THE RISK PRACTITIONER GUIDE - COLMICH


THE RISK IT PRACTITIONER GUIDE

Risk Universe, Appetite and Tolerance
Risk Awareness, Communication and Reporting
Expressing and Describing Risk, Risk Scenarios
Risk Responses and Prioritisation
Using COBIT and Val IT™

ISACA

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified in the Governance of Enterprise IT (CGEIT) designations.

ISACA developed and continually updates the COBIT, Val IT and Risk IT frameworks, which help IT professionals and enterprise leaders fulfil their IT governance responsibilities and deliver value to the business.

Disclaimer

ISACA has designed and created The Risk IT Practitioner Guide (the 'Work') primarily as an educational resource for chief information officers (CIOs), senior management and IT management. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, officers and managers should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: 1.847.253.1545
Fax: 1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 978-1-60420-116-1
The Risk IT Practitioner Guide
Printed in the United States of America

CGEIT is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.

2 © 2009 ISACA. All Rights Reserved.

ACKNOWLEDGEMENTS

ISACA wishes to recognise:

Development Team
Steven De Haes, Ph.D., University of Antwerp Management School, Belgium
Gert du Preez, CGEIT, PricewaterhouseCoopers, Belgium
Rachel Massa, CISSP, PricewaterhouseCoopers LLP, USA
Bart Peeters, PricewaterhouseCoopers, Belgium
Steve Reznik, CISA, PricewaterhouseCoopers LLP, USA
Dirk Steuperaert, CISA, CGEIT, IT In Balance BVBA, Belgium

IT Risk Task Force (2008-2009)
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland, Chair
Steven Babb, CGEIT, KPMG, UK
Brian Barnier, CGEIT, ValueBridge Advisors, USA
Jack Jones, CISA, CISM, CISSP, Risk Management Insight LLC, USA
John W. Lainhart IV, CISA, CISM, CGEIT, IBM Business Consulting Services, USA
Gladys Rouissi, CISA, MComp, Commonwealth Bank of Australia, Australia
Lisa R. Young, CISA, CISSP, Carnegie Mellon University, USA

