INTRODUCTION TO THE

RISK IT FRAMEWORK
LISA YOUNG, VICE PRESIDENT, CYBER RISK ENGINEERING, AXIO
PLATFORM INFORMATION & QUICK TIPS

• Download the presentation deck from the MATERIALS window.

• Windows on the platform can be hidden or expanded to fit your preference.

• Submit questions in the Q&A window.

• Use the HELP icon at the bottom for FAQ’s and system requirements.

• Please click on the ISACA Customer Experience Center image to be

redirected to ISACA’s customer support page.

• Experiencing technical difficulties? Try Refreshing your browser!

CPE CERTIFICATE & CREDIT

LIVE EVENT & ON DEMAND RECORDING

• You must view the live or recorded webinar for the required amount of time (50
minutes). Check the CPE Credit and Certificate window to view the timer.

• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS tab
on the MyISACA page in your account after completing the required viewing
time.

• Please be patient. This process could take up to 24 hours for your CPE
Certificate to appear in your account and another 24 hours for your CPE Credit
to be applied to your CPE Manager.

• As a reminder, all ISACA webinars and the CPE credits and CPE certificates
expire 365 days post live event.
TODAY’S SPEAKER

Lisa Young

Vice President, Cyber Risk Engineering

Axio

“Lisa Young @ISACA”

AGENDA RISK IT FRAMEWORK AND PRACTITIONERS GUIDE

• Common Language & Definitions

• Setting the context for Risk Management

• Principles
• Components and Alignment with COBIT
• Risk Governance
• Risk Awareness, Communication, and Risk Reporting
• Risk Scenarios and Response Options

• Q&A
SETTING THE CONTEXT FOR RISK MANAGEMENT

Definition: Ongoing, proactive process of adopting a holistic approach to address

uncertainty which:

• may effect the achievement of business or enterprise objectives

• leads to greater business robustness and resilience (minimizes downside impact)
• enables efficient risk-taking for appropriate benefit (opportunity)

Establish repeatable process to minimize and mitigate loss

 POLLING QUESTION

How would you a. It’s an issue.

describe a
missing patch on
a server
containing b. It’s a risk.
customer
sensitive data?
c. It’s a root cause.

d. It’s a control deficiency

THE NEED FOR A COMMON LANGUAGE
RISK DEFINED
Cyber Risk

Cyber Cyber Risk

Of or relating to computers, information technology,
electronic communications (especially the internet)
Risk
Exposure to danger, harm, or loss
related to the use of or dependence
on computers, electronic data, or
electronic communications
(including the Internet)
Typically involves unauthorized access or
unauthorized use of computer technology.

The combination of the likelihood of an event and its

impact

10
Other Common Cyber Risk Categories
In addition to tangible destruction and data destruction, we should be aware of these
Theft or Loss
of Data
Personal data, credit card data,
business data — any data with
black-market or competitive
value is at risk
Historically, the primary cyber
peril
Motive: financial or competitive
gain, extortion, intel gathering
Business Email
Compromise
Theft of funds through cyber
trickery
Up 1300% since early 2015; FBI
reports 22,143 victims and $3.1
billion stolen through mid 2016
Motive: financial
Communications
Disruption
Website or network disruption;
website defacement; social
media takeover
DDOS attacks have dramatically
increased in severity
Motive: financial, ideological,
extortion, terrorism, or war
11
SETTING THE CONTEXT FOR RISK
SERVICES, PRODUCTS, MISSION

• Outputs of an organization
• Can be internally or externally focused
• Typically align with a specific organizational unit, but can cross units and
organizational boundaries
• Collectively they enable an organization’s mission
BUSINESS OPERATIONS, BUSINESS PROCESSES, PRODUCTIVE
ACTIVITIES, PROJECTS
• The activities that the organization (and/or its suppliers) perform
to ensure that services and products are produced
• Traverse the organization; cross organizational lines
• A service or a product is made up of one or more Business
Processes, productive activities, projects or whatever they are
called in your organization.
ASSETS

• Something of value to the organization

• Placed into production to deliver and support services
• Asset value relates to the importance of the asset in
meeting the enterprise mission.
ORGANIZATIONAL CONTEXT FOR RISK
RISK MANAGEMENT WORKFLOW
RISK ASSESSMENT

Risk assessment must help the organization identify what could threaten the
organization’s ability to meet objectives
• Conditions
• What the probability is of the threat materializing or how susceptible are you?
• Uncertainty factor
• How the realized risk will impact the organization
• Consequence/Impact

• Risk
Analyze • Risk response,
identification • Assessment mitigation and
and and monitoring
prioritization quantification activities
of risk
Identify Manage
AUDITING AND RISK MANAGEMENT ARE COMPLIMENTARY

Discussion: What does it mean to

move from a Controls- or
Compliance-based approach to a
Risk-based approach?
RISK IT PRINCIPLES AND COBIT
ALIGNMENT
RISK IT PRINCIPLES
RISK IT
COMPONENTS AND
ALIGNMENT TO
COBIT
 POLLING QUESTION

What frameworks, standards, or guidelines are

you using for risk management today?
A. RISK IT Framework, COBIT
B. COSO Enterprise Risk Management
C. OCTAVE Allegro

D. ISO-27005 or ISO/IEC 31010

E. NIST SP800-30 or SP800-39

F. NIST Cybersecurity Framework

G. None
H. Other
RISK GOVERNANCE, AWARENESS,
COMMUNICATIONS, REPORTING
RISK GOVERNANCE
RISK AWARENESS, COMMUNICATIONS & REPORTING
RISK SCENARIOS AND RESPONSE
OPTIONS
CONSIDERATIONS FOR RISK SCENARIO DEVELOPMENT
RISK SCENARIOS
RISK RESPONSE
 POLLING QUESTION

What topics would you like to learn in a follow up

webinar on risk?
A. Risk identification techniques
B. Defining an integrated risk process for all
types of risk
C. Qualitative and Quantitative risk analysis
D. Risk Communication & Reporting
E. Maturing the risk management capability
F. Other?
QUESTIONS?
This training content (“content”) is provided to you without warranty, “as is” and “with
all faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA
has designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls
that are not included may not be appropriate; ISACA does not claim that use of the
content will assure a successful outcome and you are responsible for applying
professional judgement to the specific circumstances presented to determining the
appropriate procedures, tests, or controls.

Copyright © 2020 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR
ATTENDING THIS
ISACA WEBINAR