ISACA’s IT Risk Framework
Video Transcript
Our next framework we're going to look at is going to come straight from ISACA, and it's ISACA's IT risk framework. Of course, this is going to be something that we really want to understand, and that's going to lead us to analyzing the risk management life cycle as we'll do it a little bit later, but this is the basic idea for what we're trying to establish when we talk about a risk-aware environment or having a framework in place to base our risk management environment upon.
With IT's risk-management frame or with the IT risk management framework, we have three main categories. We have risk governance, risk evaluation, and risk response, so you'll often see RG, RE, and RR. Of course, we have to start with governance. The first element with governance, we have to establish and maintain a common risk view. Our governing entities want to make sure that their risk appetite and their risk tolerance levels are understood throughout the organization, that we understand our general approach to risk, whether we're risk-seeking or risk averse, that's establishing a common risk view within the organization.
Also, that's going to include educating our users and making sure that we have good communication. Next piece is to integrate that with our enterprise risk management strategy, so we have a common view towards risk, let's build that in to the organization as a whole, and that's integration with the RAM. Then we move to being able to make risk-aware business decisions, that's what we want. When we go to make a decision, do we invest money, do we upgrade this equipment, how do we respond to this particular threat? Those decisions should come based on understanding risk and managing risk.
We start off, we have to have governing entities, senior leadership, the board, they begin the process of addressing risk. Then we have to collect information, like I said. If we're going to be able to make risk-aware business decisions, what information do we use to determine what response is appropriate? In risk evaluation, we collect data, we look at information like what assets we're protecting? What are they worth? What threats exist? What are the vulnerabilities? Then we analyze that risk. When we analyze the risk, we're looking to get a value, and that risk value is going to tell me my potential for loss, so that in a few minutes when we come to risk response, we'll be able to choose a solution that makes sense from a cost-benefit perspective. We collect data, we analyze our risks, and we want to be able to maintain our risk profile.
When we talk about our risk profile, we're talking about our exposure to risk, so we want to make sure that that risk profile exists or stays in a level that's acceptable to senior leadership. Now, once we've evaluated our risks, we then respond to risks, so the risk is articulated. We can define the risk that exists, we can look at the risk value versus the cost of the countermeasure, and then we manage that risk by implementing controls. Ultimately, allowing us to react to events or incidents in a quick and a responsive manner. The three elements of the IT risk management framework; governance, evaluation, and response. You can see over on this chart, each of the levels, RG1, RG2, RG3, and what we're working towards a little bit like the maturity model, or we had RG1, or we had RG2, or we had RG3, where do we stand?
Again, this could be used for gap analysis. If we're at RE1, we may decide we need to be at RE2, RE3 each step along the way. This is just another framework that defines ultimately the goals and the structure on which we want to build. Now, the principles of the IT risk framework. We looked at the principles of COBIT, again this is from ISACA, so you're not going to see anything in direct contrast, but we start at the top just like we would expect, connect with business objectives. It's in compliance with COBIT, but the principles aren't the same, we're trying to accomplish something a little bit different here. With this framework, we're going to support the structure for security, so what are your business objectives? Are our objectives to increase profit? Are they to increase customer confidence? Are they to reduce man-hours lost? What in relation to information security are the objectives?
Then we're going to make sure that our risk management within IT is aligned with enterprise risk management. Anything you would see on this exam or anything you could think about or analyze where IT is doing something different than the rest of the organization, that's always going to be wrong. At one point in time, that really was the way we did business. We had the organization operating and they did the business of the company, they made the money, and then the folks in IT, were in the basement somewhere doing nerdy things, and never the two would meet.
You only talked about the IT team and something went wrong, but based on that idea, that indicates that IT risks are over here and business risks are over there, but an IT risk is a business risk. We're enablers of the business and if we can't provide the right support at the right time with the right availability, then the business suffers, so we're part of a greater whole, but we're part of the whole. Another big point, balance cost-benefit. I got to tell you this is one of those things that's just always going to be right on the exam, a cost-benefit analysis. What are the pros, what are the cons?
Do the benefits outweigh the cost? We can't forget everything with security costs something, whether it's availability, ease of use, user acceptance, so we've got to find that perfect balance. Rarely, or IT security people going to be the ones that know what that perfect balance is. By that I mean, security professionals are going to err on the side of security, but operations may complain, hey, we can't even do our jobs, we've got so much security, we can't get past Step 1, so we have to have senior leadership that's going to help us prioritize and determine what the right amount of security is. Fair and open communication, of course, transparency, establish tone at the top, as well as accountability, ethics, culture behavior flows downward.
If you want to change employee action, culture, how they do their jobs, start at the top. The function should be part of daily activities, we use risk management as part of our jobs, it's what we do from day to day, it's incorporated as a function of performance. That's ISACA's IT risk management framework, and I think that between that and ISO 27001, we looked at some risk management frameworks as well, I think those would be the frameworks I would focus on. Now, there are other frameworks, we're certainly not going to get into all of these. SABSA, TOGAF, you could come across those in your reading, but I just don't see those making it to the test. COBIT, high level because it comes from ISACA. I think you'll see some questions may be from NIST publications as special publications and standards. Not anything too detailed or nitpicky, but to the degree that we talked about them earlier, I think that's really appropriate to have a good understanding.
This says ISO standards on quality and references ISO 9001. In that realm, for quality, you can substitute quality for security, and you'll see it's very heavy on documentation and very much a methodical set of processes. But again, what I would focus on, I would know the CMMI, I would know ISO 27001, I would know the NIST standards like 830 and 800-39, I would be able to reference the risk management framework as well as ISACA's IT risk framework. I think that's it, those would be the ones that I would focus on.