Expert Reviewers
Mark Adler, CISA, CISM, CGEIT, CFE, CFSA, CIA, CISSP, Commercial Metals, USA
Steven Babb, CGEIT, KPMG, UK
Gary Baker, CGEIT, CA, Deloitte & Touche LLP, Canada
Dave H. Barnett, CISM, CISSP, CSDP, CSSLP, Applied Biosystems, USA
Brian Barnier, CGEIT, ValueBridge Advisors, USA
Laurence J. Best, PricewaterhouseCoopers LLP, USA
Peter R. Bitterli, CISA, CISM, Bitterli Consulting AG, Switzerland
Luis Blanco, CISA, Citibank, UK
Adrian Bowles, Ph.D., Sustainability Insights Group (SIG411), USA
Dirk Bruyndonckx, CISA, CISM, CGEIT, MCA, KPMG Advisory, Belgium
Olivia Xardel-Burtin, Grand Duchy of Luxembourg
M. Christophe Burtin, Grand Duchy of Luxembourg
Rahul Chaurasia, Student, Indian Institute of Information Technology, Allahabad U.P, India
Richard H. Chew, CISA, CISM, CGEIT, Emerald Management Group, USA
Philip De Picker, CISA, MCA, Nationale Bank van Belgie, Belgium
Roger Debreceny, Ph.D., FCPA, University of Hawaii-Manoa, USA
Heidi L. Erchinger, CISA, CISSP, System Security Solutions Inc., USA
Robert Fabian, Ph.D., I.S.P., Independent Consultant, Canada
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Shawna Flanders, CISA, CISM, ACS, PSCU Financial Services, USA
John Garms, CISM, CISSP, ISSEP, Electric-Tronics Inc., USA
Dennis Gaughan, AMR Research, USA
Yalcin Gerek, CISA, CGEIT, TAC, Turkey
Edson Gin, CISA, CFE, CIPP, SSCP, USA
Pete Goodhart, PricewaterhouseCoopers LLP, USA
Gary Hardy, CGEIT, IT Winners, South Africa
Winston Hayden, ITGS Consultants, South Africa
Jimmy Heschl, CISA, CISM, CGEIT, KPMG, Austria
Francisco Igual, CISA, CGEIT, CISSP, SOAProjects Inc., USA
Monica Jain, CGEIT, CSQA, CSSBB, USA
John E. Jasinski, ITIL Service Manager, Six Sigma Black Belt, USA
Jack Jones, CISA, CISM, CISSP, Risk Management Insight LLC, USA
Dharmesh Joshi, CISA, CGEIT, CA, CIA, CIBC, CISSP, Canada
Catherine I. Jourdan, PricewaterhouseCoopers LLP, USA
Kamal Khan, CISA, CISSP, MBCS, Saudi Aramco, Saudi Arabia
Marty King, CISA, CGEIT, CPA, BCBSNC, USA
Terry Kowalyk, Credit Union Deposit Guarantee Corporation, Canada
Denis Labhart, Swiss Life, Switzerland
John W. Lainhart IV, CISA, CISM, CGEIT, IBM Business Consulting Services, USA
Philip Le Grand, Datum International Ltd., UK
Brian Lind, CISA, CISM, Topdanmark A/S, Denmark
Bjarne Lonberg, CISSP, A.P. Moller—Maersk, Denmark
Jo Lusk, CISA, Federal Government, USA
Charles Mansour, CISA, Charles Mansour Audit & Risk Service, UK
Mario Micallef, CGEIT, CPAA, FIA, Ganado & Associates, Malta
John Mitchell, Ph.D., CISA, CGEIT, CFE, FBCS, LHS Business Control, UK
Jack Musgrove, CGEIT, CMC, BI International, USA
Paul Phillips, Barclays Bank Plc, UK
Andre Pitkowski, CGEIT, OCTAVE, APIT Informatica, Brazil
Felix Ramirez, CISA, CGEIT, Riebeeck Associates, USA
Martin Rosenberg, Ph.D., IT Business Management, UK
Claus Rosenquist, CISA, PBS, Denmark
Gladys Rouissi, CISA, MComp, Commonwealth Bank of Australia, Australia
Daniel L. Ruggles, CISM, CGEIT, CISSP, CMC, PMP, PM Kinetics LLC, USA
Stephen J. Russell, PricewaterhouseCoopers LLP, USA
Deena Lavina Saldanha, CISA, CISM, Obegi Chemicals LLC, UAE
Mark Scherling, Canada
William D. Sewall, CISSP, ISRMC LLC, USA
Gustavo Adolfo Solis Montes, Grupo Cynthus SA de CV, Mexico
John Spangenberg, SeaQuation, The Netherlands
Robert E. Stroud, CGEIT, CA Inc., USA
Jason B. Taule, CISM, CGEIT, CDPS, CHSIII, CMC, CPCM, NSA-IAM, General Dynamics Information Technology-Health IT Solutions, USA
John Thorp, CMC, I.S.P., The Thorp Network, Canada
Lance M. Turcato, CISA, CISM, CGEIT, CPA, CITP, City of Phoenix, USA
Kenneth Tyminski, Retired, USA
E.P. van Heijningen, Ph.D., RA, ING Group, The Netherlands
Sylvain Viau, CISA, CGEIT, ISO Lead Auditor, 712iem Escadron de Communication, Canada
Greet Volders, CGEIT, Voquals NV, Belgium
Thomas M. Wagner, Marsh Risk Consulting, Canada
Owen Watkins, ACA, MBCS, Siemens, UK
Clive E. Waugh, CISSP, CEH, Intuit, USA
Amanda Xu, CISA, CISM, Indymac Bank, USA
Lisa R. Young, CISA, CISSP, Carnegie Mellon University, USA

ISACA Board of Directors
Emil D'Angelo, CISA, CISM, Bank of Tokyo Mitsubishi UFJ, USA, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA-NV, Belgium, Vice President
Yonosuke Harada, CISA, CISM, CGEIT, CAIS, InfoCom Research Inc., Japan, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec, Mexico, Vice President
Robert E. Stroud, CGEIT, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG LLP, UK, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, Trustee

