ISACA’s IT Risk Framework

Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
Our next framework we're going to look at is going to come straight from ISACA, and it's ISACA's IT risk framework. Of course, this is going to be something that we really want to understand, and that's going to lead us to analyzing the risk management life cycle, as we'll do a little bit later, but this is the basic idea for what we're trying to establish when we talk about a risk-aware environment or having a framework in place to base our risk management environment upon.

With the IT risk management framework, we have three main categories. We have risk governance, risk evaluation, and risk response, so you'll often see RG, RE, and RR.

Of course, we have to start with governance. The first element with governance: we have to establish and maintain a common risk view. Our governing entities want to make sure that their risk appetite and their risk tolerance levels are understood throughout the organization, that we understand our general approach to risk, whether we're risk-seeking or risk-averse; that's establishing a common risk view within the organization. Also, that's going to include educating our users and making sure that we have good communication. The next piece is to integrate that with our enterprise risk management strategy, so we have a common view towards risk; let's build that into the organization as a whole, and that's integration with the ERM. Then we move to being able to make risk-aware business decisions; that's what we want. When we go to make a decision, do we invest money, do we upgrade this equipment, how do we respond to this particular threat? Those decisions should come based on understanding risk and managing risk.

We start off, we have to have governing entities, senior leadership, the board; they begin the process of addressing risk. Then we have to collect information, like I said. If we're going to be able to make risk-aware business decisions, what information do we use to determine what response is appropriate? In risk evaluation, we collect data; we look at information like what assets we're protecting. What are they worth? What threats exist? What are the vulnerabilities? Then we analyze that risk. When we analyze the risk, we're looking to get a value, and that risk value is going to tell me my potential for loss, so that in a few minutes, when we come to risk response, we'll be able to choose a solution that makes sense from a cost-benefit perspective. We collect data, we analyze our risks, and we want to be able to maintain our risk profile. When we talk about our risk profile, we're talking about our exposure to risk, so we want to make sure that that risk profile exists or stays at a level that's acceptable to senior leadership.

Now, once we've evaluated our risks, we then respond to risks, so the risk is articulated. We can define the risk that exists, we can look at the risk value versus the cost of the countermeasure, and then we manage that risk by implementing controls, ultimately allowing us to react to events or incidents in a quick and responsive manner. The three elements of the IT risk management framework: governance, evaluation, and response.

You can see over on this chart each of the levels, RG1, RG2, RG3, and what we're working towards, a little bit like the maturity model: are we at RG1, are we at RG2, are we at RG3, where do we stand? Again, this could be used for gap analysis. If we're at RE1, we may decide we need to be at RE2, RE3, each step along the way. This is just another framework that defines, ultimately, the goals and the structure on which we want to build.

Now, the principles of the IT risk framework. We looked at the principles of COBIT; again, this is from ISACA, so you're not going to see anything in direct contrast, but we start at the top just like we would expect: connect with business objectives. It's in compliance with COBIT, but the principles aren't the same; we're trying to accomplish something a little bit different here. With this framework, we're going to support the structure for security, so what are your business objectives? Are our objectives to increase profit? Are they to increase customer confidence? Are they to reduce man-hours lost? What, in relation to information security, are the objectives?

Then we're going to make sure that our risk management within IT is aligned with enterprise risk management. Anything you would see on this exam, or anything you could think about or analyze, where IT is doing something different than the rest of the organization, that's always going to be wrong. At one point in time, that really was the way we did business. We had the organization operating, and they did the business of the company, they made the money, and then the folks in IT were in the basement somewhere doing nerdy things, and never the two would meet. You only talked to the IT team when something went wrong, but based on that idea, that indicates that IT risks are over here and business risks are over there, but an IT risk is a business risk. We're enablers of the business, and if we can't provide the right support at the right time with the right availability, then the business suffers, so we're part of a greater whole, but we're part of the whole.

Another big point: balance cost-benefit. I've got to tell you, this is one of those things that's just always going to be right on the exam, a cost-benefit analysis. What are the pros, what are the cons? Do the benefits outweigh the cost? We can't forget that everything with security costs something, whether it's availability, ease of use, user acceptance, so we've got to find that perfect balance. Rarely are IT security people going to be the ones that know what that perfect balance is. By that I mean, security professionals are going to err on the side of security, but operations may complain, "Hey, we can't even do our jobs, we've got so much security, we can't get past Step 1," so we have to have senior leadership that's going to help us prioritize and determine what the right amount of security is.

Fair and open communication, of course: transparency, establish tone at the top, as well as accountability, ethics, culture; behavior flows downward. If you want to change employee action, culture, how they do their jobs, start at the top. The function should be part of daily activities; we use risk management as part of our jobs, it's what we do from day to day, it's incorporated as a function of performance.

That's ISACA's IT risk management framework, and I think that between that and ISO 27001 (we looked at some risk management frameworks as well), I think those would be the frameworks I would focus on. Now, there are other frameworks; we're certainly not going to get into all of these. SABSA, TOGAF, you could come across those in your reading, but I just don't see those making it to the test. COBIT, high level, because it comes from ISACA. I think you'll see some questions, maybe from NIST publications, as special publications and standards. Not anything too detailed or nitpicky, but to the degree that we talked about them earlier, I think that's really appropriate to have a good understanding. This says ISO standards on quality and references ISO 9001. In that realm, for quality, you can substitute quality for security, and you'll see it's very heavy on documentation and very much a methodical set of processes. But again, what I would focus on: I would know the CMMI, I would know ISO 27001, I would know the NIST standards like 800-30 and 800-39, I would be able to reference the Risk Management Framework as well as ISACA's IT risk framework. I think that's it; those would be the ones that I would focus on.