COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

A leading Big 4 professional services firm in the Middle East was selected by a large retail bank in the region to assist in enabling IT risk management practices to deliver value to the enterprise in a cost-effective manner. The bank was facing and continues to face a growing and ever-changing IT risk landscape. Given the bank is heavily dependent on IT infrastructure and IT application systems to deliver efficient and effective banking experiences to its customers, the risk committee (RC) of the board of directors (BoD) decided that IT risk management practices of the highest order must be implemented at the bank.

The Fundamental Problems Faced

The chief risk officer (CRO) and the RC of the BoD agreed that improvement in IT risk management was required. The following areas required specific attention:

- Fragmented IT risk management efforts—Over the years, sections within the organization (e.g., information security function, business continuity function, IT governance function, project management office) developed their own IT risk management frameworks and their own IT risk registers. Furthermore, the enterprise risk management (ERM) function also had an enterprisewide ERM framework and facilitated enterprisewide risk self-assessment exercises that included the IT division. Needless to say, this resulted in inefficient and ineffective IT risk management. On many occasions, the variety of risk management frameworks and IT risk registers resulted in the same risk being identified, owned and monitored in different ways at the same time. The IT division employees felt overwhelmed with the number of IT risk management activities being driven by divergent functions and, ultimately, not reaching any conclusive actions or remediation plans to implement.

- Absence of consolidated reporting—The different risk registers at the bank could not be consolidated into one. Their structures and risk rating methodologies were completely different. Furthermore, a number of risk factors would be repeated. Consolidating all IT risk together into a single IT risk register would be extremely difficult and time-consuming to perform. As a result, the overall impression of the RC and the CRO was that IT risk management activities were unreliable and ineffective.

- Risk culture—The IT division and the bank as a whole did not have a risk culture. The bank was driven by a culture that encouraged and emphasized service delivery and deploying new and innovative solutions in the shortest amount of time.

To read the rest of the article, click here: http://bit.ly/2reyGjZ 

(1 ratings)

Comments

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

I am seeing other cases of operational overload caused by double evidence requests by compliance activity. Consider that GLBA compliance may ask for evidence of solving TLS/SSL and weak cryptography risks or evidence of use of Multi-Factor Authentication, but on a separate schedule. PCI DSS compliance will also ask for the same. LEAN waste in IT Audit practice:
- Excess inventory of audit evidence produced
- Waiting for dependent evidence as one team asks other teams for supporting evidence
- Rework/defects in evidence collected due to weak specifications and processes
- Over-processing: IT audit requests tighter in specification than is needed; two custom pulls of evidence when only one could satisfy two separate requests or requests from other compliance teams.
I think there are some Six Sigma LEAN cost of quality arguments that IT Audit itself can show cost reduction by reducing such wastes.
Don Turnblade at 6/14/2017 11:31:10 AM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

There is also an easy bridge from this report to ISO 31000 risk management integration with the corporate organization. Knowing which persons are risk owners for certain classes and intensities of risk leads to lack of duplication; escalation or subordination to the correct levels; ownership of risk and risk evaluation in the operational sense; traceable risk evaluation methods; and, future state integration with all ISO standards related to Risk Management activity. Also note that COSO ERM at PwC is realigning itself with ISO 31000 risk management guidelines as are all other ISO standards using Risk Management practices. COBIT will need to normally map to ISO 31000 to stay relevant.
Don Turnblade at 6/14/2017 11:39:35 AM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

COBIT already maps to ISO 31000!
peterhill at 6/14/2017 3:08:48 PM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

The correct framework for establishing an IT risk management process is the COBIT 5 Enabling Processes guide. The COBIT 5 for Risk guide is for establishing a risk function.
peterhill at 6/14/2017 3:13:10 PM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

An out-of-office message containing personal information or a comment that violates community policies was deleted by the administrator.
Don Turnblade at 6/14/2017 3:59:34 PM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

I am glad that COBIT maps to ISO 31000. Yet, that puzzles me on two points. 1) Why is the ISO 31000 standards group not aware of that map? So COBIT would object to the assignment of risk owners in line with the business organizational structure, each with the competence and authority needed to be a risk owner for the class of risk they accept? Or COBIT would object to a sensible set of steps for proper risk evaluation because they're in ISO 31000 instead of COBIT? If not, how is COBIT's sense of risk management at variance with the sensible guidance of the ISO 31000 standard? Somehow, these comments seem more reflexive than thoughtful. 2) If COBIT and ISO 31000 map, how could the above problem even occur in a COBIT-using organization? ISO 31000 guidelines, if followed in a straightforward manner, would resolve a vast number of the issues listed.
Don Turnblade at 6/14/2017 4:05:47 PM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Personally, I am not even sure that COBIT has agreement with ISO 31000 on the fundamental notion of the word Risk. ISO Guide 2009: risk: effect of uncertainty on objectives.
Note 1 to entry: An effect is a deviation from the expected — positive and/or negative.
Note 2 to entry: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
Note 3 to entry: Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence.
Note 5 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Don Turnblade at 6/14/2017 4:18:27 PM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

From another point of view, I want to share the differences between the use of ISO 31000 in a private sector organization such as a bank and in civil governance. In my country (ID), IT development is increasing rapidly (in the civil governance sector). Based on COBIT and Mr. Carly555's brief explanation of "Organizational Structures", there was a large gap at civil governance in focus on (EDM). According to ISO 31000:2009 this can be applied in a wide range of activities, and 31000 also says that it can "improve the identification of opportunities and threats". I have several questions about these:
1. What about the resources (EDM) at the organization if the resources at civil governance know nothing about EA?
2. What about allocating resources that didn't meet "Right Person On The Right Place"?
3. Talking about risk treatment, how do you implement it aligned with COBIT, where awareness of Risk IT is still at the zero level of the board leader (EDM) resources?

A.S.K at 6/14/2017 8:36:33 PM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Not only does COBIT map very well with ISO 31000, it provides the foundation for IT risk management enterprise-wide. Every clause of ISO 31000 is addressed within the COBIT framework. In fact, the shortcomings of ISO 31000 are compensated for in COBIT 5. Because of its holistic approach and integrated process model, COBIT provides a practical approach for the implementation of ISO 31000.
peterhill at 6/15/2017 8:49:14 AM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

1) How does COBIT manage gain in its Risk Management, as ISO 31000's definition of the effect of uncertainty on objectives includes gain scenarios as a form of Risk Management? 2) What part of the COBIT standard integrates Risk Management not as an isolated body such as IT audit, but as an integrated activity at every level of organizational structure? I would agree that COBIT can help ISO 31000 work well. But, I believe that a perspective shift inside the use of COBIT is needed to make it work well. I am not saying it cannot be done, I am saying that a bolt-on relationship can be ruined not by the standards themselves but by the assumptions made by people using them. IT Audit is not corporate management. But Risk Owners are part of management. Each is competent, required and accountable for the risk they manage. Risk they cannot manage escalates up the chain of command until it rests by default with the CEO. Risk or aspects of risk that should be delegated drop down to appropriate management. For ISO 31000, risk gaps in coverage are the same as management gaps in authority, training or responsibility. Duplication of risk coverage is the same as management duplication in authority, training or responsibility. Even the surprise emergence of unforeseen risk would default to the CEO as its risk owner until formally delegated to a competent, required and accountable manager of that risk. Such a structure could exist in COBIT, but some thought about how to use COBIT to achieve it is needed. Technically then, there really is no such thing as IT Audit. Under ISO 31000 there is only direct board oversight of Management that is responsible for risk evaluation and suitable escalation or delegation to competent, required and accountable management of those risks. In this, good use of COBIT can assist.
Don Turnblade at 6/15/2017 9:16:00 AM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Even the implementations of InfoSec under ISO 2700x will need to adapt to ISO 31000 notions of risk management. These must not belong to an isolated risk management specialist function. Either InfoSec integrates with business units as part of competent, responsible and accountable teams for InfoSec risks, or InfoSec becomes a management function that is competent, responsible and accountable for the risk it manages. In either case, business units cannot continue to assume that online business is somehow economically separated from InfoSec and that hardening systems is a cost of business service overhead paid to a service bureau called InfoSec.
Don Turnblade at 6/15/2017 9:23:25 AM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Real world examples. In effect PCI DSS Compliance becomes a Risk Manager. Competent: trained in PCI DSS (PCIP, ISA). Required to ensure continuous compliance. Accountable for non-compliance. This cannot really be performed by an Audit body as it actually is not independent of business. Rather, it can use the QSA or ISA certification as a kind of external/internal audit function. A firm I know uses an external QSA as a kind of external audit function on an ISA-certified internal risk management team that is responsible for continuous compliance and is not a part of internal audit.
Don Turnblade at 6/15/2017 9:30:14 AM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Except in very small organisations, PCI DSS compliance is not a responsibility of the risk manager, nor should the risk manager be doing the audit. Ideally there should be proper segregation of duties and clear assignment of responsibilities with appropriate accountability so that the business process, security process, compliance process, quality process and risk management process all function efficiently and effectively. COBIT helps sort this out. Every activity related to processing information is covered by COBIT, so every risk and compliance obligation is covered by COBIT. Consequently, ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000, and all the other management system standards for IT can be addressed through COBIT, starting with EDM01 and setting up a governance framework and then with APO01, through deploying a management system. Risks are found in every COBIT process and every COBIT process is impacted by risk management. Consequently, a single holistic and integrated approach is required for delivering services, managing risk and addressing compliance obligations so that wasteful expenditure is avoided and poor corporate governance removed!
peterhill at 6/15/2017 10:04:36 AM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Except in very small organisations, PCI DSS compliance is not a responsibility of the risk manager nor should the risk manager be doing the audit. Ideally there should be proper segregation of duties and clear assignment of responsibilities with appropriate accountability so that the business process, security process, compliance process, quality process, risk management process all function efficiently and effectively. COBIT helps sort this out. Every activity related to processing information is covered by COBIT, so every risk and compliance obligation is covered by COBIT. Consequently, ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000, and all the other management system standards for IT can be addressed through COBIT starting with EDM01 and setting up a governance framework and then with APO01, through deploying a management system. Risks are found in every COBIT process and every COBIT process is impacted by risk management. Consequently, a single holistic and integrated approach is required to delivering services, managing risk and addressing compliance obligations so that wasteful expenditure is avoided and poor corporate governance removed! 
peterhill at 6/15/2017 10:04:36 AM
There is a difference between the continuous compliance requirement of PCI DSS and an annual compliance Audit. Deeply weak PCI compliance ignores its continuous compliance obligations until just before an annual assessment. Smaller firms can often file a Self Assessment Questionnaire (SAQ). The excellent approach is to build a continuous compliance set of processes that are not audit and that sustain compliance through the year, and then file strongly representative material when the time for an annual assessment arrives. The PCI authorized external auditor has a QSA certification to assess multiple firms. Internally, it is good to have staff attested to their PCI knowledge assisting with continuous compliance activity. The least expensive certification is called a PCIP. Continuous compliance activity would normally be done by an Auditor but a set of controls performed by staff that are competent, required and accountable for that activity. Larger firms will be required to file a Requirement Of Compliance (ROC) annually. This can either be performed by certified Internal Security Assessors (ISA) or external QSA with a set of executive management. Such efforts are often quite large. Consider that a Tier 1 vendor is often processing no less than 6 million credit card transactions per year at a minimum. Continuous compliance operations for such a firm are often much more industrial in scale and fully integrated into IT Change Management processes. Skipping this step will often lead to profoundly adverse findings from external audit -- the QSA -- that typically are not detected early by internal IT Audit. Imagining that such a process for continuous compliance activity with PCI would not have a team that is competent, required and accountable but not part of Audit is an invitation to both adverse findings and, worse, an excess of avoidable vulnerability that removes all protective effects that the PCI DSS standard was created to build.
Don Turnblade at 6/15/2017 1:12:14 PM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Even ISACA recognized a form of self-assessed compliance where a team can simply be checked on their ability to comply with good processes. Such process-based activity predisposes a team to overall superior audit outcomes. PCI continuous compliance can be thought of in this way. The team is not Audit, but does follow a set of good processes that lead to favorable periodic audit assessment outcomes. From the PCI DSS point of view the external audit would then be the annual assessment of compliance. The non-audit function would be an ISO 31000 risk owner, a team that is competent, required and accountable to manage the continuous compliance risks of daily PCI DSS compliance throughout the year. Then, either an internal audit team using ISA certifications or an external auditor with a QSA would assess the continuously self-assessed compliance, and the annual attestation of even very large firms can go surprisingly well. My favorite quote from a QSA: "You can tell immediately which firms have a good continuous compliance program even before one sees a single bit of evidence." Depending on the size, volume of transactions or sensitivity of the firm, larger operations often benefit from adding members to the continuous compliance team that have ISA certifications -- their training is similar to that of external assessors (QSAs). As a result, their ability to do more than functionally focus on external guidance from a QSA once yearly, but actually build control sets that are cost effective and practical to sustain, improves and saves substantially on the cost to comply. These can and do tend to apply Six Sigma LEAN waste cost approaches to control set design and operational effectiveness. Recently, I saw an example of a Six Sigma LEAN approach that could save more than 300% in wasted effort hours by IT Staff over 5 years and possibly 1000% in perpetuity with a hurdle rate of 12.5%/yr.
The gain was simply related to devising automated collection and grading of technical tests of compliance. The numbers of compliance efforts coordinated by Audit that were not coordinating evidence requests and were requiring evidence to be pulled by hand that could be automated led to such a remarkable LEAN waste reduction for the effort.
Don Turnblade at 6/15/2017 1:28:40 PM
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Even ISACA recognized a form of self assessed compliance where a team can simply be checked on their ability to comply with good processes. Such process based activity pre-disposes a team to an overall superior audit outcomes. PCI continuous compliance can be thought of in this way. The team is not Audit, but does follow a set of good processes that lead to favorable periodic audit assessment outcomes. From the PCI DSS point of view the external audit would then be the annual assessment of compliance. The non-audit function would be a ISO 31000 risk owner, a team that competent, required and accountable to manage the continuous compliance risks of daily PCI DSS compliance through out the year. Then, either an internal audit team using ISA certifications or an external auditor with a QSA would assess the continuously self assessed compliance and the annual attestation of even very large firms can go surprisingly well. My favorite quote form a QSA. "You can tell immediately which firms have a good continuous compliance program even before one sees a single bit of evidence." Depending on the size, volume of transactions or sensitivity of the firm, larger operations often benefit from establishing adding members of the continuous compliance team that have ISA certifications -- their training is similar to that of external assessors QSAs. As a result, their ability to do more than functionally focus on external guidance from a QSA once yearly, but actually build control sets that are cost effective and practical to sustain improves and saves substantially on the cost to comply. These can and do tend to apply Six Sigma LEAN waste cost approaches to control set design and operational effectiveness. Recently, I saw an example of a Six Sigma LEAN approach that could save more than 300% in wasted effort hours by IT Staff over 5 years and possibly 1000% in perpetuity with a hurtle rate of 12.5%/yr. 
The gain was simply related to devising automated collection and grading of technical tests of compliance. The numbers of compliance efforts coordinated Audit that were not coordinating evidence requests and requiring evidence to be pulled by hand that could be automated lead to such a remarkable LEAN waste reduction for the effort.
Don TurnbladeEnergizer at 6/15/2017 1:28:40 PM Quote
You must sign in to rate content.
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Except in very small organisations, PCI DSS compliance is not a responsibility of the risk manager nor should the risk manager be doing the audit. Ideally there should be proper segregation of duties and clear assignment of responsibilities with appropriate accountability so that the business process, security process, compliance process, quality process, risk management process all function efficiently and effectively. COBIT helps sort this out. Every activity related to processing information is covered by COBIT, so every risk and compliance obligation is covered by COBIT. Consequently, ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000, and all the other management system standards for IT can be addressed through COBIT starting with EDM01 and setting up a governance framework and then with APO01, through deploying a management system. Risks are found in every COBIT process and every COBIT process is impacted by risk management. Consequently, a single holistic and integrated approach is required to delivering services, managing risk and addressing compliance obligations so that wasteful expenditure is avoided and poor corporate governance removed! 
peterhill at 6/15/2017 10:04:36 AM
There is a difference between the continuous compliance requirement of PCI DSS and an annual compliance Audit. Deeply week PCI compliance ignores its continuous compliance obligations until just before an annual assessment. Smaller firms can often file a Self Assessment Questionnaire (SAQ). The excellent approach is to build a continuous compliance set of processes that are not audit that sustain compliance through the year and then file strongly representative material when the time for an annual assessment arrives. The PCI authorized external auditor has a QSA certification to assess multiple firms. Internally, it is good to have staff attested to their PCI knowledge assisting with continuous compliance activity. The least expensive certification is called a PCIP. Continuous compliance activity would normally be done by an Auditor but an set of controls performed by staff that are competent, required and accountable for that activity. Larger firms will be required to file a Requirement Of Compliance (ROC) annually. This can either be performed by certified Internal Security Assessors (ISA) or external QSA with a set of executive management. Such efforts are often quite large. Consider that a Tier 1 vendor is often processing no less than 6 million credit card transactions per year at a minimum. Continuous compliance operations for such a firm is often much more industrial in scale and fully integrated into IT Change Management processes. Skipping this step will often lead to profoundly adverse findings from external audit -- the QSA, that typically are not detected early by internal IT Audit. Imagining that such a process for continuous compliance activity with PCI would not have a team that is competent, required and accountable but not part of Audit is an invitation to both adverse findings and worse excess of avoidable vulnerability that removes all protective effects that the PCI DSS standards was created to build.
Don TurnbladeEnergizer at 6/15/2017 1:12:14 PM Quote
You must sign in to rate content.
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Except in very small organisations, PCI DSS compliance is not a responsibility of the risk manager nor should the risk manager be doing the audit. Ideally there should be proper segregation of duties and clear assignment of responsibilities with appropriate accountability so that the business process, security process, compliance process, quality process, risk management process all function efficiently and effectively. COBIT helps sort this out. Every activity related to processing information is covered by COBIT, so every risk and compliance obligation is covered by COBIT. Consequently, ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000, and all the other management system standards for IT can be addressed through COBIT starting with EDM01 and setting up a governance framework and then with APO01, through deploying a management system. Risks are found in every COBIT process and every COBIT process is impacted by risk management. Consequently, a single holistic and integrated approach is required to delivering services, managing risk and addressing compliance obligations so that wasteful expenditure is avoided and poor corporate governance removed! 
peterhillEnergizer at 6/15/2017 10:04:36 AM Quote
You must sign in to rate content.
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Real world examples. In effect PCI DSS Compliance becomes a Risk Manager. Competent: trained in PCI DSS (PCIP, ISA). Required to insure continuous compliance. Accountable for non-compliance. This cannot really be performed by an Audit body as it actually is not independent of business. Rather, it can use the QSA or ISA certification as a kind of external/internal audit function. A firm I know uses an external QSA as a kind of external audit function on an ISA certified internal risk management team that is responsible for continuous compliance and is not a part of internal audit.
Don TurnbladeEnergizer at 6/15/2017 9:30:14 AM Quote
You must sign in to rate content.
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Even the implementations of InfoSec under ISO 2700x will need to adapt to ISO 31000 notions of risk management. These must not belong to an isolated risk management specialist function. Either, InfoSec integrates with business units as part of competent, responsible and accountable teams for InfoSec risks. Or, InfoSec becomes a management function that is competent, responsible and accountable for the risk it manages. In either case, business units cannot continue to assume that online business is somehow economically separated from InfoSec and that hardening systems is a cost of business service overhead paid to service bureau called InfoSec.
Don TurnbladeEnergizer at 6/15/2017 9:23:25 AM Quote
You must sign in to rate content.
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

1) How does COBIT manage gain in its Risk Management as ISO 31000's definition of the effect of uncertainty on objectives includes gain scenarios as a form of Risk Management. 2) What part of the COBIT standard integrates Risk Management not as an Isolated body such as IT audit, but as an integrated activity at every level of organizational structure? I would agree that COBIT can help ISO 31000 work well. But, I believe that a perspective shift inside the use of COBIT is needed to make it work well. I am not saying it cannot be done, I am saying that a bolt on relationship can be ruined by not the standards themselves the but the assumptions made by people using them. IT Audit is not corporate management. But Risk Owners are part of management. Each is competent, required and accountable for the risk they manage. Risk they cannot manage, escalates up the chain of command until it rests by default with the CEO. Risk or aspects of risk that should be delegated drops down to appropriate management. For ISO 31000, Risk gaps in coverage is the same as management gaps in authority, training or responsibility. Duplication of risk coverage is the same as management duplication in authority, training or responsibility. Even surprise emergency of unforeseen risk would default to the CEO as its risk owner until formally delegated to a competent, required and accountable manager of that risk. Such a structure could exist in COBIT, but some thought about how to use COBIT to achieve it is needed. Technically then, there really is not such thing as IT Audit. Under ISO 31000 there is only direct board oversight of Management that is responsible for risk evaluation and suitable escalation or delegation to competent, required and accountable management of those risks. In this good use of COBIT can assist.
Don TurnbladeEnergizer at 6/15/2017 9:16:00 AM Quote
You must sign in to rate content.
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Not only does COBIT map very well with ISO 31000, it provides the foundation for  IT risk management enterprise-wide. Every clause of ISO 31000 is addressed within the COBIT framework. In fact, the shortcomings of ISO 31000 are compensated for in COBIT 5. Because of its holistic approach and integrated process model, COBIT provides a practical approach for the implementation of ISO 31000.
peterhillEnergizer at 6/15/2017 8:49:14 AM Quote
You must sign in to rate content.
(Unrated)

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

From another point of view, I want to share the differences between the use of ISO 31000 in a private sector organization such as a bank and in civil governance. In my country (ID), IT development is increasing rapidly (in the civil governance sector). Based on COBIT and Mr. Carly555's brief explanation of "Organizational Structures", there is a large gap at civil governance in its focus on EDM. According to ISO 31000:2009 this can be applied to a wide range of activities, and 31000 also says that it can "improve the identification of opportunities and threats". I have several questions about these:
1. What about the resources (EDM) at the organization if the resources at civil governance know nothing about EA?
2. What about when the allocation of resources does not meet "Right Person in the Right Place"?
3. Talking about risk treatment, how do you implement it in alignment with COBIT where awareness of Risk IT is still at zero level among the Board Leader (EDM) resources?

A.S.K (Social) at 6/14/2017 8:36:33 PM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Personally, I am not even sure that COBIT has agreement with ISO 31000 on the fundamental notion of the word Risk. ISO Guide (2009): risk: effect of uncertainty on objectives. Note 1 to entry: An effect is a deviation from the expected — positive and/or negative. Note 2 to entry: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). Note 3 to entry: Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these. Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence. Note 5 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Don Turnblade (Energizer) at 6/14/2017 4:18:27 PM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

I am glad that COBIT maps to ISO 31000. Yet, that puzzles me on two points. 1) Why is the ISO 31000 standards group not aware of that map? So COBIT would object to the assignment of risk owners in line with the business organizational structure, each with the competence and authority needed to be a risk owner for the class of risk they accept? Or COBIT would object to a sensible set of steps for proper risk evaluation because they're in ISO 31000 instead of COBIT? If not, how is COBIT's sense of risk management at variance with the sensible guidance of the ISO 31000 standard? Somehow, these comments seem more reflexive than thoughtful. 2) If COBIT and ISO 31000 map, how could the above problem even occur in a COBIT-using organization? ISO 31000 guidelines, if followed in a straightforward manner, would resolve a vast number of the issues listed.
Don Turnblade (Energizer) at 6/14/2017 4:05:47 PM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

An out-of-office message containing personal information or a comment that violates community policies was deleted by the administrator.
Don Turnblade (Energizer) at 6/14/2017 3:59:34 PM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

The correct framework for establishing an IT risk management process is the COBIT 5 Enabling Processes guide. The COBIT 5 for Risk guide is for establishing a risk function.
peterhill (Energizer) at 6/14/2017 3:13:10 PM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

COBIT already maps to ISO 31000!
peterhill (Energizer) at 6/14/2017 3:08:48 PM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

There is also an easy bridge from this report to ISO 31000 risk management integration with the corporate organization. Knowing which persons are risk owners for certain classes and intensities of risk leads to lack of duplication; escalation or subordination to the correct levels; ownership of risk and risk evaluation in the operational sense; traceable risk evaluation methods; and, future state integration with all ISO standards related to Risk Management activity. Also note that COSO ERM at PwC is realigning itself with ISO 31000 risk management guidelines as are all other ISO standards using Risk Management practices. COBIT will need to normally map to ISO 31000 to stay relevant.
Don Turnblade (Energizer) at 6/14/2017 11:39:35 AM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

I am seeing other cases of operational overload caused by double evidence requests by compliance activity. Consider that GLBA compliance may ask for evidence of solving TLS/SSL and weak cryptography risks or evidence of use of Multi-Factor Authentication, but on a separate schedule PCI DSS compliance will also ask for the same. LEAN waste in IT Audit practice:
- Excess inventory of audit evidence produced
- Waiting for dependent evidence as one team asks other teams for supporting evidence
- Rework/defects in evidence collected due to weak specifications and processes
- Over-processing: IT audit requests tighter in specification than is needed; two custom pulls of evidence when only one could satisfy two separate requests or requests from other compliance teams
I think there are some Six Sigma LEAN cost-of-quality arguments that IT Audit itself can show cost reduction by reducing such wastes.
Don Turnblade (Energizer) at 6/14/2017 11:31:10 AM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Even the implementations of InfoSec under ISO 2700x will need to adapt to ISO 31000 notions of risk management. These must not belong to an isolated risk management specialist function. Either InfoSec integrates with business units as part of competent, responsible and accountable teams for InfoSec risks, or InfoSec becomes a management function that is competent, responsible and accountable for the risk it manages. In either case, business units cannot continue to assume that online business is somehow economically separated from InfoSec and that hardening systems is a cost of business service overhead paid to a service bureau called InfoSec.
Don Turnblade (Energizer) at 6/15/2017 9:23:25 AM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Real-world examples. In effect, PCI DSS Compliance becomes a Risk Manager. Competent: trained in PCI DSS (PCIP, ISA). Required to ensure continuous compliance. Accountable for non-compliance. This cannot really be performed by an Audit body, as it actually is not independent of the business. Rather, it can use the QSA or ISA certification as a kind of external/internal audit function. A firm I know uses an external QSA as a kind of external audit function on an ISA-certified internal risk management team that is responsible for continuous compliance and is not a part of internal audit.
Don Turnblade (Energizer) at 6/15/2017 9:30:14 AM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Except in very small organisations, PCI DSS compliance is not a responsibility of the risk manager, nor should the risk manager be doing the audit. Ideally there should be proper segregation of duties and clear assignment of responsibilities with appropriate accountability so that the business process, security process, compliance process, quality process and risk management process all function efficiently and effectively. COBIT helps sort this out. Every activity related to processing information is covered by COBIT, so every risk and compliance obligation is covered by COBIT. Consequently, ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000, and all the other management system standards for IT can be addressed through COBIT, starting with EDM01 and setting up a governance framework and then with APO01, through deploying a management system. Risks are found in every COBIT process and every COBIT process is impacted by risk management. Consequently, a single holistic and integrated approach is required to deliver services, manage risk and address compliance obligations so that wasteful expenditure is avoided and poor corporate governance removed!
peterhill (Energizer) at 6/15/2017 10:04:36 AM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Quoting peterhill at 6/15/2017 10:04:36 AM:
Except in very small organisations, PCI DSS compliance is not a responsibility of the risk manager, nor should the risk manager be doing the audit. Ideally there should be proper segregation of duties and clear assignment of responsibilities with appropriate accountability so that the business process, security process, compliance process, quality process and risk management process all function efficiently and effectively. COBIT helps sort this out. Every activity related to processing information is covered by COBIT, so every risk and compliance obligation is covered by COBIT. Consequently, ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000, and all the other management system standards for IT can be addressed through COBIT, starting with EDM01 and setting up a governance framework and then with APO01, through deploying a management system. Risks are found in every COBIT process and every COBIT process is impacted by risk management. Consequently, a single holistic and integrated approach is required to deliver services, manage risk and address compliance obligations so that wasteful expenditure is avoided and poor corporate governance removed!
There is a difference between the continuous compliance requirement of PCI DSS and an annual compliance audit. Deeply weak PCI compliance ignores its continuous compliance obligations until just before an annual assessment. Smaller firms can often file a Self Assessment Questionnaire (SAQ). The excellent approach is to build a continuous compliance set of processes that are not audit, that sustain compliance through the year, and then file strongly representative material when the time for an annual assessment arrives. The PCI-authorized external auditor has a QSA certification to assess multiple firms. Internally, it is good to have staff attested to their PCI knowledge assisting with continuous compliance activity. The least expensive certification is called a PCIP. Continuous compliance activity would normally be done by an Auditor but a set of controls performed by staff that are competent, required and accountable for that activity. Larger firms will be required to file a Requirement Of Compliance (ROC) annually. This can be performed either by certified Internal Security Assessors (ISA) or by an external QSA with a set of executive management. Such efforts are often quite large. Consider that a Tier 1 vendor is often processing no less than 6 million credit card transactions per year at a minimum. Continuous compliance operations for such a firm are often much more industrial in scale and fully integrated into IT Change Management processes. Skipping this step will often lead to profoundly adverse findings from external audit -- the QSA -- that typically are not detected early by internal IT Audit. Imagining that such a process for continuous compliance activity with PCI would not have a team that is competent, required and accountable but not part of Audit is an invitation to both adverse findings and, worse, an excess of avoidable vulnerability that removes all the protective effects that the PCI DSS standard was created to build.
Don Turnblade (Energizer) at 6/15/2017 1:12:14 PM

RE: COBIT Focus - COBIT 5 for Risk: Making Sense of IT Risk Management

Even ISACA recognized a form of self-assessed compliance where a team can simply be checked on their ability to comply with good processes. Such process-based activity predisposes a team to overall superior audit outcomes. PCI continuous compliance can be thought of in this way. The team is not Audit, but does follow a set of good processes that lead to favorable periodic audit assessment outcomes. From the PCI DSS point of view the external audit would then be the annual assessment of compliance. The non-audit function would be an ISO 31000 risk owner, a team that is competent, required and accountable to manage the continuous compliance risks of daily PCI DSS compliance throughout the year. Then, either an internal audit team using ISA certifications or an external auditor with a QSA would assess the continuously self-assessed compliance, and the annual attestation of even very large firms can go surprisingly well. My favorite quote from a QSA: "You can tell immediately which firms have a good continuous compliance program even before one sees a single bit of evidence." Depending on the size, volume of transactions or sensitivity of the firm, larger operations often benefit from adding members to the continuous compliance team that have ISA certifications -- their training is similar to that of external assessors (QSAs). As a result, their ability to do more than functionally focus on external guidance from a QSA once yearly, but actually build control sets that are cost effective and practical to sustain, improves and saves substantially on the cost to comply. These can and do tend to apply Six Sigma LEAN waste cost approaches to control set design and operational effectiveness. Recently, I saw an example of a Six Sigma LEAN approach that could save more than 300% in wasted effort hours by IT Staff over 5 years and possibly 1000% in perpetuity with a hurdle rate of 12.5%/yr.
The gain was simply related to devising automated collection and grading of technical tests of compliance. The number of compliance efforts, coordinated by Audit, that were not coordinating evidence requests, and that required evidence to be pulled by hand when it could be automated, led to such a remarkable LEAN waste reduction for the effort.
Don Turnblade (Energizer) at 6/15/2017 1:28:40 PM
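Two of the posts above, the one on GLBA and PCI DSS each asking for the same TLS and MFA evidence on separate schedules and the one on automated collection and grading of technical compliance tests, describe a practice that is easy to show in code: map each evidence request to the control whose evidence satisfies it, pull once at the earliest deadline, and grade the technical test automatically so one result is filed against every framework that asks for it. The Python below is an added example by the editor, not code from the thread or from any poster. Everything in it is constructed: the control inventory, the requirement tags (illustrative labels, not verified clause citations of GLBA or PCI DSS), the request dates, and the scanner output format.

```python
"""Consolidating duplicated compliance evidence requests and grading an
automated technical test once so the result serves every framework that
asks for it. All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed control inventory: control id -> framework requirement tags the
# control's evidence satisfies. Tags are illustrative labels, not verified
# clause citations of GLBA or PCI DSS.
CONTROL_MAP: Dict[str, Set[str]] = {
    "CTL-TLS": {"GLBA:encryption-in-transit", "PCI:strong-crypto-in-transit"},
    "CTL-MFA": {"GLBA:access-control", "PCI:mfa-remote-access"},
    "CTL-LOG": {"PCI:audit-logging"},
}

# Protocol versions whose presence fails the TLS control (assumed policy).
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tls1.0", "tls1.1"}


@dataclass(frozen=True)
class EvidenceRequest:
    framework: str     # who is asking, e.g. "GLBA" or "PCI"
    requirement: str   # requirement tag within that framework
    due: str           # ISO-8601 date; compares correctly as a string

    @property
    def tag(self) -> str:
        return f"{self.framework}:{self.requirement}"


def requirement_index() -> Dict[str, str]:
    """Invert CONTROL_MAP: requirement tag -> control that evidences it.
    If two controls claimed the same tag the later one would win, so keep
    the inventory unambiguous."""
    return {tag: ctl for ctl, tags in CONTROL_MAP.items() for tag in tags}


def consolidate(requests: List[EvidenceRequest]) -> Dict[str, List[EvidenceRequest]]:
    """Group requests by the single control pull that satisfies them.
    Requests that no control covers land under 'UNMAPPED' so the coverage
    gap stays visible instead of being silently dropped."""
    index = requirement_index()
    plan: Dict[str, List[EvidenceRequest]] = {}
    for req in requests:
        plan.setdefault(index.get(req.tag, "UNMAPPED"), []).append(req)
    return plan


def pull_schedule(plan: Dict[str, List[EvidenceRequest]]) -> Dict[str, str]:
    """One pull per control, timed to the earliest requester's deadline so
    the same evidence is fresh enough for every schedule that asks for it."""
    return {ctl: min(r.due for r in reqs)
            for ctl, reqs in plan.items() if ctl != "UNMAPPED"}


def pulls_saved(plan: Dict[str, List[EvidenceRequest]]) -> int:
    """Hand pulls avoided: mapped requests minus the pulls actually needed."""
    mapped = [reqs for ctl, reqs in plan.items() if ctl != "UNMAPPED"]
    return sum(len(reqs) for reqs in mapped) - len(mapped)


def grade_tls_scan(scan_lines: List[str]) -> dict:
    """Grade a protocol scan automatically. Assumed line format:
    '<protocol>: offered' or '<protocol>: not offered'."""
    offered = set()
    for line in scan_lines:
        proto, _, status = line.partition(":")
        if status.strip().lower() == "offered":
            offered.add(proto.strip().lower())
    weak = sorted(offered & WEAK_PROTOCOLS)
    return {
        "control": "CTL-TLS",
        "result": "fail" if weak else "pass",
        "weak_offered": weak,
        # Every framework tag this single graded result can be filed against.
        "satisfies": sorted(CONTROL_MAP["CTL-TLS"]),
    }


# Constructed sample: two frameworks asking for the same things on different
# schedules, plus one request that nothing in the inventory covers.
SAMPLE_REQUESTS = [
    EvidenceRequest("GLBA", "encryption-in-transit", "2017-06-30"),
    EvidenceRequest("PCI", "strong-crypto-in-transit", "2017-09-30"),
    EvidenceRequest("GLBA", "access-control", "2017-06-30"),
    EvidenceRequest("PCI", "mfa-remote-access", "2017-09-30"),
    EvidenceRequest("PCI", "audit-logging", "2017-09-30"),
    EvidenceRequest("PCI", "security-policy", "2017-09-30"),
]

# Constructed scanner output for one server; TLS 1.0 is still enabled.
SAMPLE_SCAN = ["sslv3: not offered", "tls1.0: offered",
               "tls1.1: not offered", "tls1.2: offered"]

if __name__ == "__main__":
    plan = consolidate(SAMPLE_REQUESTS)
    for ctl, reqs in plan.items():
        print(ctl, [r.tag for r in reqs])
    print("schedule:", pull_schedule(plan))
    print("hand pulls saved:", pulls_saved(plan))
    print("TLS grade:", grade_tls_scan(SAMPLE_SCAN))
```

Run as a script it shows six requests collapsing to three pulls (two saved), the TLS pull due on the earlier GLBA date, the uncovered policy request reported as a gap rather than lost, and the scan graded as a failure because TLS 1.0 is offered. The "UNMAPPED" bucket is the defender's check: a request that no control evidences is exactly the coverage gap the ISO 31000 discussion above equates with a gap in management responsibility.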
