Skip to main content

2.2 Analyzing Risk Scenarios

2.2 Analyzing Risk Scenarios


Risk Scenarios


·         A risk scenario is a process to identify various risk events and their impact on business processes. For example, a risk practitioner may determine following risk scenario:

§  What can be impact on business process if network is not available?

§  What can be impact on business process in case of system downtime?

§  What can be impact on business process if database is hacked?

·         Risk scenarios are the potential risk events which is used determine current state of preparedness and probable impact on business processes.

·         Analysis of various risk scenarios helps the organization to keep themselves prepared of possible events and thus minimizing the impact of the even by taking appropriate measures.

·         Unpreparedness may cause severe damage and result in much higher recovery costs.

·         A risk register includes status of all current identified risk along with corrective actions and residual risk.

Policies & Standards


·         Approved policies provide the direction regarding acceptable and unacceptable behaviors and actions to the organization.

·         Guidelines and procedures provide details do’s and don’ts to support the organization’s policies.

·         A standard is a mandatory requirement to be followed to comply with a given framework or certification. Standard help to ensure efficient and effective process which results into reliable products or services. Standards are updated as and when required to embed with current environment. In absence of documented policies, guidelines and procedures, it is difficult to achieve intended objective of the organization.

·         It is very important for a risk practitioner to determine the availability and adequacy of organization level policies.

Data Classification Policy


Data classification policy play a pivotal role in defining the level of controls required for each class of assets. Data classification policy includes:


·         categories for asset classification

·         level of protection to be provided for each category of data

·         roles and responsibilities of end users

·         roles and responsibilities of system and data owner

Data Retention Policy


·         Data retention policy defines the retention period for each class data. Two major factors on which data retention period is defined are:

§  Business requirements

§  Legal and contractual requirements


Global Policy


·         It is very difficult for a multiple national organization to manage different policy for each region. They cannot make a standard policy as different regions have their own local laws.

·         Best approach is to have a global policy which can be amended by regions as per their local laws and requirements.

Policy Exceptions


·         Exceptions to policy is required in few cases where benefits exceed the costs or where taking risk is justified by the relevant benefits.

·         An exception to policies and procedures should only be allowed through a documented and formal escalation process.

·         There should be a structured process for providing exception and not merely on the basis of judgement of process owner or manager.

·         It is always advisable to validate the exception before reporting the same. This will help to rule out any false positives.

Effectiveness of Security Programs


·         Adherence to information security requirements is the best way to monitor the effectiveness of security program.

·         If exceptions are minimum, then it indicates that employees are aware about the security requirements.

·         More exceptions indicate that there is lack of awareness among the employees and information security programs are not effective.

Control Categories


Risk practitioner should evaluate the current control environment to determine effectiveness, efficiency and adequacy of the controls implemented. For effective control management, risk practitioner should determine:


·         Whether controls are adequate

·         Whether controls have any scope for bypassing

·         Whether controls are reviewed and tested

·         Whether segregation of duties is maintained


  Risk practitioner should be aware of following control categories:


Control Categories



Objective is to prevent an event from occurrence. Example includes locked doors, user authentication, encryption etc.


Objective is to detect an event. Example includes audit, IDS, CCTV cameras, checksum etc.


Objective is to correct the error or omissions. Example include data backup, forward error control etc. 


Objective is to deter an event by providing warning Example include warning signs etc.


Objective is to mandate the behavior aspect by specifying do’s and don’ts. Example includes acceptance usage policy.


Objective is to address the absence of control or weak control in particular domain. Example includes a weak physical control is compensated by a stringent logical access control


New System and Infrastructure


Most important requirement for setting up an information security infrastructure for a new system is to conduct a risk assessment before implementation. Risk assessment should primarily include:

§  Business justification for new system

§  Capability of existing infrastructure to support new system

§  Security assessment of new systems


Segregation of duties


·         Segregation of duty requires more than one person to complete a task. Objective of segregation of duties is to prevent fraud and error.

·         Violation of segregation of duties means same person doing two different function which are segregated to prevent fraud.

·         To prevent violation of SoD, person should be provided with role-based access. He should not have access to the role for which he is not authorized.


Key aspects from CRISC exam perspective


CRISC Question

Possible Answer

Policy that determines the level of information protection within the organization  

Data classification policy

Most important requirement for setting up an information security infrastructure for a new system

Risk Assessment

Primary influencer for data retention policy 

·         Business Requirement

·         Legal and contractual requirement

Greatest risk of inadequate ownership

Inappropriate access rights

Best approach for creating a policy for global organization

A global policy that is locally amended to comply with local laws

Best approach for exception management

Documented escalation process

Violation of segregation of duties can be prevented by

Role-based access

Document that provides status of all current identified risk along with corrective actions and residual risk

Risk Register

Primary influencer for risk appetite of the organization 

The culture and predisposition toward risk taking

Example of Management Control

Security Policy

Primary reason for a policy exception process is


To allow exception when risk is justified by the benefit

Best metric to monitor the information security program

Adherence to information security requirements 

Password is an example of

Preventive Control

Most important for selecting an appropriate risk management methodology

Risk culture of the organization


Flashcards - 2.2 Analyzing Risk Scenarios 


Practice Questions – Analyzing Risk Scenario




Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: Acceptance deviation from risk appetite

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with lates