DOCSLIB.ORG

Auditing IS/IT Risk Management, Part 1

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Auditing IS/IT Risk Management, Part 1 Ed Gelbstein, Ph.D., 1940-2015, worked in Auditing IS/IT Risk Management, Part 1 IS/IT in the private and public sectors in various countries There are significant differences between THE PRACTICE for more than 50 years. conducting an IS/IT audit and conducting an IS/ Unfortunately, this is not always the case. This Gelbstein did analog and IT risk management audit. author audited several well-known organizations digital development in the that merely played lip service to risk management 1960s, incorporated digital THE THEORY at all levels. They went through the motions of computers in the control IS/IT auditors ought to be knowledgeable about engaging consultants to run a brief workshop systems for continuous the risk owned by the chief information officer on risk maps (heat maps), asked their staff to process in the late ‘60s and (CIO) and her/his team and those that have been develop them quickly, put them all in a big file early ‘70s, and managed externalized (outsourcing, cloud services, other and claimed they had done risk management. projects of increasing providers, vendors, etc.). In an ideal situation, at Given that internal audit and ERM both exist size and complexity until the least some of the IS/IT audit team should have to provide independent and robust advice to early 1990s. In the ‘90s, he a certification such as ISACA’s Certified in Risk senior management, friction between them—let became an executive at the and Information Systems Control™ (CRISC™). alone a turf war—would be bad for business. preprivatized British Railways Those involved in the enterprise risk This article provides a map of the IS/IT management (ERM) function should be able risk management activities that are auditable and then the United Nations to determine the business impact of the risk and shows how to maintain a collaborative global computing and data associated with IS/IT. Ideally, at least some of the relationship with the ERM team while avoiding communications provider. team should have a certification such as Certified conflicts of interest. Following his (semi) Information Systems Auditor® (CISA®) or Certified retirement from the UN, Information Security Manager® (CISM®).1 AUDITABLE ACTIVITIES he joined the audit teams of In 1999, The Institute of Internal Auditors Figure 1 shows a top-level map of the things an the UN Board of Auditors and (The IIA) published an updated definition auditor may consider including in an IS/IT risk the French National Audit of internal auditing, describing it as “an management audit assumed to be conducted by Office. Thanks to his generous independent, objective assurance and consulting the CIO and her/his team. spirit and prolific writing, activity designed to add value and improve an The organization’s business continuity and his column will continue to organization’s operations. It helps an organization impact assessment studies, assuming they be published in the ISACA® accomplish its objectives by bringing a exist and are regularly updated, assist the Journal posthumously. systematic, disciplined approach to evaluate and auditors in defining the scope of audit. If these improve the effectiveness of risk management, do not exist or are outdated, the first critical Do you have control and governance processes.”2 audit recommendation should be that they be something The Risk Management Society (RIMS)3 defines conducted as a matter of urgency. to say about ERM as a strategic business discipline, while the Figure 1 illustrates that there are enough this article? IIA4 defines it as a structured, consistent and activities to keep auditors busy for quite a while, Visit the Journal continuous process across the whole organization. and a good start would be to find out which of pages of the ISACA The CIO should be able to provide them have been done, by whom and when. It may web site (www.isaca. appropriate risk assessments for systems and be useful to identify first if a formal framework org/journal), find the services, ideally based on a formal framework for risk management was adopted by the IS/ article and choose and, to the extent possible, quantified. These risk IT function and, if so, which one. Some are the Comments tab to assessments and a related risk register describing simplistic, such as drawing risk maps of little share your thoughts. mitigation plans, their ownership and time scales boxes colored green, yellow and red based on 5 Go directly to the article: should have a clear link to the business impact intuition, and others are relatively complex, analyses that support business continuity plans. requiring considerable time to master (e.g., Business managers and systems and data COBIT® 5 for Risk6 and Operationally Critical owners are responsible for prioritizing risk for Threat, Asset, and Vulnerability Evaluation appropriate action and, thus, become the risk [OCTAVE],7 available in versions for large and owners. This implies that internal audit takes on smaller organizations). an assurance role that excludes consulting and partnering in risk management. ©2016 ISACA. All rights reserved. www.isaca.org ISACA JOURNAL VOLUME 2, 2016 1 Figure 1—Scope of Auditable IS/IT Risk Management Activities COBIT® 5 for Risk Future event scenarios NIST SP 800-30 Project/Operations impact Risk Planning OCTAVE Business impact Framework Adopted CRAMM Financial/Legal impact VERIS Others Risk Communication Risk appetite Training Given Definitions Who was trained Quality of material Risk Monitoring Risk Management Active Auditable Activities Inspection IS/IT Business Risk Audit Business impact Corrective action Critical facilities Risk Management Risk Controls Risk identification Reactive