
100635 Journal vol 1 2019_Layout 1 12/12/18 12:52 PM Page 40

FEATURE

The Optimal Management Framework: Identifying the Requirements and Selecting the Framework

The tremendous rise of cybersecurity attacks, coupled with organizations’ exploration of new technologies such as artificial intelligence (AI) and blockchain to expand their business or better secure their controls, gives cause to review the foundational framework that is being used to identify, assess and action IT risk impacting business objectives. This is a perpetual struggle: reviewing the use of new technologies and their impact to the organization’s objectives, profit mentality and revenue streams. With Apple and Goldman reviewing the feasibility of issuing a new credit card or the old news of Internet of Things (IoT) or driverless cars, enterprise risk and cyberrisk departments or groups must be working overtime to evaluate and drive the analysis of risk. Some organizations have their own risk management frameworks that are modeled after COBIT®. Others have their own proprietary frameworks or use a hybrid of frameworks.

Selecting a Method or Framework

What criteria are firms using to select the frameworks they use? How often are these frameworks and their basic tenets reviewed? Is the selected framework communicated to the employees of the firm? Is the framework or methodology selected by the firm understood by all? Do these frameworks use quantitative factors or qualitative factors to evaluate risk? Short of performing a scientific survey of organizations to inventory and evaluate the commonly used risk methods, frameworks, their pros and cons, and their methods of implementation, the National Cyber Security Centre, a part of Government Communications Headquarters (GCHQ), an intelligence and security organization for the United Kingdom, summarized the commonly used risk methods and frameworks.[1] ISACA’s Risk IT Framework Excerpt[2] was referenced to understand the essentials of risk governance and the purpose and intended audience of the risk framework. Using the guidance from ISACA® and GCHQ can provide a reference point to determine the optimal framework and enablers to evaluate technology risk. What are several of the gaps in the frameworks that give one pause?

Larry Marks, CISA, CRISC, CGEIT, CFE, CISSP, CSTE, ITIL, PMP

Has focused his career on leading through collaboration to ensure best practices are implemented to assist compliance and process improvement. He has focused on audit, security, risk, compliance, privacy and program/project management across financial services, healthcare and telecommunications. Marks has extensive experience in designing, managing, auditing and implementing IT processes, policies, controls and technology. He has managed teams, priorities and expectations across business and IT leadership while delivering fit-for-purpose services. He is a peer reviewer for the ISACA® Journal and the Association of Certified Fraud Examiners’ (ACFE) Fraud Magazine. Marks is also associate editor for Journal: A Global Perspective, published by (ISC)2, and contributes book reviews to InfoSecurity Professional. Marks was recently selected to be a member of the Rutgers University Cyber Advisory Council (New Brunswick, New Jersey, USA). He has been a developer of ISACA® white papers and has authored/coauthored ISACA audit programs. He currently holds a leadership position in the ACFE New Jersey (USA) chapter. Marks is an active volunteer with ISACA, having recently served on its Certified in Risk and Information Systems Control™ (CRISC™) Exam Writing Team, and is part of the Project Management Institute’s ISO Committee. He is also a blogger and contributor to the leadership section of ProjectManagement.com. His work has been published in (ISC)2 Security Journal, PMI Journal and the ISACA Journal.

40 ISACA JOURNAL VOL 1

Ensure the Selection Meets the Needs

To ensure that the risk management framework meets the organization’s needs, the criteria shown in figure 1 should be used.

Determine the Right Time to Use a Risk Method or Framework

Management and risk assessors, along with the business, need to understand not only how, but when to use risk methods or frameworks. One framework should cover all situations or should be able to be customized to the current threats and vectors affecting cyber or IoT.

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27005:2001 mentions,

    Assessment and analysis is only effective in situations where it can be used to obtain new information, in support of decision making and management, since the scenario is knowable.[3]

As a result, it is preferable that organizations use a variety of different approaches.

It is recommended that a risk framework, assessment and supporting analysis be used to help guide IT and the business in driving value to the organization. It should help determine priorities and expectations.

Costs and Prerequisites

Given the broad and generic nature of the guidance, specialist skilled resources are needed to tailor the implementation to the requirements of the business. The cost of these resources should be considered along with the cost of purchasing the standards.[4]

The risk IT principles used should be flexible enough to adjust to current threats and risk and, where possible, should provide the basis for the practitioner to inventory the business-related and IT risk impacting the enterprise.

