The views expressed in this presentation may contain statements that involve risks, uncertainties and assumptions. If any such uncertainties materialise or if any of the assumptions proves incorrect, the results are nothing to do with the author, ISACA or the ISACA Ireland Chapter, as they are personal views expressed by the author.
The information upon which this presentation is based comes from the author's own experience, knowledge and research from numerous sources, including the Internet. The opinions expressed in this presentation are those of the authors and presenters and no-one else. We do not guarantee their fairness, completeness or accuracy; we will, however, do our professional best. The opinions, as of this date, are subject to change. The authors, ISACA and the ISACA Ireland Chapter do not accept any liability for your reliance upon them.
"Risk and time are opposite sides of the same coin, for if there were no tomorrow, there would be no risk. Time transforms risk, and the nature of risk is shaped by the time horizon: the future is the playing field."
RISK REGISTER
• The risk register is the master document for all identified risks.
• Created and amended during the risk management cycle process.
• Prepared using a two-dimensional approach (impact & probability).
• Often supported by a heatmap.
• Often used to support and drive risk-based audits of controls.
• Supports informed decision making.
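To make the two-dimensional approach concrete, here is a small risk register that scores each entry as impact x likelihood, bands the score, draws the supporting heatmap and selects the entries that would drive a risk-based audit of controls. This is an added illustration, not material from the presentation or from ISACA; the 5x5 scale, the band thresholds, the owner names and the sample risks are all constructed assumptions.

```python
"""Risk register with an impact x likelihood heatmap.

Added illustration, not taken from the presentation. The 5x5 scale, the band
thresholds, the owner names and the sample risks are all constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumption: 1 (lowest) to 5 (highest) on both axes
# Assumption: bands on the product impact * likelihood, which ranges 1..25.
BANDS = (("Low", 1, 5), ("Medium", 6, 12), ("High", 13, 19), ("Critical", 20, 25))
BAND_ORDER = [name for name, _, _ in BANDS]


@dataclass
class Risk:
    risk_id: str
    title: str
    impact: int
    likelihood: int
    owner: str
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the heatmap stays meaningful.
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.risk_id}: impact and likelihood must be within 1..5")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def band(self) -> str:
        return next(name for name, lo, hi in BANDS if lo <= self.score <= hi)


class RiskRegister:
    """Master document of identified risks; amended as the management cycle runs."""

    def __init__(self):
        self._risks = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def amend(self, risk_id: str, *, impact=None, likelihood=None, control=None) -> Risk:
        """Re-rate a risk and/or record a new control; the scale is re-validated."""
        old = self._risks[risk_id]
        updated = Risk(old.risk_id, old.title,
                       old.impact if impact is None else impact,
                       old.likelihood if likelihood is None else likelihood,
                       old.owner, old.controls + ([control] if control else []))
        self._risks[risk_id] = updated
        return updated

    def ranked(self) -> list:
        """Highest score first; ties broken by id so the ordering is stable."""
        return sorted(self._risks.values(), key=lambda r: (-r.score, r.risk_id))

    def heatmap(self) -> list:
        """Counts per cell: rows are impact 5..1 (top to bottom), columns likelihood 1..5."""
        cells = Counter((r.impact, r.likelihood) for r in self._risks.values())
        return [[cells[(imp, lik)] for lik in SCALE] for imp in reversed(SCALE)]

    def render_heatmap(self) -> str:
        lines = ["impact \\ likelihood  " + "  ".join(str(lik) for lik in SCALE)]
        for imp, row in zip(reversed(SCALE), self.heatmap()):
            lines.append(f"{imp:>18}  " + "  ".join(str(c) for c in row))
        return "\n".join(lines)

    def audit_scope(self, minimum_band: str = "High") -> list:
        """Risks at or above a band: the candidate list for a risk-based controls audit."""
        floor = BAND_ORDER.index(minimum_band)
        return [r for r in self.ranked() if BAND_ORDER.index(r.band) >= floor]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries (not real findings)."""
    reg = RiskRegister()
    reg.add(Risk("R-01", "Unpatched internet-facing server", 5, 4, "Head of IT", ["monthly patch cycle"]))
    reg.add(Risk("R-02", "Key supplier outage", 4, 2, "COO", ["exit plan"]))
    reg.add(Risk("R-03", "Phishing leads to credential theft", 4, 4, "CISO", ["awareness training"]))
    reg.add(Risk("R-04", "Loss of non-critical laptop", 2, 3, "IT ops", ["full-disk encryption"]))
    reg.add(Risk("R-05", "Data centre fire", 5, 1, "Facilities", ["suppression", "DR site"]))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.ranked():
        print(f"{r.risk_id} {r.band:<8} score={r.score:>2} {r.title}")
    print(register.render_heatmap())
    print("audit scope:", [r.risk_id for r in register.audit_scope("High")])
    # Amend once a control is verified: likelihood drops and the register re-ranks.
    r01 = register.amend("R-01", likelihood=2, control="patch level verified by scan")
    print("R-01 after amendment:", r01.band, r01.score)
```

The `amend` method is what makes this a register rather than a one-off assessment: each cycle re-rates entries and records the controls that justify the new rating, and `audit_scope` then yields the entries whose controls an auditor would test first.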
"In the fields of observation chance favors only the prepared mind."
- Louis Pasteur
Is High Risk: 75% | 51% | 35% | 20%
The previous version of ISO 27005 was released in 2011 and had become somewhat out of alignment with ISO 27001:2013.
Unlike the ISO 31000:2018 Risk Management Guidelines, which were written to be easily understood by top executives and board directors, ISO 27005:2018 is longer, denser and more technically targeted at chief information security officers (CISOs), chief risk officers and auditors. It emphasises the importance of a systematic approach to developing and maintaining an information security risk management (ISRM) process, and reminds stakeholders that risk management must be continual and subject to regular review to ensure continued effectiveness.
ISO 31000:2018
NIST
NIST Special Publication 800-30 - Guide to Conducting Risk Assessments
• Provides guidance on applying risk assessment concepts to:
– All three tiers in the risk management hierarchy
– Each step in the Risk Management Framework
Also NIST SP 800-53 & 800-53A, Security and Privacy Controls for Federal Information Systems and Organizations
• Six Principles
• Enablers have become Components, with processes now numbering 40
• Maturity has returned to the fold
• Two levels of Risk Management/Governance
Risk
Processes
Risk Categories
EDM03 ENSURE RISK OPTIMISATION
Description - Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of I&T is identified and managed.
Purpose - Ensure that I&T-related enterprise risk does not exceed the enterprise's risk appetite and risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
• EDM03.01 Evaluate risk management.
• EDM03.02 Direct risk management.
• EDM03.03 Monitor risk management.
Each Governance Practice has activities that have a progressive capability rating.
APO12 MANAGE RISK
Description - Continually identify, assess and reduce I&T-related risk within tolerance levels set by enterprise executive management.
Purpose - Integrate the management of I&T-related enterprise risk with overall enterprise risk management (ERM) and balance the costs and benefits of managing I&T-related enterprise risk.
APO12.02 ANALYSE RISK
BUG
Business IT Risk Perspective
RISK MANAGEMENT IS NOT NEW...
However!
"Firms should assume that they will be subject to successful cyber-attack or business interruption."
Central Bank of Ireland
Outsourcing
Change Management
Business Continuity
• Outsourcing
– A framework with clear lines of responsibility for ongoing management, operational oversight, risk management and regular review of outsourced service providers.
Central Bank of Ireland
• Change Management
– Formal IT change management processes that include approval requirements are in place.
– IT project plans are documented; risk and impact analyses are performed, documented, and established within the firm's risk appetite.
• Cyber Security
– Cyber risk is managed within the context of overall IT risk management.
– Strategy reviewed and approved by the Board.
– Documented policies and procedures, and monitoring.
– Awareness training programmes.
Central Bank of Ireland
Cyber Security - Example of CBI expectations
Central Bank of Ireland
"Risk Management"
European Banking Authority
• Business Growth
• Key objective of the Ireland Group is to support the management of risk through COBIT and promote CRISC as the key IT risk methodology.
• Secondary objective is to engage with the wider risk community.
The SIG meets on a regular basis (approx. every 4-6 weeks). More information on the SIG and how to participate is available at the ISACA stand.
How to win a prize
Enter during the break; the prize winner will be announced after the next session.
• Selection
• Effectiveness
• Optimisation
• Maintenance
SELECTION
• Carefully selected and limited in number
• Clearly specified - complete and accurate [SMART]
• Measurable
• Linked to specific risks - to specific goals and objectives
• Provide results that can be monitored over time
• Are balanced between:
– Lead indicators (indicating controls in place to prevent risk)
– Lag indicators (indicating risk after an event has occurred)
– Indicator trends (analysing indicators over time to gain additional insight)
EFFECTIVENESS
• Takes into consideration:
– Impact - indicators with high business impact are more likely to be KRIs
– Effort - use the easiest-to-measure indicator
– Reliability - must possess a high correlation with the risk and be a good predictor of the outcome
– Sensitivity - must be representative of the risk and capable of accurately indicating risk variances
– Repeatable - repeatable and measurable on a regular basis to show trends
OPTIMISATION
• To ensure accurate and timely reporting, KPIs must ensure that:
– The correct data is being collected and reported on
– The KRI thresholds are set correctly