
Author: Matthew Henshaw, CISSP, CISM, CRISC, Coordinator of Information Technology at the Annapolis Valley Regional Centre for Education
Published: 4 April 2024

My career path is like that of many others. It started simply: college, a junior technical support role, a promotion to "network guy," and eventually a move into management. Along the way I was constantly learning and taking certifications. A lot has changed over the past 20-plus years, but looking back, one thing has not changed: the need to manage risk.

In hindsight, risk management has always been a key component of working in information technology, even if it was the small "r" version of risk management. For example, when you work on the service desk and triage tickets, the ticket that gets immediate attention is often directly related to the level of risk it presents.

So, if risk management (even the small "r" version) has been practiced for all these years, why should you change what you are doing now? Threats! The number of threats an organization now faces is larger than ever before. Add to that exposure, which increases the likelihood of a threat affecting your organization, and it means that if you do not have your game face on, there is a good chance a bad day is in store for you sooner rather than later.


With that said, what should I do about it? Start practicing BIG "R" risk management. Sure, I admit, it is easy to get caught up in the hype of the latest (fill in the letter) DR solution (EDR, XDR, MDR, etc.). I like cool tools as much as anyone, but if you are not aligning those tools with identified risks, how do you know they are helping? How do you know spending lots of money on a tool is the most effective way to treat the risk? Maybe a simple process change would be just as effective.

Wanting to practice BIG "R" risk management is what led me to become CRISC-certified. I have always been someone who needs a goal, a clear path to help me learn, and pursuing a certification helps with that.

Another motivator for learning BIG "R" risk management was being able to effectively communicate risk to management. In my opinion, too often IT and cybersecurity are seen as always looking for more budget for some new gadget that may or may not be needed. Being able to communicate in a language the business understands and connecting the dots with the organization's goals and objectives is crucial to being successful in getting the resources you need to do the job properly.

Having an IT/security background is not required before attaining your CRISC, but it certainly helps. There is a lot of terminology, including concepts and principles I had learned before, and not having that base would have been an additional challenge and required more preparation time.

So, what is BIG "R" risk management? The answer to that lies in the four domains the CRISC is broken down into:

What are the goals and objectives of the organization, and how will risk management align with them?

What structure will be put in place to oversee risk management activities?

Who is responsible for the different aspects of risk management? Better yet, who is the person who makes the decision on how to respond to the risk? Who is accountable?

What is the organization's risk profile, and how will you monitor for changes to it?

How does risk management fit with the organization's legal, regulatory and contractual requirements?

What are risk scenarios, and how can you use one to understand risks and potential impact?

What are the different options for responding to and treating risk, and why would you choose one over another?

How do you select the appropriate controls, including design, implementation and testing?

How do you monitor risk, including your chosen risk treatment plan, to ensure that it is reducing risk to the desired level?

What are the different types of indicators for monitoring your risk management activities?

What are the core aspects of information technology operations, and what risks do they present and/or treat?

What are the different cybersecurity frameworks and standards that can aid your activities?

How does risk management fit into project management and the systems development lifecycle?


As mentioned earlier, having a solid background in information technology and cybersecurity helps, especially for Domain 4. My suggestion if you do not have that background is to explore options such as ISACA's Cybersecurity Fundamentals Certificate.

CRISC Review Manual: This review manual does a good job of covering all the material you need to know. I did not feel there were any questions on the exam that blindsided me.

CRISC Review Questions, Answers & Explanations, 6th edition: Testing your knowledge is key. My method is to work through all the questions, fully reading all the explanations. Even if I answered a question correctly, the explanations for the incorrect answers helped solidify the information. After working through the questions, for any question I answered wrong I made sure to go back to the CRISC Review Manual and thoroughly cover the topic again.

Additional training: I also enrolled in a continuing education course from the University of Toronto, "Cybersecurity Risk Assessment, Treatment and Reporting." This course covered many of the CRISC domains (with a NIST perspective), but the primary reason I chose to take it was the collaboration with peers and the hands-on aspect. I firmly believe you can pass the CRISC with just the two books mentioned above, but engaging in group discussions and putting the learning into practice through class assignments was a welcome addition to my study.

So, what are you waiting for? Take the step and learn BIG "R" risk management!
