Ed Gelbstein, Ph.D., 1940-2015, worked in Auditing IS/IT Risk Management, Part 1 IS/IT in the private and public sectors in various countries There are significant differences between THE PRACTICE for more than 50 years. conducting an IS/IT audit and conducting an IS/ Unfortunately, this is not always the case. This Gelbstein did analog and IT risk management audit. author audited several well-known organizations digital development in the that merely played lip service to risk management 1960s, incorporated digital THE THEORY at all levels. They went through the motions of computers in the control IS/IT auditors ought to be knowledgeable about engaging consultants to run a brief workshop systems for continuous the risk owned by the chief information officer on risk maps (heat maps), asked their staff to process in the late ‘60s and (CIO) and her/his team and those that have been develop them quickly, put them all in a big file early ‘70s, and managed externalized (outsourcing, cloud services, other and claimed they had done risk management. projects of increasing providers, vendors, etc.). In an ideal situation, at Given that internal audit and ERM both exist size and complexity until the least some of the IS/IT audit team should have to provide independent and robust advice to early 1990s. In the ‘90s, he a certification such as ISACA’s Certified in Risk senior management, friction between them—let became an executive at the and Information Systems Control™ (CRISC™). alone a turf war—would be bad for business. preprivatized British Railways Those involved in the enterprise risk This article provides a map of the IS/IT management (ERM) function should be able risk management activities that are auditable and then the United Nations to determine the business impact of the risk and shows how to maintain a collaborative global computing and data associated with IS/IT. Ideally, at least some of the relationship with the ERM team while avoiding communications provider. team should have a certification such as Certified conflicts of interest. Following his (semi) Information Systems Auditor® (CISA®) or Certified retirement from the UN, Information Security Manager® (CISM®).1 AUDITABLE ACTIVITIES he joined the audit teams of In 1999, The Institute of Internal Auditors Figure 1 shows a top-level map of the things an the UN Board of Auditors and (The IIA) published an updated definition auditor may consider including in an IS/IT risk the French National Audit of internal auditing, describing it as “an management audit assumed to be conducted by Office. Thanks to his generous independent, objective assurance and consulting the CIO and her/his team. spirit and prolific writing, activity designed to add value and improve an The organization’s business continuity and his column will continue to organization’s operations. It helps an organization impact assessment studies, assuming they be published in the ISACA® accomplish its objectives by bringing a exist and are regularly updated, assist the Journal posthumously. systematic, disciplined approach to evaluate and auditors in defining the scope of audit. If these improve the effectiveness of risk management, do not exist or are outdated, the first critical Do you have control and governance processes.”2 audit recommendation should be that they be something The Risk Management Society (RIMS)3 defines conducted as a matter of urgency. to say about ERM as a strategic business discipline, while the Figure 1 illustrates that there are enough this article? IIA4 defines it as a structured, consistent and activities to keep auditors busy for quite a while, Visit the Journal continuous process across the whole organization. and a good start would be to find out which of pages of the ISACA The CIO should be able to provide them have been done, by whom and when. It may web site (www.isaca. appropriate risk assessments for systems and be useful to identify first if a formal framework org/journal), find the services, ideally based on a formal framework for risk management was adopted by the IS/ article and choose and, to the extent possible, quantified. These risk IT function and, if so, which one. Some are the Comments tab to assessments and a related risk register describing simplistic, such as drawing risk maps of little share your thoughts. mitigation plans, their ownership and time scales boxes colored green, yellow and red based on 5 Go directly to the article: should have a clear link to the business impact intuition, and others are relatively complex, analyses that support business continuity plans. requiring considerable time to master (e.g., Business managers and systems and data COBIT® 5 for Risk6 and Operationally Critical owners are responsible for prioritizing risk for Threat, Asset, and Vulnerability Evaluation appropriate action and, thus, become the risk [OCTAVE],7 available in versions for large and owners. This implies that internal audit takes on smaller organizations). an assurance role that excludes consulting and partnering in risk management.
©2016 ISACA. All rights reserved. www.isaca.org ISACA JOURNAL VOLUME 2, 2016 1 Figure 1—Scope of Auditable IS/IT Risk Management Activities CO�I�� � �or Ris� Future event scenarios NIST SP �00-30 Project/Operations impact Risk Planning OCTAVE Business impact Framework Adopted CRAMM Financial/�egal impact VERIS Others Risk Communication Risk appetite Training Given �efinitions �ho was trained �uality of material Risk Monitoring Risk Management Active Auditable Activities Inspection IS/IT Business Risk Audit Business impact Corrective action Critical facilities Risk Management Risk Controls Risk identification Reactive System Risk evaluation Investigation Risk oversight �evel of uncertainty Analysis Risk intelligence Residual risk ERM framework, e.g., COSO Risk prevention Risk transfer Role of ERM in IS/IT assessment Risk reduction Risk ownership Extent of IS/IT integration in ERM Risk detection Contingency plans Source: Ed Gelbstein. Reprinted with permission.
