecycle, including software acquisition, implementation, change management, and capacity planning.
Emphasizes strong project and change management practices.
4. Deliver, Service, and Support (DSS)
Focus: IT Operations and Security
Contains 6 objectives dealing with operations management, incident handling, problem resolution, continuity planning, service requests, and security controls.
Highly IT-centric and operational.
5. Monitor, Evaluate, and Assess (MEA)
Focus: Performance Monitoring and Compliance
Consists of 4 objectives related to evaluating system performance, internal controls, regulatory compliance, and audit assurance.
MEA focuses on operational oversight, while EDM operates from a governance (executive) perspective.

Project management (SDLC)
Software Development Life Cycle (SDLC) and Risk
An important category of risk lies within software developed by the organization. To manage this, organizations often follow the Software Development Life Cycle (SDLC), a structured framework that guides the planning, development, deployment, and eventual retirement of software systems.
In secure software development, risk should be addressed at every phase of the SDLC. The earlier security risks are identified and mitigated, the easier they are to manage and the less costly they are to fix.
SDLC Phases
Initiation – Define project scope, goals, and feasibility.
Development/Acquisition – Design or acquire software based on requirements.
Implementation – Deploy the software into the environment.
Operation/Maintenance – Monitor, update, and support the software in production.
Disposal – Retire the software securely and ensure data is properly handled.
SDLC Risk vs. Project Risk
While project risk focuses on meeting timelines, budgets, and business objectives, SDLC risk is concerned with the software development process itself, including flaws in design, insecure coding practices, and deployment vulnerabilities. The two are closely related and must be managed in tandem to ensure successful, secure software delivery.
Related Concept: Secure Development Lifecycle (SDL)
Incorporating threat modeling into the Secure Development Lifecycle (SDL) ensures threats are considered throughout development.
SD3+C Framework (Microsoft's shorthand from its Trustworthy Computing SDL):
Secure by Design – security is built into the architecture and code from the start (threat modeling, secure coding).
Secure by Default – the shipped configuration minimises attack surface: unneeded features off, least privilege, safe defaults.
Secure in Deployment – guidance and tooling so the product can be deployed, patched, and configured securely in the field.
Communications (the "+C") – keeping users and administrators informed about vulnerabilities, fixes, and secure usage.
Related Concept: Capability Maturity Model (CMM) and Its Broader Applications
In the context of software development, organizations are often assessed using the Capability Maturity Model (CMM) and its successor CMMI, which evaluate process maturity across five levels (level names below follow CMMI; the original CMM called levels 2 and 4 "Repeatable" and "Managed"):
Initial – Processes are ad hoc and unpredictable.
Managed – Basic project management processes are established.
Defined – Processes are standardized, documented, and communicated.
Quantitatively Managed – Processes are measured and controlled using data.
Optimizing – Focus is on continuous improvement through feedback and innovation.
Originally developed for software development, the CMM framework is now being widely applied to assess organizational maturity in other critical areas, including:
Vulnerability Management
Incident Response
Detection Engineering
Security Operations Center (SOC) Capabilities
Using CMM as a benchmark in these domains helps organizations understand their current state, identify gaps, and create roadmaps for achieving higher levels of operational maturity and effectiveness.
Data lifecycle management
Data Risks
Data is often the primary asset at risk, making it essential to understand the roles of data classification and data lifecycle management in an organization’s overall risk posture. These processes not only help protect sensitive information but also support informed risk evaluation and mitigation.
Data Classification
Data classification involves categorizing data based on specific criteria to determine the appropriate level of protection. Key classification factors include:
Regulatory Requirements – Compliance with laws such as GDPR, HIPAA, or CCPA.
Business Impact – Potential harm from data loss, alteration, or disclosure.
Data Type – Personal, financial, health, proprietary, etc.
Access Control – Who can access the data and under what conditions.
Location – Where the data resides, including jurisdictional implications.
Proper classification ensures that critical data receives the appropriate security controls and monitoring.
Data Lifecycle Management
Understanding how data flows through its lifecycle is crucial for identifying when and where it is most vulnerable. The typical stages include:
Creation – Generation or acquisition of data.
Storage – Secure retention of data in appropriate systems.
Use – Access and processing by authorized users.
Sharing – Controlled dissemination within or outside the organization.
Archiving – Long-term storage of infrequently accessed data.
Destruction – Secure and irreversible deletion when data is no longer needed.
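As an added worked example (not part of the original notes), the following Python ties the two lists above together: it classifies a data asset at the highest tier any single factor (regulation, business impact, data type, location) demands, then reports which controls are still missing for a given lifecycle stage. The tier names, the factor-to-tier mappings, the per-stage control list, and the GDPR cross-border rule are all assumptions chosen for illustration; the sample assets are constructed.

```python
# Added example: classification at the highest applicable tier plus
# per-lifecycle-stage control checks. All tier names, mappings and rules
# below are assumed for illustration, not taken from the CRISC notes.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Ordered from least to most sensitive (assumed scheme).
TIERS = ["Public", "Internal", "Confidential", "Restricted"]

# Minimum tier implied by each classification factor (assumed values).
REGULATION_TIER = {"GDPR": "Confidential", "CCPA": "Confidential", "HIPAA": "Restricted"}
DATA_TYPE_TIER = {"public": "Public", "proprietary": "Confidential",
                  "personal": "Confidential", "financial": "Restricted",
                  "health": "Restricted"}
IMPACT_TIER = {"low": "Internal", "medium": "Confidential", "high": "Restricted"}

# (minimum tier, control) pairs per lifecycle stage; a control applies to
# every tier at or above its minimum (assumed policy).
STAGE_CONTROLS: Dict[str, List[Tuple[str, str]]] = {
    "Creation":    [("Internal", "classification_label")],
    "Storage":     [("Confidential", "encryption_at_rest"), ("Restricted", "access_logging")],
    "Use":         [("Confidential", "rbac"), ("Restricted", "mfa")],
    "Sharing":     [("Confidential", "encryption_in_transit"), ("Restricted", "dlp"),
                    ("Restricted", "owner_approval")],
    "Archiving":   [("Confidential", "encryption_at_rest"), ("Restricted", "retention_schedule")],
    "Destruction": [("Confidential", "verified_wipe"), ("Restricted", "destruction_certificate")],
}

# Jurisdictions treated as inside the GDPR transfer area (assumed, simplified).
GDPR_AREA = {"EU", "EEA"}


@dataclass
class DataAsset:
    name: str
    data_types: List[str]
    regulations: List[str]
    business_impact: str   # "low" | "medium" | "high"
    location: str          # jurisdiction where the data resides


def tier_rank(tier: str) -> int:
    return TIERS.index(tier)


def classify(asset: DataAsset) -> str:
    """Classify at the highest tier demanded by any single factor."""
    candidates = [IMPACT_TIER[asset.business_impact]]
    candidates += [DATA_TYPE_TIER[t] for t in asset.data_types]
    candidates += [REGULATION_TIER[r] for r in asset.regulations]
    return max(candidates, key=tier_rank)


def required_controls(asset: DataAsset, stage: str,
                      destination: Optional[str] = None) -> Set[str]:
    """Controls the stage demands for this asset's tier, plus location rules."""
    tier = classify(asset)
    required = {c for min_tier, c in STAGE_CONTROLS[stage]
                if tier_rank(min_tier) <= tier_rank(tier)}
    # Location factor (assumed rule): GDPR-scoped data shared to a destination
    # outside the area, or to an unknown destination, needs a transfer mechanism.
    if stage == "Sharing" and "GDPR" in asset.regulations and destination not in GDPR_AREA:
        required.add("cross_border_transfer_mechanism")
    return required


def check_stage(asset: DataAsset, stage: str, controls_in_place,
                destination: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (tier, sorted list of controls still missing for this stage)."""
    missing = required_controls(asset, stage, destination) - set(controls_in_place)
    return classify(asset), sorted(missing)


if __name__ == "__main__":
    # Constructed sample assets.
    ehr = DataAsset("patient_portal_db", ["personal", "health"], ["HIPAA"], "high", "US")
    crm = DataAsset("eu_customer_crm", ["personal"], ["GDPR"], "medium", "EU")
    site = DataAsset("marketing_site", ["public"], [], "low", "US")
    for asset, stage, ctrls, dest in [
        (ehr, "Sharing", {"encryption_in_transit"}, "US"),
        (crm, "Sharing", {"encryption_in_transit"}, "US"),
        (site, "Storage", set(), None),
    ]:
        print(asset.name, stage, check_stage(asset, stage, ctrls, dest))
```

The "highest tier wins" rule in `classify` is the point worth keeping: a record that is mostly public but contains one health field is Restricted as a whole. The stage check makes the lifecycle list actionable, since the same asset needs different controls when it is shared than when it is archived or destroyed.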
Data Management vs. Data Governance
Data Management focuses on the technical execution of data handling—storage, access, backup, and security measures.
Data Governance emphasizes the strategic, policy-driven oversight of how data is managed, ensuring accountability, compliance, and alignment with business objectives.
Data owners play a critical role by offering essential insights into their systems and data, which significantly aids in identifying and understanding potential risks.
Cybersecurity Budgeting
Information security budgets typically fall into three categories:
Mandatory Spending – Activities required to meet regulatory or compliance obligations.
Fiduciary/Strategic Spending – Investments aimed at preventing material negative impact to the organization, fulfilling your responsibility to protect assets and operations.
Discretionary Spending – Budgets influenced by internal priorities, emerging threats, or external conditions that warrant proactive investment.
Evaluating Cyber Tool Investments
Identify the top 10 annually renewing cybersecurity tool contracts.
Assess the ROI for each tool:
How effectively does it reduce potential material impact to the organization?
Are you allocating $1M to protect assets or processes of relatively low business value?
Focus spending where it delivers the greatest risk reduction relative to cost.
This approach ensures your budget aligns with compliance, risk reduction, and strategic business priorities.
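As an added worked example (not part of the original notes), here is one way to put numbers behind the review above: take the most expensive renewing contracts, estimate the annualised loss each one removes, and compute a return on security investment (ROSI). The ROSI formula used, (risk reduction − annual cost) / annual cost, the rule that Mandatory spend is never flagged on ROI alone, and every figure in the sample portfolio are assumptions constructed for illustration, not data from the notes or any real organisation.

```python
# Added example: ranking renewing tool contracts by ROSI. The formula and the
# sample contract figures are assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ToolContract:
    name: str
    category: str           # "Mandatory" | "Fiduciary" | "Discretionary"
    annual_cost: float      # renewal cost per year
    asset_value: float      # value of the assets/processes the tool protects
    exposure_factor: float  # fraction of asset_value lost per incident (0..1)
    aro_before: float       # expected incidents per year without the tool
    aro_after: float        # expected incidents per year with the tool


def ale(tool: ToolContract, aro: float) -> float:
    """Annualised loss expectancy = single loss expectancy x annual rate of occurrence."""
    return tool.asset_value * tool.exposure_factor * aro


def risk_reduction(tool: ToolContract) -> float:
    """Material impact the tool removes per year: ALE without it minus ALE with it."""
    return ale(tool, tool.aro_before) - ale(tool, tool.aro_after)


def rosi(tool: ToolContract) -> float:
    """Return on security investment: (risk reduction - cost) / cost (assumed formula)."""
    return (risk_reduction(tool) - tool.annual_cost) / tool.annual_cost


def review_top_contracts(contracts: List[ToolContract], top_n: int = 10) -> List[Dict]:
    """Take the top_n most expensive renewals, compute ROSI for each, and flag
    contracts that cost more than the risk they remove. Mandatory spend is not
    flagged on ROI alone: it is justified by the compliance obligation."""
    biggest = sorted(contracts, key=lambda t: t.annual_cost, reverse=True)[:top_n]
    rows = []
    for t in biggest:
        r = rosi(t)
        rows.append({
            "name": t.name,
            "category": t.category,
            "annual_cost": t.annual_cost,
            "risk_reduction": risk_reduction(t),
            "rosi": round(r, 3),
            "review": r < 0 and t.category != "Mandatory",
        })
    return sorted(rows, key=lambda row: row["rosi"], reverse=True)


# Constructed sample portfolio (all figures made up for the example).
SAMPLE_CONTRACTS = [
    ToolContract("EDR platform", "Fiduciary", 400_000, 20_000_000, 0.25, 0.5, 0.1),
    ToolContract("WAF for legacy intranet app", "Fiduciary", 1_000_000, 500_000, 1.0, 0.5, 0.05),
    ToolContract("PCI ASV scanning", "Mandatory", 50_000, 2_000_000, 0.1, 0.2, 0.1),
    ToolContract("Threat intel feed", "Discretionary", 120_000, 5_000_000, 0.2, 0.3, 0.2),
]

if __name__ == "__main__":
    for row in review_top_contracts(SAMPLE_CONTRACTS):
        flag = "  <- review: cost exceeds risk reduced" if row["review"] else ""
        print(f'{row["name"]:<30} {row["category"]:<14} ROSI={row["rosi"]:>7.3f}{flag}')
```

In the sample, the $1M WAF in front of a $500K application is the "spending $1M to protect low-value assets" case from the list above: even a 90% cut in incident rate removes far less loss than the contract costs. The PCI scanning line also has a negative ROSI but stays off the review list because it is Mandatory spend; the question there is whether it meets the obligation at the lowest cost, not whether it pays for itself.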
Cybersecurity Budgeting Framework
| Budget Category | Purpose | Risk Focus | ROI Consideration | Examples |
|---|---|---|---|---|
| Mandatory / Regulatory | Meet compliance obligations | Prevent legal/regulatory penalties | ROI measured by avoiding fines, audits, sanctions | GDPR, HIPAA, SOX compliance tools, mandatory vulnerability scanning |
| Fiduciary / Strategic | Protect material assets and business operations | High-value business risks | ROI measured by reduction of potential material impact | Endpoint protection, network security, incident response capabilities |
| Discretionary / Opportunistic | Address emerging threats, optimize operations, or proactive improvements | Medium/low-risk areas or potential future risks | ROI measured by efficiency gains, risk avoidance, or strategic advantage | Threat intelligence subscriptions, advanced analytics, pilot tools |