cgeit Risk Management


CGEIT EXAM PREP #3

Copyright ©2011 Tunitas Group.  All rights reserved. This presentation material may be used solely by participants in SF‐ISACA’s 2010 CGEIT Preparation Class.  No other use is permitted without express written authorization.

1

Risk Management

Steve Kruse

Sr. Solutions Principal, RSA

Agenda: Required Knowledge*

What is IT Risk?
* Align the IT risk management processes with the enterprise business risk management framework (where this exists).

What is an IT Risk Management Framework?
* Ensure a consistent application of the risk management framework across the enterprise IT environment.

How is Risk Managed?
* Ensure a consistent application of the risk management framework across the enterprise IT environment.
* Ensure that risk assessment and management is included throughout the information life cycle.
* Define risk management strategies, and prioritize responses to identified risks to maintain risk levels within the appetite of the enterprise.

How is Risk Communicated & Monitored?
* Implement timely reporting on risk events and responses to appropriate levels of management (including the use of key risk indicators, as appropriate).
* Establish monitoring processes and practices to ensure the completeness and effectiveness of established risk management processes.

2

* From CGEIT Job Practice (Risk Management domain)


WHAT IS IT RISK?

3

Some Risk Categories

• Important point: define IT risk beyond just CIA (Confidentiality, Integrity, Availability). Types of risk also include:

– Hazard risk: Liability torts, Property damage, Natural catastrophe
– Financial risk: Pricing risk, Asset risk, Currency risk, Liquidity risk, Technology obsolescence
– Operational risk: Customer satisfaction, Product failure, Integrity
– Strategic risks: Competition, Social trend, Capital availability, Reputational risk
– Security risks

4


Information Properties

IT responsibility to develop and preserve multiple information properties (per COBIT):

– effectiveness

– efficiency

– confidentiality

– integrity

– availability

– reliability 

– compliance

• Managing ‘security’ is only part of managing IT Risk

5

Security

This broader definition of IT Risk is also driven by regulations:

• SOX
• Basel II (Level 1 – Level 2 event categories):

– Internal Fraud – Unauthorized Activity; Theft and Fraud
– External Fraud – Theft and Fraud; System Security
– Employment Practices – Employee Relations; Safe Environment; Diversity and Discrimination
– Clients, Products, and Business Practices – Suitability, Disclosure, and Fiduciary; Product Flaws; Improper Business or Market Practices; Advisory Activities; Selection, Sponsorship, and Exposure
– Damage to Physical Assets – Disasters and Other Events
– Business Disruptions and System Failures – Systems
– Execution, Delivery and Process Management – Transaction Capture, Execution, and Maintenance; Monitoring and Reporting; Customer Intake and Documentation; Customer Account Management


A Risk Framework incorporating the broader definitions

• U.K. Office of Government Commerce (OGC) – Management of Risk (M_o_R) Framework

– Strategic Level – Decisions on business strategy
– Program Level – Decisions transforming strategy into action
– Project Level – Decisions required to enable implementation of actions
– Operational Level

WHAT IS AN IT RISK MANAGEMENT FRAMEWORK?

8


IT Risk Frameworks

• Intended to ensure the appropriate recognition and  treatment of risk – Best Practices

• Frameworks define

– Required management activity

– Scope

– Roles and responsibilities

– Mechanisms | Methods

– Artifacts

– Assurance requirements

9

Risk Frameworks

COSO ERM
– Applies to all aspects of enterprise risk
– IT risk managed as a special case
– Specialized IT risk frameworks should be considered as a special case

OCTAVE
– Carnegie Mellon’s Software Engineering Institute’s contribution

ISO 31000
– Risk framework generally applied (operational, technical, enterprise)
– Supersedes AS/NZS 4360:2004 as the existing legislated standard on risk management

IT risk addressed as a component of service or project management, e.g., ITIL (ISO 20000), PMBOK

10


Risk Artifacts

Risk Register
– Capture all relevant risks
– Origins in Project Management

OCTAVE Threat Tree

Heat Maps

Specialized IT risk framework applied to information security

Gap Assessment – Current and Desired States

11

Risk Register

Collection of identified risks
– Typically rated on Impact and Likelihood estimates
– Expands beyond projects to enterprise registers

12

Register columns: Risk number | Risk name | Risk Owner | Key issues | Residual risk score | Raw risk score | Rank (based on residual score) | Previous rank | Status (green/orange/red). The slide shows five empty rows, numbered 1 to 5.

Likelihood of risk:
1 – Very low
2 – Low
3 – Medium
4 – High
5 – Very high
If likelihood was assessed as very low (e.g. earthquake) it could be given a score of “less than 1” such that even the highest impact risks could attract an overall score of “less than 5”.

Impact of risk:
1 – Insignificant
2 – Minor
3 – Moderate
4 – Serious
5 – Very serious

Total residual risk score (likelihood x impact) – and traffic light:
1 – 6 Low (green traffic light)
8 – 12 Medium (green/orange light)
14 – 20 High (orange/red light)
Over 20 Very high (red light)

*Register and rating methodology courtesy Cambridge University
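The register rating methodology above, worked through in Python as an added example (not part of the slides): likelihood x impact is scored for raw and residual estimates, banded into the slide's traffic lights, and the register is ranked by residual score with previous rank kept so movement can be reported. The register entries are constructed, and treating the slide's bands as contiguous upper bounds (so fractional "less than 1" likelihoods land in a band) is an assumption.

```python
"""Risk register scoring after the Cambridge University methodology quoted on the
slide: likelihood (1-5, a fraction below 1 permitted for rare events such as an
earthquake) x impact (1-5) is banded into a traffic light; the register is ranked
by residual score and the previous rank kept. All register entries are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Serious", 5: "Very serious"}
# Slide bands: 1-6 Low, 8-12 Medium, 14-20 High, over 20 Very high. 7 and 13 are
# skipped because integer products never produce them; to cover fractional
# likelihoods the bands are treated as contiguous upper bounds (assumption).
BANDS = ((6, "Low", "green"), (12, "Medium", "green/orange"), (20, "High", "orange/red"))

def score(likelihood: float, impact: int) -> float:
    """Total = likelihood x impact. Likelihood is 1-5 or any value in (0, 1)."""
    if impact not in IMPACT:
        raise ValueError(f"impact {impact} not on the 1-5 scale")
    if not 0 < likelihood <= 5 or (likelihood >= 1 and likelihood != int(likelihood)):
        raise ValueError(f"likelihood {likelihood} not 1-5 or a fraction below 1")
    return likelihood * impact

def traffic_light(total: float) -> tuple[str, str]:
    """Map a total score to (rating, light) using the slide's bands."""
    for upper, rating, light in BANDS:
        if total <= upper:
            return rating, light
    return "Very high", "red"

@dataclass
class Risk:
    number: int
    name: str
    owner: str
    key_issues: str
    raw: tuple[float, int]        # (likelihood, impact) before controls
    residual: tuple[float, int]   # (likelihood, impact) after existing controls
    previous_rank: Optional[int] = None
    rank: Optional[int] = None

    @property
    def raw_score(self) -> float:
        return score(*self.raw)

    @property
    def residual_score(self) -> float:
        return score(*self.residual)

    @property
    def status(self) -> str:
        return traffic_light(self.residual_score)[1]

    def movement(self) -> str:
        """Rank movement since the last review: new, unchanged, up or down."""
        if self.previous_rank is None:
            return "new"
        if self.rank == self.previous_rank:
            return "unchanged"
        return "up" if self.rank < self.previous_rank else "down"

def rank_register(risks: list[Risk]) -> list[Risk]:
    """Rank by residual score, highest first; ties keep register order."""
    ordered = sorted(risks, key=lambda r: (-r.residual_score, r.number))
    for position, risk in enumerate(ordered, start=1):
        risk.rank = position
    return ordered

def build_sample_register() -> list[Risk]:
    """Constructed entries; the earthquake row shows the 'less than 1' rule."""
    return [
        Risk(1, "Ransomware on file servers", "CISO", "Backups untested",
             (4, 5), (2, 5), previous_rank=1),
        Risk(2, "Earthquake at primary data centre", "Facilities", "Single site",
             (0.5, 5), (0.5, 4), previous_rank=4),
        Risk(3, "Privileged account misuse", "IT Ops", "Shared admin accounts",
             (3, 4), (3, 3), previous_rank=3),
        Risk(4, "Unpatched internet-facing application", "App owner", "Patch SLA missed",
             (5, 5), (4, 4), previous_rank=2),
        Risk(5, "Loss of key vendor", "Procurement", "No exit plan", (2, 3), (2, 3)),
    ]

def report_lines(risks: list[Risk]) -> list[str]:
    """One register row per risk, in rank order."""
    return [f"#{r.rank} (prev {r.previous_rank}, {r.movement()}) risk {r.number} "
            f"{r.name}: raw {r.raw_score:g}, residual {r.residual_score:g} "
            f"{traffic_light(r.residual_score)[0]} [{r.status}]"
            for r in rank_register(risks)]

if __name__ == "__main__":
    print("\n".join(report_lines(build_sample_register())))
```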


OCTAVE Threat Tree

13

Table columns: Asset | Access | Actor | Motive | Outcome | Impact Values (Confidentiality, Integrity, Availability) | Probability | ISO 17799 Clauses (1. Security Policies, 2. Org. Security, 3. Asset Classification, 4. Personnel Security, 5. Physical Security, 6. Comm. Management, 7. Access Control, 8. Sys. Development, 9. Incident Management, 10. Continuity Mgmt., 11. Compliance) | Approach (Accept, Mitigate)

Tree for Asset: IP Data; Access: physical (Human Actors Using Physical Access). Each outcome row carries an impact rating and a probability rating (H/M/L) plus an X in one of the clause/approach columns; the column positions of those marks did not survive extraction, so the ratings are listed as they appear:

– inside, accidental: disclosure H L X; modification; interruption L M X; loss/destruction M L X
– inside, deliberate: disclosure H L X; modification L L X; interruption L M X; loss/destruction L L X
– outside, accidental: disclosure H L X; modification; interruption L L X; loss/destruction L L X
– outside, deliberate: disclosure H L X; modification; interruption M L X; loss/destruction M L X

Heat Map

14

Likelihood and Impact

        VL   L    M    H    VH
VH      M    H    VH   VH   VH
H       L    M    H    H    H
M       VL   L    M    M    M
L       VL   VL   L    L    L
VL      VL   VL   VL   VL   VL

Legend: VL Very Low; L Low; M Medium; H High; VH Very High

Map current risks onto the “heat map” to identify current risks and their potential likelihood and impact.

Can be transposed from a risk register: numbers from numbered risks are plotted on the map to quickly depict which risks are potentially most damaging if actualized.


Heat Map

15

Gap Analysis – Current and Desired

16

Maturity Levels

ISO 27002 Major Clauses, each rated Ad hoc | Repeatable | Defined | Measured | Optimized (the slide marks every clause with a current state X and a desired state O; the column positions did not survive extraction):

– Security Policies
– Organizational Security
– Asset Classification
– Personnel Security
– Physical Security
– Communications Management
– Access Control
– System Development
– Incident Management
– Continuity Management
– Compliance

Current State X
Desired State O


HOW IS RISK MANAGED?

17

• Classic Risk Formula – Impact x Likelihood

• Another popular (IT centric) perspective:

Realized Threat on Asset with Vulnerability

• ISO’s new definition:

ISO 31000 “effect of uncertainty on objectives”

18


HOW IS RISK COMMUNICATED & MONITORED?

19

• Risk Governance – how are we determining the management of the risk program?

– Cited by George Westerman in his article Building IT Risk Management Effectiveness, one of the CGEIT suggested articles. 

– Westerman’s 4A’s – Availability, Access, Accuracy and Agility – his book IT Risk

• Database of risk – the risk register

• Tracking, trending of risks

20


Information Security Governance: Guidance for Boards

• Purpose of infosec governance:
– Alignment w/ business strategy (avoid focus on past wars)
– Risk management
– Efficient use of resources
– Monitoring and reporting of appropriate risk metrics
– Optimize value of security investments

• Roles & responsibilities – Board
– Define ‘global risk profile’
– Set tone
– Resource infosec
– Obtain independent assurance from auditors (internal or external)
– Insist that management makes security investments measurable & reports on security program effectiveness

21

Information Security Governance: Guidance for Boards

• Roles & responsibilities – Sr. Management
– Oversight for security and control framework: policy, standards, practices and procedures, measures
– Appropriate risk identification
– Security infrastructure
– Monitoring
– Reviews of effectiveness
– Incorporation into SDLC

• Questions

• Infosec Governance Deliverables (by domain)

• Maturity model – IT focus is associated w/ lower levels of maturity

22


Risk Awareness and Culture

• Risk Awareness
– Those closest to the process/technology/program have the greatest knowledge of the potential risks
– Again, these can be business (non‐technical) risks
– We as risk professionals must tap that knowledge – “What keeps you up at night?” and other open‐ended questions

• Proper awareness fosters a risk culture
– OK to talk about risks
– OK to take risks
– OK to fail (if managed appropriately)

23

• Key Risk Indicators – KRIs
– Measure to indicate how risky an activity is
– Primary use is to report risk profiles to Sr. Management, according to a Risk Management Association (RMA) 2005 survey
– Proprietary within each organization; no common set of KRIs

24


• Enterprise Risk Management needs a consistent and universal way to articulate risk throughout the environment

– Quantifying risk into $ another approach to talk the language of business

25

• Roles & responsibilities

– Risk must be communicated throughout the organization

– Various organization structures proposed

• Chief Risk Officer

• Risk Managers in Business Units

– ITGI recommends

• Risk Management Plan – subject to periodic review

• IT Executive Committee to review the plan

– Committee reviews priorities

– Approves allocation of resources to mitigate prioritized risks

26


• Monitoring, Reviewing and Trending Risk

– Management of risk takes a lifecycle approach

– Obtain assurance of effectiveness

• Alignment of risk management with business objectives

• Understanding the risk landscape allows the organization to take greater risks judiciously when appropriate (change the risk appetite)

27

Practice Question

• Which of the following would be implemented at the highest level of an enterprise?

A. An enterprise risk register

B. A risk management board

C. A risk owner

D. A risk council

28


Answer

• Which of the following would be implemented at the highest level of an enterprise?

A. An enterprise risk register is a management tool that is used within the context of the risk management board

B. A risk management board is made up of managers who are responsible for the reporting of the enterprise’s risk response to the board

C. Although the highest level of management is responsible for risk, the risk owner is tied to a low‐level project, program, or business unit.

D. The risk council is defined either by the enterprise board or the marketplace itself.

Reference: ISACA; IT Governance Practices and Competencies: Information Risks: Whose Business Are They?

29

GOVERNANCE, RISK & COMPLIANCE TOOLS

30


Risk Management Snapshot

Results from the April 2009 Archer Technologies Risk Management Working Group poll.

“The 2008 global financial crisis has raised awareness for business‐oriented risk management on issues such as IT security and financial reporting, as well as the need to have a comprehensive understanding of risk across the organization. Despite these heightened concerns, most organizations continue to struggle with silos of risk management activities that fail to provide an integrated framework for these efforts.”

‐ Paul Proctor, Douglas McKibben. An Overview of IT and Enterprise Risk Management. Gartner, Inc. December, 2008.

Results from the September 2009 Archer Technologies Risk Management Working Group poll.


Archer’s Approach to GRC

Archer Policy Management – Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.

Archer Risk Management – Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.

Archer Compliance Management – Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.

Archer Enterprise Management – Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.

[Platform diagram: Governance, Risk, Compliance and Enterprise Management layers, with the elements Policies, Control Standards, Authoritative Sources, Assessments, Risk Register, Test Results, Question Library, Scoping, Devices, Applications, Business Processes, Business Hierarchy, Corporate Objectives, Metrics, Findings, Product/Services, Facilities, Loss Events, Information, Control Procedures, Manual and Automated Testing, Quarterly Risk Review, Remediation Plans, Exception Requests]


Risk Management Process

• Risk Register

• Loss Events

• Metrics

• Quarterly Risk Reviews

• Question Library

• Assessments

• Findings

• Exception Requests

• Remediation Plans


A Top‐Down Risk Approach (Risk Register, Metrics, Loss Events, Quarterly Risk Review, Question Library)

Risk Register fields:
– Affected Business Units
– Risk Nature
– Risk Ownership
– Source Information
– Impact Score
– Loss Amounts
– Likelihood Score
– Risk Response
– Inherent Risk Score
– Residual Risk Score


Follow on Top Down (Risk Register, Metrics, Loss Events, Quarterly Risk Review, Question Library)

Metrics fields:
– Status
– Ownership
– Objective
– How to Calculate
– Measurement Frequency
– Threshold Type and Value
– Current Value
– Date Measured

Loss Events fields:
– Impacted Business Processes
– Financial Valuation & Recovery Summary
– Offset Transactions
– Root Cause Analysis
– Failed Controls
– Violated Policies

Top‐Down Continued (Risk Register, Metrics, Loss Events, Quarterly Risk Review, Question Library)

Quarterly Risk Review fields:
– Statuses
– Submitter & Reviewer
– Review & Due Dates

Question Library fields:
– Type & Status
– Policy References
– Answer Inheritance


A Bottom‐Up Risk Approach (Assessments, Remediation Plans, Exception Requests, Findings)

Assessment types:
– Fraud Assessment
– Application Assessment
– Facility Assessment
– Information Asset Assessment
– Device Assessment

Bottom‐Up Continued (Assessments, Remediation Plans, Exception Requests, Findings)

Assessment fields:
– Status
– Authoritative Source References
– Control Standards
– Approval Workflow

Findings fields:
– Finding Description
– Finding Response
– Remediation Status and Dates


Bottom‐Up Risk 3 (Assessments, Remediation Plans, Exception Requests, Findings)

Exception Requests fields:
– Status
– Exception Declaration
– Impacted Control Standards
– Compensating Controls
– Exception Attachments
– Review and Approvals

Remediation Plans fields:
– Status
– Cost Analysis
– Approval Workflow
– Related Findings
– Related Vulnerabilities
– Related Configuration Check Results

Risk Management Reporting

• Over 140 Out‐of‐the‐Box Reports, including:

– Risk Impact and Rating Summary

– Risks by Inherent and Residual Rating

– Risks by Company Objective

– Metric Status Summary

– Net Total Losses by Business Unit by Month

– Open Loss Events by Business Unit

– All Events by Basel II Categories

– Risk Assessment Average Residual Scores by Business Unit

– Risk Findings by Status


END

41

ERM Components

• Objective Setting
– Necessary preconditions of risk management – strategic objectives regarding operations, reporting and compliance

• Event identification
– Positive or negative risk‐related events

• Risk assessment
– Impact and likelihood of identified events

• Risk response
– Avoidance, reduction, sharing, acceptance

• Control activities
– Controls that ensure that risk response is completed

• Information and communications
– Processes that link the above components

• Monitoring
– Ensure that all the above processes work effectively


COSO ERM Principles

• ERM is a process implemented in the context of the internal control environment. Takes into consideration:

– Risk management philosophy

– Risk appetite

– BOD attitude

– Integrity and ethical values

• Implemented by people

• Reasonable assurance

• Supports achievement of objectives

COSO ERM

• Risk management is essential component of COSO internal control model

– Identify risk; estimate its significance and frequency; determine what actions should be taken in response

– General lack of a comprehensive risk assessment process

• Silo approaches preclude:

– Comparison of risk across functional components

– Integrated management


• COSO ERM
– Eight Components and Four Objectives Categories

• Eight Components
– Internal Environment
– Objective Setting
– Event Identification
– Risk Assessment
– Risk Response
– Control Activities
– Information and Communication
– Monitoring

• Four Objectives Categories
– Strategy
– Operations
– Financial Reporting
– Compliance

45

COSO ERM Framework

• General framework for management of enterprise risk

– Common language & approach

• Management of IT related risks (eg infosec) should be addressed as special case of ERM

– Enterprise context

– IT risk as ‘just another’ kind of business risk

46

[COSO ERM cube figure: Objectives Categories across the top, Component activity down the side]


COSO ERM Component Activity

• Control activity – Policies and procedures that ensure that risk response activity is carried out
– E.g., (trivial) not the password policy, but the AD & Windows logon mechanism that enforces the policy

• Information and communication – Outputs, indicators, reports that coordinate other component activities

• Monitoring – Processes needed to determine the effectiveness of all the other ERM components

47

• Other ERM Frameworks

– ISO 31000 – recent work by the International Organization for Standardization (November, 2009)

• Replaced AS/NZS 4360:2004

– Risk IT – ISACA’s own

• Leverages elements of George Westerman’s work at MIT and Jack Jones’ FAIR methodology (Heat Maps)

• Balance risk with opportunity – little to no risk means fewer necessary controls to identify and work towards opportunities

48


Risk IT Framework

• 3rd Component of ITGI’s IT Governance Framework

– Val IT – creation of business value 

– Risk IT – protection of information assets

– COBIT ‐ control & improve IT

49

Risk IT

• Goal: ensure enterprise governance of IT risk
– Connects IT risk with business objectives
– Aligns IT‐related business risk with overall enterprise risk management
• akin to IT‐enabled business investment / value
– Framework specializes the COSO ERM framework to IT risk
• Emphasis (but not exclusively) on information security risk

• Framework provides:
– Risk management governance practices

– End to end process framework

– Catalog of generic IT‐related adverse risks

– Tools & techniques

– Roles & responsibilities

50


Risk IT Components

51

Risk IT Process Model

52


Risk IT Process Model : Zoom

53

• For each process, RISK IT provides:

– Detailed control activities / objectives

– Inputs – outputs for each activity

– RACI chart

– Goals and metrics (activity, process & ‘domain’)

– Maturity model

Risk IT Companion Document

54


COSO ERM: for more info

55

COSO.org

• http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf

• http://www.coso.org/documents/COSO_ERM.ppt

• http://www.coso.org/ERM-IntegratedFramework.htm

especially recommended for security professionals

COSO ERM Entity & Unit Level Risk

Entity‐wide plus unit specific risks

• Unit‐level risk
– Risk should be considered and managed at all levels of business

• Follow organization chart?

• Entity level risk
– Risk impacting multiple business units

– Roll up of unit level risk with ‘material’ impact

56