Managing IT Risk: CRISC Certification for Controlling Information System Risk
The CRISC credential (Certified in Risk and Information Systems Control) was created by the Information Systems Audit and Control Association (ISACA) to certify an IT professional's ability to assess information system risk and implement risk management control solutions that support an enterprise's business goals. CRISC certification signifies a combination of deep technical knowledge, broad business understanding, plus years of relevant work experience.
Progent offers the expertise of a CRISC-certified consultant who can help you create and implement a modern risk management strategy based on best practices promoted by CRISC and aligned with your company's risk tolerance, business objectives, and IT budget. Progent's CRISC-certified risk management consultants complement the skills of the other cybersecurity and information assurance experts whose services are available from Progent. These specialists include Progent's CISA-certified cybersecurity audit consultants, who can objectively review your IS control design and operational effectiveness, and Progent's CISM-certified security management experts, who can evaluate your network security profile or implement enterprise-wide cybersecurity.
Progent's Support for CRISC Practice Domains
The CRISC certification program verifies a candidate's work experience and exhaustively tests skills in key practice areas of risk management:
- Risk identification
- Risk assessment
- Risk response and mitigation
- Risk and control monitoring and reporting
Progent offers a range of consulting services for each of the enterprise risk management (ERM) domains defined by CRISC.
Risk Identification
This facet of enterprise risk management involves cataloging a comprehensive set of IT risks to be addressed by an enterprise risk management plan that takes into account business objectives. Consulting services available from Progent in this practice area include:
- Gather information from interviews and documentation that can help identify and quantify risks to business processes and network operations
- Evaluate the potential monetary or productivity loss that could result from various risk scenarios
- Review the impact that applicable laws, regulations, compliance requirements, and business agreements have on your risk profile
- Build a risk register to catalog all identified risk factors
- Document the likelihood and potential information system damage associated with major risk scenarios
- Use advanced risk analysis tools to understand the potential impact of risk scenarios on your business objectives
- Create a risk awareness initiative that educates stakeholders on IT risk and invites their participation in creating your risk management strategy
- Find consensus for risk appetite and risk tolerance among top leadership and critical stakeholders to ensure that everyone buys into the risk management program
Risk Assessment
This area of risk management involves performing sufficient analysis of risk likelihood and impact to provide the basis for sound risk management decisions. Services offered by Progent in this area include:
- Analyze risk scenarios based on their relationship to the structure, processes, and control mechanisms of your business
- Analyze risk controls currently in place and grade their effectiveness in mitigating risk
- Review risk and control analysis data to uncover any shortcomings in your current risk management solution
- Verify that risk ownership is correctly assigned and clearly understood
- Share the results of risk assessment with associated stakeholders to drive a rational risk management plan
- Document risk assessment results in the risk register
Risk Response and Mitigation
This area of risk management concerns the selection of effective risk response activities that are within the IT budget and in line with business objectives. Consulting services available from Progent in this area include:
- Interview risk owners to determine risk responses that support business goals
- Collaborate with risk owners to make sure the processes, cost, and scheduling of risk response plans are well defined
- Work with risk control owners to ensure that the design and deployment of risk mitigation controls are properly managed
- Assign risk control ownership clearly and openly
- Help risk control owners to create and document effective control processes
- Update the risk register to reflect any changes in risk identification and response processes
- Verify that actual responses to risk have followed the risk action plans
Risk and Control Monitoring and Reporting
This area of risk management concerns monitoring and managing information system controls to ensure they continue to support business objectives. Progent's consulting services in this area include:
- Analyze and document your business process objectives and design to identify required information system controls
- Plan, supervise, and conduct testing to confirm continuous efficiency and effectiveness of your information system controls
- Collect information and review documentation to identify information system control deficiencies
- Review your information system policies, standards, and procedures to make sure they address your company's internal and external requirements
- Evaluate the current state of your information system processes using a maturity model to identify the gaps between current and targeted process maturity
- Determine how to correct information system control deficiencies and maturity gaps so that each deficiency is appropriately considered and fixed
- Maintain adequate evidence to support conclusions on the completeness and operating effectiveness of your information system controls
- Test your information systems controls to verify their effectiveness and efficiency before they are implemented
- Deploy information systems controls
- Monitor your information systems control design and implementation process to make sure it is implemented effectively and within time, budget, and scope
- Provide progress reports on the deployment of your information systems controls to inform your stakeholders and to make sure deviations are addressed quickly
- Provide information system control status reporting to your relevant stakeholders to help them make informed decisions
- Evaluate and recommend tools to automate your information systems control processes
Other Security Credentials Held by Progent's Consultants
In addition to offering the services of security specialists with CRISC certification, Progent can also provide your business with access to CISM-certified security management consultants, CISSP-certified cybersecurity experts, CISSP-ISSAP certified cybersecurity architecture consultants, CISA-certified cybersecurity audit professionals, and GIAC-certified information assurance specialists.
Contact Progent for Access to a CRISC-certified Risk Management Consultant
To find out how to get in touch with a CRISC-certified risk management expert, phone Progent at 800-993-9400 or visit Contact Progent.
Ransomware 24x7 Hot Line: Call 800-462-8800
Progent's Ransomware 24x7 Hot Line is designed to help organizations to complete the time-critical first phase in mitigating a ransomware attack by containing the malware. Progent's remote ransomware engineer can help businesses to identify and isolate infected servers and endpoints and protect clean resources from being penetrated. If your network has been breached by any version of ransomware, act fast. Get help quickly by calling Progent's Ransomware Hot Line at 800-462-8800. For more information, visit Progent's Ransomware 24x7 Hot Line.