DOCSLIB.ORG

The Risk It Framework

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Risk It Framework TTHEHE RRISKISK ITIT FFRAMEWORKRAMEWORK Principles Process Details Management Guidelines Maturity Models THE RISK IT FRAMEWORK ISACA® With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations. ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfil their IT governance responsibilities and deliver value to the business. Disclaimer ISACA has designed and created The Risk IT Framework (the ‘Work’) primarily as an educational resource for chief information officers (CIOs), senior management and IT management. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, officers and managers should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology environment. Reservation of Rights © 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work. ISACA 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1.847.253.1545 Fax: +1.847.253.1443 E-mail: [email protected] Web site: www.isaca.org ISBN 978-1-60420-111-6 The Risk IT Framework Printed in the United States of America CGEIT is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world. 2 © 2009 ISACA. ALL RIGHTS RESERVED. ACKNOWLEDGEMENTS ACKNOWLEDGEMENTS ISACA wishes to recognise: Development Team Steven De Haes, Ph.D., University of Antwerp Management School, Belgium Gert du Preez, CGEIT, PricewaterhouseCoopers, Belgium Rachel Massa, CISSP, PricewaterhouseCoopers LLP, USA Bart Peeters, PricewaterhouseCoopers, Belgium Steve Reznik, CISA, PricewaterhouseCoopers LLP, USA Dirk Steuperaert, CISA, CGEIT, IT In Balance BVBA, Belgium IT Risk Task Force (2008-2009) Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland, Chair Steven Babb, CGEIT, KPMG, UK Brian Barnier, CGEIT, ValueBridge Advisors, USA Jack Jones, CISA, CISM, CISSP, Risk Management Insight LLC, USA John W. Lainhart IV, CISA, CISM, CGEIT, IBM Business Consulting Services, USA Gladys Rouissi, CISA, MComp, Commonwealth Bank of Australia, Australia Lisa R. Young, CISA, CISSP, Carnegie Mellon University, USA Expert Reviewers Mark Adler, CISA, CISM, CGEIT, CFE, CFSA, CIA, CISSP, Commercial Metals, USA Steven Babb, CGEIT, KPMG, UK Gary Baker, CGEIT, CA, Deloitte and Touche LLP, Canada Dave H. Barnett, CISM, CISSP, CSDP, CSSLP, Applied Biosystems, USA Brian Barnier, CGEIT, ValueBridge Advisors, USA Laurence J. Best, PricewaterhouseCoopers LLP, USA Peter R. Bitterli, CISA, CISM, Bitterli Consulting AG, Switzerland Luis Blanco, CISA, Citibank, UK Adrian Bowles, Ph.D., Sustainability Insights Group (SIG411), USA Dirk Bruyndonckx, CISA, CISM, CGEIT, MCA, KPMG Advisory, Belgium Olivia Xardel-Burtin, Grand Duchy of Luxembourg M. Christophe Burtin, Grand Duchy of Luxembourg Rahul Chaurasia, Student, Indian Institute of Information Technology, India Philip De Picker, CISA, MCA, Nationale Bank van Belgie, Belgium Roger Debreceny, Ph.D., FCPA, University of Hawaii-Manoa, USA Heidi L. Erchinger, CISA, CISSP, System Security Solutions Inc., USA Robert Fabian, Ph.D., I.S.P., Independent Consultant, Canada Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland Shawna Flanders, CISA, CISM, ACS, PSCU Financial Services, USA John Garms, CISM, CISSP, ISSEP, Electric-Tronics Inc., USA Dennis Gaughan, AMR Research, USA Yalcin Gerek, CISA, CGEIT, TAC, Turkey Edson Gin, CISA, CFE, CIPP, SSCP, USA Pete Goodhart, PricewaterhouseCoopers LLP, USA Gary Hardy, CGEIT, IT Winners, South Africa Winston Hayden, ITGS Consultants, South Africa Jimmy Heschl, CISA, CISM, CGEIT, KPMG, Austria Monica Jain, CGEIT, CSQA, CSSBB, USA Jack Jones, CISA, CISM, CISSP, Risk Management Insight LLC, USA Dharmesh Joshi, CISA, CGEIT, CA, CIA, CISSP, CIBC, Canada Catherine I. Jourdan, PricewaterhouseCoopers LLP, USA Kamal Khan, CISA, CISSP, MBCS, Saudi Aramco, Saudi Arabia Marty King, CISA, CGEIT, CPA, BCBSNC, USA Terry Kowalyk, Credit Union Deposit Guarantee Corp., Canada Denis Labhart, Swiss Life, Switzerland John W. Lainhart IV, CISA, CISM, CGEIT, IBM Business Consulting Services, USA Philip Le Grand, Datum International Ltd., UK Bjarne Lonberg, CISSP, A.P. Moller—Maersk, Denmark Jo Lusk, CISA, Federal Government, USA Charles Mansour, CISA, Charles Mansour Audit and Risk Service, UK Mario Micallef, CGEIT, CPAA, FIA, Ganado & Associates, Malta Jack Musgrove, CGEIT, CMC, BI International, USA Paul Phillips, Barclays Bank Plc, UK Andre Pitkowski, CGEIT, OCTAVE, APIT Informatica, Brazil Jack M. Pullara, CISA, PricewaterhouseCoopers LLP, USA © 2009 ISACA. A LL R I GHT S R E S E R VED . 