Using Risk Scenarios for COBIT 5 to Help Achieve Business Success

If I had a £1 for every time a client said “it won’t happen to us,” I would be a very rich man and probably would not be writing this blog!

Risk management is about minimizing the chance that it will happen to us, by anticipating what might occur to affect the successful delivery of an enterprises’ business goals or objectives and to implement an appropriate risk response to minimize the risk of an adverse business impact materializing.

This is how risk management is usually seen. However, a good risk management process can also be used to help achieve the successful delivery of a business goal or objective.

In life, we all make mistakes, but the important thing is to learn from the experience. Even better is to learn from the mistakes of others. The use of risk scenarios in an enterprise’s risk management process helps us do just that.

Building a library of risk scenarios will help an enterprise foresee potential risk and select suitable risk responses to reduce the impact to within its risk appetite and risk tolerance. The ISACA publications COBIT 5, COBIT 5 for Risk, and Risk Scenarios for COBIT 5 for Risk provide some very helpful tools to the risk practitioner.

COBIT 5 defines two risk-related process enablers:  EDM03, a governance process, and APO12, a management process.

COBIT 5 for Risk Expands on Process Enablers
A key tool in the risk management process is the use of risk scenarios. COBIT 5 for Risk, which expands upon EDM03 and APO12 process enablers, also has a small section providing some generic risk scenarios. However, the risk professional should arm themselves with Risk Scenarios Using COBIT 5 for a comprehensive library of risk scenarios.

Risk Scenarios Using COBIT 5
But what is a risk scenario? A risk scenario is a description of a possible event that, if it occurs, will have an uncertain impact on the enterprise. The core of a risk management process requires risk to be identified and assessed and a suitable risk response to be implemented. Well-developed risk scenarios support these activities and make them realistic and relevant to the enterprise.


Source: ISACA, COBIT 5 for Risk, USA, 2013

Scenarios Inform on Suitable Risk Response
The risk scenario then provides some guidance on a suitable risk response. When a risk assessment identifies that risk is not within the risk appetite and tolerance of the enterprise, then one of four risk responses is required:

  • Avoid:  Stop doing that activity.
  • Mitigate:  Implement mitigation actions to reduce the inherent risk.
  • Share/Transfer:  Transfer the risk, such as the use of insurance.
  • Accept:  Do nothing and live with the risk.

If the selected risk response is mitigate, then the risk scenario gives some pointers to the COBIT 5 process enablers that could be implemented to appropriately manage the risk.

Risk Mitigation in an Elevator
One final thought:  even risk professionals get it wrong. Risk Scenarios for COBIT 5 for Risk was developed by a group of nine risk professionals from around the world. Just imagine that these nine arrive at ISACA headquarters 08.00 one Sunday morning and all step into the same elevator to go up the 10th floor. There is no one else expected in the building until 07.00 the following morning.

These nine highly experienced risk professionals failed to effectively assess the risk of all getting into the same elevator, and, yes, you’ve guessed it—the elevator jammed just past the 2nd floor. Fortunately, after only few minutes (which seemed a lot longer) of panic, they were able to pry open the doors and the lift so everyone was able to easily step out. But like all good risk professionals, they then learned from their experience and broke into two groups and took two separate lifts to continue their journey to the 10th floor.

How do I know? I was one of the nine! If only we had had a book of risk scenarios we could have consulted.

As part of your member benefits, Risk Scenarios Using COBIT 5 for Risk is available as a no cost pdf download.

Editor’s Note:  Risk Scenarios Using COBIT 5 for Risk is the ISACA Bookstore’s June Book of the Month. Click here to download.

Mike Hughes, CISA, CGEIT, CRISC, ISACA Central UK Immediate Past President, Principal Director, HWgrc

[ISACA Now Blog]

Verizon DBIR Says You Can’t Stop the Storm—But You Can See It Coming

The 2016 Verizon Data Breach Investigations Report (DBIR) paints a grim picture of the unavoidable enterprise data breach. But accepting the inevitability of breaches doesn’t mean accepting defeat. It’s like severe weather: you can’t prevent a tornado or hurricane. But with the right visibility tools, you can recognize patterns and mitigate your risk.

