
8 Practical Steps to Starting Risk Identification



Optimizing the business risks associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise is a key component of the enterprise's ability to create value. It allows the enterprise to reach its main objectives and will most likely result in growth.

Optimizing IT risk requires not only key enterprise-governance practices, such as defining risk appetite and policies, but also a continuous management process to identify, analyze, evaluate and treat IT risk across the whole enterprise, end to end.

However, a frequent issue is that organizations lack essential resources for IT risk management: for example, staffing gaps (in both headcount and skills), a lack of automated tools, a restricted budget, incomplete inventories of IT assets and an absence of historical data on loss events related to IT risk.

Although all of these limitations are solvable, the solution may not arrive immediately. In the meantime, the organization remains exposed to unidentified IT risk scenarios that could exceed its established risk appetite, or even its capacity to absorb losses, compromising the sustainability of the company.

Therefore, the priority is to start as soon as possible by defining valid criteria to identify IT risk scenarios and by setting a scope for the IT risk management process that fits the resources and capabilities available. To begin the initial identification of risk scenarios, the following eight steps are suggested:

  1. Consider internationally recognized standards and guidance, such as:
    1. COBIT 5 for Risk, which provides 111 example IT risk scenarios
    2. MAGERIT, which lists numerous threats for each type of asset/resource together with the corresponding safeguards
    3. Additional ISACA documents on topics such as big data, cloud computing, vendor management and social media
  2. Analyze the organization's business objectives to identify IT-related risks that could jeopardize their success.
  3. Gather the know-how of the experts within the organization's scope (e.g., CISO, DBA and CTO) and engage them in the IT risk management process.
  4. Monitor vulnerability disclosures affecting the IT assets/resources the company has adopted.
  5. "Reverse engineer" the controls required by applicable regulations to infer the threats those controls are designed to address.
  6. Analyze the events in the operational risk loss database to detect IT risk scenarios that have already materialized. A loss event that matches no registered scenario is itself evidence that the register is incomplete.
  7. Once a considerable universe of scenarios has been collected, formally define the organization's scope of analysis. This requires formal approval from the relevant bodies (e.g., the risk committee).
  8. Periodically enrich the approved register of IT risk scenarios based on threats that actually materialized, updates to standards, new technological developments and improvements in the capability of the enablers required for risk management.

Once the register of risk scenarios is formally approved, the universe of assets/IT resources to analyze can be defined, giving priority to the most critical ones in terms of the business processes they support. After this, the IT risk analysis phase can begin with the most appropriate scope.
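As an added illustration, not part of the ISACA article and not an ISACA or COBIT tool, the Python sketch below shows how steps 6 and 8 and the asset prioritization above can be turned into a small register: scenarios seeded from the listed sources are matched against a loss-event log, an event that no scenario explains is promoted into a new scenario sourced from the loss database, and assets inherit criticality from the business processes they support. All assets, processes, scenario IDs, loss events and criticality values are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    supports: tuple          # business processes this asset supports


@dataclass(frozen=True)
class Scenario:
    sid: str
    description: str
    assets: tuple            # asset names the scenario applies to
    source: str              # which of steps 1-6 the scenario was drawn from
    materialized: int = 0    # loss events matched to this scenario (step 6)


# Constructed inputs (hypothetical, not from the article): process criticality on
# a 1-5 scale, a small asset inventory and a seed register from the listed sources.
PROCESS_CRITICALITY = {"payments": 5, "payroll": 4, "marketing-site": 2}

ASSETS = (
    Asset("core-db", ("payments", "payroll")),
    Asset("web-cms", ("marketing-site",)),
    Asset("hr-app", ("payroll",)),
)

SEED_SCENARIOS = (
    Scenario("S01", "Database outage", ("core-db",), "COBIT 5 for Risk example"),
    Scenario("S02", "Website defacement", ("web-cms",), "vulnerability news"),
    Scenario("S03", "Unauthorized payroll change", ("hr-app", "core-db"),
             "inferred from regulatory control"),
)

# Constructed operational loss events. The last one has no scenario in the seed
# register (sid is None), which is the gap step 6 is meant to surface.
LOSS_EVENTS = (
    {"date": "2015-03-02", "asset": "core-db", "sid": "S01", "loss": 12000,
     "description": "Database outage"},
    {"date": "2015-05-17", "asset": "core-db", "sid": "S01", "loss": 4500,
     "description": "Database outage"},
    {"date": "2015-06-01", "asset": "web-cms", "sid": "S02", "loss": 800,
     "description": "Website defacement"},
    {"date": "2015-06-20", "asset": "hr-app", "sid": None, "loss": 300,
     "description": "Payroll export sent to wrong recipient"},
)


def asset_criticality(asset, process_criticality=PROCESS_CRITICALITY):
    """An asset inherits the criticality of the most critical process it supports."""
    return max((process_criticality.get(p, 0) for p in asset.supports), default=0)


def enrich_from_loss_events(scenarios, events):
    """Steps 6 and 8: count matched events per scenario and add a new scenario,
    sourced from the loss database, for each (asset, description) no scenario explains."""
    counts = Counter(e["sid"] for e in events if e["sid"])
    enriched = [replace(s, materialized=counts.get(s.sid, 0)) for s in scenarios]
    unmapped = Counter((e["asset"], e["description"]) for e in events if e["sid"] is None)
    next_num = len(enriched) + 1
    for (asset, description), n in unmapped.items():
        enriched.append(Scenario(f"S{next_num:02d}", description, (asset,),
                                 "operational loss database", n))
        next_num += 1
    return enriched


def prioritized_scope(assets, scenarios):
    """Rank assets by business criticality, then by how many applicable scenarios
    have already materialized (a multi-asset scenario counts for each asset)."""
    rows = []
    for a in assets:
        applicable = [s for s in scenarios if a.name in s.assets]
        rows.append({
            "asset": a.name,
            "criticality": asset_criticality(a),
            "scenarios": len(applicable),
            "materialized": sum(s.materialized for s in applicable),
        })
    rows.sort(key=lambda r: (-r["criticality"], -r["materialized"], r["asset"]))
    return rows


if __name__ == "__main__":
    register = enrich_from_loss_events(SEED_SCENARIOS, LOSS_EVENTS)
    for s in register:
        print(s.sid, s.description, s.source, "materialized:", s.materialized)
    for row in prioritized_scope(ASSETS, register):
        print(row)
```

The ordering puts core-db first because it supports the most critical process and has two materialized events, while hr-app ranks above web-cms on criticality alone even though both have one materialized scenario; the unmapped payroll event becomes scenario S04 and is what a review under step 8 would take to the risk committee.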

Franco Rigante, CISA, CRISC, PMP
IT – GRC Specialist
ISACA Communities Committee

[ISACA]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in the ICT/Cybersecurity industry in various sectors and positions.
