Tips for Prioritizing Risk in Your Risk Register
News outlets across the world report that organizations of all types continue to suffer grave impacts from cyberthreats and incidents. Those organizations that have not yet experienced such an event find themselves wondering if the latest ransomware attack or personally identifiable information (PII) data breach could impact their enterprise.
A threat is not a risk. Just because something can happen does not mean it will happen. Risk is dependent on the vulnerability of the enterprise to the effect of a particular threat or set of conditions. Perhaps as a result of the constant chatter of news outlets reporting cyberthreats that have materialized as realized risk to multiple organizations, a largely reactive system of risk management has been created. True risk-based planning for relevant impact scenarios or selection of controls is often unrewarded or unnoticed. However, it is the job of those tasked with risk management to look past the “cyberevent of the week” and remain focused on managing the risk with the highest impact should it actually materialize. This is where risk prioritization can help.
The Getting Started With Risk Management white paper, available from ISACA®, includes guidance for risk identification, analysis, evaluation and prioritization, reporting on risk, monitoring risk under management, and improving the risk management process. The following tips help prioritize criteria to consider when determining which risk to address first, second, third and so on:
- Focus on the organization’s mission and strategic objectives as the starting point to determine which risk, if realized, would have the greatest impact on the enterprise. Brainstorm until a robust set of plausible and relevant scenarios emerges that considers the organization’s business, mission, level of response capability and dependence on third parties.
- Define the enterprise’s most important products and services and the underlying technology that supports the delivery of those products or services. Looking at a technology asset in the context of the mission and strategy helps determine the criticality of an asset. The criticality of an asset is a key criterion to determine which risk to address first.
- From the list of enterprise products and services, make a list of vendors, service providers, suppliers or third parties that provide some or all of the resources needed to deliver the product or service. Looking at service providers and vendors in the context of mission and strategy helps determine the criticality of third parties and, subsequently, helps prioritize the risk.
- Perform research and ask subject matter experts inside and outside the organization to help determine the probability or likelihood of a certain scenario materializing. Some threats are not relevant to the organization or the organization may not possess the vulnerability that allows the threat to materialize.
- Focus on the risk with the most potential impact on the enterprise. Which risk, if realized, would have the greatest impact on the ability of the organization to continue to deliver its products and services?
- Ask the senior leaders or board of directors to vote on which scenarios would have potentially the greatest impact on the enterprise. Their answers may be surprising and may also provide insight to help refine both risk appetite and risk tolerance statements.
- Assess the enterprise’s capability to detect and respond to a given scenario or set of scenarios. Some organizations fall below the cybersecurity poverty line and are not able to adequately respond to one or more scenarios. This is a real risk to many organizations, especially those that continue to operate in deep technical debt. Enterprise senior leadership must be aware of this situation if relevant so they can decide the best course of action.
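The criteria above (impact, likelihood, asset criticality, third-party dependence and detect/respond capability) can be combined into a repeatable ranking of a risk register. The following is an added example, not code from the article or from ISACA; the 1 to 5 ordinal scales, the weighting formula and the sample scenarios are all assumptions constructed for illustration.

```python
"""Rank risk-register scenarios using the prioritization criteria (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: every criterion is scored on an ordinal scale of 1 (low) to 5 (high).
@dataclass
class Scenario:
    name: str
    impact: int                  # effect on the ability to deliver products/services
    likelihood: int              # probability the threat materializes (expert input)
    asset_criticality: int       # criticality of the supporting technology asset
    third_party_dependence: int  # reliance on vendors/service providers
    response_capability: int     # ability to detect and respond (5 = strong)

def priority_score(s: Scenario) -> float:
    """Higher score = address first.

    Exposure combines impact and likelihood; it is weighted by how critical the
    asset is and how much the service depends on third parties, then amplified
    when the enterprise cannot detect or respond well (the 'poverty line' case).
    """
    exposure = s.impact * s.likelihood
    context = (s.asset_criticality + s.third_party_dependence) / 10  # 0.2 .. 1.0
    capability_gap = (6 - s.response_capability) / 5                 # 0.2 .. 1.0
    return round(exposure * context * (1 + capability_gap), 2)

def rank_register(register: list[Scenario]) -> list[tuple[str, float]]:
    """Return (name, score) pairs ordered from highest to lowest priority."""
    scored = [(s.name, priority_score(s)) for s in register]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def exceeds_tolerance(register: list[Scenario], tolerance: float) -> list[str]:
    """Names of scenarios whose score is above the stated risk tolerance."""
    return [name for name, score in rank_register(register) if score > tolerance]

# Constructed sample register: values are illustrative, not from any real assessment.
SAMPLE_REGISTER = [
    Scenario("Ransomware on billing platform", 5, 3, 5, 2, 2),
    Scenario("PII breach via SaaS HR vendor", 4, 3, 3, 5, 3),
    Scenario("Defacement of marketing site", 2, 4, 1, 2, 4),
    # High impact but the threat is barely relevant here, so likelihood is 1.
    Scenario("Exploit of unused mainframe protocol", 5, 1, 4, 1, 3),
]

if __name__ == "__main__":
    for name, score in rank_register(SAMPLE_REGISTER):
        print(f"{score:6.2f}  {name}")
```

Note how the low-likelihood mainframe scenario outranks the frequent but low-impact defacement, and how weak response capability pushes the ransomware scenario to the top.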
The main drivers for risk management include the need to improve decision-making in enterprises, align risk management resources to address the risk with the greatest potential impact on the enterprise, and build the capabilities and resources necessary to detect and respond to realized risk.
Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
Learn, Network and Volunteer With Peers Around the World
Engage—ISACA’s online portal in which professional community members can learn, network and participate—will celebrate its 1-year anniversary in September 2019. The platform offers online discussion boards, global networking and volunteer opportunities. In the 9 months since ISACA transitioned to the new platform, participation has steadily grown. As a participant in the online communities, you can ask your colleagues around the globe for advice.
Many newly certified members credit the Engage Exam Prep Forums with training them for success. Engage also allows you to discuss your thoughts on ISACA publications. For example, with the launch of COBIT 2019, the COBIT and Frameworks Online Forum has been a popular place to discuss the updates and share ideas on implementation.
Interested in getting more involved in ISACA? Engage’s volunteer portal allows you to opt into the volunteer pool, apply for new opportunities, maintain your volunteer profile and track your involvement. This tool helps ISACA connect you and other skilled members with ways in which they can give back. You can also search the events calendar for meetings, networking events or trainings offered by ISACA chapters and connect locally with other professionals.
Log in and become more engaged with the global ISACA community by visiting the Engage website.
Listen and Learn More About the Baltimore Ransomware Attack
A ransomware attack leveraging an unpatched vulnerability affected several of the government services of Baltimore (Maryland, USA). In the recent Cyber Pros Exchange episode of the ISACA Podcast, Frank Downs and Dustin Brewer, 2 of ISACA’s in-house security experts, discuss how this ransomware attack occurred, the services it affected and lessons learned from this attack.
Both Downs and Brewer note that enterprises today need to patch against the EternalBlue exploit, which targets the vulnerability that enabled this attack. This is the same exploit that was used as part of the WannaCry ransomware attack and the NotPetya cyberattack in 2017. If an enterprise cannot patch due to the use of legacy systems, it should consult freely available frameworks such as the US National Institute of Standards and Technology’s NIST Cybersecurity Framework for how best to mitigate this issue. Patching today means taking the time to respond to and learn from previous attacks, including the one in Baltimore, to avoid making the same mistakes. Downs and Brewer note that in situations like these, it is important to focus on how to better the organization to avoid a similar fate rather than playing the blame game.
The Examining the Baltimore Ransomware Attack ISACA Podcast episode, along with dozens of other podcast episodes, is available on the ISACA Podcast page of the ISACA website and can be streamed or downloaded from Apple Podcasts, Google Play, Stitcher or SoundCloud.
Five Steps for Effective Auditing of IT Risk Management
What must the third line of defense do to evaluate the effectiveness of the IT risk management program? Regulators already expect that the first and second lines of defense operate mature IT risk management programs around complex IT systems. Failure to design and manage effective IT risk management functions could result in exposure to material business risk, inadequate prioritization of risk remediation efforts and excessive cost for IT risk mitigation. This means that the third line of defense must consist of regular internal audit reviews of IT risk management to keep the first and second lines fit and healthy and prevent typical slip-ups in the IT risk management program. Alexander Obraztsov, CISA, CISSP, PMP, explores these concepts in his COBIT Focus article, “Five Steps for Effective Auditing of IT Risk Management Using ISACA’s IT Risk Management Audit/Assurance Program.”
IS auditors (who make up the third line of defense) must consider many factors adding complexity to planning and execution of audit projects focused on the IT risk management program. Adapting ISACA’s IT Risk Management Audit/Assurance Program and following a clear 5-step process can help enterprises reach comprehensive audit conclusions, add value and improve the organization. Those steps are:
- Step 1: Prepare by mapping to relevant standards—To avoid the associated compliance risk and potential fines, it is important to verify that mandatory regulatory requirements are not overlooked during the planning phase. Thus, as a first step, IS auditors should map the audit program to relevant industry regulation, standards and guidelines. For example, the requirements of the FFIEC IT Examination Handbook are applicable for the financial industry in the United States. The requirements of the US National Institute of Standards and Technology (NIST) Special Publication 800-37 Rev. 2 Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy and International Organization for Standardization (ISO) ISO 31000—Risk Management are used in the public sector. In many cases though, the ISACA IT Risk Management Audit/Assurance Program can be referenced and will not require a lot of changes. It utilizes both COBIT 5 and COBIT 2019.
- Step 2: Adjust for audit scope and objectives—After aligning the program with industry standards and requirements, further adjustment regarding audit scope and objectives should be considered.
- Step 3: Prioritize controls and align to budget—After confirming relevance and completeness of control objectives, IS auditors may proceed with a preliminary analysis of IT risk management processes by identifying existing controls and potential weaknesses. Assessing inherent and residual risk for each process helps to prioritize the areas requiring the most attention and budget.
- Step 4: Test controls—Testing is the most labor-intensive step. Reviewing the controls around the governance control objective and IT risk management framework control objective from ISACA’s IT Risk Management Audit/Assurance Program, IS auditors should ensure that senior IT and enterprise management and the board of directors (BoD) regularly and routinely consider, monitor and review the IT risk management function and define the organization’s appetite for IT risk.
- Step 5: Consolidate and present results—Once control testing is completed, the IS auditor will have a comprehensive view of the IT risk management program, including its integration into the enterprise risk management (ERM) framework; the overall governance, roles and responsibilities of main contributors; and the level of IT risk appetite within the organization. Opinions can be prepared for each of the tested control objectives, and the auditor may inform management of the reasons for passing/failing the sections, highlight any weak areas and demonstrate potential impacts on the organization.
Interested in exploring these 5 steps presented for auditing IT risk management as part of the third line of defense in more depth? Read Obraztsov’s full article, “Five Steps for Effective Auditing of IT Risk Management Using ISACA’s IT Risk Management Audit/Assurance Program” in COBIT Focus.