Likewise with data security, visibility is critical. “You cannot effectively protect your data if you do not know where it resides,” says Verizon.

Most enterprises plagued by poor data visibility
The report shows that most organizations lack the data visibility tools for effective breach remediation. Hackers gain access more easily than ever, with 93 percent of attacks taking just minutes to compromise the enterprise ecosystem. Yet without the ability to see what’s happening on endpoint devices, 4 in 5 victimized organizations don’t catch a breach for weeks—or longer.

Here’s a look at how data visibility solves many of the major threats highlighted in the 2016 DBIR:

Phishing: See when users take the bait
The report showed users are more likely than ever to fall for phishing. One in ten users click the link; only three percent end up reporting the attack. Instead of waiting for the signs of an attack to emerge, IT needs the endpoint visibility to know what users are doing—what they’re clicking, what they’re installing, if sensitive data is suspiciously flowing outside the enterprise network. The “human element” is impossible to fix, but visibility lets you “keep your eye on the ball,” as Verizon put it, catching phishing attacks before they penetrate the enterprise.

Malware and ransomware: Encryption + endpoint backup
With laptops the most common vector for the growing threats of malware and ransomware, Verizon stresses that “protecting the endpoint is critical.” The report urges making full-disk encryption (FDE) “part of the standard build” to gain assurance that your data is protected if a laptop falls into the wrong hands. Continuous endpoint backup is the natural complement to FDE. If a device is lost or stolen, IT immediately has visibility into what sensitive data lived on that device, and can quickly restore files and enable the user to resume productivity. Plus, in the case of ransomware, guaranteed backup ensures that you never truly lose your files—and you never pay the ransom.

Privilege abuse: “Monitor the heck” out of users
Authorized users using their credentials for illegitimate purposes “are among the most difficult to detect.” There’s no suspicious phishing email. No failed login attempts. No signs of a hack. And for most organizations, no way of knowing a breach has occurred until the nefarious user and your sensitive data is long gone. Unless, of course, you have complete visibility into the endpoint activities of your users. Verizon urges enterprises to “monitor the heck out of authorized daily activity,” so you can see when a legitimate user is breaking from their use pattern and extricating sensitive data.

Forensics: Skip the hard part for big cost savings
The most costly part of most enterprise data breaches—accounting for half of the average total cost—involves figuring out what data was compromised, tracking down copies of files for examination, and other forensic tasks required for breach reporting and remediation. Most often, an organization must bring in legal and forensic consultants—at a steep price. If you have complete visibility of all enterprise data to begin with, including endpoint data, you can skip much of the hard work in the forensics phase. If you already have continuous and guaranteed backup of all files, all your files are securely stored and easily searchable. Modern endpoint backup solutions go a step further, offering robust forensic tools that make it easy and cost-effective to conduct breach remediation, forensics and reporting tasks without eating up all of IT’s time, or requiring expensive ongoing consultant engagement.

See your data, understand your patterns, mitigate your risk
The whole point of the DBIR is to shed light on data to see the patterns and trends in enterprise data security incidents—to mitigate risk through greater visibility. So read the report. Understand the common threats. But make sure you apply this same methodology to your own organization. With the right data visibility tools in place, you can see your own patterns and trends, learn your own lessons, and fight back against the inevitable data breach.

Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

Watch: Prevention Against Targeted Phishing Attacks

In this Lightboard session, Martin Walter explains how the integration of Palo Alto Networks global URL Filtering service (PAN-DB) works with the single-pass architecture of our next- generation firewalls and our Threat Intelligence Cloud to allow you to safely enable web access while protecting against malware or phishing sites.

Learn more

[Palo Alto Networks Research Center]

English
Exit mobile version