Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

You're reading from   ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide A primer on GRC and an exam guide for the most recent and rigorous IT risk certification

Arrow left icon
Product type Paperback
Published in Sep 2023
Publisher Packt
ISBN-13 9781803236902
Length 316 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Shobhit Mehta Shobhit Mehta
Author Profile Icon Shobhit Mehta
Shobhit Mehta
Arrow right icon
View More author details
Toc

Table of Contents (28) Chapters Close

Preface 1. Part 1: Governance, Risk, and Compliance and CRISC
2. Chapter 1: Governance, Risk, and Compliance FREE CHAPTER 3. Chapter 2: CRISC Practice Areas and the ISACA Mindset 4. Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
5. Chapter 3: Organizational Governance, Policies, and Risk Management 6. Chapter 4: The Three Lines of Defense and Cybersecurity 7. Chapter 5: Legal Requirements and the Ethics of Risk Management 8. Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
9. Chapter 6: Risk Management Life Cycle 10. Chapter 7: Threat, Vulnerability, and Risk 11. Chapter 8: Risk Assessment Concepts, Standards, and Frameworks 12. Chapter 9: Business Impact Analysis, and Inherent and Residual Risk 13. Part 4: Risk Response, Reporting, Monitoring, and Ownership
14. Chapter 10: Risk Response and Control Ownership 15. Chapter 11: Third-Party Risk Management 16. Chapter 12: Control Design and Implementation 17. Chapter 13: Log Aggregation, Risk and Control Monitoring, and Reporting 18. Part 5: Information Technology, Security, and Privacy
19. Chapter 14: Enterprise Architecture and Information Technology 20. Chapter 15: Enterprise Resiliency and Data Life Cycle Management 21. Chapter 16: The System Development Life Cycle and Emerging Technologies 22. Chapter 17: Information Security and Privacy Principles 23. Part 6: Practice Quizzes
24. Chapter 18: Practice Quiz – Part 1
25. Chapter 19: Practice Quiz – Part 2
26. Index 27. Other Books You May Enjoy

GRC for cybersecurity professionals

In this section, we’ll learn about cybersecurity, information assurance, and the difference between these two concepts.

Cybersecurity and information assurance

For non-cybersecurity professionals, the word cybersecurity is synonymous with hacking, but in reality, this could not be further from the truth.

There are various ways to look at cybersecurity from an outsider’s view. In the industry, this is often categorized as a red team (attackers), blue team (defenders), and purple team (a combination of the red team and blue team focusing on collaboration and information sharing). For this book, I will take a different approach that is more aligned with the objectives of this book and your understanding when you prepare for the certification.

Firstly, let’s segregate cybersecurity into two major practices: cybersecurity and information assurance.

In the cybersecurity realm, we consider activities such as penetration testing, vulnerability assessments, network monitoring, malware analysis, and all the other practices that require robust technical understanding and knowledge to prevent unauthorized access and disruption to the business.

The second practice, information assurance, is going to be the focus of this book. Information assurance includes activities such as policy and procedure development, risk assessments and management, data analysis, IT audits, compliance with regulatory frameworks, incident management, vulnerability management, vendor management, KPI and KRI reporting and dashboards, and all the other sub-domains that do not require extensive technical understanding. However, these practices do require thorough collaboration across all teams and a strong understanding of the fundamentals of cybersecurity concepts. These activities are important for complying with multiple federal and state regulations as well as to ensure the implementation of compliance with industry-standard practices.

Many organizations tend to completely segregate the cybersecurity and information assurance functions into different verticals altogether, where the communication between different teams and opportunities to collaborate are limited. This leads to security being seen as a gatekeeper and not an enabler.

As security is continuing to shift left – that is, being prioritized more and more in the initial stages of software development and project viability – this distinction is fading and teams using modern security tools collaborate a lot more than just meeting once a month.

As you continue with this book, you will realize that though the CRISC exam covers all concepts of cybersecurity and information assurance, the focus will primarily be on the latter as the entire purpose of the CRISC exam is to help you prepare for the IT risk management of an organization, regardless of its size.

So far, we have learned about GRC, the importance of GRC, and how to differentiate between different verticals of cybersecurity. In the next section, we’ll learn about the importance of GRC for cybersecurity professionals and industry-standard frameworks to implement a GRC program.

You have been reading a chapter from
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime