Uploaded on Sep 9, 2024
CRISC Domain 2 focuses on IT risk assessment, a critical component of the Certified in Risk and Information Systems Control (CRISC) certification. This domain covers the processes and methodologies for identifying, analyzing, and evaluating IT risks within an organization. It emphasizes understanding the organization’s risk appetite and tolerance, and how to prioritize risks based on their potential impact and likelihood. By mastering Domain 2, candidates learn how to assess and mitigate risks effectively, ensuring that they align IT risk management strategies with business objectives. This domain is crucial for professionals aiming to protect their organization’s assets while supporting its strategic goals.
CRISC Domain 2: Control Environment Assessment in Risk Management
CONTROLS
Controls reduce or maintain risk at acceptable levels.
Importance of regular review of controls:
  Ensure effectiveness.
  Control issues: poor maintenance, environment unsuitability, incorrect configuration.
Implementation of controls:
  Requirements: training, technical procedures, responsibilities, monitoring, testing.
  Issues: false sense of security, unidentified vulnerabilities.
Balance between technical, managerial, and physical controls. Example: firewall.
www.infosectrain.com
CRISC DOMAIN 2
CONTROL CATEGORIES
Preventive: Inhibit attempts to violate security policy. Example: encryption, user authentication, vault-construction doors.
Deterrent: Provide warnings that may dissuade threat agents from attempting compromise. Example: warning banners, rewards for arrest of hackers.
Directive: Provide warnings that may dissuade threat agents from attempting compromise. Example: policies.
Detective: Provide warning of violations or attempted violations of security policy. Example: audit trails, IDSs, checksums.
Corrective: Remediate errors, omissions, unauthorized uses, and intrusions when detected. Example: data backups, error correction, automated failover.
Compensating: An alternate form of control that corrects a deficiency or weakness in the control structure. Example: isolated network segments, third-party challenge-response mechanisms.
CRISC DOMAIN 2
ASSESSING CONTROL ENVIRONMENT
Evaluate risk culture and current risk management program.
Determine the level and seriousness of risk.
Indicators of serious risk:
  Inadequate controls
  Wrong controls used
  Controls ignored or bypassed
  Poor maintenance of controls
  Unreviewed logs or control data
  Untested controls
  Unmanaged changes to controls
  Physical access and alteration of controls
  Inadequate segregation of duties
Managing changes to controls: approve changes, make changes, monitor changes, analyze changes, report on changes.
CRISC DOMAIN 2
CAPABILITY MATURITY MODELS
Purpose:
  Compare the state of the organization's risk management to an established capability maturity model.
  Evolutionary improvement from ad hoc, immature processes to disciplined, mature processes.
Benefits:
  Defined, reliable processes.
  Consistent follow-through.
  Continuous improvement.
  Better incident prevention, detection, and recovery.
  Well-structured risk management procedures across all departments.
  Core risk management principles, policies, procedures, and standards.
CRISC DOMAIN 2
CAPABILITY MATURITY MODELS
Key elements of IT risk management capability:
  Support of senior management.
  Regular communication between stakeholders.
  Existence of policies, procedures, and standards.
  Availability of a current BIA.
  Logging and monitoring of system activity.
  Regular review of logs.
  Scheduled risk assessments and reviews.
  Testing of BCPs and DRPs.
  Training of staff.
  Involvement of risk principles and personnel in IT projects.
  Gathering feedback from users and stakeholders.
  Validating the risk appetite and risk acceptance levels.
Improvements:
  Time to detect/resolve a security incident.
  Consistent application of policies and procedures.
  Efficiency and effectiveness of risk management practices.
CRISC DOMAIN 2
SYSTEM DEVELOPMENT LIFE CYCLE (SDLC)
Phase 1, Initiation:
  Characteristics: Need for IT system expressed; purpose and scope documented.
  Risk management support: Identified risk supports system requirements development, including security requirements and strategy.
Phase 2, Development or Acquisition:
  Characteristics: IT system designed, purchased, programmed, developed, or constructed.
  Risk management support: Risk supports security analyses, leading to architecture and design trade-offs.
Phase 3, Implementation:
  Characteristics: System security features configured, enabled, tested, and verified.
  Risk management support: Supports implementation against requirements; risk decisions made before operation.
Phase 4, Operation or Maintenance:
  Characteristics: System performs its functions; periodic updates or changes to hardware and software.
  Risk management support: Periodic system reauthorization; major changes reviewed for risk management.
Phase 5, Disposal:
  Characteristics: Disposition of information, hardware, and software.
  Risk management support: Ensures proper disposal of components, handles residual data, secures system migration.
CRISC DOMAIN 2
PROJECT MANAGEMENT CORE PRINCIPLES
  Proper oversight
  Clear requirements
  User involvement
  Communication between team members and users
  Regular review of project progress
CRISC DOMAIN 2
COMMON CAUSES OF PROJECT FAILURE
Scope creep
Changing requirements: new business priorities; poorly understood initial requirements
Unavailable resources: trained staff; budget; suppliers; outsourcers; technology
Technology issues: underestimated project complexity
Poor resource management
Lack of leadership: accountability; oversight
Unrecognized symptoms of failure
Lack of coordination with suppliers
CRISC DOMAIN 2
CONSEQUENCES OF PROJECT FAILURE
  Direct financial loss
  Indirect financial loss
  Loss of competitive advantage
  Contract or SLA violations
  Inability to adjust to changing operational environment
  Damage to reputation
  Decreased team morale
CRISC DOMAIN 2
OCTAVE RISK ASSESSMENT APPROACH
Overview:
  Process-driven methodology for information security risk assessment and management.
  Helps organizations understand, assess, and address information security risk.
Objectives:
  Develop qualitative risk evaluation criteria based on operational risk tolerances.
  Identify assets critical to the organization's mission.
  Identify vulnerabilities and threats to critical assets.
  Evaluate potential consequences if threats are realized.
  Initiate corrective actions for risk mitigation and develop a protection strategy.
Focus: Critical assets and the risk to those assets.
Characteristics:
  Systematic, context-driven, and self-directed evaluation.
  Proactive security posture with an organizational perspective.
  Identifies critical information assets.
  Focuses risk analysis on critical assets.
  Considers relationships among assets, threats, and vulnerabilities.
  Evaluates risk in an operational context.
  Creates practice-based protection strategy and mitigation plans.
CRISC DOMAIN 2
OCTAVE RISK ASSESSMENT PHASES
Phase 1: Build Asset-Based Threat Profiles (Organizational Evaluation)
  Determine critical assets and current protection measures.
  Identify security requirements for each critical asset.
  Establish organizational vulnerabilities and threat profiles.
Phase 2: Identify Infrastructure Vulnerabilities (Technological Evaluation)
  Identify network access paths and IT components related to critical assets.
  Determine the resistance of components to network attacks.
  Establish technological vulnerabilities exposing critical assets.
Phase 3: Develop Security Strategy and Mitigation Plans (Strategy and Plan Development)
  Establish risk to critical assets based on gathered information.
  Decide on actions to address risk.
  Create protection strategy and mitigation plans.
  Determine "next steps" for implementation and gain senior management approval.