Framework Committee
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associes SAS, France, Chair
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA-NV, Belgium, Vice President
Steven A. Babb, CGEIT, United Kingdom
Sergio Fleginsky, CISA, Akzonobel, Uruguay
John W. Lainhart, IV, CISA, CISM, CGEIT, IBM Global Business Services, USA
Mario C. Micallef, CGEIT, CPAA, FIA, Malta
Derek J. Oliver, CISA, CISM, CFE, FBCS, United Kingdom
Robert G. Parker, CISA, CA, CMC, FCA, Canada
Jo Stewart-Rattray, CISA, CISM, CGEIT, RSM Bird Cameron, Australia
Robert E. Stroud, CGEIT, CA Inc., USA
Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany

Special Recognition
To the following members of the 2008-2009 IT Governance Committee who initiated the project and steered it to a successful conclusion:
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Chair
Sushil Chatterji, Edutech Enterprises, Singapore
Kyung-Tae Hwang, CISA, Dongguk University, Korea
John W. Lainhart IV, CISA, CISM, CGEIT, IBM Business Consulting Services, USA
Hugh Penri-Williams, CISA, CISM, CCSA, CIA, Glaniad 1865 Eurl, France
Gustavo Adolfo Solis Montes, CISA, CISM, Grupo Cynthus SA de CV, Mexico
Robert E. Stroud, CGEIT, CA Inc., USA
John Thorp, CMC, I.S.P., The Thorp Network Inc., Canada
Wim Van Grembergen, Ph.D., University of Antwerp Management School and IT Alignment and Governance Research Institute, Belgium

TABLE OF CONTENTS

Introduction to the Practitioner Guide ... 7
  Structure of the Document ... 7
  The Risk IT Process Model ... 7
  Risk IT Positioning With Respect to COBIT and Val IT ... 8
  Overview of the Guide—Mapping Against the Process Model ... 8
1. Defining a Risk Universe and Scoping Risk Management ... 11
  Risk Universe ... 11
  Enterprise IT Risk Assessment ... 12
  Scoping IT Risk Management ... 14
2. Risk Appetite and Risk Tolerance ... 15
  Risk Appetite and Risk Tolerance Defined ... 15
  Risk Appetite ... 15
  Risk Tolerance ... 17
3. Risk Awareness, Communication and Reporting ... 19
  Introduction ... 19
  Risk Awareness and Communication ... 19
  Key Risk Indicators and Risk Reporting ... 22
  Risk Profile ... 24
  Risk Aggregation ... 25
  Risk Culture ... 29
4. Expressing and Describing Risk ... 31
  Introduction ... 31
  Expressing Impact in Business Terms ... 34
  Describing Risk—Expressing Frequency ... 37
  Describing Risk—Expressing Impact ... 38
  COBIT Business Goals Mapping With Other Impact Criteria ... 42
  Risk Map ... 46
  Risk Register ... 47
5. Risk Scenarios ... 51
  Risk Scenarios Explained ... 51
  Risk Factors ... 53
  Example Risk Scenarios ... 57
  Capability Risk Factors in the Risk Analysis Process ... 69
  Environmental Risk Factors in the Risk Analysis Process ... 71
6. Risk Response and Prioritisation ... 75
  Risk Response Options ... 75
  Risk Response Selection and Prioritisation ... 77
7. A Risk Analysis Workflow ... 81
8. Mitigation of IT Risk Using COBIT and Val IT ... 83
Appendix 1. Risk Concepts in Risk IT vs. Other Standards and Frameworks ... 111
  Comparison of Major Features ... 111
Appendix 2. Risk IT and ISO 31000 ... 113
  ISO 31000 Risk Management—Guidelines on Principles and Implementation of Risk Management ... 113
Appendix 3. Risk IT and ISO 27005 ... 117
  ISO/IEC 27005:2008, IT—Security Techniques—Information Security Risk Management ... 117
Appendix 4. Risk IT and COSO ERM ... 119
  COSO Enterprise Risk Management—Integrated Framework ... 119
Appendix 5. Vocabulary Comparisons: Risk IT vs. ISO Guide 73 and COSO ERM ... 123
  Risk IT and ISO Guide 73 on Risk Management Vocabulary ... 123
  Risk IT and COSO ERM on Risk Management Vocabulary ... 125
Appendix 6. Risk IT Glossary ... 129
List of Figures ... 131
Other ISACA Publications ... 133


INTRODUCTION TO THE PRACTITIONER GUIDE

The Risk IT Framework describes a detailed process model for the management of IT-related risk. In this model, multiple references are made to risk analysis, risk profile, responsibilities, key risk indicators (KRIs) and many other risk-related terms. The Risk IT Practitioner Guide contains practical and more detailed guidance on how to accomplish some of the activities described in the process model.