System Risk evaluation Investigation Risk oversight Level of uncertainty Analysis Risk intelligence Residual risk ERM framework, e.g., COSO Risk prevention Risk transfer Role of ERM in IS/IT assessment Risk reduction Risk ownership Extent of IS/IT integration in ERM Risk detection Contingency plans Source: Ed Gelbstein. Reprinted with permission. Some risk assessment methodologies may be poorly suited including incident management and disaster recovery plans, for IS/IT, for example, those specifically designed to assess necessarily focus on the threats and vulnerabilities that can financial risk because they require complex calculations and adversely affect business operations without necessarily being access to historically consistent data. conversant with the contents of the various business impact Adopting a methodology is, in itself, not enough if those analyses carried out on a regular basis, the risk appetite of who need to apply it do not know how. This implies some the organization or the organization’s priorities for mitigating kind of training and much study. Study requires time, and business risk. in today’s corporate environment it is hard to make time8 as What often happens is that, having identified threats (from the “urgent” displaces the “important” and the trend toward hackers to earthquakes) and vulnerabilities (the usual triad of open plan accommodation and densely packed cubicles makes people, process and technology), the CIO moves quickly to concentration on learning harder to achieve. address issues that, in terms of business impact, may not be at all important and are, therefore, a poor use of resources. IS/IT RISK TRANSLATED INTO BUSINESS RISK Achieving a successful translation into business risk requires The Risk IT Practitioner Guide9 (issued before COBIT® 5 extensive dialog with business process owners, senior for Risk) is a valuable document. Figure 2 presents a variant management and the ERM team, and collaboration toward of one of the guide’s figures (figure 5 in chapter 1) that producing an integrated risk register that can then be used to shows how the starting point in the CIO’s risk assessments is request the resources needed to mitigate the highest risk to transformed into business risk. the business. The CIO and the chief information security officer However, this requires every one of the players to make (CISO), as custodians of the organization’s systems and data, time available for such discussions and engage in a spirit of 2 ISACA JOURNAL VOLUME 2, 2016 ©2016 ISACA. All rights reserved. www.isaca.org Figure 2—How IS/IT Risk Translates Into Business Risk Threats: Human accidental, human deliberate, natural forces Vulnerabilities: People, process, technology IT benefit/value IT program and IT operations and enablement risk project delivery risk service delivery risk IT-speak IT risk translated into enterprise risk and its potential impact Strategic Operational Financial Compliance Legal Reputational risk risk risk risk risk risk Business-speak Prioritized business risk Source: Ed Gelbstein. Reprinted with permission. collaboration, not allowing it to be inhibited by unavoidable IIA%20Executive%20Report%20Forging%20a%20 corporate politics. Small organizations may not have a formal Collaborative%20Alliance.pdf ERM team and/or business processes and may, therefore, have 3 The Risk and Insurance Management Society, www.rims.org limited knowledge of risk and impact assessment. 4 The Institute of Internal Auditors, www.theiia.org 5 Gelbstein, E.; “Quantifying Information Risk and PRELIMINARY CONCLUSION Security,” ISACA® Journal, vol. 4, 2013, www.isaca.org/ The reader may find the short article, “Writing Good Risk Journal/archives Statements,”10 very helpful. It confirms the statement, “If you 6 ISACA, COBIT® 5 for Risk, USA, 2013, www.isaca.org/ think this is simple, you just have not
Load more

Recommended publications
  • Mitigate Cyber Attack Risk Solution Brief
    SOLUTION BRIEF MITIGATE CYBER ATTACK RISK CONNECTING SECURITY, RISK MANAGEMENT & BUSINESS TEAMS TO MINIMIZE THE WIDESPREAD IMPACT OF A CYBER ATTACK DIGITAL TRANSFORMATION CREATES NEW RISKS As organizations extend technology deeper into their day-to-day business HIGH operations, their risk profiles evolve. DIGITAL RISK New digital risks—those unwanted and often unexpected outcomes that stem MEDIUM from digital transformation, digital business processes and the adoption RISK of related technologies—represent a LOW larger portion of potential obstacles to TRADITIONAL BUSINESS RISK achieving business objectives. While the digital technology creates new DIGITAL ADOPTION business opportunities, it frequently leads to higher levels of cybersecurity, FIGURE 1: Digital risk increasing the overall business risk as organizations embrace digital transformation. third-party, compliance and business resiliency risk. The impacts from these growing digital risks may be more disruptive than the operational risks that businesses have historically managed. In fact, many organizations are finding that as digital adoption accelerates, digital risk becomes the greatest facet of risk they face, especially growing cyber risks. AS ORGANIZATIONS EXPAND DIGITAL OPERATIONS, CYBER SECURITY RISKS MULTIPLY Organizations need to evolve to stay in front of rising cyber threats and their wide-reaching impact across increasingly digitized operations. Attackers continue to advance and use sophisticated techniques to infiltrate organizations which no longer have well defined perimeters. At the same time, responsibilities for detecting and responding to security It’s arguably impossible incidents are expanding beyond the security operations center (SOC). Business stakeholders continue to digitize their operations, elevating the risk and potential to prevent all cyber impact of cyber attacks.