Some risk assessment methodologies may be poorly suited including incident management and disaster recovery plans, for IS/IT, for example, those specifically designed to assess necessarily focus on the threats and vulnerabilities that can financial risk because they require complex calculations and adversely affect business operations without necessarily being access to historically consistent data. conversant with the contents of the various business impact Adopting a methodology is, in itself, not enough if those analyses carried out on a regular basis, the risk appetite of who need to apply it do not know how. This implies some the organization or the organization’s priorities for mitigating kind of training and much study. Study requires time, and business risk. in today’s corporate environment it is hard to make time8 as What often happens is that, having identified threats (from the “urgent” displaces the “important” and the trend toward hackers to earthquakes) and vulnerabilities (the usual triad of open plan accommodation and densely packed cubicles makes people, process and technology), the CIO moves quickly to concentration on learning harder to achieve. address issues that, in terms of business impact, may not be at all important and are, therefore, a poor use of resources. IS/IT RISK TRANSLATED INTO BUSINESS RISK Achieving a successful translation into business risk requires The Risk IT Practitioner Guide9 (issued before COBIT® 5 extensive dialog with business process owners, senior for Risk) is a valuable document. Figure 2 presents a variant management and the ERM team, and collaboration toward of one of the guide’s figures (figure 5 in chapter 1) that producing an integrated risk register that can then be used to shows how the starting point in the CIO’s risk assessments is request the resources needed to mitigate the highest risk to transformed into business risk. the business. The CIO and the chief information security officer However, this requires every one of the players to make (CISO), as custodians of the organization’s systems and data, time available for such discussions and engage in a spirit of
2 ISACA JOURNAL VOLUME 2, 2016 ©2016 ISACA. All rights reserved. www.isaca.org Figure 2—How IS/IT Risk Translates Into Business Risk Threats: �uman accidental, human deliberate, natural forces Vulnerabilities: People, process, technology
IT benefit/value IT program and IT operations and enablement risk project delivery risk service delivery risk
IT-speak
IT risk translated into enterprise risk and its potential impact
Strategic Operational Financial Compliance Legal Reputational risk risk risk risk risk risk
Business-speak Prioritized business risk
Source: Ed Gelbstein. Reprinted with permission. collaboration, not allowing it to be inhibited by unavoidable IIA%20Executive%20Report%20Forging%20a%20 corporate politics. Small organizations may not have a formal Collaborative%20Alliance.pdf ERM team and/or business processes and may, therefore, have 3 The Risk and Insurance Management Society, www.rims.org limited knowledge of risk and impact assessment. 4 The Institute of Internal Auditors, www.theiia.org 5 Gelbstein, E.; “Quantifying Information Risk and PRELIMINARY CONCLUSION Security,” ISACA® Journal, vol. 4, 2013, www.isaca.org/ The reader may find the short article, “Writing Good Risk Journal/archives Statements,”10 very helpful. It confirms the statement, “If you 6 ISACA, COBIT® 5 for Risk, USA, 2013, www.isaca.org/ think this is simple, you just have not looked closely enough.” COBIT/Pages/Risk-product-page.aspx Part 2 of this column will examine the remaining branches 7 CERT Division, OCTAVE, Software Engineering Institute, of the map in figure 1, i.e., risk controls, risk management Carnegie Mellon University, USA, www.cert.org/resilience/ system, risk communications and risk scenario planning. products-services/octave/octave-method.cfm 8 Adams, S.; The Dilbert Principle: A Cubicle’s-Eye View of ENDNOTES Bosses, Meetings, Management Fads & Other Workplace 1 ISACA, Certified in Risk and Information Systems Control, Afflictions, HarperBusiness, USA, 1996 www.isaca.org/Certification/CRISC-Certified-in-Risk-and- 9 ISACA, Risk IT Practitioner Guide, USA, 2009, Information-Systems-Control/Pages/default.aspx https://www.isaca.org/bookstore/Pages/Product-Detail. 2 The Risk and Insurance Management Society and The aspx?Product_code=RITPG Institute of Internal Auditors, Risk Management and 10 Power, Benjamin; “Writing Good Risk Statements,” ISACA Internal Audit: Forging a Collaborative Alliance, executive Journal, vol. 3, 2014, www.isaca.org/Journal/archives report, 2012, https://na.theiia.org/standards-guidance/ Public%20Documents/RIMS%20and%20The%20
©2016 ISACA. All rights reserved. www.isaca.org ISACA JOURNAL VOLUME 2, 2016 3