In enterprises wishing to enhance maturity of risk management practices, The Risk IT Practitioner Guide can provide a solution accelerator, not in a prescriptive manner but as a solid platform upon which an improved practice can be built. The Risk IT Practitioner Guide can be used to assist with setting up an IT risk management framework in the enterprise, as well as to enhance existing IT risk management practices.

This guide does not claim completeness or comprehensiveness, meaning that besides the techniques and practices described here, other viable solutions and techniques exist and may be applied for managing IT risk.

Structure of the Document

This document contains:
1. An introduction containing a general positioning of the practitioner guide and navigation tools to allow the reader to identify relevant guidance. The positioning with respect to COBIT and Val IT is also briefly discussed.
2. Eight chapters, each of which provides guidance on a particular topic or group of topics. Each chapter has illustrations like the one shown below, where the highlighted sections indicate where in the Risk IT process framework the described technique can be applied or where it is relevant.
3. Five appendices, in which the relation between Risk IT and other major (IT) risk management standards and frameworks is discussed.

[Chapter illustration: the Risk IT process model (Risk Governance: Integrate With ERM, Establish and Maintain a Common Risk View, Make Risk-aware Business Decisions; Risk Evaluation; Risk Response: React to Events; Communication) with the relevant processes highlighted. Objective shown for Risk Governance: Define and describe the overall environment (risk universe) that will be subject to risk management.]

The Risk IT Process Model

The Risk IT framework is described in full detail in The Risk IT Framework publication. For easy reference purposes, figure 1 contains a graphic overview of the Risk IT process model and its components.

Figure 1—Risk IT Process Model Overview

Risk Governance (RG): Ensure that IT risk management practices are embedded in the enterprise, enabling the enterprise to secure optimal risk-adjusted return.

RG1 Establish and Maintain a Common Risk View
Process Goal RG1: Ensure that risk management activities align with the enterprise's objective capacity for IT-related loss and leadership's subjective tolerance of it.
Key Activities:
RG1.1 Perform enterprise IT risk assessment.
RG1.2 Propose IT risk tolerance thresholds.
RG1.3 Approve IT risk tolerance.
RG1.4 Align IT risk policy.
RG1.5 Promote IT risk-aware culture.
RG1.6 Encourage effective communication of IT risk.

RG2 Integrate With ERM
Process Goal RG2: Integrate the IT risk strategy and operations with the business strategic risk decisions that have been made at the enterprise level.
Key Activities:
RG2.1 Establish and maintain accountability for IT risk management.
RG2.2 Co-ordinate IT risk strategy and business risk strategy.
RG2.3 Adapt IT risk practices to enterprise risk practices.
RG2.4 Provide adequate resources for IT risk management.
RG2.5 Provide independent assurance over IT risk management.

RG3 Make Risk-aware Business Decisions
Process Goal RG3: Ensure that enterprise decisions consider the full range of opportunities and consequences from reliance on IT for success.
Key Activities:
RG3.1 Gain management buy-in for the IT risk analysis approach.
RG3.2 Approve IT risk analysis.
RG3.3 Embed IT risk considerations in strategic business decision making.
RG3.4 Accept IT risk.
RG3.5 Prioritise IT risk response activities.

Risk Evaluation (RE): Ensure that IT-related risks and opportunities are identified, analysed and presented in business terms.

RE1 Collect Data
Process Goal RE1: Identify relevant data to enable effective IT-related risk identification, analysis and reporting.
Key Activities:
RE1.1 Establish and maintain a model for data collection.
RE1.2 Collect data on the operating environment.
RE1.3 Collect data on risk events.
RE1.4 Identify risk factors.

RE2 Analyse Risk
Process Goal RE2: Develop useful information to support risk decisions that take into account the business relevance of risk factors.
Key Activities:
RE2.1 Define IT risk analysis scope.
RE2.2 Estimate IT risk.
RE2.3 Identify risk response options.
RE2.4 Perform a peer review of IT risk analysis.