3 THE RISK IT FRAMEWORK ACKNOWLEDGEMENTS (cont.) Expert Reviewers (cont.) Felix Ramirez, CISA, CGEIT, Riebeeck Associates, USA Gladys Rouissi, CISA, MComp, Commonwealth Bank of Australia, Australia Daniel L. Ruggles, CISM, CGEIT, CISSP, CMC, PMP, PM Kinetics LLC, USA Stephen J. Russell, PricewaterhouseCoopers LLP, USA Deena Lavina Saldanha, CISA, CISM, Obegi Chemicals LLC, UAE Mark Scherling, Canada Gustavo Adolfo Solis Montes, Grupo Cynthus SA de CV, Mexico John Spangenberg, SeaQuation, The Netherlands Robert E. Stroud, CGEIT, CA Inc., USA John Thorp, CMC, I.S.P., The Thorp Network, Canada Lance M. Turcato, CISA, CISM, CGEIT, CPA, CITP, City of Phoenix, USA Kenneth Tyminski, Retired, USA E.P. van Heijningen, Ph.D., RA, ING Group, The Netherlands Sylvain Viau, CISA, CGEIT, ISO Lead Auditor, 712iem Escadron de Communication, Canada Greet Volders, CGEIT, Voquals NV, Belgium Thomas M. Wagner, Marsh Risk Consulting, Canada Owen Watkins, ACA, MBCS, Siemens, UK Clive E. Waugh, CISSP, CEH, Intuit, USA Amanda Xu, CISA, CISM, Indymac Bank, USA Lisa R. Young, CISA, CISSP, Carnegie Mellon University, USA ISACA Board of Directors Emil D’Angelo, CISA, CISM, Bank of Tokyo Mitsubishi UFJ, USA, International President George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA-NV, Belgium, Vice President Yonosuke Harada, CISA, CISM, CGEIT, CAIS, InfoCom Research Inc., Japan, Vice President Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President Jose Angel Pena Ibarra, CGEIT, Alintec, Mexico, Vice President Robert E. Stroud, CGEIT, CA Inc., USA, Vice President Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President Rolf von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG LLP, UK, Past International President Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Director Jeff Spivey, CPP, PSP, Security Risk Management, USA, Trustee Framework Committee Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associes SAS, France, Chair George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA-NV, Belgium, Vice President Steven A. Babb, CGEIT, United Kingdom Sergio Fleginsky, CISA, Akzonobel, Uruguay John W. Lainhart, IV, CISA, CISM, CGEIT, IBM Global Business Services, USA Mario C. Micallef, CGEIT, CPAA, FIA, Malta Derek J. Oliver, CISA, CISM, CFE, FBCS, United Kingdom Robert G. Parker, CISA, CA, CMC, FCA, Canada Jo Stewart-Rattray, CISA, CISM, CGEIT, RSM Bird Cameron, Australia Robert E. Stroud, CGEIT, CA Inc., USA Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany Special Recognition To the following members of the 2008-2009 IT Governance Committee who initiated the project and steered it to a successful conclusion: Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Chair Sushil Chatterji, Edutech Enterprises, Singapore Kyung-Tae Hwang, CISA, Dongguk University, Korea John W. Lainhart IV, CISA, CISM, CGEIT, IBM Business Consulting Services, USA Hugh Penri-Williams, CISA, CISM, CCSA, CIA, Glaniad 1865 Eurl, France Gustavo Adolfo Solis Montes, CISA, CISM, Grupo Cynthus SA de CV, Mexico Robert E. Stroud, CGEIT, CA Inc., USA John Thorp,
Load more

Recommended publications
  • Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
