All Isaca CISM certification exam dumps, study guide, training courses are prepared by industry experts. Isaca CISM certification practice test questions and answers, exam dumps, study guide and training courses help candidates to study and pass hassle-free!

Domain 01 - Information Security Governance

85. Risk Objectives Part1

One of the major factors in defining the desired state involves your approach to risk and your appetite for risk appetite. Again, without even having any type of risk assessment or risk management, it's very difficult for you to even know what the desired state is going to be. If you don't know what you're protecting or from whom you're protecting it, it's hard to know that you're there and feeling safe. Now, when we talk about risk appetite, the idea here, and I realise I'm about to try to quantify a way to add extra security when we said it's not quantifiable, is something qualitative. But I'm trying to illustrate a point here. If I said, "Look, I can get you from where you are now completely at risk and reduce that to 20% of the original, and it might cost you x dollars." And I said, but if you want to get a little closer to having no risk, if I can reduce that to 15%, a little 5% increase, but it's going to cost you 20 times the amount of money, then you might say, "Well, I don't see the cost benefit in that." But the true question is, do you have the appetite to accept that 20% risk? And that's what we're looking at here. We have to know what your determination of acceptable risk is. Because if I don't know what's acceptable, it's going to be difficult to actually determine whether the security is going to even meet its objectives or if it could meet those objectives. Now, operational risk management is a great way of exemplifying that there's a trade-off when it comes to the risk associated with either taking action or not taking action.

86. Risk Objectives Part2

Now, risks really carry costs, and usually we express those in an annual loss expectation. Now, remember, that's when we start talking about things that are quantifiable. Now, the ale is kind of a combination of many things to get to the annual loss expectation. First of all, when we are taking a look at the types of costs, how do we get there? Well, we have to have what we call an exposure factor. Now, an exposure factor tells me what percentage of loss I would have. And as long as I know the assets' value, I can come up with my single loss expectancy. Now, remember, we're trying to get to the point of talking about quantifying a value that can be an acceptable risk and just kind of giving you the way in which the basic numbers are done. And I realised that the actual approach to finding these values can be very difficult. But let's use something that's easy for me to do mathematically. Let's talk about your building and your office, and we'll say that the asset value was $100,000. Now, I realise I'm talking about just the brick and mortar. If we talked about the lost production while you were removing people to a new facility and buying new servers, I might realise that's why I'm saying it's sometimes very difficult to quantify these costs. But let's keep this in a simple mathematical example so we can see where we're going. So the exposure factor to a fire, we'll say, is 50%. So what that means is that if I had a fire occur, I would expect to have a 50% loss of that building. And, using simple math, this means that the building cost $100,000. A single fire event would cost me $50,000 in damage. Now, hopefully you're with me. And that exposure factor of 50%, along with the asset value, when I multiplied them together, gave me what's called the single loss expectancy. Meaning, if one event happened, what should I expect from that single loss? Now, the next thing we need to do is look and see how often fires occur in buildings like these, and we can annualize that to come up with an idea of how frequently it happens. Now, I'm going to make this sound horrible. We're going to just assume that one of these fires happens once every ten years. Now, that means that over a ten-year period, I expect to have a single loss expectation of $50,000. So, if I average that out over a year, it should be $5,000. That would be my ALE, my annual loss expectancy. At least, that's how they come up with those numbers. Is that an acceptable risk, or should you consider some controls or safeguards, such as installing sprinklers, that could greatly reduce that amount of annualised loss expectancy to a number that is more tolerable by your company? So that might be part of my strategy objective: to get to an amount that is suitable or acceptable. And it is an interactive approach. It's based on the analysis of costs to be able to achieve the desired state and reach that acceptable risk level.

87. Lesson 9: Determining Current State Of Security

Alright, let's take a look at how we can determine the current state of security. Remember, the current state of security is something that has to be evaluated with the same methodologies that were used to determine what the desired state is. If you use different frameworks, then you're not going to be able to really use what we call gap analysis. The US will determine whether the stated objectives have been met. In other words, if I have different ways of determining where I was and where I want to go, those frameworks may be so different that there is no easy or even comparable way of knowing where I was and where I want to be, if we've even made it that far. So again, I guess we're asking for the comparisons and the studies to be done with the same methodology throughout this process.

88. Current Risk Part1

When we discuss current risk or your current state of risk, it must be assessed by a comprehensive risk assessment, just as your risk objectives must be present to determine or be determined as part of your desired state. So what does that mean? That means that when we're doing a risk assessment, what we're really doing is looking at our current state. We're figuring out what the threats are; what's the likelihood of those threats going to be? What vulnerabilities could those threats exploit? What could be the damage done to the asset if the exploit is successful? And where do we want to be? What's our goal? Knowing what the threats and vulnerabilities are, as well as the risks, What can we put in place as a strategy to get to that desired state? I mean, that's kind of where we're trying to get to. So the comprehensive risk assessment does kind of give us a good picture of where we currently are, but it's also what we use to help get us to that endpoint, that desired state. But we are talking about current risk. So we should have a full risk assessment, and that means that we need to include a threat and vulnerability analysis. Now, earlier Maid mentioned that if you don't look at every single threat, then it's really hard for you to know if you've caught all of the actual risks that could hit you and your company. and that is a very difficult thing to do. I realise that being able to look at every potential threat and vulnerability could be an overwhelming task. And so we also have to realise we have resources and some limitations. And sometimes we can use an analytical approach to pick the threats that we believe are more relevant to us for whatever asset it is. This should now include a business impact analysis. That is, during the process of the risk assessment, we're going to probably want to look at those items or assets that are of most critical importance or have a high dependency on other services being available for us. Because when I take the time to do a risk assessment again, and I keep using this example as my example, I'm not so worried about people stealing pencils out of the supply closet as I am about them stealing credit cards from my customers. So my risk assessment is going to probably start with what my business impact analysis says is the most crucial part of my corporation's information knowledge. In that case, credit card numbers for my customer accounts Starting with that, I'll work on my risk assessment for that type of information.

89. Current Risk Part2

Now, when we're talking about our current risks, remember that those risks can be addressed in a lot of different ways. You know, we can be looking at things like changing risky behavior, you know, inappropriate use of the Internet, letting people download things from BitTorrents, or, you know, places that are notorious for having lots and lots of malware. We might have addressed the risks by developing countermeasures. Countermeasures could be as simple as adding malware detection to software programs, among many other options. We can address the risks by trying to reduce our vulnerabilities. Some of you might think of that as hardening your servers, removing services that you don't need, or whatever the case might be, or developing other types of controls. Remember, controls can be policies. They can be physical deterrents. Controls come in a variety of flavours depending on what they can do for us. That's an important aspect. Again, as we're looking at our current risks, what we have to do is pretty much figure out how we can address those risks that we currently have and start developing our strategy around some of these ways in which we can solve those risks.

CISM certification practice test questions and answers, training course, study guide are uploaded in ETE files format by real users. Study and pass Isaca CISM certification exam dumps & practice test questions and answers are the best available resource to help students pass at the first attempt.