RE3 Maintain Risk Profile
Process Goal RE3: Maintain an up-to-date and complete inventory of known risks and attributes (e.g., expected frequency, potential impact, disposition), IT resources, capabilities and controls as understood in the context of business products, services and processes.
Key Activities:
RE3.1 Map IT resources to business processes.
RE3.2 Determine business criticality of IT resources.
RE3.3 Understand IT capabilities.
RE3.4 Update IT risk scenario components.
RE3.5 Maintain the IT risk register and IT risk map.
RE3.6 Develop IT risk indicators.

Risk Response (RR): Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.

RR1 Articulate Risk
Process Goal RR1: Ensure that information on the true state of IT-related exposures and opportunities is made available in a timely manner and to the right people for appropriate response.
Key Activities:
RR1.1 Communicate IT risk analysis results.
RR1.2 Report IT risk management activities and state of compliance.
RR1.3 Interpret independent IT assessment findings.
RR1.4 Identify IT-related opportunities.

RR2 Manage Risk
Process Goal RR2: Ensure that measures for seizing strategic opportunities and reducing risk to an acceptable level are managed as a portfolio.
Key Activities:
RR2.1 Inventory controls.
RR2.2 Monitor operational alignment with risk tolerance thresholds.
RR2.3 Respond to discovered risk exposure and opportunity.
RR2.4 Implement controls.
RR2.5 Report IT risk action plan progress.

RR3 React to Events
Process Goal RR3: Ensure that measures for seizing immediate opportunities or limiting the magnitude of loss from IT-related events are activated in a timely manner and are effective.
Key Activities:
RR3.1 Maintain incident response plans.
RR3.2 Monitor IT risk.
RR3.3 Initiate incident response.
RR3.4 Communicate lessons learned from risk events.

At the centre of the figure, Business Objectives and Communication link the three domains.

Risk IT Positioning With Respect to COBIT and Val IT

The Risk IT Framework document explains that although Risk IT is a stand-alone risk management framework, it can be used in conjunction with COBIT and Val IT. Figure 2 depicts how these three frameworks relate to each other in the context of good IT governance.

[Figure 2—Positioning COBIT, Val IT and Risk IT. Labels in the figure: Business Objective (Trust and Value) Focus; Risk IT / Risk Management; Val IT / Value Management; Identify Risk and Opportunity; IT-related Events; IT Process Management; COBIT / IT-related Activity Focus.]

The COBIT processes manage all IT-related activities within the enterprise. These processes deal with events internal or external to the enterprise. Internal events can include operational IT incidents, project failures, full (IT) strategy switches and mergers. External events can include changes in market conditions, new competitors, new technology becoming available and new regulations affecting IT. These events all pose a risk and/or opportunity and need to be assessed and responses developed. The risk dimension, and how to manage it, is the main subject of the Risk IT framework. When opportunities for IT-enabled business change are identified, the Val IT framework best describes how to progress and maximise the return on investment. The outcome of the assessment will probably have an impact on some of the IT processes and/or on the input to the IT processes; hence, the arrows from 'Risk Management' and 'Value Management' link to the 'IT Process Management' area.

Overview of the Guide—Mapping Against the Process Model

Figure 3 contains an overview of the eight main chapters and select sub-sections of this guide, mapped against the processes of the Risk IT framework. The table identifies the processes to which each section in The Risk IT Practitioner Guide applies.

Figure 3—The Risk IT Practitioner Guide Overview (section, mapped to Risk IT framework domain and process)
Chapter rows 1-4 (Defining a Risk Universe and Scoping Risk Management; Risk Appetite and Risk Tolerance; Risk Awareness, Communication and Reporting; Expressing and Describing Risk), process codes as extracted, not separable by row: RG1, RG2, RG3, RG1, RG2, RG3, RG2, RG3, RE1, RG1, RE1, RR3, RR2
Key Risk Indicators and Risk Reporting: RE3, RR1, RR2
Risk Profiles: RE3
Risk Aggregation: RG1, RG2
Risk Culture: RG1, RG2
Introduction: RG1, RG2, RE2, RR1
Expressing Impact in Business Terms: RG1, RG2, RE2, RR1
Describing Risk—Expressing Frequency: RG1, RE2, RR1
Describing Risk—Expressing Impact: RG1, RE2, RR1
COBIT Business Goal Mapping With Other Impact Criteria: RG1
Risk Map: RG1, RG3, RG2, RE3, RR1, RE3
Risk Scenarios Explained: RG1, RE2, RE3, R (table truncated here in this extract)
