ISACA's Risk IT in a Cloud-Based Environment

Home , IT risk, IT risk management, Risk IT

ISACA’s Risk IT in a Cloud-based environment

Kamal Khan, CISA, CISSP, MBCS, CITP Director, ISACA London Chapter

March 2020

Confidential. For internal use only. Agenda

• Introduction • Risk IT • Using Risk IT in a Cloud Environment • Conclusion Introduction

• Kamal Khan, Director of ISACA London Chapter • Over 30 years experience in Information Systems Audit and Control • Worked in Banking, Utilities, Oil and Gas industries • Worked on initial version of Risk IT and current one which is being revised as Subject Matter Expert • ISACA London Chapter: • ISACA® is the voice of the information systems audit, IT governance, risk management and cybersecurity professions. • The ISACA London Chapter • First in the UK • Established in 1981 • Over 4,200 members, largest in the world Risk IT

Confidential. For internal use only. Who uses a formal risk management process for their Cloud environment? Who has heard of ISACA Risk IT? What is Risk IT

• An ISACA publication. • An end-to-end, comprehensive view of all risks related to the use of IT • Consists of two documents • The Risk IT Framework • The Risk IT Practiotoner Guide Risk IT Principles

Confidential. For internal use only. Can we treat Risks in IT separately Enterprise Risk? Risk Universe

• IT Risk is a component of the overall risk universe • Also a component of Strategic Risk, Environmental risk etc

Enterprise Risk

Strategic Environmental Market Operational Credit Compliance Risk Risk Risk Risk Risk Risk IT-related Risk IT Programme and Project IT Operations and IT Benefit / Value Risk Delivery Risk Service Deliivery Risk Risk Culture Conservative Aggressive Risk Taking Risk Taking Behavriour Towards Taking Risk

Risk Learning Culture Compliance Culture Behavriour Behavriour Towards Towards Negative Policy Blaming Outcomes Compliance Non- Culture compliance Risk IT Principles Connect to Business Objectives • Risk IT is about business risk Function as Align IT Risk related to the use of IT: part of daily with ERM • Always connect to business objectives activities • Align the management of IT-related business risk with overall ERM Risk IT • Balance the costs and benefits of managing Principles IT risk • Establish the right tone from the top and define and enforce personal accountability Establish Tone Balance Cost / at the Top and Benefit of IT for operating within tolerance levels Accountability Risk • A continuous process and part of daily activities Promote fair and open communication Risk IT Framework

Confidential. For internal use only. Integrate Activities Risk IT Framework with ERM Processes Risk- Common aware risk view Decisions

RISK GOVERNANCE IT risk management practices Domain are embedded in the Activities enterprise

Collect Processes Activities Processes Articulate Risk Data Maintain Business Analyse Manage React to Risk Objectives Risk Risk Events Profile

RISK EVALUATION RISK EVALUATION IT-related risks and IT-related risks and Domain opportunities are identified, opportunities are identified, analysed and presented in Domain analysed and presented in Communication business terms business terms Risk Governance

Confidential. For internal use only. Common Risk View

Defining a Risk Universe • Objective: • Define: • Considerations in a Cloud • Define and • The Entity environment: describe the overall • External Environment • Ceding control to the Cloud Provider (CP) environment subject to risk • Internal Environment • Impact on the organization’s strategy and management • Risk Management capacity to meet its mission and goals Capability • Impossibility of complying with the security • IT Management Capability requirements • Deterioration of performance and quality of service • Introduction of compliance challenges. Risk Evaluation

Confidential. For internal use only. Analyse Risk

Estimate IT Risk • Objective: • IT Risk Scenarios: • Cloud environment risk example • Define and • Actor or scenario: understand IT- • Threat type • Actor: External attacker related risk using risk scenario • Event • Threat Type: Malicious act analysis. • Asset / Resource • Event: Disclosure • Risk scenario • Time: Timing, Duration, • Asset: Encryption Keys analysis is a Time lag • Time: Immediate downtime / Data may not technique to make be recoverable / Immediately detected IT risk more concrete and tangible Compliance Contractual skills and expertiseCloud provider Cloud of Performance / Selection aapoeto risks protection Data Tresassing Logical

High Level Risk Scenario ◉ ◉ ◉ ◉ ◉ Internal Internal External Internal External Internal External

