@ISACA Volume 12, 17 June 2015

Risk Aggregation: A Challenge to Risk Practitioners

By Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP

One of the main roles of risk practitioners is to communicate risk information at the right level to enable risk-informed decision making. A risk practitioner gets information from risk assessments, which are performed by various risk owners. After updating the risk register, the practitioner prepares a risk profile and risk report for stakeholders at various levels. While doing so, one needs to understand how to aggregate the assessed risk.

Risk aggregation happens at 2 levels:

  1. Risk owners assess the same risk with varying likelihood and impact, depending upon the nature of the vulnerabilities and the impact on their business activity. Each assessment reflects relevance to the owner's respective business area. The factors that affect risk aggregation include geographic distribution, the nature of activities and business functions, technological differences, distributed IT processes, and manned versus unmanned operations. Senior management needs to review the aggregated impact of the risk on the entire enterprise, rather than viewing it as a risk for just one location or one business unit.
  2. Each level of management requires risk aggregated at a different level of detail. For example, the chief information security officer (CISO) may need granular information on technical vulnerabilities and incidents that is not relevant to the IT steering committee.

A risk practitioner must note that:

  1. Aggregated risk must not hide the root causes of the risk.
  2. An end-to-end (business activity) view of IT risk, beyond the technical issues, must be considered to prevent false assurance or false urgency.
  3. An enterprise-wide IT risk view allows for a proper review of risk tolerance, instead of only silo views of individual or partial risk.

The issue does not arise when risk profiles are considered independently for each risk owner or business function. The challenge comes when risk practitioners need to represent the aggregated result for the organization as a whole.

To address this issue, a risk practitioner should consider the following:

  • While forming the risk policy, ask senior management how they wish to address this issue at the organizational level.
  • Prepare different formats for risk aggregation based on various attributes such as geographical distribution, technical variances, criticality of business functions and the nature of activities.
  • Periodically review the risk policy for the impact of risk factors on the initially agreed-upon aggregation method.
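The two aggregation levels and the "do not hide root causes" rule above can be made concrete with a small register roll-up. The following is an added example, not code from the author or from ISACA; it assumes a constructed register with a 5x5 likelihood/impact scale, and it keeps the set of root causes alongside the worst-case and mean scores so that an enterprise-level figure still points back to the underlying causes. Aggregation by region, by business function or for the whole enterprise is the same function with a different grouping key.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class RiskAssessment:
    """One risk owner's assessment of a risk (constructed fields, not a real register format)."""
    risk_id: str     # shared identifier for the same risk assessed by several owners
    owner: str
    region: str
    function: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale
    root_cause: str

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class AggregatedRisk:
    risk_id: str
    group: str
    assessments: int
    max_score: int           # worst case across owners in the group
    mean_score: float        # average across owners in the group
    root_causes: List[str] = field(default_factory=list)  # preserved, never collapsed


def aggregate(entries: Iterable[RiskAssessment],
              group_by: Callable[[RiskAssessment], str]) -> List[AggregatedRisk]:
    """Roll up assessments per (risk_id, group) while retaining every root cause seen."""
    buckets: Dict[Tuple[str, str], List[RiskAssessment]] = defaultdict(list)
    for e in entries:
        buckets[(e.risk_id, group_by(e))].append(e)
    rows = []
    for (risk_id, group), items in sorted(buckets.items()):
        scores = [i.score for i in items]
        rows.append(AggregatedRisk(
            risk_id=risk_id, group=group, assessments=len(items),
            max_score=max(scores),
            mean_score=round(sum(scores) / len(scores), 2),
            root_causes=sorted({i.root_cause for i in items}),
        ))
    return rows


def summarise(rows: List[AggregatedRisk]) -> Dict[str, Tuple[int, float, List[str]]]:
    """Key each row as 'risk/group' for easy lookup in reports or tests."""
    return {f"{r.risk_id}/{r.group}": (r.max_score, r.mean_score, r.root_causes) for r in rows}


# Constructed sample register: risk R1 is assessed by three owners, R2 by one.
REGISTER = [
    RiskAssessment("R1", "ops-emea", "EMEA", "operations", 4, 3, "unpatched legacy servers"),
    RiskAssessment("R1", "ops-apac", "APAC", "operations", 2, 3, "unpatched legacy servers"),
    RiskAssessment("R1", "fin-emea", "EMEA", "finance", 3, 5, "manual change process"),
    RiskAssessment("R2", "fin-emea", "EMEA", "finance", 1, 5, "single payment gateway"),
]

ENTERPRISE = aggregate(REGISTER, lambda e: "enterprise")   # view for the board
BY_REGION = aggregate(REGISTER, lambda e: e.region)        # view by geographic distribution
BY_FUNCTION = aggregate(REGISTER, lambda e: e.function)    # view by business function

if __name__ == "__main__":
    for name, rows in (("enterprise", ENTERPRISE), ("region", BY_REGION), ("function", BY_FUNCTION)):
        print(name, summarise(rows))
```

Note that the enterprise row for R1 carries a mean well below its worst case, which is exactly the kind of gap that only the retained root causes and the per-region view explain.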

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


ISACA Webinar: Learn to Keep Smart Devices Secure

ISACA News

The Internet of Things (IoT) and the proliferation of smart devices have created new challenges for security professionals to address. To help people better keep their devices secure, ISACA has partnered with CA Technologies to create the “Securing Smart Devices: Cybersecurity in the Age of the Internet of Things” webinar. This webinar will take place on 25 June at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Ed Moyle, ISACA’s director of emerging business and technology for research/standards and academics, will moderate this webinar. Moyle will be joined by Scott Morrison, senior vice president and a distinguished engineer at CA Technologies; Chris Poulin, research strategist for X-Force at IBM; and Gunnar Petersen, founder/principal at Arctec Group and visiting scientist at Carnegie Mellon University. During this webinar, they will discuss the implications of connected devices and how security professionals can keep their organizations safe as the IoT grows.

To register for or learn more about this webinar, visit the Securing Smart Devices: Cybersecurity in the Age of the Internet of Things page of the ISACA web site.


ISACA’s Proposed Bylaws Have Been Approved

ISACA News

The updated ISACA bylaws have been approved by ISACA’s membership and are effective immediately. Details and a summary of the newly adopted bylaws are available on the Bylaws and Articles of Incorporation page of the ISACA web site.

ISACA opened voting on the proposed bylaws on 27 April 2015, and the voting closed at the end of the Annual General Meeting in Brussels, Belgium, on 6 June 2015 at 9AM (CEST). All ballots have been tabulated by ISACA’s vendor, Votenet. The number of ballots cast was 15,870, with 95% of voting ISACA members approving the proposed bylaws.

Questions? Contact bylaws@isaca.org.


ISACA Congratulates 2014-15 Award Winners

ISACA News

ISACA would like to congratulate the winners of the 2014-15 awards, many of which were presented in June at the Annual Meeting of the Membership in Brussels, Belgium.

Professional Awards

Michael Cangemi Best Book/Article Award
This award was instituted during the 1996-97 year to recognize individuals for major contributions in the field of IS audit, control and/or security. This year, the award was presented to Tommie Singleton, CISA, CGEIT, CPA, for his ISACA Journal “IS Audit Basics” columns.

Eugene M. Frank Award for Meritorious Performance
This award is named after ISACA’s first president and recognizes individuals for outstanding contributions to ISACA/ITGI. This award is for performance that far exceeds the norm, and nominations are accepted only from a current board member or past international president. The award is granted with input from the international president and approved by two-thirds support from the ISACA/ITGI Board of Directors/Trustees. This year, ISACA presented the award to Ron Saull, CGEIT, CSP.

John Kuyers Best Speaker/Conference Contributor Award
This award was instituted during the 1996-97 year to recognize individuals for major contributions in the development of ISACA global conference(s) and/or outstanding speaking achievements. This year’s award was presented to Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP.

John Lainhart Common Body of Knowledge Award
This award was instituted during the 1996-97 year to recognize individuals for major contributions to the development and enhancement of the common body of knowledge used by the constituencies of the association in the field of IS audit, security and/or control; IS audit certification; and/or IS audit standards. It is not intended to be an annual award, but is presented only when individuals far exceed the norm. This year, ISACA presented the award to Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA.

Harold Weiss Award for Outstanding Achievement
This award was instituted in 1985 to recognize individuals for dedication to the IT governance profession. It is for achievement that far exceeds the norm. This year’s award was presented to Francisco Javier Peris Montesinos, CGEIT, CRISC, ITIL Expert, PRINCE2.

Paul Williams Award for Inspirational Leadership
This award is given to an ISACA volunteer to recognize strategic leadership accomplishments on ISACA’s behalf. The recipient must have contributed to ISACA over the course of several years and far exceeded the norm in achieving strategic results and/or driving ISACA’s strategy forward. This year, the award was presented to Gregory Grocholski, CISA.

Chapter Awards

K. Wayne Snipes Award
This award was established in 1989 to recognize chapters that demonstrate excellent service to their members and communities. Performance is assessed on several criteria, including membership growth, educational events, member communication, promotion of ISACA certifications, involvement with ISACA and involvement with other professional organizations. Winners are selected in each size category in each region. From those, 1 chapter in each size category is selected as the worldwide winner.

This year’s worldwide winners are:

  • Small: Sofia (Bulgaria)
  • Medium: Venice (Italy) and Quebec City (Quebec, Canada)
  • Large: Athens (Greece)
  • Very large: Denver (Colorado, USA)

The 2014 regional winners are:

Asia

  • Medium: Muscat (Oman)
  • Large: Pune (India)
  • Very large: Tokyo (Japan)

Latin America

  • Medium: Quito (Ecuador)
  • Large: Costa Rica

Europe/Africa

  • Small: Sofia (Bulgaria)
  • Medium: Venice (Italy)
  • Large: Athens (Greece)
  • Very large: South Africa

North America

  • Small: Springfield, Missouri (USA)
  • Medium: Quebec City (Quebec, Canada)
  • Large: Middle Tennessee (USA)
  • Very large: Denver (Colorado, USA)

Oceania

  • Medium: Wellington (New Zealand)
  • Large: Canberra (Australian Capital Territory, Australia)
  • Very large: Sydney (New South Wales, Australia)

The Chapter Support Committee is proud to also note honorable mentions for the K. Wayne Snipes Award. Honorable mention was given to chapters that did not win the award, but still excelled as top chapters throughout the year.

2014 K. Wayne Snipes honorable mentions:

  • Asia: Chennai (India), China Hong Kong, Manila (Philippines), Singapore and Taiwan
  • Latin America: Santiago (Chile)
  • Europe/Africa: Barcelona (Spain), Estonia, Slovenia
  • North America: Boise (Idaho, USA), Detroit (Michigan, USA), Houston (Texas, USA), Montreal (Quebec, Canada), National Capital Area (Washington DC, USA), Northeast Ohio (USA) and South Carolina Midlands (USA)

Chapter Communications Awards
This award recognizes chapters that plan and execute great communications with their members. Winners are selected in each size category. This year’s communications top excellence award winners are:

  • Small chapter: Springfield, Missouri (USA)
  • Medium chapter: Slovenia
  • Large chapter: Central Ohio (USA)
  • Very large chapter: Los Angeles (California, USA)

In addition to the Communications Excellence Award winners, ISACA’s Chapter Support Committee is recognizing top contenders for the award. Commendations were given to chapters that did not win the Excellence Award, but still proved to have an outstanding communication plan. This year’s Communications Commendations are:

  • Large chapters: Middle Tennessee (USA), Pittsburgh (Pennsylvania, USA), Pune (India) and Vancouver (British Columbia, Canada)
  • Very large chapters: Chennai (India), New Jersey (USA) and South Africa

Membership Growth Awards
The award for the highest percentage of growth is presented to 4 different chapters based on size. The chapters that earned the award for the highest percentage growth are:

  • Small chapter: La Paz (Bolivia)—84% growth
  • Medium chapter: Quito (Ecuador)—45% growth
  • Large chapter: Athens (Greece)—18% growth
  • Very large chapter: The Netherlands—13% growth

Starting this year, in addition to the respective winners, ISACA’s Chapter Support Committee is recognizing top contenders for the Chapter Growth Award. Honorable mentions are given to chapters that did not win an award, but still had significant growth. This year’s Chapter Growth Honorable Mentions are:

  • Small chapters: Tunis (Tunisia) and Papua New Guinea
  • Medium chapters: Lusaka (Zambia) and Venice (Italy)
  • Large chapters: Sacramento (California, USA) and Central Florida (USA)
  • Very large chapters: London (UK), Atlanta (Georgia, USA), Greater Houston (Texas, USA) and North Texas (USA)

Certification Awards

Each year, a variety of awards relating to the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certification exams are presented. Worldwide top and second highest scorers on the June, September and December exams and the highest scorer in each geographic area for each exam are recognized.

Thomas H. Fitzgerald Award
This award is given in recognition for achieving the highest worldwide score on the June, September and December 2014 CISA examinations. The award was earned by:

  • June—Benjamin Huber
  • September—Stephen Kohlmeyer, CISA
  • December—Justin J. Williams, CGEIT, CA(SA), CISSP

CISA Worldwide Achievement Award
This award is given in recognition for achieving the second highest worldwide score on the June, September and December 2014 CISA examinations. This award was earned by:

  • June—Steven Galea and Joseph Bower, ACA (tie)
  • September—Urban Zsolt
  • December—Antony Williams, CISA, CISM, CCP, CISSP, CLAS, and Anthony Tagallie, CISA, CRISC, CISSP (tie)

CISM Worldwide Excellence Award
This award is given in recognition for achieving the highest worldwide score on the June, September and December 2014 CISM examinations. This award was earned by:

  • June—Stephen George Boyd, CISA, CISM, GSEC
  • September—Sean Malone, CISA, CISM, CCNA, CISSP, G2700
  • December—Geraldo Magela Lopes De Freitas, CISA, CISM, CISSP, and Jason Baczynski, CISM, CISSP, GISP (tie)

CISM Worldwide Achievement Award
This award is given in recognition for achieving the second highest worldwide score on the June, September and December 2014 CISM examinations. This award was earned by:

  • June—Marc Hanlon, CISA, PRINCE2, and Chris Knox, CISA, CISM (tie)
  • September—Jonathan E. McMahon, CISM

CGEIT Worldwide Excellence Award
This award is given in recognition for achieving the highest worldwide score on the June and December 2014 CGEIT examinations. This award was earned by:

  • June—Tim Sattler, Ph.D., CISA, CISM, CGEIT, CRISC, CCSK, CISSP
  • December—Bob Swan, CGEIT

CGEIT Worldwide Achievement Award
This award is given in recognition for achieving the highest worldwide score on the June and December 2014 CGEIT examinations. This award was earned by:

  • June—Simon Rawlings, CGEIT, Colleen Amanda Connick, CGEIT, Steen Petersen, CISA, CGEIT, and Mohamed S. El-Deeb, CGEIT, CMC, DPSM (tie)
  • December—John Dempsey, CISA, CGEIT, ITIL V3, ISO 27001

CRISC Worldwide Excellence Award
This award is given in recognition for achieving the highest worldwide score on the June and December 2014 CRISC examinations. This award was earned by:

  • June—Ross Nicholas Visscher, CISA
  • December—Jessica L. H. Chia, CISA, CRISC, ITIL V3, PMP

CRISC Worldwide Achievement Award
This award is given in recognition for achieving the second highest worldwide score on the June and December 2014 CRISC examinations. This award was earned by:

  • June—Christopher Oswald, CISA, CRISC, CISSP, GCFE, MCSE
  • December—Benjamin Goodman, CRISC

CISA Geographic Excellence Award
This award is given in recognition for achieving the highest score in the geographic area on the June, September and December 2014 CISA examinations. This award was earned by:

June

  • Area 2—Marcos Goncalves da Silva, CISA
  • Area 4—Shannon M. Smith, CISA, CISM
  • Area 5—Chris Mewett, CISA, CISSP, GCIA, GSNA

September

  • Area 1—Louis Lam Sau Chun, CISSP
  • Area 2—Jorge Augusto Salazar Mendoza, CISA, CRISC, ABCP, CISSP
  • Area 5—Cindy Tran

December

  • Area 1—Jeongyoon Lee
  • Area 2—Gustavo Adolfo Pulgar Marin, CISA, ITIL
  • Area 5—Malcolm Young, CISA, and Dominik Gundacker (tie)

CISA Geographic Achievement Award
This award is given in recognition for achieving the second highest score in the geographic area on the June, September and December 2014 CISA examinations. This award was earned by:

June

  • Area 1—Nino Marlou Augustin Cabos Gonzales, CPA
  • Area 2—Marcos Roberto Cavallim, CISA
  • Area 4—Craig Blackbourn and Jason W. Lulay (tie)
  • Area 5—John Hall, CISA, CISSP

September

  • Area 1—Frank Migge, CISA, CISM, CISSP
  • Area 2—Jose Angel Cruz Hernandez, CISA
  • Area 3—Olufunmilayo Abimbola Adewole
  • Area 4—Leo Yu
  • Area 5—Jonathan ORourke, CISA, CISSP

December

  • Area 1—Kok Hwee Lim
  • Area 2—Nestor O. Sarita, CISA
  • Area 4—Mark D. Wilkins, CISA, CFE, CIA, CPA, and Ila Dawn Saunders (tie)

CISM Geographic Excellence Award
This award is given in recognition for achieving the highest score in the geographic area on the June, September and December 2014 CISM examinations. This award was earned by:

June

  • Area 1—Syed Adnan Shahab, CISA, CISM, CGEIT, CRISC, TOGAF9
  • Area 2—Ana Elena Chia Koo and Himanshu Nautiyal, CISM (tie)

September

  • Area 2—Fredy Alonso Cardona, CISM
  • Area 3—Wouter Beens, CISA, CISM
  • Area 5—Kieran McNamee, CISA, CISM

December

  • Area 1—Ronald Tse, CISA, CISM, and Viktor Pozgay, CISM (tie)
  • Area 3—Andrew Sands, CISA, CISM, ACA, and Miklos Danis, CISA, CISM, CISSP (tie)
  • Area 5—Daniel Meakins, CISA, and Carsten Boeving, CISM, CISSP, MCSE (tie)

CISM Geographic Achievement Award
This award is given in recognition for achieving the second highest score in the geographic area on the June, September and December 2014 CISM examinations. This award was earned by:

June

  • Area 1—Krystian Dawiec, CISM, CCDP, CCNP, CISSP, and Abdul Jaleel, CCNA, CEH, ITIL, VCP (tie)
  • Area 3—Beat A. Keusch, CISA, ITIL
  • Area 4—Brian Kruse, CISM, CEH, CISSP
  • Area 5—Akshaya Nirvikar, CISM, CISSP, ISO 27001 LA

September

  • Area 1—Siew Ting Kang, CISA, CISM, CISSP
  • Area 2—Humberto Padilla Loza, CISM, PMP
  • Area 3—Francesco Volani, CISA, CISM, CITP, CPMA, IPMA, MBCS
  • Area 5—Damitha Hewage, CISA, CISM, CISSP

December

  • Area 2—David A. Gutierrez, CISA, CISM, and Jair Andres Moreno, CISA, CISM, CEH, CFC (tie)
  • Area 4—Karen Smithson, CISM, and Joseph McComb, CISA, CISM, CISSP, GSEC (tie)

CGEIT Geographic Excellence Award
This award is given in recognition for achieving the highest score in the geographic area on the June and December 2014 CGEIT examinations. This award was earned by:

June

  • Area 1—Saskia Cremelie, CGEIT
  • Area 2—Wesley Vaz, CISA, CGEIT
  • Area 5—Peter Bridges, CGEIT, CRISC

December

  • Area 1—Yen-Chuan Chen
  • Area 2—Andrei Ferrari Monteiro, CGEIT, PMP
  • Area 5—John O'Driscoll, CISA, CISM, CIA

CGEIT Geographic Achievement Award
This award is given in recognition for achieving the second highest score in the geographic area on the June and December 2014 CGEIT examinations. This award was earned by:

June

  • Area 1—Kwai Chaw Wong, CISA, CISM, CRISC, MCSA, MCSE
  • Area 2—Anderson Itaborahy, CGEIT
  • Area 4—Patrick Shon Finn, CISA, CGEIT, CRISC, CCNA, CISSP, GPEN
  • Area 5—Kurt Heinrich, CISA, CGEIT, CRISC

December

  • Area 1—Jeffery Paul, CISA, CISSP, and Tin-Chi Chung, CISA, CGEIT, CISSP (tie)
  • Area 2—Luis Daniel Mateos Ornelas, CGEIT, ITIL Expert, PMP, TOGAF
  • Area 3—Jelle Welvaarts, CISA, CGEIT, ITIL, PRINCE2
  • Area 4—Gord Stevenson, CGEIT
  • Area 5—Greg Jones, CISA, CISM

CRISC Geographic Excellence Award
This award is given in recognition for achieving the highest score in the geographic area on the June and December 2014 CRISC examinations. This award was earned by:

June

  • Area 1—Matthew Nixon, CISA, CISM, CRISC, and Neha Chandra, Archer, CISSP, ITIL (tie)
  • Area 2—Julian Davis, CISA, CISM, CISSP, ITIL V3
  • Area 3—Christoph Gramp, CISA, CISM, CRISC
  • Area 5—Minali Gamage, CISA, CRISC, PRINCE2

December

  • Area 2—Vinicius Andres Strey, CRISC
  • Area 3—Richard Vernon
  • Area 5—Martin K. Littlewood, CISM, Duncan Hall, CGEIT, CRISC, CEng, CSDP, IntPE (NZ), and Lindsay Walker, CISA, CRISC (tie)

CRISC Geographic Achievement Award
This award is given in recognition for achieving the second highest score in the geographic area on the June and December 2014 CRISC examinations. This award was earned by:

June

  • Area 2—Eduardo Luczinski Jr., CISA, CRISC, ITIL, PMP
  • Area 3—Patricia Clair Bonner and Lorenzo Planas, CISA, CISM, CISSP (tie)
  • Area 5—Lyndal Horsley, CRISC, CISSP, and Seyed Emad Shahidi, CISA, CISM, CRISC, ISO 27001 LA (tie)

December

  • Area 1—Peter Crowley, CISA, CISM, CGEIT, CISSP, ISSMP
  • Area 2—Gonzalo Alejandro Riederer Herrera, CISA, CRISC
  • Area 3—Trevor Galloway
  • Area 4—Jeneen Paterson, CISA, CRISC

Book Review: C(I)SO—And Now What?

Reviewed by Maria Patricia Prandini, CISA, CRISC

Many information security professionals dream of becoming a chief information security officer (CISO) at some point in their professional careers. But once that day arrives, the challenges that come with the position are huge. CISOs need to develop and use a wide set of technical and management skills to be able to fulfill the requirements of the job. They are also required to interact and compete for resources with other senior executives within the organization. The sources of advice for CISOs are often scarce.

C(I)SO—And Now What? is meant to fulfill this need for advice by providing practical guidance on how to master the challenges of becoming a successful CISO. Michael Oberlaender, the book’s author, informs readers from the very beginning that the content of his book is not technical. Instead, it contains a vast range of useful recommendations on what is needed to become an information security leader, how to avoid failure and where to focus in the first stages of the job.

The book provides valuable information such as tips on how to build the necessary capabilities for the job, possible organizational structures for the CISO position, the importance of development and application security, advice on conducting a risk assessment, return on investment (ROI) for security projects, and metrics to back improvements. The inclusion of all of this information helps this book show, in a very simple and practical way, how to develop the abilities necessary to become a CISO.

It also contains guidelines on how to develop good presentations and discusses the education, training and certifications recommended for the position of CISO. The book explains the importance of networking inside and outside of the organization.

Written in plain English, the richness of this book comes from the author’s insights, which are based on his experience as an information security executive in companies located in the US and Germany.

The publication contains several real-life cases and examples and visually appealing tables and graphs. Readers are provided with quick and useful facts. This book will be useful to those who face the challenge of being a CISO right now, but it is also for those who are planning to become a CISO in the near future. It could also help executives from other areas of the organization understand the scope of the CISO role and how the CISO can help protect the company’s most valuable asset: information.

Reading this book is easy and interesting. It is like having a security expert coach readers through the first steps on the job. It addresses a very realistic situation: being appointed as a CISO and not having a clear idea of where to start. This book will certainly be the key that answers the important questions CISOs have and will give readers the head start they need.

C(I)SO—And Now What? is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Maria Patricia Prandini, CISA, CRISC, has a long career as a public official in different positions related to information technology at the Argentine Government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the immediate past president of the ISACA Buenos Aires Chapter.