    [Show full text]
  • Cybersecurity in a Digital Era.Pdf
    Digital McKinsey and Global Risk Practice Cybersecurity in a Digital Era June 2020 Introduction Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ- ment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT functions have had to think through how to protect increasingly valuable digital assets, how to assess threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models as companies adopt agile development and cloud computing. We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular: 1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza- tion, but also from application development, infrastructure, product development, customer care, finance, human resources, procurement and risk. A successful cybersecurity strategy supports the business, highlights the actions required from across the enterprise – and perhaps most importantly captures the imagination of the executive in how it can manage risk and also enable business innovation. 2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities to address and more protections you can consider than you will have capacity to implement. Even companies with large and increasing cybersecurity budgets face constraints in how much change the organization can absorb.
    [Show full text]
  • IT Risk Management and Control Frameworks
    IT Risk Management and Control Frameworks Guðjón Viðar Valdimarsson CIA, CFSA, CISA Product Manager and Internal Auditor Summary • Introduction or the “art” of Risk Management • The objectives, risks and controls • Risk Management Methodology • The control frameworks • IT Risk Management Introduction or the “art” of Risk Management “Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.” Or how to stop bad things from happening by figuring out what can happen and do something about it ! What do you need ? To do a risk assessment you need : Objectives/assets • What does management and the board want to aim for in terms of risk appetite and risk tolerance. • What are the critical assets and processess you want to protect Risks • What are the relevant risks for the subject/assets at hand Controls • What generally accepted control framework is appropriate for the subject matter. Risk Management Methodology There are a number areas of risk management areas depending on the industry or subject at hand. Risk Risk Risk Financial risk management Enterprise management management management activities as risk regarding of (VaR and applied to management natural information CVaR) project disasters technology management IT Risk Management The Certified Information Systems Auditor Review Manual provides the following definition of
    [Show full text]
  • The Reputational Impact of It Risk
    FALLOUT THE REPUTATIONAL IMPACT OF IT RISK IN ASSOCIATION WITH: CONTENTS Executive Summary ..............................................................................................................................................2 Introduction: The Black Friday data breach .................................................................................................3 Where the Risks Are: From Human Error to System Failure ................................................................ 5 Sidebar: The Promise and Perils of the Cloud............................................................................................11 Protecting Your Reputation in the Always-On World ............................................................................12 Conclusion ..............................................................................................................................................................18 Acknowledgments...............................................................................................................................................19 EXECUTIVE SUMMARY U.S. retailers were not the first to su!er a massive data breach. Nor will they be the last, as cyber attacks, security breaches and system outages proliferate. Shadow technology and expanding supply chains bring more risks. How can companies better protect their reputation by ensuring the continuous—and secure—flow of information to support their business? After all, a major part of the brand experience for most customers comes through the
    [Show full text]
  • Software Security Total Risk Management
    Software Security Total Risk Management SECURITY INNOVATION’S BLUEPRINT FOR EFFECTIVE PROGRAM DEVELOPMENT 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com Software Security Total Risk Management 2 Table of Contents Introduction ......................................................................................................................................3 Why Software Security Risk Management Matters .............................................................................3 Why Software Security Risk Management Gets Overlooked ................................................................4 Foundations of IT Risk Management ...................................................................................................5 Operational Integration, Availability and Security Risk Management ...................................................6 From ITSRM to Software Security Total Risk Management ..................................................................7 The Steps of the SSTRM......................................................................................................................8 Summary ......................................................................................................................................... 10 www.securityinnovation.com Software Security Total Risk Management INTRODUCTION 3 Introduction Current challenges of the financial services sector aside, risk management has a long and venerable tradition of practical success in the world of insurance
    [Show full text]
  • The Case for Enterprise Risk Management in Insurance Manage Risk, Change Your Business, Create Value, Achieve Your Objectives
    Research partner Independent research by The Case for Enterprise Risk Management in Insurance Manage risk, change your business, create value, achieve your objectives March 2017 About Chartis Chartis Research is the leading provider of research and analysis on the global market for risk technology. It is part of Incisive Media, which owns market-leading brands such as Risk and Waters Technology. Chartis’s goal is to support enterprises as they drive business performance through improved risk management, corporate governance and compliance and to help clients make informed technology and business decisions by providing in-depth analysis and actionable advice on virtually all aspects of risk technology. Areas of expertise include: • Credit risk • Operational risk and governance, risk and compliance (GRC) • Market risk • Asset and liability management (ALM) and liquidity risk • Energy and commodity trading risk • Financial crime including trader surveillance, anti-fraud and anti-money laundering • Cyber risk management • Insurance risk • Regulatory requirements including Basel 2 and 3, Dodd-Frank, MiFID II and Solvency II Chartis is solely focussed on risk and compliance technology, which gives it a significant advantage over generic market analysts. The firm has brought together a leading team of analysts and advisors from the risk management and financial services industries. This team has hands-on experience of implementing and developing risk management systems and programs for Fortune 500 companies and leading consulting houses. Visit www.chartis-research.com for more information. Join our global online community at www.risktech-forum.com. © Copyright Chartis Research Ltd 2017. All Rights Reserved. Chartis Research is a wholly owned subsidiary of Incisive Media Ltd.
