Uploaded on Dec 21, 2021
Let us discuss domain 2 of CISM, which is Information Risk Management.
ISACA’s CISM Domain 2:
Information Risk Management
www.infosectrain.com | [email protected]
CISM Domains:
1. Information Security Governance
2. Information Risk Management
3. Information Security Program Development and Management
4. Information Security Incident Management
In this blog, let us discuss domain 2 of CISM, which is Information Risk Management.
Note: To get a clear understanding of Information Risk Management, let me explain the three words separately.
Information: Information is organized, structured, and processed data that helps in decision making. For example, assume you have a toy shop: a single customer's purchase of an item is data, and this data becomes information when you can use it to find the most popular and least popular toys. With that information, you can add toys to and remove toys from your shop/store.
Risk: Risk in this context is the possibility that incidents or events occur that may materially harm the company's data/information.
Management: Management means identifying, assessing, evaluating, and dealing with risks (coping with any changes) through proactive, deliberate, explicit, and systematic measures. Additionally, it means managing the process: controlling the authorization, resourcing, risk treatment, etc.
Information Risk Management process:
The process of Information Security management can be
summed up as shown in this diagram.
The first stage of the process is to identify the potential risk factors, such as vulnerabilities, threats, incidents, and impacts.
The second stage is to evaluate the risks, which includes assessing or considering the information collected in the first stage to define the significance of the various risks.
The third stage is to treat the risks: we avoid, share, or mitigate them. In this stage, we usually implement the risk treatment decisions.
Handling changes may seem obvious, but its importance is emphasized in the above-mentioned infographic. The information risks within an organization are constantly shifting, partly as a result of the risk treatment and partly as a result of various other factors.
At the end of the diagram, you can see that organizations must often respond to external obligations like market pressure, exceptions, and compliance.
Information Risk Management best practices:
No one can guarantee that the IRM process used for one data asset will be successful with another data asset; hence it is essential for organizations to use a combination of various strategies and policies. But there are a few best practices that every organization should implement to maintain a strong cybersecurity posture.
https://youtu.be/eBnnpLD8cXE
Here are the three best practices that every organization must adopt to maintain a great Information Risk Management program.
Monitor the IT environment:
Constantly monitoring the IT environment helps the organization identify vulnerabilities and prioritize remediation activities.
For instance, many organizations struggle to configure cloud resources correctly; news reports often mention Amazon's S3 buckets. These public cloud storage locations are not inherently risky, but not configuring them appropriately opens them up to the public, including attackers. By monitoring your IT environment continuously and consistently, you can identify misconfigured databases and storage locations, improving the security of your data.
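As an added example (not part of the original deck), here is a small offline check of the kind a continuous-monitoring job would run against each bucket: it flags bucket-policy statements and ACL grants that open the bucket to everyone. The policy document, the ACL grants and the account id are constructed sample values, not from any real account.

```python
import json

# Constructed sample bucket policy: the first statement grants everyone
# read access, the second is scoped to one IAM role (hypothetical account id).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample ACL grants in the shape of a get_bucket_acl() response.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Predefined S3 groups that mean "anyone" (or anyone with any AWS account).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """True for "*" or {"AWS": "*"} (the AWS value may also be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Return Sid (or index) of each unconditional Allow statement open to everyone.
    A Condition block is treated as restricting; a fuller scanner would evaluate it."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if (st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal"))
                and not st.get("Condition")):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings

def public_acl_grants(grants):
    """Return (group URI, permission) for every grant to a public group."""
    return [(g["Grantee"].get("URI"), g["Permission"]) for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]
```

In a real monitoring job the two inputs would come from the bucket-policy and bucket-ACL API responses for each bucket, and any non-empty result is a finding to prioritize for remediation.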
Monitor the supply chain:
Mitigating risk from third-party vendors is also an important aspect of your IT risk management approach. While you may have authority over your vendors, you may not be able to hold their vendors to the same contractual requirements. You require insight into the cybersecurity posture throughout your ecosystem as part of your holistic Information Risk Management approach.
You might be at risk if your vendor's vendor uses a cloud database and stores your information as plain text. Continually monitor your supply stream for encryption, which makes data unreadable even if a hacker accesses it; this gives you insight into the cyber health of your ecosystem.
Monitor compliance:
Legislative bodies and industry standards groups have issued increasingly strict compliance rules as data breaches continue to make headlines. Several new laws, like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act, mandate constant monitoring as part of a cybersecurity compliance program.
To develop a compliant IT risk management program, you must monitor and record your efforts to offer assurance to internal and external auditors. As you regularly monitor your enterprise's IT ecosystem, you must prioritize remediation measures and record your operations, giving proof of governance to your auditors.
Why InfosecTrain?
• InfosecTrain allows you to customize your training schedules; our trainers will provide one-on-one training.
• You can hire a trainer from InfosecTrain who will teach you at your own pace.
• As ISACA is our premium training partner, our trainers know how much and what exactly to teach to make you a professional.
• One more great part is that you will have access to all our recorded sessions.
That sounds exciting, right? So what are you waiting for? Enroll in our
CISM course and get certified. Here you can get the best CISM domain training.
About InfosecTrain
• Established in 2016, we are one of the finest Security and Technology Training and Consulting companies
• Wide range of professional training programs, certifications & consulting services in the IT and Cyber Security domain
• High-quality technical services, certifications or customized training programs curated with professionals of over 15 years of combined experience in the domain
Our Endorsements
Why InfosecTrain Global Learning Partners
• Certified and Experienced Instructors
• Flexible modes of Training
• Access to the recorded sessions
• Post training completion
• Tailor Made Training
Our Trusted Clients
Contact us
Get your workforce reskilled by our certified and experienced instructors!
IND: 1800-843-7890 (Toll Free) / US: +1 657-221-1127 / UK: +44 7451 208413
[email protected]
www.infosectrain.com