Source: isaca-events.org.za/wp-content/uploads/2016/09/...
TRANSCRIPT
Applying the Risk Process in the Real World
Mark Thomas CGEIT, CRISC
Areas of expertise
Governance of Enterprise IT (CGEIT)
Enterprise Risk Management (CRISC)
COBIT
ITIL Expert
PRINCE2 Practitioner
Experience
IT Director
VP, IT Operations
Enterprise Program Manager
Governance frameworks consulting
OBJECTIVES
Understand the application of COBIT5 risk practices and activities and how they are being used today.
Select and prioritize scenarios to create a risk register that can be used in multiple enterprise environments.
Link the risk process to industry standards and frameworks to create appropriate and applicable controls.
Agenda
Introduction
Connecting COBIT and Risk
Understanding Risk
Real World Application
Closing and Questions
VALUE CREATION
THE TONE STARTS AT THE TOP
Governance: Evaluate, Direct, Monitor
Management: Plan, Build, Run, Monitor
EVALUATE stakeholder needs, conditions and options
DIRECT through prioritization and decision making
MONITOR performance, compliance and progress against agreed-on direction and objectives
PLAN, BUILD, RUN and MONITOR activities
Align with the direction set by the governance body to achieve the enterprise objectives
MULTIPLE PERSPECTIVES
FIRST, SOME DEFINITIONS
Risk: the possibility of a situation or event with uncertain frequency and magnitude of loss (or gain) occurring that is associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
Threat
Vulnerabilities
Risk appetite
Risk tolerance
Risk optimization
Risk hierarchy
TYPES OF RISK
Operational Risk
Portfolio Risk
Program Risk
Project Risk
Strategic Risk
CATEGORIES IN ASSESSING RISK
Inherent Risk: the risk associated with an event when no controls are in place.
Residual Risk: the risk that is associated with an event after controls have been applied.
Control Risk: results from the internal control system's failure to prevent, detect or correct an incident in a timely manner.
Detection Risk: the risk that the prescribed controls, substantive testing procedures or monitoring will fail to detect an error that could be material.
COBIT
COBIT is the only end-to-end business framework that offers a holistic and integrated view of the governance of enterprise IT (GEIT). COBIT assists enterprises in many areas, including:
Maintain high-quality information to support business decisions.
Achieve strategic goals and realize business benefits.
Support compliance with relevant laws, regulations, contractual agreements and policies.
Maintain IT-related risk at an acceptable level.
Optimize the cost of IT services and technology.
COBIT PRINCIPLES
COBIT GOALS CASCADE
Translates stakeholder needs into specific, practical and customized goals.
Allows the definition of priorities for:
Risk scenario analysis, assessment and responses
Implementation
Improvement
Assurance efforts for the governance of enterprise IT
COBIT ENABLERS
COBIT PRODUCT FAMILY
COBIT FOR RISK
COBIT5 for Risk provides guidance on how to manage risk to levels within the enterprise's risk appetite as well as how to set up the right risk culture for the enterprise.
End-to-end guidance on managing risk with a common approach for assessment and response.
Integrates IT risk management with the overall risk and compliance structures within the enterprise.
Promotion of risk responsibility and its acceptance throughout the enterprise.
DOMAINS
Governance Domain: Ensure Risk Optimization
Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.
• Evaluate risk management
• Direct risk management
• Monitor risk management
Management Domain: Manage Risk
Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
• Collect data
• Analyze risk
• Maintain a risk profile
• Articulate risk
• Define a risk management action portfolio
• Respond to risk
RISK PROFILE
Risk Register: resulting from risk analysis, consists of a list of risk scenarios and their associated estimates for impact and frequency.
Risk Action Plan: includes action items, status, responsible, deadline, etc.
Loss Events (historical and current): loss data related to events occurring over the last reporting period(s).
Risk Factors: both contextual risk factors and capability-related risk factors (vulnerabilities).
Independent Assessment Findings: result of independent assessments (e.g., audit findings, self-assessments).
RISK SCENARIOS
RISK MAP
A common, very easy and intuitive technique for presenting risk is the risk map, where risk is plotted on a two-dimensional diagram with frequency and impact as its axes. This representation provides an immediate and complete view of risk and makes the areas for action apparent.
[Risk map figure: Probability on one axis, Impact on the other]
RISK RESPONSE
This is where you determine which controls best satisfy business needs.
CONTROLS
COMPANY BACKGROUND
Background
Service Provider – North America
Niche market in the real-estate industry
Rapid growth
Owned by a larger holding company
Challenges
Holding company security audit
Multiple audit findings
No process for managing risks
Aggressive timeline to ‘become compliant’
Methodology
Steps (one per slide below): Business Goals, Risk Scenarios, Risk Register, Top 5 Focus Areas, Maintain Register
BUSINESS GOALS
RISK SCENARIOS
Step 1: Identified 16 generic risk categories
Step 3: Determine the scenario short list.
Full list on next slide
RISK REGISTER
Top 10 Scenarios
There is an overreliance on key IT staff.
Hardware components were configured erroneously.
The database is corrupted, leading to inaccessible data.
IP is lost and/or competitive information is leaked due to key team members leaving the enterprise.
The IT in use is obsolete and cannot satisfy new business requirements (networking, security, database, storage, etc.).
Hardware systems fail and lose availability.
Business does not assume accountability over those IT areas it should, e.g., functional requirements, development priorities, assessing opportunities through new technologies.
There is an intrusion of malware on critical operational servers.
Industrial espionage takes place.
There is a virus attack.
Risk Register columns (Event, Actor, Threat Type, Asset/Resource, Response) and their values:
Event: specific events related to the scenario.
Actor: Internal, External.
Threat Type: Malicious, Accidental, Error, Failure, Natural, External Req.
Asset/Resource: Process, People/Skills, Org. Structure, Physical Inf., IT Inf., Information, Applications.
Response: Accept, Transfer, Share, Avoid, Mitigate.
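As an added illustration of the register columns above and of the frequency/impact risk map described earlier (example code written for this transcript, not material from the presentation): a small Python register whose column vocabularies are the slide's own, with inherent and residual risk computed per scenario, a 5x5 risk map, and a filter for scenarios still above the stated risk tolerance. The 1-5 rating scales, the control_effect field, the tolerance value and the sample ratings are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Column vocabularies taken from the register slide: Actor, Threat Type, Asset/Resource, Response.
Actor = Enum("Actor", "INTERNAL EXTERNAL")
ThreatType = Enum("ThreatType", "MALICIOUS ACCIDENTAL ERROR FAILURE NATURAL EXTERNAL_REQ")
Asset = Enum("Asset", "PROCESS PEOPLE_SKILLS ORG_STRUCTURE PHYSICAL_INF IT_INF INFORMATION APPLICATIONS")
Response = Enum("Response", "ACCEPT TRANSFER SHARE AVOID MITIGATE")

@dataclass
class RiskEntry:
    event: str
    actor: Actor
    threat: ThreatType
    asset: Asset
    frequency: int            # 1 (rare) .. 5 (frequent); constructed ordinal scale
    impact: int               # 1 (negligible) .. 5 (severe); constructed ordinal scale
    response: Response
    control_effect: float = 0.0   # share of inherent risk removed by applied controls (assumed field)

    def inherent(self) -> int:
        # Inherent risk: the scenario with no controls in place.
        return self.frequency * self.impact

    def residual(self) -> float:
        # Residual risk: what remains after the controls have been applied.
        return round(self.inherent() * (1.0 - self.control_effect), 2)

def risk_map(register):
    """5x5 risk map indexed [frequency-1][impact-1], counting scenarios per cell."""
    grid = [[0] * 5 for _ in range(5)]
    for e in register:
        grid[e.frequency - 1][e.impact - 1] += 1
    return grid

def needs_action(register, tolerance):
    """Scenarios whose residual risk still exceeds the risk tolerance, highest first."""
    hot = [e for e in register if e.residual() > tolerance]
    return sorted(hot, key=lambda e: e.residual(), reverse=True)

# Constructed sample register: three scenarios from the slide's top-10 list with invented ratings.
REGISTER = [
    RiskEntry("There is an intrusion of malware on critical operational servers.",
              Actor.EXTERNAL, ThreatType.MALICIOUS, Asset.IT_INF, 4, 5, Response.MITIGATE, 0.6),
    RiskEntry("There is an overreliance on key IT staff.",
              Actor.INTERNAL, ThreatType.ACCIDENTAL, Asset.PEOPLE_SKILLS, 3, 4, Response.MITIGATE, 0.25),
    RiskEntry("Hardware systems fail and lose availability.",
              Actor.INTERNAL, ThreatType.FAILURE, Asset.PHYSICAL_INF, 2, 3, Response.TRANSFER, 0.5),
]
```

With a tolerance of 6, needs_action(REGISTER, 6) returns the staff-overreliance scenario (residual 9.0) ahead of the malware scenario (residual 8.0); the hardware failure scenario (residual 3.0) is within tolerance.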
TOP FOCUS AREAS
Linked results to applicable standards and processes:
ISO27000
NIST
COBIT5 – not considered a standard, but used to help manage processes
MAINTAIN REGISTER
Communicate risk register to all appropriate stakeholders.
Continually update scenarios and register to maintain a current profile of risks and responses.
Support the adoption of controls based on the risk register.
NEXT STEPS
Linking different levels of risks into a cascading risk register.
Work with the Board of Directors to articulate risk from a governing body perspective.
Create a risk management function.
Create key risk indicators.