CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide, Second Edition

eBook

Price: $45.49 (list price $60.00, save 24%)

Available on Compatible NOOK devices, the free NOOK App and in My Digital Library.
Overview

A fully updated self-study guide for the industry-standard information technology risk certification, CRISC

Written by information security risk experts, this complete self-study system is designed to help you prepare for—and pass—ISACA’s CRISC certification exam. CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide, Second Edition features learning objectives, explanations, exam tips, and hundreds of practice questions. Beyond exam prep, this practical guide serves as an ideal on-the-job reference for risk management and IT security professionals.

Covers all exam topics, including:

  • IT and cybersecurity governance
  • Enterprise risk management and risk treatment
  • IT risk assessments and risk analysis
  • Controls and control frameworks
  • Third-party risk management
  • Risk metrics, KRIs, KCIs, and KPIs
  • Enterprise architecture
  • IT operations management
  • Business impact analysis
  • Business continuity and disaster recovery planning
  • Data privacy

Online content includes:
  • 300 practice exam questions
  • Test engine that provides full-length practice exams and customizable quizzes by exam topic

Product Details

ISBN-13: 9781260473346
Publisher: McGraw Hill LLC
Publication date: 05/06/2022
Sold by: Barnes & Noble
Format: eBook
File size: 6 MB

About the Author

Peter H. Gregory, CRISC, CISM®, CISA®, CDPSE™, CIPM®, CISSP®, DRCE, CCSK™, is a career information technologist, conference speaker, and security leader. He is the senior director of cyber GRC in a telecommunications company and the author of over forty books, including CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, CISA Certified Information Systems Auditor All-in-One Exam Guide, Fourth Edition, and CISM Certified Information Security Manager All-in-One Exam Guide.

Dawn Dunkerley, PhD, CRISC, CISSP, CISSP-ISSAP®, CISSP-ISSEP®, CISSP-ISSMP®, CSSLP®, CompTIA Security+™, is a leading cyberwarfare and cybersecurity researcher and author. She is an editor for The Cyber Defense Review published by the United States Army Cyber Institute and a Fellow of the Americas Institute for Cybersecurity Leadership.

Bobby E. Rogers is an information security engineer working as a contractor for Department of Defense agencies and has secured networks all over the world. His many certifications include CRISC, CISSP-ISSEP, CEH™, MCSE: Security, CompTIA A+™, Network+™, Security+, and Mobility+™.

Table of Contents

Acknowledgments xv

Introduction xvii

Chapter 1 Governance 1

Organizational Governance 2

Organizational Strategy, Goals, and Objectives 2

Organizational Structure, Roles, and Responsibilities 3

Organizational Culture 4

Policies and Standards 5

Business Processes 5

Organizational Assets 6

Risk Governance 10

Enterprise Risk Management and Risk Management Frameworks 10

Three Lines of Defense 12

Risk Profile 13

Risk Appetite and Risk Tolerance 13

Legal, Regulatory, and Contractual Requirements 14

Professional Ethics of Risk Management 15

Chapter Review 15

Quick Review 16

Questions 17

Answers 20

Chapter 2 IT Risk Assessment 21

IT Risk Identification 22

Risk Events 25

Threat Modeling and Threat Landscape 28

Vulnerability and Control Deficiency Analysis 30

Risk Scenario Development 38

IT Risk Analysis and Evaluation 40

Risk Assessment Concepts, Standards, and Frameworks 40

Risk Assessment Standards and Frameworks 45

Risk Ranking 51

Risk Ownership 51

Risk Register 52

Risk Analysis Methodologies 56

Business Impact Analysis 66

Inherent and Residual Risk 71

Miscellaneous Risk Considerations 72

Chapter Review 73

Quick Review 75

Questions 75

Answers 78

Chapter 3 Risk Response and Reporting 81

Risk Response 82

Risk and Control Ownership 82

Risk Treatment/Risk Response Options 83

Third-Party Risk 86

Issues, Findings, and Exceptions Management 89

Management of Emerging Risk 90

Control Design and Implementation 93

Control Types and Functions 93

Control Standards and Frameworks 96

Control Design, Selection, and Analysis 101

Control Implementation 104

Control Testing and Effectiveness Evaluation 106

Risk Monitoring and Reporting 106

Risk Treatment Plans 108

Data Collection, Aggregation, Analysis, and Validation 108

Risk and Control Monitoring Techniques 109

Risk and Control Reporting Techniques 109

Key Performance Indicators 110

Key Risk Indicators 112

Key Control Indicators 113

Chapter Review 114

Quick Review 116

Questions 119

Answers 123

Chapter 4 Information Technology and Security 127

Enterprise Architecture 128

Platforms 129

Software 129

Databases 130

Operating Systems 130

Networks 130

Cloud 131

Gateways 132

Enterprise Architecture Frameworks 132

Implementing a Security Architecture 135

IT Operations Management 135

Project Management 137

Business Continuity and Disaster Recovery Management 140

Business Impact Analysis 141

Recovery Objectives 141

Recovery Strategies 141

Plan Testing 142

Resilience and Risk Factors 142

Data Lifecycle Management 144

Standards and Guidelines 145

Data Retention Policies 146

Hardware Disposal and Data Destruction Policies 147

Systems Development Life Cycle 147

Planning 149

Requirements 149

Design 149

Development 150

Testing 150

Implementation and Operation 150

Disposal 151

SDLC Risks 151

Emerging Technologies 152

Information Security Concepts, Frameworks, and Standards 154

Confidentiality, Integrity, and Availability 154

Access Control 155

Data Sensitivity and Classification 156

Identification and Authentication 157

Authorization 157

Accountability 158

Non-Repudiation 158

Frameworks, Standards, and Practices 159

NIST Risk Management Framework 160

ISO 27001/27002/27701/31000 162

COBIT 2019 (ISACA) 162

The Risk IT Framework (ISACA) 164

Security and Risk Awareness Training Programs 165

Awareness Tools and Techniques 165

Developing Organizational Security and Risk Awareness Programs 166

Data Privacy and Data Protection Principles 167

Security Policies 167

Access Control 167

Physical Access Security 168

Network Security 168

Human Resources 173

Chapter Review 175

Quick Review 177

Questions 178

Answers 181

Appendix A Implementing and Managing a Risk Management Program 183

Today's Risk Landscape 183

What Is a Risk Management Program? 186

The Purpose of a Risk Management Program 187

The Risk Management Life Cycle 188

Risk Discovery 188

Types of Risk Registers 193

Reviewing the Risk Register 194

Performing Deeper Analysis 196

Developing a Risk Treatment Recommendation 199

Publishing and Reporting 203

Appendix B About the Online Content 205

System Requirements 205

Your Total Seminars Training Hub Account 205

Privacy Notice 205

Single User License Terms and Conditions 205

Total Tester Online 207

Technical Support 207

Glossary 209

Index 221