    1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction .............................................................................................................................. 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley .... 2 1. Is there an overall approach to IT risk and control consideration that should be followed? .......................... 2 2. Why is it so important to consider IT when evaluating internal control over financial reporting? ............... 4 3. How should Section 404 compliance teams define “IT risks and controls”? .................................................. 5 4. How does management identify and prioritize IT risks? ................................................................................. 5 5. What guidance does COSO provide with respect to IT controls? .................................................................. 6 6. What guidance is provided by the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework with respect to IT controls? ........................................................................................................... 6 7. How do COSO and COBIT facilitate a Section 404 compliance effort? ........................................................ 6 8. If a Section 404 project strictly and only follows COBIT, will the project be compliant with the Section 404 compliance efforts? .......................................................................................................................
    [Show full text]
  • GTAG 1: Information Technology Controls
    Information Technology ControlsA uditing Application Controls Authors David A. Richards, CIA, President, The IIA Alan S. Oliphant, MIIA, QiCA, MAIR InternationalChristine Bellino, Jefferson Wells Charles H. Le Grand, CIA, CHL GlobalSteve Hunt, Enterprise Controls Consulting LP July 200March 20057 Copyright © 20057 by The Institute of Internal Auditors (IIA), 247 Maitland Ave., Altamonte Springs, FL 32701-4201 USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher. The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. GTAG — Table of Contents: Section 1 Section 19 Letter from the President..........................................ii Appendix H – CAE Checklist ................................423 Section 2 Section 20 IT Controls – Executive Summary ............................iii Appendix I – References ........................................445 Section 3 Section 21 Introduction ..........................................................1 Appendix
    [Show full text]
  • The Optimal Risk Management Framework Identifying the Requirements and Selecting the Framework
    100635 Journal vol 1 2019_Layout 1 12/12/18 12:52 PM Page 40 FEATURE The Optimal Risk Management Framework Identifying the Requirements and Selecting the Framework The tremendous rise of cybersecurity attacks, have their own proprietary frameworks or use a coupled with organizations’ exploration of new hybrid of frameworks. Do you have something technologies such as artificial intelligence (AI) and to say about this blockchain to expand their business or better Selecting a Risk Management Method or article? secure their controls, gives cause to review the Framework foundational framework that is being used to Visit the Journal pages identify, assess and action IT risk impacting What criteria are firms using to select the frameworks of the ISACA® website business objectives. This is a perpetual struggle: they use? How often are these frameworks and their (www.isaca.org/journal), reviewing the use of new technologies and their basic tenets reviewed? Is the selected framework find the article and click communicated to the employees of the firm? Is the on the Comments link to impact to the organization’s objectives, profit framework or methodology selected by the firm share your thoughts. mentality and revenue streams. With Apple and Goldman reviewing the feasibility of issuing a new understood by all? Do these frameworks use https://bit.ly/2RCieXY credit card or the old news of Internet of Things quantitative factors or qualitative factors to evaluate (IoT) or driverless cars, enterprise risk and cyberrisk risk? Short of performing a scientific survey of departments or groups must be working overtime organizations to inventory and evaluate the to evaluate and drive the analysis of risk.
