@ISACA Volume 14, 11 July 2018

Tips for Embedding Risk Management Practices Into the First Line Business Operations

By Lisa Young, CISA, CISM

A primary objective of risk management is to identify, assess, monitor and report on the risk that would have the greatest impact on an organization’s ability to meet its mission and strategic objectives. To manage risk successfully and efficiently, risk activities need to be integrated into day-to-day operations rather than bolted on as a separate set of tasks. This is known as “embedding” risk management. Embedded risk management lets the enterprise demonstrate a cohesive, consistently applied and repeatable structure that is part of its operations and business processes.

Few organizations, whatever their size, have a risk management staff large enough to keep pace with the changing risk landscape in which they operate. To make the most of the resources available, here are some practices that organizations can use to communicate risk concerns more clearly, improve employee awareness and, in turn, improve the first line of business operations’ ability to carry out risk tasks:

  • Develop a risk management curriculum and training for the risk landscape in which your enterprise operates. This curriculum can be as simple as a set of presentation slides that raises awareness of specific risk factors that have impacted organizations similar to yours or an in-depth, multimedia, computer-based training on the 3 lines of defense (3LoD) structure used by many global financial institutions. One innovative approach is to use case studies of real events. In 2 short hours, perhaps as a monthly lunch-and-learn session, a group of business professionals can read a case study, perform the role of a risk owner, and have a lively discussion on actions that would have prevented the risk from being realized or decisions that would have improved the response and/or decreased the impact after the risk was realized.
  • Cultivate an early-warning, neighborhood-watch-like alert system made up of staff on the front line of defense. The people closest to day-to-day operations are usually the first to notice that something is not quite right, or that policies and rules are being set aside to meet project deadlines or reduce operating costs. Catastrophic operational risk events are often the result of a series of cascading smaller failures or breakdowns in communication. As part of the risk management training curriculum, invest time in creating job aids, such as a laminated card with a reporting hotline number or web address, that show where areas of concern can be reported anonymously. Learning about these concerns early makes it far easier to take appropriate action. Maturing risk management practices also requires greater transparency along the line of sight from business operations to the board of directors or senior governing body.
  • Create a risk liaison role or leverage an existing liaison role, such as compliance or information security, as an advocate for risk management that lives in the business. Risk liaisons, or staff who work in the business line and help translate the organization’s risk management policies, frameworks, and approaches into day-to-day advice and guidance, are a cost-effective way to increase impact beyond a central risk team. The continued contact between the risk liaison and business leaders enables the dialogue necessary to challenge the assumptions of each viewpoint and contribute to translating the language of risk into the language of the business and vice versa.

For additional insights on risk management, read the latest ISACA publication Getting Started With Risk Management.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Continuing GDPR Compliance for Your Enterprise



According to ISACA’s recent General Data Protection Regulation (GDPR) Readiness Survey, prioritizing GDPR compliance was one of the top 3 challenges business leaders face today. Even though the 25 May 2018 enforcement date has passed, many organizations are still working toward GDPR compliance, and many that are compliant today are struggling to sustain it.

To see how sustained GDPR compliance is possible, ISACA and TITUS present the “Key Strategies for Maintaining GDPR Compliance” webinar. The session will show you how to secure organizational buy-in for built-in data protection, how to design an effective and inclusive change management process to support privacy by design and by default, and how to educate and empower employees to identify and protect personal data as a part of business as usual. This webinar takes place on 19 July at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Doug Snow, vice president of customer success at TITUS, offers insights and best practices for identifying and protecting personal data, engaging your organization, and reaching sustained GDPR compliance through organizationwide involvement.

To learn more about this webinar or to register for it, visit the Key Strategies for Maintaining GDPR Compliance page of the ISACA website.


The State of California Follows GDPR Lead


Late last month, the state of California (US) legislature approved groundbreaking consumer privacy legislation that mirrors the General Data Protection Regulation (GDPR) in the European Union in several ways. AB 375, officially known as the California Consumer Privacy Act of 2018, allows consumers to see what information is being collected about them and the groups to which the information is being sold. The legislation also provides consumers an opportunity to stop the sale altogether.

The measure originally started as a ballot initiative and had already received more than 600,000 signatures, nearly twice what is required to qualify to be on the ballot in California elections this November.

The new law is scheduled to take effect on 1 January 2020. Learn more as Bill Bonney, CISA, programs director of the ISACA San Diego (California, USA) Chapter, explores the new legislation and offers his perspective on its impact in his ISACA Now blog post.


How to Build an Insider Threat Program


Insider threats are quickly becoming one of the greatest cybersecurity threats organizations face, given the volume of records stolen every day. Unfortunately, the contractors, vendors, privileged users and business users we trust most are often the ones who create the most risk. Whether insider threats are unintentional or malicious, quickly identifying and eliminating them starts with a people-centric approach.

To learn more about best practices and to hear customer case studies based on real-life examples of building and maintaining effective insider threat programs, ISACA and ObserveIT present the “Best Practices for Building an Effective Insider Threat Program” webinar. The session will explore why insider threats are prevalent, how to stop them in their tracks, and why you need to focus on people, process and technology. This webinar takes place on 12 July at 7AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Mayank Choudhary, vice president of products at ObserveIT, will lead the webinar. Choudhary will use his experience as a technology leader in the cybersecurity and content management industries to help you determine how to build the best insider threat program for your enterprise.

To learn more about this webinar or to register for it, visit the Best Practices for Building an Effective Insider Threat Program page of the ISACA website.


Using Active Defense to Keep Your Enterprise Email Secure



Business email compromise (BEC) scams cost organizations billions of US dollars, yet the organizations that are targeted usually have only a defensive posture in place, which does little to deter future attackers. While it is illegal in the United States to hack back at BEC actors, organizations can do more to stay secure by implementing an active defense plan.

See the results of numerous active defense operations as ISACA and Agari present the “Active Defense: Why Duck When You Can Hit Back?” webinar. The session will also allow you to view findings from exfiltrated scammer mailboxes, even showing how BEC actors target their victims. This webinar takes place on 24 July at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

John Wilson, field chief technology officer (CTO) at Agari, has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions. Wilson continues his mission to rid the world of email fraud at Agari. Using his extensive background in combating email fraud, Wilson will lead this webinar and help you determine how to implement an active defense for your own organization.

To learn more about this webinar or to register for it, visit the Active Defense: Why Duck When You Can Hit Back? page of the ISACA website.


Data Threat Modeling and Your Organization


Data are an important commodity and a key consideration in enterprise risk management and monitoring. Changes that happen over time can affect data risk and should be evaluated and monitored continuously to ensure the risk level stays within the guidelines of the enterprise’s risk management plan. Application threat modeling is one way to help ensure that enterprise data are accounted for and that their protection is prioritized.

ISACA’s Continuous Assurance Using Data Threat Modeling white paper explains how data threat modeling can help your organization continuously monitor and safeguard data. An analyst methodically analyzes an application to identify and map the threats it is likely to face after deployment. With that information, application specialists can establish a baseline, put mechanisms in place to address those threats, and monitor the conditions that can affect the application over time, which turns a one-time assessment into ongoing monitoring of data risk.
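The baseline-then-monitor idea above can be expressed as a small “threat model as code” check. The following Python sketch is an added illustration, not code from ISACA or the white paper: it assumes a simplified policy that maps each data classification to a set of required controls, records each data flow of an application with the controls observed on it, takes a baseline assessment, and then reports only the drift (new flows, removed flows, and flows whose missing controls grew) when the application is reassessed later. The component names, the policy table and both sets of flows are constructed for the example.

```python
"""Threat-model-as-code sketch: baseline an application's data flows, then
report drift on reassessment. Added illustration; policy and flows are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataFlow:
    """One movement of data between two components of the application."""
    source: str
    dest: str
    data_class: str                       # classification of the data carried
    controls: frozenset = frozenset()     # controls observed on this flow

    def key(self):
        return (self.source, self.dest, self.data_class)


# Assumed policy: the controls required for each data classification.
REQUIRED_CONTROLS = {
    "public": frozenset(),
    "PII": frozenset({"tls", "authn", "audit_log"}),
    "financial": frozenset({"tls", "authn", "audit_log", "encrypt_at_rest"}),
}


def missing_controls(flow):
    """Controls the policy requires for this flow's data class that the flow lacks."""
    return REQUIRED_CONTROLS.get(flow.data_class, frozenset()) - flow.controls


def assess(flows):
    """Map each flow key to its set of missing controls; an empty set means no open gap."""
    return {f.key(): missing_controls(f) for f in flows}


def drift(baseline, current):
    """Compare a new assessment against the baseline assessment.

    Returns flows that appeared, flows that disappeared, and flows whose set of
    missing controls grew (regressions), so a reviewer only looks at changes.
    """
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    regressed = sorted(k for k in current if k in baseline and current[k] - baseline[k])
    return {"added": added, "removed": removed, "regressed": regressed}


# Constructed sample: the application as modeled at deployment ...
BASELINE_FLOWS = [
    DataFlow("browser", "web_app", "PII", frozenset({"tls", "authn", "audit_log"})),
    DataFlow("web_app", "orders_db", "financial",
             frozenset({"tls", "authn", "audit_log", "encrypt_at_rest"})),
    DataFlow("web_app", "cdn", "public", frozenset({"tls"})),
]

# ... and as observed at a later review: an analytics export of PII was added
# without audit logging, and TLS was dropped on the browser flow.
CURRENT_FLOWS = [
    DataFlow("browser", "web_app", "PII", frozenset({"authn", "audit_log"})),
    DataFlow("web_app", "orders_db", "financial",
             frozenset({"tls", "authn", "audit_log", "encrypt_at_rest"})),
    DataFlow("web_app", "cdn", "public", frozenset({"tls"})),
    DataFlow("web_app", "analytics", "PII", frozenset({"tls", "authn"})),
]


def run_example():
    """Baseline the deployment-time model, reassess later, and return the drift report."""
    baseline = assess(BASELINE_FLOWS)
    current = assess(CURRENT_FLOWS)
    return drift(baseline, current), current


if __name__ == "__main__":
    report, current = run_example()
    for key in report["added"]:
        print(f"new flow {key}: missing {sorted(current[key])}")
    for key in report["removed"]:
        print(f"flow removed from model: {key}")
    for key in report["regressed"]:
        print(f"regression on {key}: now missing {sorted(current[key])}")
```

In practice the flow list would be generated from deployment metadata or network observations rather than typed by hand, but the point is the same: the baseline is what the analyst signed off on, and each later run surfaces only what changed, which is what makes the monitoring continuous rather than a periodic re-read of the whole model.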

To learn more, you can access the complimentary ISACA white paper on the Continuous Assurance Using Data Threat Modeling page of the ISACA website.


CISA Certification Continues to Encourage High-Caliber Professionals After 40 Years


More than 140,000 individuals have earned ISACA’s Certified Information Systems Auditor (CISA) certification since its inception in 1978. ISACA marked the 40th anniversary of CISA this year. See the news release and infographic highlighting CISA’s impact on the audit, control and security community, and its sustained relevance among hiring managers and industry recruiters in our increasingly technology-dependent world.

“I have worked in several countries across 3 continents, with a wide variety of clients spanning several industry sectors during my professional career over the last three decades,” said Nancy Onyango, DBA, CISA, and director of internal audit for the International Monetary Fund. “The 1 constant that I have always observed, and have been struck by, is the caliber of staff who hold ISACA’s CISA certification. From Nairobi to London, Johannesburg to Washington DC, I can always count on these professionals to deliver quality work and bring strong insights into governance, risk management and controls in the information and technology arenas.”

For more information on CISA’s 40th anniversary and 2018 exam opportunities, visit the CISA page of the ISACA website.