Tips for Effective Risk Identification
Organizations spend a lot of time trying to identify their top risk or most important risk factor that needs to be managed. I am often asked by my customers to provide them with the top risk about which they should be concerned. Most risk registers contain a large number of entries, but often no one can readily explain how those particular risk items came to be included or the explanation is often, “Those entries are the findings from our last audit.” If your risk register only contains findings from previous audits, there might be hidden risk that could prove detrimental to your organization if not uncovered and managed appropriately. There are other organizations that consider risk management only as a compliance activity rather than part of the strategic planning process.
Risk management is the process of identifying, analyzing and responding to risk that has the ability to prevent an organization from meeting its objectives. To successfully achieve objectives, organizations must manage both common and unique risk depending on the industry, competitors, geography and markets served. There are many different methods and techniques for the management of risk, and each begins with the identification of risk. Risk Scenarios Using COBIT 5 for Risk provides information on using risk scenarios for risk identification, and it is available to ISACA members as a free download.
Here are some considerations and practices for effective risk identification, which is usually the first, and most important, step in the risk management process:
- Risk should be identified based on the objectives of the organization and described using business terms (either qualitatively or quantitatively) through a common risk taxonomy. For each potential risk identified, ask the question, “Would this risk, if it materialized, impact our ability to meet a stated objective?”
- Operational risk emanates from the frontlines of the business where the products and services of the organization meet the customers. Survey, poll, interview or question employees, contractors or staff who are closest to the frontline of the business about what concerns they see in the day-to-day operations of their work. This may be done with attribution or anonymously. This technique often uncovers things that everyone knows are detrimental, but for which they may not have a way to report to someone who can take appropriate action.
- When implementing a control or new management practice, ask the question, “What risk is this control or practice designed to address?” If there is no correlation between a control and a risk, what is the reason for the control or the new management practice?
- Understand the sources of risk for your unique industry, geography and markets served. Taking the time to identify risk that has materialized in your competitors and across the industry will assist in providing context as risk is identified in your environment.
- If there is risk that has been realized (e.g., security incidents, sabotage or insider threats), perform an after-action review to see if there were early-warning indicators or triggers that were missed. Lessons learned can be a powerful way to prevent the same or similar type of risk from happening again.
Robust risk identification can go a long way to prevent disruptions or breaches, reduce the impact of realized risk, and keep the organization out of the news headlines.
Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
Explore Findings on the State of Cybersecurity
Cybersecurity threats are not slowing down, according to a recent study completed by the RSA Conference and ISACA. State of Cybersecurity: Implications for 2015, based on a survey that targeted individuals with cybersecurity-related job responsibilities, provides the detailed results of this study. The in-depth study looks at various aspects of cybersecurity, including budgets, hacks, threats, Internet crime, social media, and organizational security and governance.
The survey provides negative and positive news: While attacks are increasing, so are the amounts of resources and support dedicated to cybersecurity initiatives. Organizations are beginning to think about cybersecurity from a business perspective.
To read the full study, visit the State of Cybersecurity: Implications for 2015 page of the ISACA web site. To find more cybersecurity-related resources, visit the Cybersecurity Nexus page of the ISACA web site.
Improve Security With Risk-aware Session Management
While strong authentication and single sign-on can be useful to mitigate data breaches, these may not be enough to prevent data breaches. To help enterprises better prevent data breaches, ISACA has partnered with CA Technologies to present the “Preventing Data Breaches With Risk-aware Session Management” webinar. This webinar will take place on 14 May at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.
Carol Alexander, head of product marketing for authentication solutions at CA Technologies, and Russell Miller, director, security solutions at CA Technologies, will lead this webinar. They will discuss how to improve security using intelligent authentication and single sign-on, while also covering how risk-aware session management can be used to prevent data breaches.
To learn more about this webinar or to register for it, visit the Preventing Data Breaches With Risk-aware Session Management page of the ISACA web site.
Vote Now on ISACA’s Revised Bylaws
ISACA members who have paid their membership dues should have received an email notification about voting on ISACA’s proposed bylaws. The proposed bylaws have been updated to align with the applicable laws in the state where ISACA is incorporated, California, USA. The new bylaws were approved unanimously by the ISACA Board of Directors on 28 February 2015 at the Board meeting in Mumbai, India.
The online election will be open until 6 June 2015 at 2AM CDT (UTC -5 hours). All ballots must be received by Votenet, ISACA’s vendor for this election, by the close of the balloting on 6 June in order to be counted. ISACA members should have received an email from Votenet requesting that you create a username and provide an activation code to access the ballot. In addition, ISACA members can vote at ISACA’s annual membership meeting on 6 June 2015 at the following location: Steigenberger Grandhotel, 71 Avenue Louise, 1050 Brussels, Belgium, beginning at 8AM CEST until 9AM CEST. If for any reason you are not able to vote electronically, ISACA will provide a paper ballot. The deadline to request a paper ballot is 15 May. To request a paper ballot, please contact firstname.lastname@example.org. Only one vote per ISACA member is allowed.
Questions? Contact email@example.com.
This Is Your ISACA Membership!
“Joining ISACA almost 10 years ago as a young professional has had a great impact on my IT career,” says Kaushal Kumar Sharma, silver member, CISA, CISM, CGEIT, CRISC. “While access to extensive knowledge in the areas of risk, security, governance and audit was the key driver at the time of my joining, I discovered that a powerful international network of outstanding people would help me achieve professional goals and drive value for my career.”