    [Show full text]
  • A Risk Management Framework for IT Systems Which Adopt Cloud Computing
    future internet Article ERMOCTAVE: A Risk Management Framework for IT Systems Which Adopt Cloud Computing Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,* 1 ING Bank, B-1040 Brussels, Belgium; [email protected] 2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea; [email protected] 3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea * Correspondence: [email protected]; Tel.: +82-54-478-7526 Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019 Abstract: Many companies are adapting cloud computing technology because moving to the cloud has an array of benefits. During decision-making, having processed for adopting cloud computing, the importance of risk management is progressively recognized. However, traditional risk management methods cannot be applied directly to cloud computing when data are transmitted and processed by external providers. When they are directly applied, risk management processes can fail by ignoring the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix this backdrop, this paper introduces a new risk management method, Enterprise Risk Management for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management methods by combining each component with another processes for comprehensive perception of risks. In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller migrates some modules to Microsoft Azure cloud.
    [Show full text]
  • ISACA's Risk IT in a Cloud-Based Environment
    ISACA’s Risk IT in a Cloud-based environment Kamal Khan, CISA, CISSP, MBCS, CITP Director, ISACA London Chapter March 2020 Confidential. For internal use only. Agenda • Introduction • Risk IT • Using Risk IT in a Cloud Environment • Conclusion Introduction • Kamal Khan, Director of ISACA London Chapter • Over 30 years experience in Information Systems Audit and Control • Worked in Banking, Utilities, Oil and Gas industries • Worked on initial version of Risk IT and current one which is being revised as Subject Matter Expert • ISACA London Chapter: • ISACA® is the voice of the information systems audit, IT governance, risk management and cybersecurity professions. • The ISACA London Chapter • First in the UK • Established in 1981 • Over 4,200 members, largest in the world Risk IT Confidential. For internal use only. Who uses a formal risk management process for their Cloud environment? Who has heard of ISACA Risk IT? What is Risk IT • An ISACA publication. • An end-to-end, comprehensive view of all risks related to the use of IT • Consists of two documents • The Risk IT Framework • The Risk IT Practiotoner Guide Risk IT Principles Confidential. For internal use only. Can we treat Risks in IT separately Enterprise Risk? Risk Universe • IT Risk is a component of the overall risk universe • Also a component of Strategic Risk, Environmental risk etc Enterprise Risk Strategic Environmental Market Operational Credit Compliance Risk Risk Risk Risk Risk Risk IT-related Risk IT Programme and Project IT Operations and IT Benefit / Value Risk Delivery
    [Show full text]
  • Auditing IS/IT Risk Management, Part 1
    Ed Gelbstein, Ph.D., 1940-2015, worked in Auditing IS/IT Risk Management, Part 1 IS/IT in the private and public sectors in various countries There are significant differences between THE PRACTICE for more than 50 years. conducting an IS/IT audit and conducting an IS/ Unfortunately, this is not always the case. This Gelbstein did analog and IT risk management audit. author audited several well-known organizations digital development in the that merely played lip service to risk management 1960s, incorporated digital THE THEORY at all levels. They went through the motions of computers in the control IS/IT auditors ought to be knowledgeable about engaging consultants to run a brief workshop systems for continuous the risk owned by the chief information officer on risk maps (heat maps), asked their staff to process in the late ‘60s and (CIO) and her/his team and those that have been develop them quickly, put them all in a big file early ‘70s, and managed externalized (outsourcing, cloud services, other and claimed they had done risk management. projects of increasing providers, vendors, etc.). In an ideal situation, at Given that internal audit and ERM both exist size and complexity until the least some of the IS/IT audit team should have to provide independent and robust advice to early 1990s. In the ‘90s, he a certification such as ISACA’s Certified in Risk senior management, friction between them—let became an executive at the and Information Systems Control™ (CRISC™). alone a turf war—would be bad for business. preprivatized British Railways Those involved in the enterprise risk This article provides a map of the IS/IT management (ERM) function should be able risk management activities that are auditable and then the United Nations to determine the business impact of the risk and shows how to maintain a collaborative global computing and data associated with IS/IT.
