As an information security professional, it is your role to take on the cybersecurity challenges in your organization. That is where a solid understanding of Risk Management comes in. Risk Management is a lot like a chess game. To succeed you need to understand the risks ahead and be able to plot future scenarios, to weigh up the relative impacts and then plan accordingly. This deck covers 4 essential frameworks.
Developing a Risk Management Strategy with CAP

The Certified Authorization Professional (CAP) certification attests to professionals' expertise in risk assessment and security authorization.

Learn more about (ISC)2's CAP Certification and Training Options.
What is Risk Management?

Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings. In many ways, risk management is very similar to a chess game. The main difference is that chess is only a game, with predefined rules, but its strategies transfer readily to how risk management works.

Think of a chess board. It is a deceptively simple, predefined field of 64 squares. In a risk management scenario, the operational field is also predefined: the risks in the register are quantified for the industry the organization operates in. Careful risk planning is about anticipating the risks that specific industry faces, rather than flights of fancy. This is why it is important to have a qualified professional who is well-versed in the various risk frameworks on your team.
Benefits of Risk Management

The opening moves of a chess game can have a lasting impact throughout the entire contest. The most remarkable part of the game is that no pieces are hidden from view. How can such an obvious layout of pieces, all with set rules for their movement, have seemingly infinite outcomes? It is because of the depth of strategy that comes from carefully orchestrating all the pieces to work together.

A robust risk management strategy has many benefits, provided it is operated in a prudent, disciplined way. Some ways that a sound risk management strategy can work to protect a company include:
• Protecting its future by considering risks or events before they occur
• Helping the company establish procedures:
  – to avoid potential threats
  – to minimize their impact should they occur, and
  – to cope with the results
• Creating a safe and secure environment for all employees and customers
How Frameworks Help Manage Risk

Sometimes, constraints can feel crippling. A beginner in chess will often wonder why a piece can only move a certain way, and this leads to frustrating predicaments. Yet, as one becomes accustomed to the movements, patterns emerge that are liberating. What was once a set of constraints becomes a canvas with multiple possibilities.

A framework acts as a skeleton, and gives the total enterprise risk management strategy a proper guideline with steps to follow. Frameworks are used to:
• Assess the state of the overall security program
• Build a comprehensive security program
• Measure maturity and conduct industry comparisons
• Simplify communications with business leaders
The Most Important Principles

There are 7 important principles in chess that can help guide your approach to implementing a successful risk management framework:
1. Develop all your pieces
2. Create a favorable structure
3. Restrict your opponent's pieces
4. Neutralize your opponent's plan
5. Accumulate small advantages
6. Convert temporary advantages into permanent ones
7. Don't take unnecessary chances

Start by choosing the most appropriate frameworks for your organization and build resilience over time using these same principles.
NIST Risk Management Framework
The Legendary Move

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) provides a flexible, holistic and repeatable 7-step process to manage security and privacy risk:
1. Prepare: carry out the essential activities that the design and implementation of a risk management program depend on
2. Categorize information systems (by the impact of a loss of confidentiality, integrity or availability)
3. Select security controls
4. Implement security controls
5. Assess security controls
6. Authorize information systems
7. Continuously monitor security controls
Figure: the NIST RMF cycle (nist.gov/rmf): Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
ISO 27001
The Thunderbolt Gambit

ISO 27001, "Information technology — Security techniques — Information security management systems — Requirements", is a framework that helps organizations "establish, implement, operate, monitor, review, maintain and continually improve an ISMS".

The basic goal of ISO 27001 is to protect the confidentiality, integrity and availability of information.

There are 5 steps for an effective ISO 27001 risk assessment:
1. Establish a risk management framework (the method, scales and risk acceptance criteria, so that repeated assessments give comparable results)
2. Identify risks
3. Analyze risks
4. Evaluate risks
5. Select risk treatment options
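The five assessment steps above, and the Categorize step of the NIST RMF on the previous slide, are easiest to see in a concrete risk register. The following Python is an added example written for this page, not (ISC)2 or standards-body code: it derives each asset's impact with the FIPS 199 high-water mark that sits behind RMF Categorize, then identifies, analyzes, evaluates and treats risks on a constructed 5x5 likelihood-by-impact scale. The assets, threats, likelihood values, the 1..5 scales and the risk acceptance threshold of 6 are constructed assumptions; ISO 27001 and ISO 31000 require you to define such criteria but do not prescribe them.

```python
"""Added example, not from the (ISC)2 slides: a minimal risk register that
walks the ISO 27001 assessment steps (identify, analyze, evaluate, treat)
and uses the FIPS 199 high-water mark behind the RMF Categorize step to
derive each asset's impact. Assets, threats, scales and the acceptance
threshold are constructed for illustration; they are policy choices, not
something the standards prescribe."""
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")                 # FIPS 199 impact levels
IMPACT_SCORE = {"low": 1, "moderate": 3, "high": 5}  # constructed 1..5 scale


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for lvl in (self.confidentiality, self.integrity, self.availability):
            if lvl not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {lvl!r}")

    def category(self) -> str:
        """RMF Categorize: the overall category is the highest (high-water
        mark) of the three security objectives, as FIPS 199 defines it."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=LEVELS.index)


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), constructed scale
    treatment: str = field(default="", init=False)

    def __post_init__(self):
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"likelihood must be 1..5, got {self.likelihood}")

    @property
    def impact(self) -> int:
        return IMPACT_SCORE[self.asset.category()]

    @property
    def score(self) -> int:
        """Analyze: likelihood x impact on the constructed 5x5 matrix (1..25)."""
        return self.likelihood * self.impact


def evaluate_and_treat(register: list[Risk], accept_below: int) -> list[Risk]:
    """Evaluate each risk against the acceptance criterion and select a
    treatment option. Rule (constructed, a policy choice): scores under the
    threshold are accepted; high-impact risks that are also likely are
    avoided or transferred; everything else above the threshold is mitigated."""
    for risk in register:
        if risk.score < accept_below:
            risk.treatment = "accept"
        elif risk.impact == IMPACT_SCORE["high"] and risk.likelihood >= 4:
            risk.treatment = "avoid/transfer"
        else:
            risk.treatment = "mitigate"
    # highest exposure first, so the treatment plan is already prioritized
    return sorted(register, key=lambda r: r.score, reverse=True)


def build_sample_register() -> list[Risk]:
    """Identify risks: constructed assets and threats for the demo."""
    crm = Asset("customer-crm", "high", "moderate", "moderate")
    wiki = Asset("internal-wiki", "low", "low", "moderate")
    payroll = Asset("payroll", "high", "high", "low")
    return [
        Risk(crm, "credential phishing of sales staff", likelihood=4),
        Risk(wiki, "defacement via unpatched plugin", likelihood=3),
        Risk(payroll, "insider modifies salary records", likelihood=2),
        Risk(wiki, "disk failure on single host", likelihood=1),
    ]


if __name__ == "__main__":
    for r in evaluate_and_treat(build_sample_register(), accept_below=6):
        print(f"{r.score:>2}  {r.treatment:<15} {r.asset.name:<14} {r.threat}")
```

Run it to print the treatment plan, highest score first. The point to take from the evaluate step is that the acceptance threshold and the avoid/transfer rule are inputs fixed in step 1, not outputs of the assessment: changing them alters every treatment decision without touching a single score, which is why the standard insists the criteria are agreed before risks are identified.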
Figure: ISO 27001 management system clauses
1-3 Scope, normative references, and terms and definitions.
4 Context: internal and external issues that may be relevant to the business and to the achievement of the objectives of the ISMS. Includes confirming interested parties and scope.
5 Leadership: how top management will support the ISMS by creating roles and measures to implement and monitor it. Includes developing an information security policy aligned to business objectives.
6 Planning: how the organization creates actions to address risks. Includes setting information security objectives.
7 Support: securing the right resources, the right people and the right infrastructure to manage and maintain the ISMS.
8 Operation: how the plans and processes will be executed, including documentation that needs to be produced.
9 Performance evaluation: how the organization will monitor, measure, analyze and evaluate the ISMS.
10 Improvement: corrective action and continual improvement requirements.
Risks are assessed under clauses 6 and 8.
ISO 31000
The Stunner Switch

ISO 31000 is an international standard for risk management that provides a set of principles, a risk management framework and a risk management process, which help organizations take a proactive approach to the risks they face.

The ISO 31000 standard has 8 principles:
1. Integrated into all business operations and activities
2. Structured and comprehensive
3. Customized to the organization's goals and business environment
4. Inclusive, involving all responsible stakeholders
5. Dynamic, adapting to the evolving risk landscape
6. Based on the best available information, with its limitations taken into account
7. Human and cultural factors are considered
8. Continually improved through lessons learnt, feedback and experience
Figure: the ISO 31000 principles arranged around their purpose, value creation and protection: integrated; structured and comprehensive; customized; inclusive; dynamic; best available information; human and cultural factors; continual improvement.
Control Objectives for Information and Related Technologies (COBIT)
The King's Counter

COBIT is an IT governance and management framework developed by ISACA to help businesses develop, organize and implement strategies around information management and governance.

The framework includes 40 governance and management objectives and focuses specifically on:
• Security
• Risk management
• Information governance
Figure: the COBIT implementation life cycle, seven phases in three rings: program management (outer ring), change enablement (middle ring) and the continual improvement life cycle (inner ring). Each phase below lists its program management / change enablement / continual improvement activity.
1. What are the drivers? Initiate program / Establish desire to change / Recognize need to act
2. Where are we now? Define problems and opportunities / Form team / Assess current state
3. Where do we want to be? Define roadmap / Communicate outcome / Define target state
4. What needs to be done? Plan program / Identify role players / Build improvements
5. How do we get there? Execute plan / Operate and use / Implement improvements
6. Did we get there? Realize benefits / Embed new approaches / Operate and measure
7. How do we keep the momentum going? Review effectiveness / Sustain / Monitor and evaluate
The Role of a Certified Authorization Professional (CAP)
The Amazing Endgame

Chess is not an easy game to master. However, the correct understanding of its nuances can make all the difference in one's enjoyment of such a challenging endeavour. Similarly, a solid risk management approach is based on many of the same principles that make any disciplined undertaking valuable. The difference is that, with risk management, the stakes are higher, as the protection of the organization is the goal.

Understanding, selecting and applying the right framework falls within the responsibilities of a CAP. CAP professionals possess the knowledge to:
• Understand the foundations
• Define the scope
• Select and approve security and privacy controls
• Implement the selected security and privacy controls
• Assess the applicability and effectiveness of established security and privacy controls
• Authorize an information system
• Establish continuous monitoring to adapt to the changing risk environment
The CAP certification shows employers you have the advanced technical skills and knowledge to understand Governance, Risk and Compliance (GRC) and can authorize and maintain information systems using various risk management frameworks, as well as best practices, policies and procedures.

The CAP is ideal for IT, information security and information assurance practitioners who work in GRC roles and have a need to understand, apply and/or implement a risk management program for IT systems within an organization.

Work in government? See how the CAP meets U.S. Department of Defense (DoD) Directive 8570.1.

Explore our (ISC)2 Official CAP training options: online instructor-led, or self-study tools.

Learn more about CAP: Cybersecurity's Specialized Risk Management Security Certification.
Want More Insights?

Read our latest CAP resources:
• Your Guide to Mitigating Evolving Risk (Get the Guide)
• Advance Your Information Security Career Strategy (Read the eBook)

Looking to train your team? Get a team consult.

For more guidance, contact your local office:
Americas: +1.866.331.4722 ext. 2, training@isc2.org
EMEA: +44-203-960-7800, info-emea@isc2.org
Asia-Pacific: +852-2850 6951, isc2asia@isc2.org