Actor Disclosure Malicious Failure Failure Failure

Threat Type Personal sensitivedata Personal ◉ ◉ ◉ ◉ design Ineffective design Ineffective Disclosure use Inappropriate design Ineffective executionIneffective

Event (information) ◉ security) ◉ (information) ◉ security) ◉ requirements) externaltocompliance ◉ resources) human IT (manage Process design Ineffective Enterprise architecture architecture Enterprise systems (ensure Process architecture Enterprise systems (ensure Process (ensure Process

Asset / Resource ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ Timing (non Timing (non Timing (non Timing (unknown) Timing (non Timing Detecion (slow) Detecion (extended)Duration (slow) Detecion (extended)Duration (slow) Detecion (extended)Duration (instant) Detecion (extended)Duration (slow) Detecion (extended)Duration - - - - critical) critical) critical) critical) Time ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ ◉ Users circumventing logical logical rights acces circumventing Users logical rights acces circumventing Users Users sensitivedata stealing Users information unauthorised to access obtaining Users sensitive dataUsers stealing information unauthorised to access obtaining Users met not customers with obligations Contractual Cloud of mismatch or Lack ProviderCloude of performance Inadequate Provider Cloud from and services support Inadequate Negative Example Scenarios Example Negative - related skills related project delivery and value delivery deliveryvalueandproject ◉ delivery service ◉ partner strategic a Provieras Cloud Attracting the appropriate staff increases increases staff appropriate the Attracting Correct staff and skill mix will will skill support mixand staff Correct Positive Example Scenarios Example Positive Cloud Cloud provider Performance of Selection /

High Level Risk Scenario Internal

Actor Failure

Threat Type Ineffective design

Event Ineffective design

Asset / Resource ◉ ◉ ◉ Timing Timing (non Detecion (slow) Duration (extended) -

critical) Time ◉ Provider ◉ Inadequate performance of Cloude Provider Inadequate support and services from Cloud NegativeExample Scenarios Cloud PositiveExample Scenarios Provier as a strategic partner Manage risk

Confidential. For internal use only. Manage Risk

Implement controls • Objective: • Generic Scenarios: • Cloud environment risk example • Provide guidance • Control Title scenario: on how CobiT • Control Description • Generic scenario: Cloud provider Selection control objectives and management • Control Title: Supplier Selection practices can help • CobiT Control Objective: Select Cloud in risk mitigation provider according to a fair and formal activities. practice Generic Scenario Control Title CobiT Control Objective Cloud provider Selection Supplier Selection Select Cloud provider according to a fair and formal practice to ensur a viable best fit based on specified requirements. Requirements should be optimised with input from potential suppliers

Supplier Relation Formalise the relationship management processs for each Cloud provider. Ensure the quality of the Management relationship based on trust and transparency (eg through SLA's)

Contractual Compliance Supplier Contract Set up a proceudre for establishing, modifyng and terminating contracts for Cloud provders. Include Management minimum, legal, financial, etc responsibilities and liabilities

IT expertise and skills Personnel recruitment and Maintain it personnel recruitment processes to ensure that the organsation has an adequate Cloud retention expertise

Personnel Training Provide employees with on-going training to maintain their Cloud knowledge and skills.

Logical Tresassing Security Testing, Test and monitor the IT security to ensure that the information security baseline is maintained. A logging Surveillance and monitoring and monitoring function will enable early prevention and / or detectionof unusual activities

Data protection risks Security Requirements for Define and implement policies and procedures to identify and apply security requirements appicable to the Data Management receipt, processing, storage and output of data Generic Scenario Control Title CobiT Control Objective Cloud provider Supplier Selection Select Cloud provider according to a fair and formal practice to ensur a viable best fit based Selection on specified requirements. Requirements should be optimised with input from potential suppliers

Supplier Relation Formalise the relationship management processs for each Cloud provider. Ensure the Management quality of the relationship based on trust and transparency (eg through SLA's) Conclusion

• Risk IT is a a powerful tool that can help manage all aspects of Cloud environment • Provides all the tools you need to manage wrapped into a practical and comprehensive framework. • Has a strong business focus that enables the Board, Management, Regulators, Service Providers, IT Departments and Users to speak a common language.