    [Show full text]
  • Risk Management & Governance
    RISK MANAGEMENT & GOVERNANCE KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Pete Burnap – Cardiff University EDITOR: Awais Rashid – University of Bristol REVIEWERS: Chris Johnson – University of Glasgow Ragnor Lofstedt – Kings College, London Jason Nurse – University of Kent Adam Shostack – Shostack & Associates © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Risk Management and Governance Pete Burnap July 2019 INTRODUCTION This Knowledge Area will explain the fundamental principles of cyber risk assessment and manage- ment and their role in risk governance, expanding on these to cover the knowledge required to gain a working understanding of the topic and its sub-areas. We begin by discussing the relationship be- tween everyday risk and why this is important in today’s interconnected digital world. We explain why, as humans, we need effective risk assessment and management principles to support the capture and communication of factors that may impact our values.
    [Show full text]
  • Risk It Practitioner Guide
    TTHEHE RRISKISK ITIT PPRACTITIONERRACTITIONER GGUIDEUIDE Risk Universe, Appetite and Tolerance Risk Awareness, Communication and Reporting Expressing and Describing Risk, Risk Scenarios Risk Responses and Prioritisation Using COBIT® and Val ITTM THE RISK IT PRACTITIONER GUIDE ISACA® With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®), and Certified in the Governance of Enterprise IT® (CGEIT®) designations. ISACA developed and continually updates the COBIT, ® Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfil their IT governance responsibilities and deliver value to the business. Disclaimer ISACA has designed and created The Risk IT Practitioner Guide (the ‘Work’) primarily as an educational resource for chief information officers (CIOs), senior management and IT management. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, officers and managers should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.
    [Show full text]
  • Risk IT a Set of Guiding Principles and the First Framework to Help
    What is Risk IT? www.isaca.org/riskit Risk IT is: • A framework to help establish effective governance and management of IT risk • Part of ISACA’s product portfolio on IT governance • A framework based on a set of guiding principles for effective management of IT risk Risk IT A set of guiding principles and the first framework to help enterprises identify, What does Risk IT do? 3701 Algonquin Road, Suite 1010 govern and effectively manage IT risk. Risk IT: Rolling Meadows, IL 60008 USA • Allows enterprises to customize the components provided in the framework Web site: www.isaca.org to suit their particular needs • Provides an end-to-end, comprehensive view of all risks related to the use of Phone: +1.847.660.5700 IT and a similarly thorough treatment of risk management, from the tone and Fax: +1.847.253.1443 culture at the top, to operational issues E-mail: [email protected] • Enables enterprises to understand and manage all significant IT risk types • Provides tangible business benefits • Allows the enterprise to make appropriate risk-aware decisions • Explains how to capitalize on an investment made in an IT internal control system already in place to manage IT-related risk • Enables integration with overall risk and compliance structures within the enterprise when assessing and managing IT risk What are the benefits of using Risk IT? The benefits of using Risk IT include: • A common language to help communication amongst business, IT, risk and audit management • End-to-end guidance on how to manage IT-related risks • A complete risk profile to better understand risk, so as to better utilize enterprise resources • A better understanding of the roles and responsibilities with regard to IT risk management • Alignment with ERM • A better view of IT-related risk and its financial implications • Fewer operational surprises and failures • Increased information quality • Greater stakeholder confidence and reduced regulatory concerns • Innovative applications supporting new business initiatives In business today, risk plays a critical role.
