Domain 2 Introduction Information Security Risk ManagementDomain 2 Introduction Information Security Risk Management

Introduction to Information Risk Management
- Focuses on managing information security aligned with the organization's goals and objectives.
- Emphasizes the importance of leadership in security functions.
Key Areas of Focus for the CISM Exam
- Identifying risks
- Assessing risks
- Managing risks
  1. Continuous monitoring of risk mitigation controls.
- Reporting and communicating relevant risks to stakeholders.
  1. Stakeholders can be internal (management, CEO, board of directors) or external (clients, customers, shareholders, regulators).
Definition and Goal of Information Risk Management
- Information Risk Management is aimed at handling risks to assets to an acceptable level defined by asset owners.
  1. Owners are accountable for protecting those assets' value.
- Supports the organization's business and compliance needs while promoting goals and objectives.

The job practice areas relevant to Domain Two are structured into two distinct categories:
- Information Security Risk Assessment
  1. Ability to assess risks associated with information security.
- Information Security Risk Response
  1. Implementation of strategies aligned with corporate goals and objectives to mitigate risks continuously.

Understanding the Value of Assets
- Asset valuation helps to drive security efforts, essential to the owners of those assets.
Risk Assessments
- Identify, evaluate, and assess risks through the following steps:
1. Identifying risks present to the organization.
2. Evaluating and assessing the likelihood and impact of each risk.
3. Determining the severity of each risk in relation to organizational goals and objectives.
Risk Response
- Treatment options include:
  - Avoid: Eliminate the risk entirely.
  - Mitigate: Reduce the severity or likelihood of the risk.
  - Transfer: Shift the risk to a third party.
  - Accept: Acknowledge the risk and decide to live with it.

Implementing measures to reduce risks to an acceptable level, which involves:
- Choosing appropriate controls and strategies to manage identified risks.

Ongoing process of reviewing the risk environment and effective risk management efforts.
- Ensures that risk management practices remain relevant and efficient.

Reporting and sharing information about risks and risk management activities with relevant stakeholders.
- Essential for ensuring awareness of potential risks and effectiveness of the controls implemented.

Domain Two of the CISM certification emphasizes the need to identify, assess, and manage risks pertaining to an organization’s valuable assets.
- Focus on risk assessment, response, monitoring, and communication.

The materials presented will focus on:
- Understanding and assessing risks to manage effectively aligned with organizational goals.
- Implementing a risk management program to address risks, threats, and vulnerabilities to valuable assets.
- Articulating cost-effective security controls to stakeholders.
- Differentiating between risk treatment types and aligning them with organizational objectives.

Emphasis on the concept of ownership regarding the protection of assets and the accountability of asset owners.
- Leaders within the organization must drive cybersecurity efforts ensuring alignment with strategic goals and objectives.

Once risk treatment programs are established, continuous monitoring is necessary to assess effectiveness.
Relevant information about risk management must continually be reported to stakeholders, both internal and external to the organization.
Conclusion:
- Domain Two presents critical concepts and practices for successfully managing information risk and ensuring organizational security and efficacy.