Managing IT Risk: The ISACA Risk IT Framework. 1st ISACA Day, Sofia, 15 October. Charalampos (Haris) Brilakis, CISA


Managing IT Risk: The ISACA Risk IT Framework
Charalampos (Haris) Brilakis, CISA
ISACA Athens Chapter BoD / Education Committee Chair
Sr. Manager, Internal Audit, Eurobank (Greece)
1st ISACA Day, Sofia, 15 October 2015

"All technology should be assumed guilty until proven innocent." David Brower, environmentalist

What is your role in managing risk? Do you:
1. Own and manage risks? (e.g. Business & IT Management)
2. Oversee risks? (e.g. Security, Risk Management, Compliance)
3. Provide independent assurance? (Internal Audit)
Harry Brilakis, ISACA Athens Chapter

Agenda
- ISACA's Risk IT Framework
- IT Risk basics
- Risk Governance Domain
- Risk Evaluation Domain
- Risk Response Domain
- Process Flow & Key Points to remember

Risk Management Frameworks & Risk IT
Standards and frameworks are available, but are either too:
- generic, enterprise risk management oriented (COSO ERM), or
- IT security oriented.
The Risk IT Framework fills the gap:
- Complete and stand-alone framework
- Integrates with other RM frameworks already implemented
- Complements Val IT and COBIT 4.1
- Guidance available to ISACA Members
The scope of the Risk IT framework is also fully covered within the scope of the COBIT 5 framework.

What to do to manage IT risk?
Key content of the Risk IT framework includes:
- Risk management essentials:
  - In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
  - In Risk Evaluation: describing business impact and risk scenarios
  - In Risk Response: key risk indicators (KRIs) and risk response definition and prioritisation
- Section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)
- Process model sections that contain: descriptions; input/output tables; RACI (Responsible, Accountable, Consulted, Informed) table; goals and metrics table; a maturity model for each domain
- Appendices: reference materials; high-level comparison of Risk IT to other risk management frameworks and standards; glossary
Available as a free download to all: www.isaca.org/riskit

Guide on how to implement it
Key contents of The Risk IT Practitioner Guide:
- Review of the Risk IT process model
- Risk IT to COBIT and Val IT
- How to use it:
  1. Define a risk universe and scoping risk management
  2. Risk appetite and risk tolerance
  3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
  4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
  5. Risk scenarios: includes capability risk factors and environmental risk factors
  6. Risk response and prioritisation
  7. A risk analysis workflow: swim lane flow chart, including role context
  8. Mitigation of IT risk using COBIT and Val IT
- Mappings: Risk IT to other risk management standards and frameworks
- Glossary
Available as a free download to ISACA Members

Benefits
Benefits of adopting the Risk IT Framework:
- Guidance on how to manage IT-related risks
- A common and sustainable approach for IT risk assessment and response
- A better view of IT-related risk and its financial implications
- A better understanding of the roles and responsibilities with regard to IT risk management
- A common language to help communication amongst business, IT, risk and audit management
- Opportunities for integration of IT risk management with the overall risk and compliance structures within the enterprise
- Alignment with ERM

Who can benefit from ISACA's Risk IT Framework?
- Boards and executive management who need to set direction and monitor risk at the enterprise level
- Managers of IT and business departments, who need to define risk management processes
- Risk management professionals who need specific IT risk guidance
- External stakeholders

Agenda: The Risk IT Framework; IT Risk basics; Risk Governance Domain; Risk Evaluation Domain; Risk Response Domain; Process Flow & Key Points to remember

Which of the following entail IT risk?
Business objectives:
1. Improve customer service scores by [xx]% in every branch by year end
2. Reduce customer wait time in line to [xx] minutes
3. By the end of the year, decrease administration expenses by [xx]%
4. Introduce a mobile application for expanding our service to younger customers
5. Timely produce accurate customer monthly billing statements
6. Adapt to the new tax law / comply with new regulation of
Generic IT risks:
1. IT project budget overrun or new application development failure, delaying business initiatives
2. Dependency on and use of end-user computing and ad hoc solutions for important information needs
3. Intentional or unintentional software modification leading to wrong data or fraudulent actions
4. Systems cannot handle increased transaction volumes
5. Virus attack
6. Data corruption
7. Lack of new-technology IT skills

What is IT risk?
IT risk is business risk; specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
- The risk and opportunity relationship also holds for IT risk.
- Business management is the most important stakeholder: it determines what IT needs to do to support the business.
- IT risk is not purely a technical issue.

IT risk in the risk hierarchy
- IT risk is a component of the overall risk universe of the enterprise.
- IT risk is not limited to information security, but covers all IT-related risks, for example IT service interruptions, business efficiency, late project delivery.

The Risk IT Principles
- Always connect to business objectives.
- Align the management of IT-related business risk with overall ERM (if implemented).
- Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
- Are a continuous process and part of daily activities.
- Balance the costs and benefits of managing IT risk.
- Promote fair and open communication of IT risk.

The three domains
- Risk Governance Domain: ensure that IT risk management practices are embedded in the enterprise.
- Risk Evaluation Domain: ensure that IT-related risks and opportunities are identified, analysed and presented in business terms.
- Risk Response Domain: ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.

The Risk IT Process Model (diagram)

Agenda: The Risk IT Framework; IT Risk basics (definitions, principles); Risk Governance Domain; Risk Evaluation Domain; Risk Response Domain; Process Flow & Key Points to remember

Risk Governance Domain
The domain's basic concepts include:
- Responsibility and accountability for IT risk
- Awareness and communication
- Risk appetite and tolerance, risk capacity
- Risk culture

Risk Governance Domain
Assign responsibilities and accountability for IT risk:
- Stakeholders are across the enterprise, not just IT.
- Guidance is provided (RACI charts).
Promote risk awareness via risk communication:
- Risks are well understood and known, IT risk issues are identifiable, and the enterprise recognises and uses the means to manage them.
- What to communicate: risk strategy, policies and procedures, awareness training; risk management process maturity; risk profile, KRIs, events and loss data, root causes of loss events.
- To whom: executive management, board, CRO, CIO, CFO, business management, IT management, risk control, compliance, audit, HR, staff.

Risk Governance Domain
Risk Appetite
- The broad-based amount of risk a company or other entity is willing to accept when trying to achieve its objectives.
- Measured in terms of frequency and magnitude of a risk.
- What is the amount of loss the enterprise wants to accept to pursue a return?

Risk Governance Domain
Risk Tolerance
- The acceptable level of variation that management is willing to allow for any particular risk as it pursues objectives.
- Often measured in the same units as those used to measure the related objective.
- At lower levels of the enterprise, exceptions can be tolerated as long as the overall exposure (at enterprise level) does not exceed the set risk appetite.
Risk Capacity
- The cumulative loss an enterprise can withstand without risking its continued existence.
- It differs from risk appetite, which is more about how much risk is desirable.

Risk Governance Domain
Risk Appetite and Risk Capacity (two diagrams)
Left diagram, a relatively sustainable situation:
- Risk appetite is lower than risk capacity.
- Actual risk exceeds risk appetite in a number of situations, but always remains below the risk capacity.
Right diagram, an unsustainable situation:
- Risk appetite is defined at a level beyond risk capacity; this means that management is prepared to accept risk well over its capacity to absorb loss.
- As a result, actual risk routinely exceeds risk capacity even when staying almost always below the risk appetite level.

Risk Governance Domain
Risk culture: a setting in which components of risk are discussed openly, and acceptable levels of risk are understood and maintained.

Agenda: The Risk IT Framework; IT Risk basics (definitions, principles); Risk Governance Domain (establish, define); Risk Evaluation Domain; Risk Response Domain; Process Flow & Key Points to remember

Risk Evaluation Domain Essentials
The domain's basic concepts include:
- Risk scenarios
- Business impact descriptions

Risk Evaluation Domain Essentials
IT risk scenarios: a description of a possible IT-related event that, when/if it occurs, can lead to a business impact.
Components: actor, threat type, event, asset/resource, time.
NOTE: Risk scenarios are key elements of the COBIT 5 risk management process APO12.

Risk Evaluation Domain Essentials
Example of generic IT risk scenarios, e.g. damage of a critical server / regular software malfunction of critical application software.

Risk Evaluation Domain Essentials
IT risk scenarios (cont.)
IT risk scenarios can be created with a combination of:
- Top-down: from business objectives to probable IT risk scenarios
- Bottom-up: from generic IT scenarios
Both approaches are complementary and should be used simultaneously.
The Risk IT Practitioner Guide and COBIT 5 for Risk provide a comprehensive set of generic risk scenarios. These should be used as a reference to reduce the chance of overlooking major/common risk scenarios.

Risk Evaluation Domain Essentials
IT risk scenarios (cont.)
Risk factors: factors that influence the frequency and/or business impact of risk scenarios. They relate to the enterprise's environment and to its capabilities.

Risk Evaluation Domain Essentials
Business impact descriptions
- IT risk should be expressed in unambiguous and clear, business-relevant terms.
- The Risk IT Framework does not prescribe any single method.
- IT risk scenarios should be linked to ultimate business impact.

Agenda: The Risk IT Framework; IT Risk basics (definitions, principles); Risk Governance Domain (establish, define); Risk Evaluation Domain (assess); Risk Response Domain; Process Flow & Key Points to remember

Risk Response Domain Essentials
The domain's basic concepts include:
- Key risk indicators (KRIs)
- Risk response definition and prioritisation

Risk Response Domain Essentials
Key risk indicators (KRIs): metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.

Risk Response Domain Essentials
Risk response definition and prioritisation
- Purpose: bring risk in line with the defined risk appetite for the enterprise after risk analysis.
- A response needs to be defined such that future residual risk (current risk with the risk response defined and implemented) is, as much as possible (usually depending on the budgets available), within risk tolerance limits.

Risk Response Domain Essentials
Responses to risk:
- Risk Avoidance: exiting the activities or conditions that give rise to risk.
- Risk Reduction/Mitigation: action is taken to detect the risk, followed by action to reduce the frequency and/or impact of a risk.
- Risk Sharing/Transfer: reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing.
- Risk Acceptance: no action is taken relative to a particular risk, and loss is accepted when/if it occurs. IT risk should be accepted only by business management (and business process owners) in collaboration with and supported by IT, and acceptance should be communicated to senior management and the board.

Risk Response Domain Essentials
Risk response selection depends on:
- Cost of response (e.g. insurance)
- Importance of risk
- Capability to implement the response
- Effectiveness of the response
- Efficiency of the response
Risk response prioritisation:
- QuickWin: efficient and effective response on high risk
- BC (business case): expensive/difficult responses to high risks, or efficient and effective responses on lower risk
- Defer: costly response to lower risk
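The appetite/tolerance/capacity rules from the Risk Governance slides and the QuickWin / BC / Defer prioritisation above, carried through on a small constructed risk register. This is an added illustration, not code or a quantification method from the Risk IT framework (which prescribes none); the thresholds, scenarios, loss figures and the "efficient = costs less than the loss it avoids" reading of efficiency are all assumptions.

```python
from dataclasses import dataclass

# All figures below are constructed for illustration; the Risk IT framework
# prescribes no single quantification method, so this is one possible reading.


@dataclass
class Scenario:
    name: str
    frequency: float   # expected occurrences per year
    magnitude: float   # loss per occurrence (e.g. EUR)

    def exposure(self) -> float:
        """Annualised expected loss; appetite is measured in frequency and magnitude."""
        return self.frequency * self.magnitude


@dataclass
class Response:
    cost: float                 # annual cost of implementing the response
    residual_frequency: float   # frequency once the response is in place
    residual_magnitude: float   # magnitude once the response is in place

    def residual(self) -> float:
        """Residual risk: the scenario's exposure with the response implemented."""
        return self.residual_frequency * self.residual_magnitude


def appetite_is_sustainable(appetite: float, capacity: float) -> bool:
    """Right-hand diagram rule: an appetite set beyond capacity is unsustainable."""
    return appetite < capacity


def within_appetite(scenarios, appetite, tolerance):
    """Tolerance rule: per-scenario exceptions above the tolerance are allowed
    as long as the overall exposure stays within the enterprise appetite."""
    exceptions = [s.name for s in scenarios if s.exposure() > tolerance]
    total = sum(s.exposure() for s in scenarios)
    return total <= appetite, exceptions


def prioritise(scenario, response, tolerance):
    """Classify a response as QuickWin, BC (business case) or Defer."""
    high_risk = scenario.exposure() > tolerance
    avoided = scenario.exposure() - response.residual()
    effective = avoided > 0 and response.residual() <= tolerance  # brings risk within tolerance
    efficient = response.cost < avoided                           # assumption: cheaper than loss avoided
    if high_risk and effective and efficient:
        return "QuickWin"
    if high_risk or (effective and efficient):
        return "BC"
    return "Defer"


def run_example():
    appetite, capacity, tolerance = 150_000, 1_000_000, 50_000   # constructed thresholds
    register = [  # constructed scenarios paired with a proposed response
        (Scenario("damage of critical server", 0.5, 200_000), Response(20_000, 0.1, 200_000)),
        (Scenario("end-user computing dependency", 2.0, 10_000), Response(60_000, 0.5, 10_000)),
        (Scenario("virus attack", 1.0, 5_000), Response(2_000, 0.2, 5_000)),
    ]
    ok, exceptions = within_appetite([s for s, _ in register], appetite, tolerance)
    return {
        "sustainable": appetite_is_sustainable(appetite, capacity),
        "within_appetite": ok,
        "exceptions": exceptions,
        "priorities": {s.name: prioritise(s, r, tolerance) for s, r in register},
    }


if __name__ == "__main__":
    print(run_example())
```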

Agenda: The Risk IT Framework; IT Risk basics (definitions, principles); Risk Governance Domain (establish, define); Risk Evaluation Domain (assess); Risk Response Domain (act); Process Flow & Key Points to remember

Risk IT Process Model
1. Define a risk universe and scoping risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental risk factors
6. Risk response and prioritisation
7. A risk analysis workflow: swim lane flow chart, including role context
8. Mitigation of IT risk using COBIT and Val IT

Key Points
- ISACA Risk IT complements other risk frameworks and can/should be adapted to the organisation.
- IT risk is business risk: business management is the most important stakeholder; risk should be expressed in business terms; it contains both opportunities for benefit and threats to success.
- Responsibilities of the three lines of defense: own/manage, oversee, assure.
- Risk culture, communication and awareness around IT's role in risk and opportunity.

Thank you!
Charalampos (Harry) Brilakis, CISA, harry.bril {at} gmail.com
ISACA Athens Chapter, Massalias 22, 106 80 Athens, Info {at} isaca.gr