Whether you download white papers, attend almost every chapter meeting or actively post in the Knowledge Center, your ISACA membership is customizable to your needs.
For members who are avid learners, ISACA produces research that can help you avoid big data blunders, increase asset protection, respond to cyberattacks and more. COBIT 5, the only business framework for governance and management of enterprise IT (GEIT), can help you achieve operational excellence through reliable, efficient application of technology. ISACA membership gives you discounted rates for COBIT-related products.
For those who joined ISACA for networking opportunities, space is provided for you to connect, share and lead. If you do not have a local chapter, or if you are unable to attend chapter meetings, log in to the Knowledge Center. The Knowledge Center is a meeting place for IT professionals to exchange experiences and expertise, build new relationships through collaboration, and lead discussions on various topics related to your profession.
For those who joined for the certification program, your ISACA membership supports you the entire way. If you are taking the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) exam in June (or have plans to in the future), membership provides you with a discount on the exam and review materials. Plus, the eLibrary may have additional study materials for upcoming exams. After you pass the exam, apply for certification and become certified, your ISACA membership provides you with more than enough free continuing professional education (CPE) hours to meet your annual and 3-year requirements. You also receive the member rate for the certification maintenance fee.
Your ISACA membership will continue to fill the knowledge and experience gaps in your career. Questions? Contact firstname.lastname@example.org.
Advance Your Career With Knowledge and Certification
In 2004, Jaewon Lee held multiple IT certifications, but he wanted to broaden his knowledge of IT risk and control. This interest led him to learn more about ISACA and its certifications. After earning the Certified Information Systems Auditor (CISA) certification, Lee joined Citibank’s IT audit department. “Having the CISA certification proved valuable as I made the transition from IT management to IT audit,” he says. “ISACA certifications are a reflection of one’s industry and professional knowledge and the continuing professional education (CPE) hours required to maintain these certifications ensure your knowledge is current.”
Lee says that when he became an auditor about a decade ago, the IT audit function was still in its infancy in Korea, but now it has become a critical part of IT departments, especially within the finance industry.
In 2007, ING Group offered Lee a position when the organization found itself looking for an IT auditor who was certified and experienced. While Lee finds his certifications valuable, he says that having relevant experience is just as important. “As far as IT audit is concerned, even if you are not an auditor, you can gain the relevant experience through ISACA conferences (e.g., Computer Audit, Control and Security [CACS] conferences) and seminars (e.g., e-learning opportunities, ISACA Training Week offerings). These are effective ways of gaining the latest, most relevant industry knowledge. Attending these events is also a good way to build your professional network. One thing I have learned is that one should not limit oneself to a current role or industry.”
Lee continued to challenge himself and earned the Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. Having these certifications, in addition to his professional experience, gave Lee the opportunity to rewrite the existing IT risk policy within the group and further advance his career.
Earlier this year, Morgan Stanley hired Lee to oversee its IT risk governance—a priority for the firm. “ISACA certifications combined with up-to-date knowledge and professional experience helped me to get the job at Morgan Stanley. The firm also supports continuing learning and encourages employees to acquire relevant certifications to excel in their jobs,” he says. “I strongly believe that these certifications not only demonstrate technical knowledge, but also build trust and confidence for those looking to advance or make changes in their careers.”
Lee advises fellow IT colleagues to act immediately to acquire these skills and certifications. “When I look back at my career path, including my current assignment, it is clear that opportunities were more readily available to me because I was well prepared,” he says. “There is no such thing as a coincidence or luck. You should continuously ask yourself questions such as, ‘What are your professional goals and how are you preparing for them?’ Have you acquired industry knowledge from associations such as ISACA and utilized it? If you have not started yet, it is time to act.”
Book Review: Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security
Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security by Gary M. Jackson is based on 2 decades of research on how to catch malicious attackers. The usual practice had been that organizations responded to an attack only after it had occurred. The rise in more advanced attacks has rendered such reactive responses obsolete. Trying to get into the mind of attackers before they strike provides a much better response.
The author of Predicting Malicious Behavior seeks to bring to light current technology that predicts human behavior by combining behavioral science and computer science. It has become imperative for organizations to be prepared for malicious attacks and also to put measures in place to protect against such attacks. Being able to predict what a malicious attacker might do goes a long way to help mitigate such an attack.
The book comes with a supplementary DVD containing instructional videos on using automated behavior analysis tools and how they work. The DVD is divided into 2 sections: The 1st part covers use of automated behavior analysis tools (e.g., ThemeMate and AutoAnalyzer), and the 2nd shows cyber-based network protection tools (e.g., CheckMate and InMate).
The book is based on a wealth of experience in predictive behavioral analysis, which can be beneficial in protecting networks from malicious attackers. Although the topic might seem theoretical, it has been tried, tested and proven to be effective in the fight against crime. This book can be of immense benefit to those in law enforcement and security, as it can help to prevent and protect against potential cyberattacks. Researchers and academics in behavioral analysis and information security will also benefit from the book.
Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email email@example.com.
Dauda Sule, CISA, is currently marketing manager at Audit Associates Limited, which is a consultancy firm that specializes in designing and organizing training programs pertaining to auditing, fraud detection and prevention, information security and assurance, and anti-money laundering. He has more than 5 years of experience in the Nigerian banking industry and also worked at Gtech Computers (a computer and allied services company) as a systems security and assurance supervisor.