    [Show full text]
  • Privacy As a Risk Management Challenge for Corporate Practice
    Privacy as a Risk Management Challenge for Corporate Practice By Kathleen Greenaway, Susan Zabolotniuk and Avner Levin Research Assistance provided by Judit Langhammer, Colin Rogers and Melanie Torrie March 2012 This is a work in progress which will be updated frequently. It is not for public use, duplication, citation, linking or other reference without the express written permission of the authors. PRIVACY AND CYBER CRIME INSTITUTE Acknowledgements This project has been funded through the Contribution Program of the Office of the Federal Privacy Commissioner and in-kind contributions from the Office of the Dean of the Ted Page | 2 Rogers School of Management, Ryerson University. We are grateful to both organizations for supporting research into the privacy practices of Canadian organizations. We also thank the companies and privacy experts who gave of their time and lent their expertise to assist us with this study. It is reassuring to meet Canadian business people who value research sufficiently to participate in our project. Finally, we thank our student researchers, Judit Langhammer, Colin Rogers and Melanie Torrie for their enthusiastic and able assistance. Table of Contents Acknowledgements Page | 3 Introduction Privacy Risk Management in context Project Goals and Objectives Methodology Literature Review Academic LIT Practitioner LIT Regulatory LIT The Concept of STILL TO BE SORTED Privacy as a Risk Management Privacy Risk Discipline Privacy risk as operational risk Governance considerations & etc. PRM in action in STILL TO BE SORTED Canadian Organizations & etc. CONCLUSION Summary of Findings Recommendations Future Research REFERENCES APPENDICES Lit Review tables PRM – Review of available models Page | 4 Risk/RM in Guidance Documents Research protocols Introduction Privacy Risk Management in context Organizations appear to have entered a “third phase” in their approach to the provision of Page | 5 information privacy to their customers.
    [Show full text]
  • Cyber Benefits and Risks: Quantitatively Understanding and Forecasting the Balance
    Cyber Benefits and Risks: Quantitatively Understanding and Forecasting the Balance Extended Project Report from the Frederick S. Pardee Center for International Futures Josef Korbel School of International Studies University of Denver www.pardee.du.edu September 2015 Barry B. Hughes, David Bohl, Mohammod Irfan, Eli Margolese-Malin, and José Solórzano In project collaboration with and the Table of Contents Executive Summary 4 Conceptualizing Benefits and Costs 4 Using the IFs System for Analysis 4 Background Research Foundations 5 Forecasts and Findings 9 Conclusion 11 A Final Note on Study Contributions 12 1. Introduction: Understanding and Anticipating Change in the Benefits and Costs of Cyber Technology 13 2. ICT and Cyber Development Indices 18 Indices Replicated in the IFs Forecasting System 18 ICT Development Index 18 Global Cybersecurity Index 19 Additional Indices of Importance in Cyber Security Analyses 21 Digitization Index 21 Digital Economy Ranking Index 21 Networked Readiness Index 22 3. Benefits 23 Competing Schools of Thought on Economic Benefits 23 Pessimism Versus optimism concerning ICT’s economic production impacts 23 ICT as a general-purpose technology 25 ICT’s Economic Impact: The Production Side 26 ICT as a growth sector in the economy 26 ICT investment and capital services 29 ICT and multifactor productivity 32 Comparing the Productivity Impacts of GPTs: Steam, Electricity, ICT 33 Variation in ICT Impact across Time/Pervasiveness and Countries 36 Drivers of variation in ICT impact: ICT (especially broadband) pervasiveness 36 Drivers of variable ICT impact: Beyond PCs and broadband 39 Drivers of variable ICT impact: Country development level 41 Consumer Surplus 42 Consumer surplus forecasts 46 Summary of Knowledge Concerning Cyber Risk Benefits: Modeling Implications 47 4.
