Risk Mgmt — Information Security Risk Management

Session 1 — Risk Fundamentals & Enterprise Risk Management (Day 10, Mon Apr 6)

How CISM Defines Risk

Risk is the combination of the likelihood that a threat will exploit a vulnerability and the business impact if it does. CISM's fundamental risk equation:

Each component matters:

• Threat: A potential cause of an unwanted incident. Threats are external (hackers, natural disasters) or internal (employees, system failures). You cannot eliminate threats — they exist in the environment.
• Vulnerability: A weakness that could be exploited by a threat. Vulnerabilities can be reduced through controls. This is where security programs have the most leverage.
• Asset: Anything of value to the organization that could be impacted. Information assets, systems, processes, reputation, financial resources.
• Likelihood: How probable is it that this threat exploits this vulnerability? Influenced by threat frequency, attacker capability and motivation, existing controls.
• Impact: What is the business consequence if the risk materializes? Financial loss, operational disruption, regulatory penalty, reputational damage.

Enterprise Risk Management (ERM) and Security Risk

ERM is the organization-wide framework for identifying, assessing, and managing all categories of risk: strategic, operational, financial, legal, and technology/security. CISM expects the information security manager to integrate security risk into the ERM framework — not manage it in isolation.

When security risk is integrated into ERM:

• Security risks are visible to the same risk committee that sees financial and operational risks
• Security risk is expressed in the same language as other business risks (financial exposure, probability, business impact)
• Security investment decisions compete on an equal footing with other business risk investments
• The board sees security risk as a business risk, not a technical issue

Risk Appetite vs. Risk Tolerance vs. Risk Capacity

Term	Definition	Who Sets It
Risk Appetite	The amount and type of risk an organization is willing to pursue or accept overall. A strategic, qualitative stance (e.g., "low risk tolerance for data breach, moderate for operational disruption").	Board of Directors
Risk Tolerance	The acceptable variation in outcomes relative to risk appetite. More operational — the specific bounds within which risk must be kept (e.g., "no more than 3 major incidents per year").	Executive management
Risk Capacity	The maximum amount of risk the organization could absorb before its existence or business model is threatened. The absolute ceiling.	Board (informed by finance)

The information security manager ensures that identified security risks are evaluated against the organization's risk appetite. Risks within tolerance may be accepted. Risks approaching the tolerance boundary require attention. Risks exceeding capacity require immediate escalation.

Session 2 — Risk Assessment Methodology (Day 11, Tue Apr 7)

Risk Assessment — The Process

A risk assessment is a structured process for identifying, analyzing, and evaluating risks. CISM describes it as having clear sequential steps. Know these steps cold:

1. Asset identification: What needs to be protected? Critical information assets, systems, processes. Prioritize by business value.
2. Threat identification: What could harm these assets? Internal threats (employee error, insider threat), external threats (external attackers, natural disasters, third-party failures).
3. Vulnerability identification: Where are the weaknesses that threats could exploit? Technical vulnerabilities (unpatched systems), process vulnerabilities (weak change management), human vulnerabilities (lack of awareness).
4. Risk analysis: For each threat/vulnerability combination: how likely is it? What would the impact be? This produces a risk score or rating.
5. Risk evaluation: Compare risk scores to risk appetite and tolerance. Which risks are acceptable? Which require treatment?
6. Risk treatment: For unacceptable risks, select and implement a treatment option (next session).
7. Documentation: Record all findings in the risk register.

Qualitative vs. Quantitative Risk Assessment

Approach	How It Works	Pros	Cons
Qualitative	Rates likelihood and impact on descriptive scales (High/Med/Low or 1-5). Produces heat maps.	Fast, accessible, good for initial assessment. No data required.	Subjective. Hard to compare across risks. Difficult to calculate ROI.
Quantitative	Assigns financial values. Uses ALE = SLE × ARO. Produces dollar figures.	Objective, financial language. Enables ROI calculations. Board-friendly.	Data-intensive. Requires accurate loss estimates. Time-consuming.
Semi-quantitative	Qualitative ratings converted to numerical scores. Hybrid.	Balance of speed and comparability.	May give false precision.

Quantitative Risk Formulas — Memorize These

Session 3 — Risk Treatment Options & Controls (Day 12, Wed Apr 8)

The Four Risk Treatment Options

Once a risk is assessed and found to exceed acceptable levels, the information security manager selects a treatment option. CISM defines four:

Option	Also Called	What It Means	When To Use
Avoid	Terminate	Eliminate the activity that causes the risk. Stop doing the thing.	When risk exceeds any acceptable threshold and the activity isn't essential.
Transfer	Share	Shift financial consequence to a third party (insurance, contracts). Risk still exists — financial impact is shared.	When risk can't be reduced to acceptable levels cost-effectively, but consequences can be insured.
Mitigate	Reduce	Implement controls to reduce likelihood or impact. Most common treatment.	When risk is above tolerance but can be reduced to acceptable levels with cost-effective controls.
Accept	Tolerate	Acknowledge the risk and consciously choose not to treat it further. Must be documented and approved by appropriate authority.	When residual risk is within tolerance, or treatment cost exceeds benefit.

