1.11 Risk Awareness

·  The primary objectives of creating a risk-aware culture are to:

§  improve the ethics of the organization

§  enhance the risk reporting procedure

§  ensure that suspected behaviour is reported at the earliest

§  ensure that risk is well understood and known

·  The following are the modes of delivering risk awareness programs:

§  Training and workshops

§  Periodic bulletins and magazines

§  Quizzes

§  Control self-assessment programs

§  Awareness messages through email and SMS

·  All employees and associated vendors should be trained to identify vulnerabilities, suspicious activity and possible attacks, and to report them at the earliest. Risk-aware business decisions depend on the availability of accurate and timely information.

·  A risk awareness program should be customized to address the needs and requirements of the individual groups within an organization and deliver content suitable for each group. The prime consideration when developing a risk awareness program is to ensure that process owners are able to understand how risk can impact their process as well as the overall business.

·  A risk awareness program should not give too much detail about vulnerabilities or investigations, as this can further expose the organization.

·  Risk awareness, education and training help to improve risk and security management in the most cost-effective way.

·  Employees and third-party service providers should be made aware of the organization's security policies and procedures.

·  Training effectiveness can be measured through testing, quizzes or other metrics. For example, the effectiveness of incident reporting training can be determined by the number of incidents reported after the training. Increased reporting of valid incidents indicates that users are aware of the security rules and know how to report incidents.

·  Identifying training needs is an important aspect; needs can be derived from various sources such as help desk activity, operational errors, security events and audits.

·  A separate risk awareness program should be arranged for senior management, with more emphasis on the need for compliance, due care and due diligence, and on the need to set the tone and culture of the organization through policy and good practice. They should be reminded of their roles and responsibility for determining risk acceptance levels.

·  Employees and vendors should be made aware of the risk of social engineering attacks. Social engineering is a technique by which an attacker attempts to manipulate people into disclosing confidential information. No logical control can address social engineering attacks; they can be controlled only through security awareness among employees.

Key aspects from CRISC exam perspective

| CRISC Question | Possible Answer |
|---|---|
| Greatest benefit of a risk-aware culture | Suspected behaviour is reported at the earliest |
| Prime consideration when developing a risk awareness program | Process owners should be able to understand how risk can impact their process as well as the overall business |
| Best approach when conducting a risk awareness campaign | Customized and tailored program addressing different business groups |
| Risk-aware business decisions depend on | Availability of accurate and timely information |
| Social engineering risk can be reduced by | Security awareness programs |
| Main objective of the risk management process | Risk-aware business decisions |
| Effectiveness of incident training can be determined by | Increase in valid incident reporting |
| Most effective method to ensure that users comply with BYOD policies and procedures | Educating users on acceptable and unacceptable practices |
