@ISACA Volume 15  27 July 2016

Tips for Improving Your Risk Assessment Process

Lisa Young, CISA, CISM

The risk landscape in which organizations operate is continuously expanding and increasing in complexity. Boards are starting to ask tough questions about the current risk and emerging risk that may impact the organization’s ability to meet strategic and financial objectives. Here are some considerations for maturing your risk assessment process.

First of all, it is important to define the word “risk.” I prefer to use the ISO 73 risk management definition, which defines risk as the effect of uncertainty on objectives. This definition provides the context for an organization to pursue, retain (accept), or take risk to achieve its objectives and manage the risk factors that have the greatest potential negative impact on objectives should the risk materialize. This definition also allows an organization to leverage control objectives, rather than specific controls, to meet management’s goals. For many organizations, managing the risk of noncompliance and information security has shortened the risk assessment process to identifying control deficiencies and the subsequent application of controls to remedy the deficiency. This shortcut has been a major factor in the misalignment of strategic goals and objectives with operations activities and contributes to the build-up over time of excessive numbers of controls. Here are some considerations for improving the risk assessment process:

  • Risk assessment consists of the identification, analysis and evaluation steps in the risk management process.
  • Identification of risk factors should be done as close to the front lines of the business as possible. There needs to be a way for the operational staff, contractors or suppliers to identify areas of concern and bring them to management’s attention. This risk identification process could take many forms, such as interviews, web self-reporting or surveys, and it needs to be part of the standard workflow process, not an add-on job.
  • Remember that vulnerability identification is one area of concern, but is not the same as a risk assessment. Vulnerabilities and threats should be considered inputs to the risk identification process, but not as shortcuts for conducting a robust assessment and identification of risk.
  • Once areas of concern are identified, they should be sent to a centralized group for analysis. Often in the standard workflow of larger organizations, there is a project or program management office (PMO). The PMO is a good central intake point that has the visibility to look across projects and programs for a horizontal view of risk. The centralized group should have a standard evaluation process for deciding whether the identified area of concern needs more detailed analysis and what type of analysis (quantitative or qualitative) is needed. This standard evaluation process could be a quick checklist or questionnaire that includes such risk factors as type of information (e.g., personally identifiable information, intellectual property, export controls) created or used in the business process, what type of authentication is required to access the information, or the number of data records stored or transmitted by the application.
  • The risk analysis group needs a set of organizational risk measurement criteria to determine if the identified areas of concern are within the risk tolerances of the organization. Without a set of organizational risk thresholds, there is no way to objectively evaluate the identified risk. The risk analysts may also need specialized training in the techniques that would assist in quantifying risk in a way that is meaningful to the organization.
  • Evaluate risk that has undergone analysis so that it can be rank-stacked, or prioritized. This step is straightforward if the organization has a set of risk measurement criteria. Without such criteria, this step adds little to the understanding of which risk factors have the greatest potential to prevent management’s goals and objectives from being met.
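The intake checklist, the organizational thresholds and the rank-stacking described in the last three items can be shown end to end in a few lines. The following is an added illustration, not code from the article or from ISACA; the checklist factors are the ones the article names (type of information, authentication required, number of records), while the scores, threshold values and sample areas of concern are constructed assumptions. It also shows the failure mode the article warns about: with no thresholds defined, there is nothing to evaluate the scores against.

```python
"""Added illustration: minimal risk-intake triage and rank-stacking.

Models three steps from the article: a standard intake checklist scores each
area of concern, organizational risk thresholds decide whether it is within
tolerance or needs qualitative or quantitative analysis, and the scored
items are rank-stacked. All weights, thresholds and sample data are
constructed for illustration; a real program defines its own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Checklist factors named in the article; the point values are assumptions.
INFO_TYPE_SCORE = {
    "public": 0,
    "internal": 1,
    "pii": 3,
    "intellectual_property": 3,
    "export_controlled": 4,
}
AUTH_SCORE = {"mfa": 0, "password": 2, "none": 4}


def record_volume_score(records: int) -> int:
    """Bucket the number of records handled; breakpoints are assumptions."""
    if records < 1_000:
        return 0
    if records < 100_000:
        return 2
    return 4


@dataclass(frozen=True)
class Concern:
    """An area of concern reported from the front line of the business."""
    name: str
    reported_by: str
    info_type: str
    auth: str
    records: int


@dataclass(frozen=True)
class Thresholds:
    """Organizational risk measurement criteria (constructed values).

    A score below `accept` is within tolerance; a score at or above
    `quantify` warrants quantitative analysis; anything between gets
    qualitative analysis.
    """
    accept: int
    quantify: int


def intake_score(c: Concern) -> int:
    """Apply the standard checklist to one concern."""
    return (INFO_TYPE_SCORE[c.info_type]
            + AUTH_SCORE[c.auth]
            + record_volume_score(c.records))


def triage(c: Concern, t: Optional[Thresholds]) -> str:
    """Decide what analysis a concern needs, relative to the thresholds."""
    if t is None:
        # Without organizational thresholds the score is just a number.
        raise ValueError("no organizational risk thresholds defined; "
                         "cannot evaluate the concern objectively")
    s = intake_score(c)
    if s < t.accept:
        return "within tolerance"
    if s < t.quantify:
        return "qualitative analysis"
    return "quantitative analysis"


def rank_stack(concerns: List[Concern],
               t: Thresholds) -> List[Tuple[int, str, str]]:
    """Return (score, name, disposition) with the highest score first."""
    rows = [(intake_score(c), c.name, triage(c, t)) for c in concerns]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


# Constructed sample intake; names and reporters are fictional.
SAMPLE_CONCERNS = [
    Concern("customer portal export", "ops team", "pii", "password", 250_000),
    Concern("intranet wiki", "contractor", "internal", "mfa", 5_000),
    Concern("design document share", "engineering", "intellectual_property",
            "password", 200),
]
ORG_THRESHOLDS = Thresholds(accept=4, quantify=8)

if __name__ == "__main__":
    for score, name, disposition in rank_stack(SAMPLE_CONCERNS, ORG_THRESHOLDS):
        print(f"{score:2d}  {name:<24} -> {disposition}")
```

The checklist is deliberately coarse: its job is intake triage, not the analysis itself. The thresholds are what turn a score into a decision, which is why `triage` refuses to run without them.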

As risk management is very much concerned with enabling the strategic objectives of the organization, the risk assessment process should seek to improve confidence in the identification of risk factors that could get in the way of meeting such objectives.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Accepting Mobile Payments to Stay Secure

Accepting credit card payments presents several challenges for organizations, including the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Enterprises that accept credit card payments must be mindful of fraudulent transactions, how cardholder data are stored, and the security and compliance status of service providers.

But mobile payment acceptance is a way for enterprises to help their customers’ data remain safe while paying for services. Mobile payments, in addition to potentially being more secure than traditional credit card payments, allow businesses to provide a convenient and valuable service for their customers.

The ISACA white paper Is Mobile the Winner in Payment Security? can help risk and security practitioners leverage mobile payments while being mindful of security concerns. The white paper discusses in depth how mobile payments work, which can help practitioners discover how to optimize mobile payment security. To download the white paper, visit the Is Mobile the Winner in Payment Security? page of the ISACA web site.


Help Support and Strengthen the COBIT Community


One of the best ways to support and strengthen the COBIT community is through knowledge sharing. COBIT users worldwide add to the COBIT body of knowledge by sharing case studies, practical use articles and tips from COBIT trainers in ISACA’s weekly, peer-reviewed e-magazine, COBIT Focus.

If you have experience working with COBIT, consider contributing an article about your work. Writing for COBIT Focus is a flexible process that is intended to accommodate, to the greatest degree possible, the needs and preferences of you and your enterprise. Your contribution can connect the global community of COBIT users in a new way that benefits everyone.

For more information, visit the COBIT Focus Submit an Article page of the ISACA web site. To submit an article, contact mjasper@isaca.org.


Add Variety to Your Career With a CISA

Kyle Miller, CISA, QSA, Shares His Experience as a CISA

Kyle Miller enjoys variety. When he is not working as a senior consultant with Plante Moran, PLLC, he enjoys teaching students to play percussion instruments, hiking or exploring new attractions. It is this desire for variety that has made the Certified Information Systems Auditor (CISA) certification so beneficial for Miller. “I have had many opportunities to work on client engagements that I would not have been qualified for had I not had my CISA,” he says. “Those engagements have involved a diverse range of clients providing unique opportunities to apply and continue to hone the skill set offered by the CISA designation.”

Having the CISA certification helped Miller overcome age bias he experienced early in his career. “My age relative to the clients I was working with could sometimes make establishing credibility a little more difficult. The CISA helps show right from the first introduction that I have confirmed knowledge and experience related to information systems audit and security.”

Miller believes that professionals at any stage of their career can benefit from the recognition the CISA certification provides. “It provides a great common body of knowledge for those in the field of IS audit and security,” he says. “It is also a great way to advance your career through instant confirmation of your knowledge and experience.”

Miller’s involvement with ISACA has allowed him to think of IS audit from a broader perspective. He has been able to network and exchange ideas with IS auditors around the world. “Not only have I been able to grow my personal and professional network through the people I have interacted with on the CISA Certification Working group, but I have also been able to contribute to the IS audit profession. Having connections with other CISAs across the world has provided me with great perspective on the IS audit profession globally.”

To learn more about CISA and the other ISACA certifications, visit the Certification page of the ISACA web site.