Control Categories — Functional

Category	Purpose	Examples
Preventive	Stop the risk event from occurring	Firewalls, access controls, encryption, training
Detective	Identify that a risk event has occurred	SIEM, audit logs, intrusion detection, monitoring
Corrective	Restore normal operations after an incident	Backup restoration, incident response, patches
Deterrent	Discourage potential attackers or violators	Warning banners, visible cameras, legal notices
Compensating	Alternative controls when primary controls can't be implemented	Manual reviews when automated controls aren't possible
Recovery	Restore operations after significant disruption	Disaster recovery, BCP

Control Categories — Implementation Type

Type	Description	Examples
Administrative	Policies, procedures, training, background checks	Security policy, awareness training, hiring procedures
Technical (Logical)	Technology-based controls	Firewalls, encryption, MFA, IDS/IPS
Physical	Physical environment controls	Locks, guards, cameras, biometrics, environmental controls

The Risk Register

The risk register is the central documentation tool for the risk management program. It records:

• Risk identifier and description
• Asset at risk
• Threat and vulnerability involved
• Likelihood and impact ratings
• Current risk score (inherent risk)
• Existing controls
• Residual risk (after existing controls)
• Treatment option selected
• Treatment owner and timeline
• Risk acceptance signature (if accepted)

The risk register is a living document. It must be reviewed regularly (at minimum annually, and whenever significant changes occur) and updated as risks change, controls are implemented, and the business environment evolves.

Session 4 — Risk Monitoring & Reporting (Day 13, Thu Apr 9)

Continuous Risk Monitoring

Risk assessment is not a once-a-year exercise. Risks change: new threats emerge, vulnerabilities are discovered, business processes change, controls fail. Effective risk management includes continuous monitoring to detect these changes and respond before they become incidents.

Key monitoring activities:

• Vulnerability scanning: Regular automated scans to detect new vulnerabilities in systems and applications.
• Threat intelligence: Monitoring of threat landscape changes — new attack techniques, active campaigns targeting the industry, zero-days.
• Control effectiveness testing: Periodic testing to verify controls are working as designed (configuration reviews, penetration tests, log reviews).
• KRI monitoring: Tracking key risk indicators for early warning signals that risk is increasing.
• Third-party risk monitoring: Ongoing oversight of vendor security posture.

Risk Reporting

Risk reporting translates the risk register into actionable information for different audiences:

Audience	What They Need	Frequency
Board/Audit Committee	Top risks, business exposure, governance-level decisions needed	Quarterly
Executive/C-suite	Risk posture summary, significant risk changes, investment decisions	Monthly
Business unit leaders	Risks specific to their area, control gaps, treatment progress	Quarterly
Risk committee	Full risk register review, treatment plan status, escalations	Monthly
Security team	Operational risk details, control failures, remediation priorities	Continuous

Session 5 — Threat & Vulnerability Management (Day 14, Fri Apr 10)

Threat Intelligence

Threat intelligence is the process of gathering, analyzing, and using information about threats to inform risk management decisions. For a CISO, threat intelligence answers: who is targeting organizations like ours, with what techniques, and what do we need to do about it?

Threat intelligence categories:

• Strategic: High-level trends for executives — industry threat landscape, geopolitical factors, regulatory environment.
• Operational: Details about specific campaigns and attack patterns for security managers.
• Tactical: Specific IoCs (indicators of compromise), attack techniques (TTPs) for security operations.

CISM won't test you on specific IoCs — but it will test whether you know that threat intelligence should inform risk assessments and control priorities.

Vulnerability Management

A vulnerability management program systematically identifies, assesses, and remediates vulnerabilities in the organization's systems. Core components:

1. Discovery: Asset inventory. You can't secure what you don't know you have.
2. Scanning: Automated vulnerability scanning on all in-scope assets. Frequency based on criticality (critical systems more frequently).
3. Assessment: Prioritize vulnerabilities based on criticality (CVSS score), exploitability, asset value, and exposure.
4. Remediation: Patch, configure, or apply compensating controls. Track to closure within defined SLAs.
5. Verification: Confirm the vulnerability is remediated. Re-scan.
6. Reporting: Track metrics (patch compliance rate, mean time to remediate, open critical vulns).

Third-Party Risk Management

Third parties — vendors, suppliers, service providers, contractors — often have access to organizational systems and data. A supply chain attack or vendor breach can directly impact the organization. CISM expects the information security manager to manage third-party risk as part of the overall risk management program.

Third-party risk management lifecycle:

• Due diligence at onboarding: Assess security posture before awarding a contract. Security questionnaires, SOC 2 reports, certifications.
• Contractual requirements: Security requirements must be in the contract. Data protection clauses, breach notification obligations, right to audit.
• Ongoing monitoring: Annual reassessments, continuous monitoring where possible. Adjust risk posture as vendors change.
• Offboarding: Revoke access, ensure data return/destruction, close accounts.