IT Risk Management (MGS 640) Spring 2025 PDF

Document Details

Uploaded by EruditeAlgorithm

University at Buffalo

2025

Tags

IT risk management risk assessment governance security

Summary

This document outlines the course structure for IT Risk Management (MGS 640) at the University at Buffalo School of Management for Spring 2025. The course covers key areas such as governance, IT risk assessment, risk response and reporting, and information technology & security, exploring the role of risk governance and management.

Full Transcript

IT RISK MANAGEMENT (MGS 640) - Spring 2025
Instructors: Manish Gupta, CRISC, CISA; John Walp, CRISC, CISSP

Job Practice Domains (2021 - Present)

DOMAIN 1—Governance (26%)
A. Organizational Governance
- Organizational Strategy, Goals, and Objectives
- Organizational Structure, Roles, and Responsibilities
- Organizational Culture
- Policies and Standards
- Business Processes
- Organizational Assets
B. Risk Governance
- Enterprise Risk Management and Risk Management Framework
- Three Lines of Defense
- Risk Profile
- Risk Appetite and Risk Tolerance
- Legal, Regulatory, and Contractual Requirements
- Professional Ethics of Risk Management

DOMAIN 2—IT Risk Assessment (20%)
A. IT Risk Identification
- Risk Events (e.g., contributing conditions, loss result)
- Threat Modelling and Threat Landscape
- Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
- Risk Scenario Development
B. IT Risk Analysis and Evaluation
- Risk Assessment Concepts, Standards, and Frameworks
- Risk Register
- Risk Analysis Methodologies
- Business Impact Analysis
- Inherent and Residual Risk

Source: ISACA Website at: http://www.isaca.org/

DOMAIN 3—Risk Response and Reporting (32%)
A. Risk Response
- Risk Treatment / Risk Response Options
- Risk and Control Ownership
- Third-Party Risk Management
- Issue, Finding, and Exception Management
- Management of Emerging Risk
B. Control Design and Implementation
- Control Types, Standards, and Frameworks
- Control Design, Selection, and Analysis
- Control Implementation
- Control Testing and Effectiveness Evaluation
C. Risk Monitoring and Reporting
- Risk Treatment Plans
- Data Collection, Aggregation, Analysis, and Validation
- Risk and Control Monitoring Techniques
- Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
- Key Performance Indicators
- Key Risk Indicators (KRIs)
- Key Control Indicators (KCIs)

DOMAIN 4—Information Technology and Security (22%)
A. Information Technology Principles
- Enterprise Architecture
- IT Operations Management (e.g., change management, IT assets, problems, incidents)
- Project Management
- Disaster Recovery Management (DRM)
- Data Lifecycle Management
- System Development Life Cycle (SDLC)
- Emerging Technologies
B. Information Security Principles
- Information Security Concepts, Frameworks, and Standards
- Information Security Awareness Training
- Business Continuity Management
- Data Privacy and Data Protection Principles

DOMAIN 1—Governance
A. Organizational Governance
- Organizational Strategy, Goals, and Objectives
- Organizational Structure, Roles, and Responsibilities
- Organizational Culture
- Policies and Standards
- Business Processes
- Organizational Assets
B. Risk Governance
- Enterprise Risk Management and Risk Management Framework
- Three Lines of Defense
- Risk Profile
- Risk Appetite and Risk Tolerance
- Legal, Regulatory, and Contractual Requirements
- Professional Ethics of Risk Management
Source: CRISC Review Manual 7th Edition (2021)

1.1. Organizational Strategy, Goals, and Objectives
1.1.1. The Context of IT Risk Management
1.1.2. Key Concepts of Risk
1.1.3. Importance and Value of IT Risk Management
1.1.4. IT Risk Strategy of the Business
1.1.5. Alignment with Business Goals and Objectives

Learning Objectives (1)
- Collect and review existing information regarding the organization's business and IT environments
- Identify potential or realized impacts of IT risk to the organization's business objectives and operations
- Identify threats and vulnerabilities to the organization's people, processes and technology
- Evaluate threats, vulnerabilities and risk to identify IT risk scenarios
- Establish accountability by assigning and validating appropriate levels of risk and control ownership
- Establish and maintain the IT risk register and incorporate it into the enterprise-wide risk profile
- Facilitate the identification of risk appetite and risk tolerance by key stakeholders
- Promote a risk-aware culture by contributing to the development and implementation of security awareness training

Learning Objectives (2)
- Conduct a risk assessment by analyzing IT risk scenarios and determining their likelihood and impact
- Review the results of risk analysis and control analysis to assess any gaps between current and desired states of the IT risk environment
- Facilitate the selection of recommended risk responses by key stakeholders
- Collaborate with risk owners on the development of risk treatment plans
- Collaborate with control owners on the selection, design, implementation and maintenance of controls
- Define and establish key risk indicators (KRIs)
- Monitor and analyze key risk indicators (KRIs)
- Collaborate with control owners on the identification of key performance indicators (KPIs) and key control indicators (KCIs)

IT Risk Management
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e., the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization. IT risk management can be considered a component of a wider enterprise risk management system (Risk IT Framework).

Risk IT: A Balance Is Essential
Risk and value are two sides of the same coin. Risk is inherent to all enterprises. BUT enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk.

Why Care About IT-related Risk?
- Enterprises are dependent on automation and integration.
- Need to cross IT silos of risk management.
- Important to integrate with existing levels of risk management practices.
- Recognize the ever-evolving reliance on IT systems and rising complexity.

Manage and Capitalize on Business Risk
- Enterprises achieve return by taking risks.
- Some try to eliminate the very risks that drive profit.
- Guidance was needed on how to manage risk effectively.

Organizational Governance
Governance: to ensure balance between performance and conformance, i.e., to meet stakeholder needs and deliver value while protecting assets.
- Directors (usually the board) are accountable for governance.
- Senior management oversees day-to-day operations.
Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.

Corporate Governance
- It is the system by which an entity is controlled and directed.
- A set of responsibilities and practices of those who provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized.
- Involves a set of relationships between a company's management, its board, its shareholders and other stakeholders.
- Chief executive officers (CEOs), chief financial officers (CFOs) and chief information officers (CIOs) agree that the strategic alignment between IT and enterprise objectives is a critical success factor for an organization.
Enterprise Governance of IT (EGIT)
- EGIT (earlier called Governance of Enterprise IT, GEIT) is one of the domains of corporate governance.
- EGIT is a system in which all stakeholders, including the board, senior management, internal customers and departments such as finance, provide input into the decision-making process.
- EGIT is the responsibility of the board of directors and executive management.
- The purposes of EGIT are: to direct IT endeavors to ensure that IT performance meets the objectives of aligning IT with the enterprise's objectives and realizing the promised benefits; to enable the enterprise by exploiting opportunities and maximizing benefits; and to ensure that IT resources are used responsibly and IT-related risk is managed appropriately.
- The key element of EGIT is the alignment of business and IT, leading to the achievement of business value.

Enterprise Governance

Enterprise governance drives IT governance
Enterprise governance is about:
- Conformance: adhering to legislation, internal policies, audit requirements, etc.
- Performance: improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
Source: ITGI

Organizational Governance
Source: Presentation by Marlene Badenhorst - Making sense of IT Governance – Implications of King III

Four questions
Governance answers four questions:
1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting them done well?
4. Are we getting the benefits?
There is a clear distinction between governance and management. Management focuses on planning, building, running and monitoring within the directions set by the governance system to create value by achieving objectives. Risk management foresees the challenges to achieving these objectives and attempts to lower the chances and impacts of them occurring.
Organizational Strategy, Goals, and Objectives
- The enterprise exists to achieve its strategic vision.
- Strategy drives the firm's efforts, investments and decisions.
- How do companies derive their strategy? (figure not reproduced)

Organizational Strategy, Goals, and Objectives
Why is understanding organizational strategy important? To ensure that:
- risk governance processes are aligned
- risk efforts are evaluated, directed and monitored
- risk appetite and tolerance are understood and widely communicated
- risk management capabilities/infrastructure are established

Risk Governance Objectives
Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. Risk governance has four main objectives:
- Establish and maintain a common risk view.
- Integrate risk management into the enterprise.
- Make risk-aware business decisions.
- Ensure that risk management controls are implemented and operating correctly.

Establish and maintain a common risk view
Effective risk governance establishes the common view of risk for the enterprise. This determines which controls are necessary to mitigate risk and how risk-based controls are integrated into business processes and information security. The risk governance function sets the tone of the business regarding how to determine an acceptable level of risk tolerance. The risk governance function must oversee the operations of the risk management team.

Integrate risk management into the enterprise
Integrating risk management into the enterprise enforces a holistic enterprise risk management (ERM) approach across the entire enterprise. It requires the integration of risk management into every department, function, system and geographic location. Understanding that risk in one department or system may pose an unacceptable risk to another department or system requires that all business processes be compliant with a baseline level of risk management.
The objective of ERM is to establish the authority to require all business processes to undergo a risk analysis on a periodic basis or when there is a significant change to the internal or external environment.

Make risk-aware business decisions
To make risk-aware business decisions, the risk governance function must consider the full range of opportunities and consequences of each such decision and its impact on the enterprise, society and the environment.

Ensure that risk management controls are implemented and operating correctly
Governance requires oversight and due diligence to ensure that the enterprise is following up on the implementation and monitoring of controls, so that the controls are effective in mitigating risk and protecting organizational assets.

Risk Management Capability
- Models, frameworks, methods
- Risk taxonomy (how risk is classified)
- Risk ontology
- Risk effort integration
- Risk management
- Risk-based decision-making process
- Track and report outcomes of risk efforts
- Resource allocation

THE CONTEXT OF IT RISK MANAGEMENT
Risk management is defined as the coordinated activities to direct and control an enterprise with regard to risk. In simple terms, risk can be considered as a challenge to achieving objectives. Therefore, risk management can be considered as the activity undertaken to foresee challenges and lower the chances of those challenges occurring and their impact. Effective risk management can also assist in maximizing opportunities.
ISO 31000, from the International Organization for Standardization, states, "Risk is the effect of uncertainty on objectives. An effect is a deviation from the expected - positive and/or negative." However, ISO/IEC 27005 regards risk solely from a negative angle, stating "information security risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization."
There are levels of risk, and the greater the risk, the higher the probability of loss.

THE CONTEXT OF IT RISK MANAGEMENT
Risk management starts with understanding the organization, but the organization is mostly a servant of the environment, or context, in which it operates. Other considerations include:
- Vulnerability to changes in economic or political conditions
- Changes to market trends and patterns
- Emergence of new competition
- Impact of new legislation
- Existence of potential natural disaster
- Constraints caused by legacy systems and antiquated technology
- Strained labor relations and inflexible management
The strategy of the organization will drive the individual lines of business that make up the organization, and each line of business will develop information systems that support its business function.

BUSINESS RISK VERSUS IT RISK
- Risk is a critical part of business; the business needs to realize the benefits associated with taking risk.
- Too much risk may lead to an increased likelihood of failure of the business and loss of investment. This is a decision that reflects the risk acceptance level of the senior management team.
- IT risk is a subset of business risk.
- The relationship between IT and the business is a critical success factor (CSF) that must be considered.

Risk Strategy
Risk is an influencing factor and must be evaluated at all levels of the organization: the strategic level, the business unit level and the information systems level. A properly managed risk framework addresses and takes into consideration the impact of risk at all levels and describes how a risk at one level may affect the other levels as well. IT risk management is the implementation of a risk strategy that reflects the culture, appetite and tolerance levels of the senior management of the organization; considers technology and budgets; and addresses the requirements of regulation and compliance.

Risk Lifecycle
IT risk management is a cyclical process.
- The first step is the identification of IT risk, which includes determining the risk context and risk framework, and the process of identifying and documenting risk.
- Next is IT risk assessment. The effort to assess risk, including the prioritization of risk, provides management with the data required as a key input to the next phase, risk response and mitigation.
- Risk response and mitigation addresses the risk appetite and tolerance of the organization and the need to find cost-effective ways to address risk.
- The final phase is risk and control monitoring and reporting.

Key Concepts of Risk
- Common view (taxonomy, ontology)
- Likelihood and impact/consequence
- Assessing impact (productivity, response costs, legal costs, reputational loss, impaired growth, and health, safety, security and environmental concerns)
- Threats and vulnerabilities
- Threat modeling
- Vulnerability (weakness) management

THREATS AND VULNERABILITIES RELATED TO ASSETS
Threats
Despite best efforts, threats will always exist. Threats are often beyond the direct control of the risk practitioner or the owner of the asset. Threats can be external or internal and intentional or unintentional. Risk should be tailored for each organization, and not all threats will be a factor for every organization. For example, an organization that operates in a region with a seismic rating of zero does not have to document its exposure to volcanoes or earthquakes. It may note that those threats were intentionally bypassed just to assure an audit that the threat was not missed or forgotten. The risk practitioner may create a threat assessment report to document the results of the threat analysis.
Threat Categories (examples)
- Physical
- Natural events
- Loss of essential services
- Disturbance due to radiation
- Compromise of information
- Technical failures

ISO/IEC 27005 and NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, both describe the process of risk identification in a similar series of steps, as seen in exhibit 1.5.

IMPORTANCE OF IT RISK MANAGEMENT
IT risk management, especially organization-wide risk management, is a valuable part of the governance and effective management of the organization. It addresses the uncertainty of what may, or may not, happen and the measures taken to address the effects of an event if it were to take place. The benefits of IT risk management include:
- Better oversight of organizational assets
- Minimized loss
- Identification of threats, vulnerabilities and risk
- Prioritization of risk response efforts
- Legal and regulatory compliance
- Increased likelihood of project success
- Improved performance and the ability to attain business goals
- Increased confidence of stakeholders (owners, customers, employees, regulators, etc.)
- Creation of a risk-aware culture
- Better incident and business continuity management
- Improved controls
- Better monitoring and reporting
- Improved decision making
- Ability to meet business objectives

The IT Risk Strategy of the Business
- IT risk is business risk: use, ownership, operation, influence and adoption of IT.
- Business Strategy → Business Risk Strategy → IT Risk Strategy (alignment with enterprise goals and priorities)
- Additionally, the risk universe, risk management capabilities, controls and regulations should inform the IT risk strategy.

Business Related IT Risk Types (examples)
- Access Risk
- Availability Risk
- Cybersecurity Risk
- Emerging Technology Risk
- Infrastructure Risk
- Integrity Risk
- Investment Risk
- Program/Project Risk
- Relevance Risk
- Schedule Risk
- Talent Risk
- Third-party Risk

Alignment with Business Goals and Objectives
- Department and enterprise view
- IT and process view
- Understand strategy
- Review historical events

Organizational Structure, Roles and Responsibilities
- Besides senior management support, ensure appropriate positioning of the risk management function within the organizational structure.
- It should have enterprise-wide scope.
- The risk management program advises senior management so it can make informed risk-based decisions.
- IT risk should be integrated into the ERM structure.

RACI (Responsible, Accountable, Consulted, Informed)
There are four main types of roles that are involved in the risk management process:
- The individuals responsible for managing the risk (the risk practitioner, RP)
- The individuals accountable for the risk management effort (senior management, SM)
- The individuals who provide support and assistance to the risk management effort (consulted: the business, SM)
- The individuals who evaluate or monitor the effectiveness of the risk management effort (informed: SM, board)
Organizational structure: centralized (framework, policies, etc.) and decentralized.

RACI (Responsible, Accountable, Consulted, Informed)
Responsible: the person(s) tasked with getting the job done.
This is the role of the person(s) performing the actual work effort to meet a stated objective.
Accountable: the person accountable (liable, answerable) for the completion of the task. He/she is responsible for the oversight and management of the person(s) responsible for performing the work effort. He/she may also play a role in the project and bear the responsibility for project success or failure. Accountability should rest with a sole role or person in order to be effective.
Consulted: the person(s) consulted as a part of the project. They may provide input data, advice, feedback or approvals. Consulted personnel may be from other departments, from all layers of the organization, from external sources or from regulators.
Informed: the person(s) who are informed of the status, achievement and/or deliverables of the task, but who are often not directly responsible for the work effort.

RACI – Risk Management

Key roles
- Risk Manager
- Risk Analyst
- Risk Owner
- Control Owner
- Control Stewards
- Subject Matter Experts

Organizational Structure and Culture

Risk Culture Elements
- How much risk does the enterprise feel it can absorb, and what specific risk is it willing to take?
- To what extent will people embrace and/or comply with policy?
- How does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause?

Q&A
Which of the following is the GREATEST benefit of a risk-aware culture?
- Issues are escalated when suspicious activity is noticed.
- Controls are double-checked to anticipate any issues.
- Individuals communicate with peers for knowledge sharing.
- Employees are self-motivated to learn about costs and benefits.

Risk Communication
The method and openness of risk communications also plays a key role in defining and understanding the risk culture of the organization.
Risk communication removes the uncertainty and doubts concerning risk management. If risk is to be managed and mitigated, it must first be discussed and effectively communicated at an appropriate level to the various stakeholders and personnel throughout the organization.

Risk Communication
The benefits of open communication on risk include:
- Understanding of the actual exposure to risk, enabling the definition of appropriate and informed risk responses
- Awareness among all internal stakeholders of the importance of integrating risk management into their daily duties
- Transparency to external stakeholders regarding the actual level of risk and risk management processes in use

Risk Communication
The consequences of poor communication on risk include:
- A false sense of confidence at all levels of the enterprise and a higher risk of a breach or incident that could have been prevented. Risk ignorance is an unacceptable risk management strategy.
- Unbalanced communication to the external world on risk, especially in cases of high, but managed, risk, which may lead to an incorrect perception of actual risk by third parties such as clients, investors and regulators.
- The perception that the enterprise is trying to cover up known risks from stakeholders.

Policies and Standards
- Policies provide direction regarding acceptable and unacceptable behaviors and actions to the enterprise.
- Standards and procedures support requirements defined in policies.
- High-level policies are instrumental in determining the approach of the enterprise toward risk management and acceptable levels of risk.
- The risk practitioner (RP) should identify the presence or lack of policies, and the methods of enforcement.
- The RP should assess the policy framework.
- Examples: enterprise risk policy, information security policy, privacy policy, risk appetite/tolerance/acceptance policy.
- A standard is a mandatory requirement, code of practice or specification approved by a recognized external standards organization such as NIST or ISO.
- IT governance is to ensure that IS policies exist and adequately reflect the approved IS strategies, and that IS standards and procedures effectively enforce and communicate IS policies.
- Procedures are more granular than standards and support their implementation (the steps necessary to perform specific operations in conformance with applicable standards).
- Exception management

IT Risk Management Standards and Frameworks
The process of IT risk management should follow a structured methodology based on good practices and a desire for continuous improvement. When starting a risk management effort, the risk practitioner should review the current risk assessment practices of the organization in relation to the processes of risk identification, assessment, response and monitoring. This will determine whether the organization's IT risk management program is based on acceptable and recognized good practices. IT risk management practices may be based on an international standard or on another risk management model to ensure that they are complete and authoritative.

IT Risk Management Standards and Frameworks
ISO 31000:2018 – Risk Management Guidelines

IT Risk Management Standards and Frameworks
IEC 31010:2019 – Risk Assessment Techniques
IEC 31010:2019 is published as a double logo standard with ISO and provides guidance on the selection and application of techniques for assessing risk in a wide range of situations. The techniques are used to assist in making decisions where there is uncertainty, to provide information about particular risks and as part of a process for managing risk. The document provides summaries of a range of techniques, with references to other documents where the techniques are described in
There are 31 risk assessment techniques listed in Annex B of ISO/IEC 31010:
1. Brainstorming
2. Structured or semi-structured interviews
3. Delphi method
4. Checklist
5. Preliminary hazard analysis (PHA)
6. Hazard and operability study (HAZOP)
7. Hazard analysis and critical control points (HACCP)
8. Toxicity assessment
9. Structured What If Technique (SWIFT)
10. Scenario analysis
11. Business impact analysis
12. Root cause analysis
13. Failure mode and effects analysis (FMEA)
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis (HRA)
21. Bow tie analysis
22. Reliability centered maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes nets
27. FN curve
28. Risk index
29. Risk matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)

IT Risk Management Standards and Frameworks
COBIT and Information Risk
ISO/IEC 27001:2013 Information Technology – Security Techniques – Information Security Management Systems – Requirements
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO/IEC 27005 Information Technology – Security Techniques – Information Security Risk Management: guidelines for information security risk management (ISRM) in accordance with ISO/IEC 27001:2013.
NIST Special Publications:
- NIST SP 800-30, Guide for Conducting Risk Assessments
- NIST SP 800-39, Managing Information Security Risk

An example of a recognized risk management program based on ISO/IEC 27005 includes several components (figure not reproduced).

ISO/IEC 27005 Process Steps
Context Establishment
- Setting the basic criteria necessary for establishment of information security risk management (ISRM)
- Defining the scope and boundaries
- Establishing an appropriate organization operating the ISRM
Risk Assessment
Determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effect on the risk identified, determines the potential consequences and finally prioritizes the derived risk and ranks it against the evaluation criteria set in the context establishment. This process step consists of risk identification, risk analysis and risk evaluation.

ISO/IEC 27005 Process Steps
Risk Identification
Includes the identification of:
- Assets
- Threats
- Vulnerabilities
- Existing controls
- Consequences
The output of this process is a list of incident scenarios with their consequences related to assets and business processes.

ISO/IEC 27005 Process Steps
Risk Analysis
- Assessment of consequences
- Assessment of incident likelihoods
- Determination of level of risk
Risk Evaluation
In this step, levels of risk are compared according to risk evaluation criteria and risk acceptance criteria.
The output is a prioritized list of risk elements and the incident scenarios that lead to the identified risk elements.

ISO/IEC 27005 Process Steps
Risk Treatment
- Risk modification
- Risk retention
- Risk avoidance
- Risk sharing
Risk Acceptance
The input is a risk treatment plan and the residual risk assessment subject to the risk acceptance criteria. This stage comprises the formal acceptance and recording of the suggested risk treatment plans and residual risk assessment by management, with justification for those that do not meet the enterprise's criteria.

ISO/IEC 27005 Process Steps
Risk Communication and Consultation
This is a transversal process where information about risk should be exchanged and shared between the decision maker and other stakeholders through all the steps of the risk management process.
Risk Monitoring and Review
Risk and its influencing factors should be monitored and reviewed to identify any changes in the context of the organization at an early stage and to maintain an overview of the complete risk picture.

Risk Management Principles, Processes and Controls

IT Risk in relation to other business functions
- Risk and Business Continuity
- Risk and Audit
- Risk and Information Security
- Control Risk
- Project Risk
- Change Risk

Organizational Assets
People
Many organizations are vulnerable to the loss of a key employee who may be the only person with knowledge in a certain area or specific expertise. The loss of an employee through retirement, illness or recruitment by another organization may leave the organization in a very precarious and vulnerable position. The failure of management to identify key employees and ensure that they are supported through cross-training and incentive programs is far too common. Even when a departure is expected, such as an employee's retirement, organizations can still find themselves unprepared.
Technology
Technology is changing rapidly, and new technologies are always being developed.
The risk practitioner should be aware of new technologies and the risk they pose; however, there are other concerns that may be overlooked related to the technology already in use. Outdated technology is often an overlooked risk in an organization:
- Equipment that is past its mean time between failures (MTBF) is often vulnerable.
- The lack of patching and updating of systems and applications leaves them vulnerable to malware or misuse.
- Older systems may require expertise that is not readily available to maintain them.
- Older systems may not be documented, may be difficult to obtain replacement parts for, or may be reliant on an individual to maintain.
- At end of life, system hardware may contain sensitive data that must be securely deleted. Often this will require overwriting, degaussing or physical destruction of the equipment. The method of secure disposal will be based on the risk associated with the data on the device.
- There is also the risk that data may be needed later on, and the organization may need to retain a copy of the software to read the data. If the data are encrypted, the keys must also be retained.
- Failure to remove the system from backups or business continuity or disaster recovery plans may also affect the integrity of those operations.

Organizational Assets
Data
Data are a valuable asset of the organization. Customer lists, financial data, marketing plans, human resources data and research are some of the data-related assets that must be protected. Sensitive data must be protected from disclosure or modification; critical data must be protected from destruction or loss. The systems that host, process or transmit the data must ensure that data are protected at all times, in all forms (paper, magnetic storage, optical storage, reports, etc.) and in all locations (storage, networks, filing cabinets, archives, etc.).
Trademarks and Intellectual Property
A special form of information is IP.
This includes trademarks, copyrights, patents, brands and other items associated with the reputation and goodwill of the organization. Research that leads to a new product may represent the future earnings potential of the organization, and failure to protect it from disclosure may result in the loss of competitive advantage or future earnings. All employees and business partners should be bound by nondisclosure agreements (NDAs) and reminded of their responsibility to protect the IP of the organization and handle it properly. This may include strict access controls, shredding of documents, caution when discussing information in a public location and encryption of data on portable media. The controls will be examined in more detail in chapter 3, Risk Response and Mitigation.

- Asset Valuation
- Asset Inventory and Documentation

Security Categorization Process (slide 72)

Risk Governance (slide 73)
- Enterprise Risk Management and Risk Management Framework
- Three Lines of Defense
- Risk Profile
- Risk Appetite and Risk Tolerance
- Legal, Regulatory, and Contractual Requirements
- Professional Ethics of Risk Management

Enterprise Risk Management and Risk Management Framework (slide 74)

IT Risk Management Good Practices:
- Comprehensive
- Complete
- Auditable
- Justifiable
- Compliant
- Monitored
- Enforced
- Up to Date
- Managed

Establishing an enterprise approach to Risk Management:
- Executive Sponsorship
- Policy

Source: https://www.protiviti.com/US-en/insights/board-perspectives-risk-oversight-issue-51

Three Lines of Defense (slide 75)

Risk Profile (slide 76)
- Based on the overall risk posture of an enterprise
- Includes risk management activities
- Changes in the risk profile may result from:
  - New technologies
  - Changes in business
  - Mergers or acquisitions
  - New or revised regulations
  - Changes in customer expectations
  - Actions of competitors
  - Effectiveness of risk-awareness programs
- Monitoring the risk profile is important

RISK CAPACITY, RISK APPETITE AND RISK TOLERANCE (slide 77)

Risk acceptance must not exceed the risk capacity of the organization.
Risk capacity is defined as the objective amount of loss an enterprise can tolerate without risking its continued existence. As such, it differs from risk appetite, which is a board/management decision on how much risk is desirable.

COBIT 5 for Risk notes that risk capacity and risk appetite are defined by the board and executive management at the enterprise level. Some of the benefits of this approach include:
- Supporting and providing evidence of the risk-based decision-making processes
- Supporting the understanding of how each component of the enterprise contributes to the overall risk profile
- Showing how different resource allocation strategies can add to or lessen the burden of risk by simulating different risk response options
- Supporting the prioritization and approval process of risk response actions through risk budgets
- Identifying specific areas where a risk response should be made

Risk appetite is translated into a number of standards and policies to contain the risk level within the boundaries set by the risk appetite.

RISK CAPACITY, RISK APPETITE AND RISK TOLERANCE (slide 78)

Risk tolerance levels are defined as tolerable deviations from the level set by the risk appetite definitions. As with all risk, risk appetite and tolerance change over time, and several factors (such as new technology, organizational structures, business strategy, etc.) require the organization to reassess its risk portfolio and reconfirm its risk appetite.

NOTE: Risk tolerance is defined as the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. The interpretation of the ISACA definition is that while management has an official acceptance level of one value, they may accept a slight deviation from that level. An example of tolerance is a situation where the speed limit on a highway is 65 miles/hour, but a police officer may allow a person to travel at a speed up to 70 miles/hour before issuing a ticket.
Risk Appetite and Risk Tolerance (slide 79)

Parameter descriptions:
- Risk Capacity: Maximum risk an organization can afford to take. (Ability)
- Risk Tolerance: Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity.
- Risk Appetite: Amount of risk an organization is willing to take. (Willingness)

Effective governance starts with defining the enterprise risk appetite, the amount of risk that the enterprise prefers to accept as it pursues its objectives. Because individual circumstances vary, an enterprise also typically has a degree of risk tolerance, referring to the extent that actual risk can be permitted to deviate from (exceed) the risk appetite.

Risk appetite and risk tolerance work together. A policy may state that projects must be accomplished on time and within budget, but approval can be granted for overruns of up to 10 percent over estimates. In practice, this makes the acceptable level of cost equal to 110 percent of the estimate. Nonetheless, it would be foolish for a project manager to interpret the tolerance threshold as a casual limit; when tolerance is exceeded, a project may be subject to immediate intervention and termination, and the consequences for an individual's career are unlikely to be positive.

Relationship between Risk Capacity, Risk Tolerance and Risk Appetite:
- Risk capacity is always greater than both tolerance and appetite.
- Tolerance can be either equal to or greater than appetite.
- Risk tolerance levels are acceptable deviations from risk appetite.
- Risk acceptance generally should be within the risk appetite of the organization. In no case should it exceed risk capacity.
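One way to turn the relationship above into a check on proposed risk acceptances, as an added Python example that is not from the course slides: the ordering of the three limits and the 10 percent project-overrun figure come from the slide, while the capacity value and the register entries are constructed sample data.

```python
"""Added example, not from the course slides: checking proposed risk acceptances
against appetite, tolerance and capacity. The ordering (acceptance within appetite,
tolerance a bounded deviation above appetite, capacity never exceeded) follows the
slide; the capacity value and register entries are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskLimits:
    appetite: float   # amount of risk the enterprise is willing to take
    tolerance: float  # acceptable deviation above appetite
    capacity: float   # maximum loss the enterprise can afford to take

    def __post_init__(self) -> None:
        # Relationship stated on the slide: capacity > tolerance >= appetite.
        if not self.appetite <= self.tolerance < self.capacity:
            raise ValueError("require appetite <= tolerance < capacity")


def classify(limits: RiskLimits, proposed: float) -> str:
    """Return where a proposed risk acceptance falls relative to the limits."""
    if proposed > limits.capacity:
        return "exceeds capacity"    # must never be accepted
    if proposed > limits.tolerance:
        return "exceeds tolerance"   # intervention expected
    if proposed > limits.appetite:
        return "within tolerance"    # acceptable only with explicit approval
    return "within appetite"


def project_cost_limits(estimate: float, capacity: float, overrun_pct: int = 10) -> RiskLimits:
    """Slide example: appetite is the estimate and approval may be granted for
    overruns up to overrun_pct, so tolerance is 110 percent of the estimate.
    capacity (the most the enterprise could absorb) is supplied by the caller."""
    tolerance = estimate * (100 + overrun_pct) / 100
    return RiskLimits(appetite=estimate, tolerance=tolerance, capacity=capacity)


def review_register(limits: RiskLimits, register: dict) -> dict:
    """Map each entry (name -> proposed acceptance) to its status so the
    exceptions that need management sign-off stand out."""
    return {name: classify(limits, value) for name, value in register.items()}


if __name__ == "__main__":
    limits = project_cost_limits(estimate=100.0, capacity=150.0)  # constructed
    sample = {"on budget": 100.0, "5% over": 105.0, "12% over": 112.0, "double": 200.0}
    for name, status in review_register(limits, sample).items():
        print(f"{name:>10}: {status}")
```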
Risk Capacity (slide 80)

Legal, Regulatory, and Contractual Requirements; Professional Ethics of Risk Management (slide 81)
- Awareness about applicable laws and regulations
- Ensure continued compliance amidst changes
- Often challenges in interpretation and contradictions with other requirements
- Example: "Adequate protection of sensitive data"
- Potential report on compliance
- Examples: GDPR, NYS DFS, PCI DSS, GLBA (Financial Services Modernization Act of 1999)
- Control Frameworks?

Appendix (For case study) (slide 83)

RISK SCENARIOS (slide 84)

To properly assess risk in a qualitative manner, it is necessary to develop risk scenarios that will be used in the IT risk assessment. Each scenario should be based on an identified risk, and each risk should be identified in one or more scenarios. Each scenario is used to document the level of risk associated with the scenario in relation to the business objectives or operations that would be impacted by the risk event.

COBIT 5 for Risk describes a risk scenario as: A risk scenario is a description of a possible event that, when occurring, will have an uncertain impact on the achievement of the enterprise's objectives. The impact can be positive or negative.

The core risk management process requires that risk be identified, analysed and acted on. Well-developed risk scenarios support these activities and make them realistic and relevant to the enterprise.

Risk Scenario Development Tools and Techniques (slide 85)

The development of risk scenarios is an art. It requires creativity, thought, consultation and questioning. If an incident has occurred previously, it does not require much thought or preparation to document the risk event, unless the event was not examined in detail. In many cases, the risk practitioner finds that the first concern of the management team was to treat the event as a rare event rather than thoroughly delve into the specifics of the event.
This will result in a risk scenario that may easily happen again and that could have been avoided through a better approach to investigating and resolving the issues associated with the event.

The development of risk scenarios is based on describing a potential risk event and documenting the factors and areas that may be affected by the risk event. Risk events may include system failure, loss of key personnel, theft, network outages, power failures, natural disasters or any other situation that could affect business operations and mission. Each risk scenario should be related to a business objective or impact. The key to developing effective scenarios is to focus on real and relevant potential risk events. Examples of this would be to develop a risk scenario based on a radical change in the market for an organization's products, a change in government or leadership, or a supply chain failure.

Approaches – Risk Scenario (slide 88)

A top-down approach to scenario development is based on understanding business goals and how a risk event could affect the achievement of those goals. The risk practitioner looks for the outcome of events that may hamper business goals. Various scenarios are developed that allow the organization to examine the relationship between the risk event and the business goals, so that the impact of the risk event can be measured. By directly relating a risk scenario to the business, management can be educated and involved in how to understand and measure risk. The top-down approach is suited to general risk management of the company, because it looks at both IT- and non-IT-related events. A benefit of this approach is that because it is more general, it is easier to achieve management buy-in even if management usually is not interested in IT.

The bottom-up approach to developing risk scenarios is based on describing risk events that are specific to individual enterprise situations.
An example of this would be developing scenarios based on a risk event in one department, on a failure of one IT system or on a failure of a business process.

Developing IT Risk Scenarios (slide 89)

A risk scenario is a description of an IT-related risk event that can lead to a business impact. The risk scenario contains the following components:
- Actor: The internal or external party or entity that generates the threat
- Threat type: The nature of the threat event (malicious or accidental; a natural event; an equipment or process failure)
- Event: The security incident, such as the disclosure of information or the interruption of a system or project, including:
- Asset: The entity affected by the risk event, including:
- Time: If relevant to the scenario, including:
  - Duration (extended outage)

IT Risk Scenario Components (slide 90)
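The scenario components listed above, together with the requirement on the Risk Scenarios slide that each scenario be based on an identified risk and each risk be covered by one or more scenarios, as an added Python example that is not from the course slides; the risk and scenario identifiers and the sample entries are constructed.

```python
"""Added example, not from the course slides: a risk scenario record with the
five components named on the slide (actor, threat type, event, asset, time),
a check that each component is present, and a coverage check that every
identified risk has a scenario and every scenario cites an identified risk.
Risk and scenario identifiers below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Threat types named on the slide (malicious or accidental; natural; failure).
THREAT_TYPES = {"malicious", "accidental", "natural event", "equipment or process failure"}


@dataclass(frozen=True)
class RiskScenario:
    scenario_id: str
    risk_id: str                # the identified risk this scenario is based on
    actor: str                  # internal or external party generating the threat
    threat_type: str            # one of THREAT_TYPES
    event: str                  # the security incident (disclosure, interruption, ...)
    asset: str                  # the entity affected by the risk event
    time: Optional[str] = None  # e.g. duration, only if relevant to the scenario


def component_problems(s: RiskScenario) -> List[str]:
    """List the missing or invalid components of one scenario (empty if none)."""
    problems = [f"{s.scenario_id}: missing {f}" for f in ("actor", "event", "asset")
                if not getattr(s, f).strip()]
    if s.threat_type not in THREAT_TYPES:
        problems.append(f"{s.scenario_id}: unknown threat type {s.threat_type!r}")
    return problems


def coverage_gaps(risks: Set[str], scenarios: List[RiskScenario]) -> Dict[str, List[str]]:
    """Risks that no scenario covers, and scenarios that cite no identified risk."""
    cited = {s.risk_id for s in scenarios}
    return {"risks_without_scenario": sorted(risks - cited),
            "scenarios_with_unknown_risk": sorted(
                s.scenario_id for s in scenarios if s.risk_id not in risks)}


def sample_register():
    """Constructed sample: two identified risks and two scenarios, one flawed."""
    risks = {"R1 loss of key personnel", "R2 network outage"}
    scenarios = [
        RiskScenario("S1", "R1 loss of key personnel", "internal employee",
                     "accidental", "sole administrator retires", "payroll system",
                     "extended outage"),
        RiskScenario("S2", "R3 unlisted risk", "", "weather",
                     "data centre flooding", "primary data centre"),
    ]
    return risks, scenarios
```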