Recommendations

Organizations are using the US National Institute of Standards and Technology (NIST) Cybersecurity Framework to customize their assessment of controls related to cyber or cloud to mitigate the threats and other risk impacting the network assets or enterprise IT structure, COBIT, and other frameworks. The following assumptions are applicable:

• Vectors, such as IoT, continue to challenge business and security professionals alike on a methodology to respond.
• Skill sets to implement a framework may become immature.
• One risk framework may not fit all firms or fit the entire firm.
• A risk framework may fit some scenarios, but not all scenarios.
• NIST; Federal Financial Institutions Examination Council (FFIEC); and Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) have at their core, or reference, COBIT.
• The risk framework has to be nimble, simple to use, consistent and adaptable to different scenarios.
• The design and implementation of the risk framework should be kept simple.
• There may be licensing restrictions or limitations on available resources to design and implement a framework or keep its implementation evergreen.
• The threat to the organization may be too complex or inconsistent to be understood.
• ISACA’s Risk IT principles[5] should be followed:
  – Connect to the business objectives.
  – Align the IT risk with enterprise risk management (ERM).
  – Function as part of the daily activities.
  – Establish tone at the top and accountability.
  – Promote fair and open communication.
  – Balance the cost/benefit of IT risk.
  – Share risk with senior management. There should be no separate silos of risk that may not be communicated to employees.

Accounting for these assumptions, practicable recommendations follow. No matter the method, the basic elements of the framework should include the following:

• What is the risk?
• Can the risk be evaluated on a quantitative or qualitative basis?
• The criteria for selection and implementation of the framework should be understood by the business.
• The business should be a partner in collaborating on how the risk or threat affects the people, processes or technology of the organization and in helping to prioritize the risk remediation approach and strategy.
• The strategy for implementing the framework should be simple and unscheduled.
• The required resources and response to the risk must be proportionate and sustainable to the risk and threat.
• Before an organization contacts a vendor requesting a risk management product, the objective for the product’s purchase, selection and implementation should be approved by senior management. There are too many vendors who are willing to sell a risk method or assessment to support management’s decision-making. Management must first decide on the objective, approach and time frame to communicate, implement and select the framework, and establish a threat response methodology that prioritizes the threats and techniques.
• It should be understood that the staff may not know about all threats all the time to know how to respond to each and cannot always expect that the framework will give this guidance.

Conclusions

Each risk management framework has its pros and cons, as illustrated in figures 2 and 3.[6, 7, 8, 9, 10, 11, 12] Practitioners should use the simplest framework that meets their requirements and use common sense to ensure its proper implementation and communication. There is no finite list of requirements. As organizations conduct their periodic risk control assessments, they must ensure that their selection meets their needs. Risk control assessments change over time. ISACA’s Risk IT principles help the user determine the proper framework and guide its implementation, communication and ensure that it remains evergreen.

Figure 2—Risk IT Principles

(Diagram: “Risk IT Principles” at the center, surrounded by six principles: Connect to Business Objectives; Align IT Risk Management With ERM; Function as Part of Daily Activities; Establish Tone at the Top and Accountability; Balance Cost/Benefit of IT Risk; Promote Fair and Open Communication.)

Source: ISACA, The Risk IT Framework Excerpt, USA, 2009. Reprinted with permission.


Figure 3—Comparison of Risk Frameworks

Frameworks compared in each row: COBIT® 5; NIST 800-37, Rev. 2; OCTAVE Allegro; European Union Agency for Network and Information Security (ENISA); Communications-Electronics Security Group (CESG) Information Assurance Standard 1 & 2; plus a Comment(s) column.

Purpose of Risk Management Framework (RMF)
– COBIT 5: N/A
– NIST 800-37, Rev. 2: N/A
– OCTAVE Allegro: “The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology originates from Carnegie Mellon University in the USA. Older versions of [OCTAVE] are still in use but the most recent version, OCTAVE Allegro, is more streamlined and is actively supported. It is primarily intended as a qualitative assessment, although may be used for simple quantitative analysis.” (NCSC)
– ENISA: The main motivation behind the framework is addressing the uncertainty of accumulation risk and/or related cyberincidents. (WP2017 O-3-3-2 1 Recommendations on Cyber Insurance)
– CESG IA Standard 1 & 2: Purposes of issuing advice to UK government, public sector organizations

Audience
– COBIT 5: All
– NIST 800-37, Rev. 2: All
– OCTAVE Allegro: Small group of participants from the operational and IT areas of the business, not requiring extensive expertise
– ENISA: N/A
– CESG IA Standard 1 & 2: Predominantly by central government departments, the wider public sector and its suppliers

Number of Enablers
– COBIT 5: 7
– NIST 800-37, Rev. 2: N/A
– OCTAVE Allegro: N/A
– ENISA: N/A
– CESG IA Standard 1 & 2: Not available

Description of Enablers (NIST 800-37, OCTAVE Allegro and ENISA show N/A for each enabler; the CESG entry is given where the source lists one)
1. Principles, Policies and Frameworks—Risk principles, risk policies and compliance approaches. CESG: Policy impacts considered in light of real-world scenarios to identify risk
2. Processes—The core risk processes in the Evaluate, Direct and Monitor (EDM) and Align, Plan and Organize (APO) domains, as well as the application of many other processes to the risk function. CESG: Risk appetite
3. Organizational Structures—ERM committee, chief risk … CESG: Technical risk assessment
4. Culture, Ethics and Behavior—Enterprisewide behavior, management behavior and risk professionals’ behavior supporting risk management. CESG: Risk treatment and accreditation obligations
5. … risk scenarios, risk map. CESG: N/A
6. Services, Infrastructure and Applications—Emerging risk advisory services. CESG: N/A
7. People, Skills and … in Risk and Information Systems Control™, risk management and technical skills. CESG: N/A

Number of Phases
– COBIT 5: 7
– NIST 800-37, Rev. 2: N/A
– OCTAVE Allegro: N/A
– 20 (column not legible in the source)


Figure 3—Comparison of Risk Frameworks (cont.)