    [Show full text]
  • CENTER for INFORMATION SYSTEMS RESEARCH IT Risk
    CENTER FOR Massachusetts INFORMATION Institute of SYSTEMS Technology RESEARCH Sloan School Cambridge of Management Massachusetts IT Risk Management: From IT Necessity to Strategic Business Value George Westerman December 2006 CISR WP No. 366 and MIT Sloan WP No. 4658-07 © 2006 Massachusetts Institute of Technology. All rights reserved. Research Article: a completed research article drawing on one or more CISR research projects that presents management frameworks, findings and recommendations. Research Summary: a summary of a research project with preliminary findings. Research Briefings: a collection of short executive summaries of key findings from research projects. Case Study: an in-depth description of a firm’s approach to an IT management issue (intended for MBA and executive education). Technical Research Report: a traditional academically rigorous research paper with detailed methodology, analysis, findings and references. CISR Working Paper No. 366 Title: IT Risk Management: From IT Necessity to Strategic Business Value Author: George Westerman Date: December 2006 Abstract: With information technology becoming an increasingly important part of every enterprise, managing IT risk has become critically important for CIOs and their business counterparts. However, the complexity of IT makes it very difficult to understand and make good decisions about IT risks. CISR research has identified four business risks ⎯ Availability, Access, Accuracy, and Agility ⎯ that are most affected by IT. Since nearly every major IT decision involves conscious or unconscious tradeoffs among the four IT risks, IT and business executives must understand and prioritize their enterprise’s position on each. Three core disciplines ⎯ IT foundation, risk governance process, and risk aware culture ⎯ constitute an effective risk management capability.
    [Show full text]
  • IT Risk Assessment
    IT Risk Assessment Happiest People . Happiest Customers Contents Contents…………………………………………………………………………………………………………2 Introduction………………………………………………………………………………………………..........3 What benefits accrue from an IT risk assessment?………………………………………………………...3 Conducting an IT Risk Assessment………………………………………………….............………………4 Common Pitfalls to Avoid…………………………………………...................………………….……….....5 Our solution for conducting an efficacious IT Risk Assessment.................………………….………......5 Conclusion……………………………………………………………………………………………………….5 About the Author……………………………………………………………………………………………......6 2 © Happiest Minds Technologies. All Rights Reserved Introduction A 2014 study by the Ponemon Institute and HP showed that the average annual cost of cyber crime incurred by U.S. organiza- tions has risen by 96% between 2010 and 2014, to a staggering $12.7 million. All organizations are aware of the danger posed by hackers out to steal data and money, and yet, many fail to keep their security policies and systems updated. Outdated software with vulnerabilities and practices that leave the organization open to threat are still common. In order to protect your organization, you must methodically evaluate the risks, threats, and vulnerabilities surrounding your IT infrastructure. In short, you need an IT Risk Assessment. An IT Risk Assessment is a comprehensive review of the IT organization, with the objective of identifying existing flaws that could be exploited to threaten the security of the network and data. It serves as the basis for deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. What benefits accrue from an IT risk assessment? An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy.
    [Show full text]
  • Questioning the Need for Separate IT Risk Management Frameworks
    Questioning the need for separate IT risk management frameworks Nicolas Racz1, Edgar Weippl1,Andreas Seufert2 1Institut fürSoftwaretechnik undInteraktive Systeme TU Wien Favoritenstr. 9-11/188 1040 Wien,Austria 2Institut fürBusiness Intelligence, Steinbeis Hochschule Berlin {racz, eweippl}@ifs.tuwien.ac.at; [email protected] Abstract: Thegrowing importance of enterprise risk management andthe resultingintegration efforts put theneed for separate IT risk management frameworks in question. In this research we analysecommonand distinct elements of theCOSO enterprise risk management andISACA RiskITframeworks. The analysis affirmsthe hypothesis that separate IT risk managementframeworks are redundant. 1 Motivation The alignment of IT with business objectives is an important part of contemporaryIT management. Ever sincethe creationofthe terms “enterprise risk management” (ERM) and “governance,risk, andcompliance” (GRC) the searchfor integration possibilities within these disciplines has been ongoing. Howeveras of todaydifferent frameworks are used forthe management of business risksand IT risks. The emergenceofhorizontal integration(across disciplines andacross departments) andvertical integration(across the organisationalhierarchyand across processlevels) has helped to realise that formerly separate approaches areoften redundant[Mi07],which provokes the authorstoestablish the hypothesis that a separate management of IT risksmight not be justified. 2 Status quo in research andpractice A quick scan of the ACM, SpringerLinkand EmeraldInsight
    [Show full text]