    [Show full text]
  • Decoding the Future IT Risk Management. Disrupted
    Decoding the future IT Risk Management. Disrupted. Exploring the future of IT risk management By Chris Recchia, Tom Bigham and Rob Dighton Decoding the future | IT Risk Management. Disrupted. IT Risk Management. Disrupted. With fragmented IT architecture and legacy infrastructure still widespread across the financial services industry, many organisations are already struggling to get IT risk management right. A wave of change is coming that will make this challenge even more complex. Current approaches to managing IT risk, developed in an era focused on establishing controls for financial reporting, are no longer fit-for-purpose and need to be redesigned. Now is the time for senior financial services risk professionals to begin preparing for the array of changes that are altering the world in which we all operate and compete. The need for effective risk management is rapidly increasing in response to the rise in threats and the unprecedented wave of innovation spreading across the financial services industry. Robotics, Fintech, artificial intelligence, cognitive computing and blockchain are some of the emerging trends that are expected to reshape the financial services industry and have a substantial impact on firms of all sizes and geographical spread. Financial services firms employ many more risk managers than they traditionally did, yet risk management teams remain on a reactive footing with a predominant focus on traditional IT general controls and risk assessment techniques, and are limited by the processes, systems and wider business insight with which they have been equipped. As technology transforms banking and insurance and shifts the risk landscape, organisations will need to develop an entirely new approach to IT risk management.
    [Show full text]
  • Information Technology Sector Baseline Risk Assessment
    Information Technology Sector Baseline Risk Assessment Table of Contents EXECUTIVE SUMMARY .........................................................................................................................................4 1 INTRODUCTION TO INFORMATION TECHNOLOGY SECTOR CRITICAL INFRASTRUCTURE PROTECTION ............................................................................................................................................................9 1.1. PARTNERING FOR SECURITY...........................................................................................................................9 1.2. IT SECTOR PROFILE......................................................................................................................................11 2 RISK MANAGEMENT APPROACH, METHODOLOGY, AND PROCESS ............................................13 2.1. ASSESSING RISK AT A SECTOR-LEVEL ..........................................................................................................13 2.2. IDENTIFYING CRITICAL FUNCTIONS..............................................................................................................14 2.3. DEVELOPING ATTACK TREES .......................................................................................................................16 2.4. IDENTIFYING AND MEASURING RISK ............................................................................................................17 2.4.1 Analyzing Threats ................................................................................................................................17
    [Show full text]
  • Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
    1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction .............................................................................................................................. 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley .... 2 1. Is there an overall approach to IT risk and control consideration that should be followed? .......................... 2 2. Why is it so important to consider IT when evaluating internal control over financial reporting? ............... 4 3. How should Section 404 compliance teams define “IT risks and controls”? .................................................. 5 4. How does management identify and prioritize IT risks? ................................................................................. 5 5. What guidance does COSO provide with respect to IT controls? .................................................................. 6 6. What guidance is provided by the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework with respect to IT controls? ........................................................................................................... 6 7. How do COSO and COBIT facilitate a Section 404 compliance effort? ........................................................ 6 8. If a Section 404 project strictly and only follows COBIT, will the project be compliant with the Section 404 compliance efforts? .......................................................................................................................
    [Show full text]
  • GTAG 1: Information Technology Controls
    Information Technology ControlsA uditing Application Controls Authors David A. Richards, CIA, President, The IIA Alan S. Oliphant, MIIA, QiCA, MAIR InternationalChristine Bellino, Jefferson Wells Charles H. Le Grand, CIA, CHL GlobalSteve Hunt, Enterprise Controls Consulting LP July 200March 20057 Copyright © 20057 by The Institute of Internal Auditors (IIA), 247 Maitland Ave., Altamonte Springs, FL 32701-4201 USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher. The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. GTAG — Table of Contents: Section 1 Section 19 Letter from the President..........................................ii Appendix H – CAE Checklist ................................423 Section 2 Section 20 IT Controls – Executive Summary ............................iii Appendix I – References ........................................445 Section 3 Section 21 Introduction ..........................................................1 Appendix
    [Show full text]