Risk Management Framework Steps/Processes
– COBIT 5: Evaluate, Direct and Monitor; Align, Plan and Organize; Build, Acquire and Implement; Deliver, Service and Support; Monitor, Evaluate and Assess
– NIST 800-37, Rev. 2: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
– OCTAVE Allegro: N/A
– ENISA: N/A
– CESG IA Standard 1 & 2: N/A

Objectives
– COBIT 5: Governance and management of enterprise information technology (IT)
– NIST 800-37, Rev. 2: “There are seven major objectives for this update:
  • To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  • To institutionalize critical organization-wide risk management preparatory activities to facilitate a … and cost-effective execution of the RMF;
  • To demonstrate how the Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
  • To integrate privacy risk management concepts and principles into the RMF and support the use of the consolidated security and privacy control catalog in NIST Special Publication 800-53, Revision 5;
  • To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160 with the steps in the RMF;
  • To integrate supply chain risk management (SCRM) concepts into the RMF to protect against untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, poor manufacturing and development practices throughout the SDLC; and
  • To provide an alternative organization-generated control selection approach to complement the traditional baseline control selection approach.”
– OCTAVE Allegro: N/A
– ENISA: N/A
– CESG IA Standard 1 & 2: “Intended to support setting an organization’s Information Security Strategy, supporting IA structures, policies and processes”


Figure 3—Comparison of Risk Frameworks (cont.)

Provision for Security and Privacy Risk
– COBIT 5: Yes
– NIST 800-37, Rev. 2: Yes. The RMF addresses security and privacy risk from two distinct perspectives—an information system perspective and a common controls perspective.
– OCTAVE Allegro: N/A
– ENISA: Acceptance of privacy
– Comment(s): reference to privacy

Provision for Cloud Computing Risk?
– COBIT 5: Yes. Controls and Assurance in the Cloud: Using COBIT® 5 published.
– NIST 800-37, Rev. 2: No
– OCTAVE Allegro: N/A
– ENISA: cloud computing
– Comment(s): reference to cloud computing

Covers Cyber and Emerging Risk?
– COBIT 5: Yes
– NIST 800-37, Rev. 2: N/A
– OCTAVE Allegro: N/A
– Yes (column not legible in the source)

Drivers for Risk Management
– COBIT 5: “The need to improve business outcomes, decision making and overall strategy”
– NIST 800-37, Rev. 2; OCTAVE Allegro; ENISA; CESG IA Standard 1 & 2: N/A

General Description of Roles and Responsibilities
– No for all five frameworks

RACI Chart Available
– No for all five frameworks

Use of Quantitative Factors to Evaluate Risk?
– No for all five frameworks

Editor’s Note

ISACA recently released COBIT® 2019 (www.isaca.org/COBIT). COBIT 2019 is an evolution of COBIT® and incorporates Risk IT, similar to the approach in COBIT® 5. A COBIT 2019 Risk Focus area is in development and is expected to be released in 2019.

Endnotes

1. National Cyber Security Centre, “Summary of Risk Methods and Frameworks,” United Kingdom, 23 September 2016, https://www.ncsc.gov.uk/guidance/summary-risk-methods-and-frameworks
2. ISACA®, The Risk IT Framework Excerpt, USA, 2009, www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework-Excerpt_fmk_Eng_0109.pdf
3. Op cit National Cyber Security Centre
4. Ibid.
5. Op cit ISACA
6. Op cit National Cyber Security Centre
7. National Institute of Standards and Technology, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems,” NIST Special Publication 800-160, USA, November 2016, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-160.pdf
8. ISACA, COBIT® 5 for Risk, USA, 2013, www.isaca.org/COBIT/Pages/Risk-product-page.aspx
9. European Union Agency for Network and Information Security, “Octave v2.0,” https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_octave.html
10. Caralli, R.; J. Stevens; L. Young; W. Wilson; Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, Carnegie Mellon, USA, May 2007, https://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf
11. National Institute of Standards and Technology, “Information Risk Management: HMG IA Standard Numbers 1 and 2,” USA, 8 August 2015, https://www.ncsc.gov.uk/guidance/information-risk-management-hmg-ia-standard-numbers-1-2
12. European Union Agency for Network and Information Security, “Recommendations on Cyber Insurance,” https://www.enisa.europa.eu/procurement/recommendations-on-cyber-insurance