Introduction
The process of balancing economic opportunity with possible information security-related losses is known as information risk management.
Because it is impossible to predict the frequency and expense of severe loss occurrences, information risk management is primarily a qualitative endeavor.
Nonetheless, various risk measurement methodologies have been developed to assist companies in better understanding risks and how to manage them.
These approaches encompass both qualitative and quantitative procedures, and they are used to help businesses make decisions.
This domain assesses CISM applicants’ understanding of risk management concepts and practices and their ability to apply them to an organization’s information security program.
The disciplined application of management rules, processes, and practices to the activities of detecting, analyzing, assessing, presenting, and tracking information-related risk is known as information risk management.
In a previous article, we provided an overview of all four domains in the CISM exam, with a brief overview of information risk management.
In this post, we look at information risk management in more detail.
The CISM Exam Objectives (IRM)
CISM applicants must understand the relevance of risk management as a tool for fulfilling business goals and for establishing a security management programme that supports those goals.
Information security risk management, as contrasted to information security governance, specifies the scope of protection and is based on the organization’s business requirements, goals, and priorities.
Applicants will be expected to demonstrate their ability to identify, analyse, quantify, report, and manage information security-related risk in order to meet business objectives by completing a series of tasks.
Because information security is a part of enterprise risk management, the strategies, methods, and metrics utilised may need to be considered in the context of organisational risk.
Human resource, operational, physical, geopolitical, and environmental risk must all be considered while managing information security risks.
This domain represents 30 percent of the CISM examination.
Information Risk Management’s Relevance
Any business that wants to be fairly aware of risks must start with risk management.
If risks are not detected and managed, unanticipated losses may occur, and the organization's existence may be jeopardized.
The purpose of risk management is the identification of credible threats and the means to decide what to do about those threats.
Organizations that employ effective risk management practices see fewer security events with lower impact, and the firm is better prepared to deal with them.
Confidence in business activities follows when risks are controlled to levels that are acceptable given the organization’s goals.
Without adequate risk management, it would be impossible to identify the potential cost or impact of specific risks, or the mitigation actions they require.
Risk management offers critical information that allows the security manager to prioritise precious resources in order to reduce risk as much as feasible.
Without risk management strategies, security administrators would have to rely on instincts or other arbitrary methods to prioritise threats.
Risk management design and implementation are influenced by a number of elements –
- The culture of the company. This will have an impact on how employees accept new ideas. They may approve or disapprove of the concept.
- The objectives, mission and goals of the organisation. The purpose and objectives of the company must be linked with the requirement to adopt risk management, or else there will be a lot of resistance.
- The structure of the company. Processes and bureaucracy slow down the implementation of solutions and ideas in most businesses. This is something that has to be considered.
- Specific organisational rules and procedures will be required to execute successful risk management. For example, certain people may be required to have a specific degree of qualification.
Two elements impact the effectiveness of a risk management programme: top management support and an organization’s security awareness and accountability culture.
A good risk management programme may also help pave the way for subtle but strategic changes in an organization’s culture.
Information Risk Management’s Results
An organisation that adopts an efficient risk management programme will have a greater understanding of how technology is used in the workplace and how it affects the business.
The most significant advantage to an organisation will be a lower likelihood of security events, and for those incidents that do occur, the company will be better prepared, and the effect of the occurrence will be lessened.
Some of the outcomes of information risk management are –
- Knowledge of the threats that have been or may be experienced in the future, as well as their risk characteristics
- Evaluating the level of risk and the potential repercussions of a breach
- Risk mitigation plan adequate to achieve acceptable residual risk impacts
- Quantifiable proof that risk management assets are being used appropriately and efficiently.
A risk management program will help a company establish a culture of risk-aware strategy, reasoning, and judgment.
The organization’s leadership will be more mindful of risk, resulting in a more accurate assessment of the hazards connected with the use of information technology and the Internet.
Managers and other decision-makers will begin to gain a sense of the risks associated with various types of company operations.
Information Risk Management Strategy
A risk management strategy’s goals are to identify all credible hazards and decrease them to an acceptable level for the company.
A risk management strategy must be an integrated business process with clearly defined objectives that encompasses all of the organization’s risk management procedures, activities, techniques, and policies in order to be effective.
The adoption and refining of controls will be driven by the organization’s tolerable level of risk (risk tolerance).
Risk assessments and risk treatment will then drive modifications to its controls with time.
Controls are the primary means of minimising risk: each control exists to deliver a specific intended outcome, whatever that outcome may be.
Risk management methods are influenced by a number of internal and external variables.
Organizational maturity, history, culture, structure, and risk tolerance are all internal variables to consider. Industry sector, as well as legal and regulatory constraints, are examples of external influences.
The first stages in developing a risk management programme may be –
- Defining the program’s context and goals
- Establishing the program’s scope and mission.
- Identifying, classifying, and claiming ownership of assets
- Choosing the appropriate technique
- Putting together the implementation team
While risk management is the duty of everyone in the business, it is critical for applicants to grasp the scope of responsibility and authority that falls solely on the information security manager and stakeholders.
Establishing the scope minimises process gaps, improves overall consistency of risk management operations, and eliminates unnecessary duplication.
Applicants will be assessed on asset classification as well as the duties of an information security manager in respect to asset classification.
The value of asset classification in terms of sensitivity and criticality to the organization’s needs, as well as who owns them, will be reviewed.
While the overarching goal could be to reduce all risk to tolerable levels, resource constraints make this very improbable, necessitating the establishment of priorities.
Applicants must demonstrate that they comprehend risk classification as a goal.
For example, candidates will be given scenarios and tested on recognising that some risks cannot be avoided and must be accepted, that others can be deferred, and that others demand immediate action.
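The risk-classification idea above can be made concrete with a small risk-register scorer. This is an added example written for this post, not ISACA material or any standard's method; it assumes 1-to-5 ordinal likelihood and impact scales, a risk tolerance threshold, an "urgent" threshold, and constructed sample risks, and it also checks whether the planned controls leave residual risk within tolerance (the "adequate mitigation plan" outcome listed earlier).

```python
from dataclasses import dataclass, field

RISK_TOLERANCE = 6   # assumed: likelihood * impact at or below this is acceptable as-is
URGENT_SCORE = 15    # assumed: likelihood * impact at or above this demands immediate action


@dataclass
class Risk:
    name: str
    likelihood: int   # assumed 5-point scale: 1 rare .. 5 almost certain
    impact: int       # assumed 5-point scale: 1 negligible .. 5 severe
    # planned controls as (name, likelihood reduction, impact reduction) tuples
    planned_controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before any planned control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk score after every planned control has reduced likelihood/impact (floor of 1)."""
        like, imp = self.likelihood, self.impact
        for _, d_like, d_imp in self.planned_controls:
            like, imp = max(1, like - d_like), max(1, imp - d_imp)
        return like * imp


def treatment(risk: Risk, tolerance: int = RISK_TOLERANCE, urgent: int = URGENT_SCORE) -> str:
    """Map a risk to accept / scheduled (can wait) / immediate, as the text describes."""
    if risk.inherent() <= tolerance:
        return "accept"
    return "immediate" if risk.inherent() >= urgent else "scheduled"


def mitigation_adequate(risk: Risk, tolerance: int = RISK_TOLERANCE) -> bool:
    """True when the planned controls bring residual risk within tolerance."""
    return risk.residual() <= tolerance


def build_register(risks, tolerance: int = RISK_TOLERANCE):
    """Return register rows ordered by inherent score, highest priority first."""
    return [
        {"name": r.name, "inherent": r.inherent(), "residual": r.residual(),
         "treatment": treatment(r, tolerance), "adequate": mitigation_adequate(r, tolerance)}
        for r in sorted(risks, key=lambda r: -r.inherent())
    ]


SAMPLE_RISKS = [  # constructed sample data, not from any real assessment
    Risk("Unpatched internet-facing web server", 5, 4, [("Monthly patch cycle", 2, 0), ("WAF", 1, 0)]),
    Risk("Lost unencrypted laptop", 3, 4, [("Full-disk encryption", 0, 3)]),
    Risk("Printer firmware out of date", 2, 2),
]
```

In the sample, the web server is flagged "immediate" and its planned controls still leave residual risk above tolerance, so the register shows the mitigation plan as inadequate; the laptop risk is scheduled and becomes acceptable once encryption is in place.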
Communicating Information Risk
Risk management cannot be a covert company function.
It must be communicated to the organization’s key stakeholders in such a way that they understand the significance of risk management.
Stakeholders must understand how the risk management programme will operate and what role they will play.
This is important in making it a successful programme for attaining company goals.
Helping stakeholders understand the impact of the risk management programme on their relationships with one another is an essential part of the process.
Stakeholder autonomy, as well as how the programme will benefit the company, including their own careers, are also important considerations.
Roles and Responsibilities in Information Risk Management
Information risk management is an important aspect of governance, and it necessitates the involvement of the board of directors or an analogous body to guarantee that the efforts are successful.
Periodic updates on the efforts and success of risk management operations should be required to give the feedback needed to ensure that management intent, direction, and expectations are fulfilled.
Applicants must also be aware of the many jobs that are involved in information risk management.
The essential tasks of the individuals who must support and participate in the risk management process are described in Special Publication 800-30 by the US National Institute of Standards and Technology (NIST).
Roles that candidates may need to understand include:
- System and information owners
- Governing boards and senior management
- Chief Information Officer
- Information Security Manager
Information Risk Awareness
Actions aimed at raising knowledge of the organization’s information risk management program among business leaders, stakeholders, and others are referred to as risk awareness.
The objective of risk awareness programs, like security awareness programs, is to make sure that company executives and decision-makers understand that every business choice has a risk component and that many of those decisions have consequences for information risk.
They must also be aware of the existence of a structured information risk management program, which includes a risk-conscious decision-making process and methodologies.
Standards for Information Risk Management
The information security manager must create processes and procedures, roles and duties, and business record templates while creating an information risk programme.
Rather than starting from scratch, security professionals may use one of the numerous high-quality risk management standards available.
Some examples of applicable standards are –
- ISO/IEC 27001 – Information security management systems — Requirements
- ISO/IEC 27005 – Information security risk management
- ISO/IEC 31010 – Risk management — Risk assessment techniques
- NIST Special Publication 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST Special Publication 800-39 – Managing Information Security Risk
- COBIT 5.
Gap Analysis
An assessment of a process or system to discover discrepancies between its current state and a planned future state is known as a gap analysis.
This aids the security manager in comprehending the existing situation and how it differs from the intended future one.
The gap analysis will indicate which aspects of the present state may be kept, which should be eliminated, which should be replaced, and which should be added.
Conclusion
The heart of an organization’s information security program is risk management.
Risk management helps organizations prioritize precious resources to most effectively minimize risk by using strategies for detecting hazards and evaluating their probability of occurrence and impact on the company.
Through increased resilience and planning, risk management may help an organization decrease the frequency and severity of security events.
Several aspects of the company must be considered while developing a risk management program, including risk tolerance, regulatory and legal requirements, management structure, executive management support, and culture.
Further Study: CISM domains
- Information Security Governance (24%)
- Information Risk Management and Compliance (30%)
- Information Security Program Development and Management (27%)
- Information Security Incident Management (19%)
- Introduction to CISM exam process
- Introduction to the four domains
Further Study: CISM Resources
Below are some recommended CISM books on Amazon:
CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory
This bundle contains all-in-one exam guide and CISM practice exams. When searching for the CISM preparation material, I could find only this book worth giving a try apart from the ISACA review manual.
The study guide is thorough and covers all aspects of the exam.
Electronic exams are included in both the study guide and the practice test book. Some questions are shared between both but they rarely overlap.
The practice tests and questions were as close to the exam version I took as feasible without being dumps, indicating that they were extremely accurate reflections of the test material.
With around 20 days of regular studying for about 1-2 hours per day, I was able to pass the test on my first attempt with ease. Based on the findings, I believe the study guide and practice test set is well worth the money and should likely be the only study material necessary.
CISM Review Manual, 15th Edition by ISACA
It’s a good handbook to read for the CISM exam; however, some of the information is a little raw. It’s kind of required reading for the CISM test; however, it’s a rather dull read. Lots of relevant and useful content. However, this appears to be a review handbook rather than a guidebook.