@ISACA Volume 4  22 February 2017

Five Primary Risk Factors

By Leighton Johnson, CISA, CISM, CIFI, CISSP

There are numerous factors that influence risk and risk management in an organization. The Certified in Risk and Information Systems Control (CRISC) and Certified Information Security Manager (CISM) certifications categorize this risk into 5 primary areas for consideration and review by security and risk professionals. A risk factor is defined as a condition that can influence the frequency, magnitude and, ultimately, the business impact of IT-related events/scenarios.

The 5 primary risk factors are:

  1. External environmental risk factors—The external risk context is the external environment in which an enterprise seeks to achieve its objectives. One must ensure that the external stakeholders, including their objectives and concerns, are considered when developing risk criteria. These factors can include such areas as the organization’s industry, the financial markets in which the organization operates, the rate of change in the operational industry, the organization’s regulatory environment and the technology used by the organization.
  2. Internal environmental risk factors—The internal environment is the basis for all other components of any risk management process or program by providing discipline and structure. Since the internal risk factors influence everything about how the organization or company is operated, internal areas of consideration include:
    • How strategies and objectives are established
    • How business activities are structured
    • How risk factors are identified, assessed and acted on
    • The design and functioning of control activities
    • The design of information and communication systems
    • The design of how activities are monitored
    The internal organizational management criteria for risk considerations must balance the concerns of the enterprise, employees, suppliers, consumers, competitors and the public.
  3. Risk management capability—This indicates how well the enterprise is executing the organizational core risk management practices. Capability, in part, is based on the maturity of processes (including the effectiveness or absence of key controls) and the capability to recognize and detect risk and adverse events.
  4. IT capability—The organizational IT capability is related to the maturity level of the organization’s IT processes and IT controls. Mature and well-controlled IT processes are equivalent to high IT capabilities. Overall, the maturity of IT processes and IT controls helps reduce the likelihood and impact of adverse events.
  5. IT-related business capability—The degree to which management is capable of managing the direction and performance of IT is a primary risk factor related to IT benefit and IT value realization for every organization. The more mature the IT/business connection, the fewer missed opportunities for growth and positive returns. Organizations with a mature connection are therefore more likely to make better IT investments, select better IT business partners, and select and manage the appropriate programs.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Mitigating Cloud Security Threats



Cloud-based operations offer numerous benefits, including lower costs and easy deployment. But as more and more data are moving to the cloud, cloud security is becoming a bigger concern. To help enterprises better secure the data in the cloud, ISACA and Bitglass have partnered to present the “Mitigating the Top 5 Cloud Security Threats” webinar. This webinar will take place at 11AM CST (UTC -6 hours) on 28 February. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Shalmali Rajadhyax, product manager at Bitglass, will lead this webinar. In it, Rajadhyax will discuss the top 5 security threats related to the cloud and how they can best be mitigated. This webinar will also explain how cloud security brokers can provide end-to-end data protection.

For more information on this webinar or to register for it, visit the Mitigating the Top 5 Cloud Security Threats page of the ISACA website.


Audit Cyber Security Controls to Keep Information Safe


Data breaches and the negative publicity associated with them have made cyber security a great concern to boards of directors. Spending on infrastructure is increasing to help limit the damage of cyberattacks. But having these controls in place is not enough; it is necessary to conduct management review, risk assessment and audits of these cyber security controls.

To help enterprises understand the assurance of cyber security controls, ISACA has released the Auditing Cyber Security: Evaluating Risk and Auditing Controls white paper. This white paper explains the importance of investing in cyber security controls and how to audit these controls to better protect the enterprise. It explains how various frameworks, such as COBIT 5 for Information Security, ISO/IEC 27001 and the NIST Cybersecurity Framework, can be leveraged for better management of cyber security controls. The white paper also goes in depth on how to conduct cyber security risk assessment, the steps involved in an internal audit and steps to take when implementing corrective action plans.

This complimentary white paper can be downloaded from the Auditing Cyber Security: Evaluating Risk and Auditing Controls page of the ISACA website.


Learn to Overcome Career Hurdles at Self-empowerment Webinar


Professional opportunities in technology abound due to the accelerating pace of growth in the technology sector. But to succeed in the industry, it is necessary to be able to show the results of your work. To help professionals better identify and share their accomplishments, ISACA is presenting the “Self-Empowerment in Technology: Bootstrapping and Belief” webinar. This webinar will take place on 23 February at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz. This webinar is part of ISACA’s Women in Technology program.

Melanie Mecca, director of data management products and services at CMMI Institute, will lead this webinar. In it, she will discuss how to be recognized and receive credit for your contributions, tips for negotiating salary increases, and creating a body of achievements that enhance career advancement. The webinar will also cover attitudinal shifts that can increase confidence, balance collaboration and assertiveness, and help professionals discover their voice.

To learn more about this webinar or to register for it, visit the Self-Empowerment in Technology: Bootstrapping and Belief page of the ISACA website.


CISA Online Review Course Now Available



The Certified Information Systems Auditor (CISA) Online Review Course, a new offering that prepares learners to pass the CISA exam using proven instructional design techniques and interactive activities, is now available.

The online, self-paced course allows learners to prepare for the exam at a time and location that suits their needs. The course includes a video, interactive content, downloadable workbooks and job aids, case study activities, and a practice exam. The course keeps track of where learners last left off and takes approximately 24 hours to complete.

Each of the course’s 5 sections contains individual modules related to CISA tasks and the CISA job practice.

More information on the CISA Online Review Course can be found on the CISA Online Review Course page of the ISACA website. The CISA, Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) certification exams will utilize computer-based testing, with the first testing window being 1 May-30 June. For more information, visit the Certification page of the ISACA website.