@ISACA Volume 22, 31 October 2018

6 Common Risk Factors to Consider When Evaluating Risk

By Leighton Johnson, CISA, CISM, CIFI, CISSP

Common risk factors exist, and almost all the major risk management standards use them when assigning risk to an issue within an organization. The analysis of risk often depends on how these various factors interact within an application or system in the enterprise operating environment. The following factors, along with the associated risk-based questions, can provide focal points for consideration when evaluating risk:

  • Asset being protected—What is the asset under review? How important is this asset to enterprise operations? What is the asset value to the organization? How critical is this asset to the organization’s posture? Are the data on the asset valued separately from the asset itself?
  • Threats to the asset—Who can attack the asset, and how can they do it? Is the attack possible through non-human means? Can the attack be accomplished by intentional effort or not? Is the attack natural-event driven, such as a tornado, hurricane, flood or blizzard? How capable are the threat perpetrators if man-made threats are defined?
  • Vulnerabilities of the asset—What are the weaknesses of the asset? Are there any design flaws in the asset or its operations? Is the asset dependent upon external identification of flaws or weaknesses for assignment of vulnerabilities, such as those found in operating systems and applications? Is the asset configured to system specifications?
  • Current mitigation options employed for the asset—What is the level of security needed to protect the asset? What type of security component is currently deployed to protect the asset under review? Is current security sufficient to mitigate all of the exposed risk of operating the asset as normal, or does additional mitigation effort need to be employed for protection?
  • Likelihood of negative occurrence—What is the possible frequency of the negative event? How often and at what speed can it occur? Is there anything that can cause the event to change or alter during its execution? How likely is it to happen in today’s cyberworld?
  • Magnitude of impact on organization—If this event happens, what effect does it have on the enterprise, its operations or its desired results? How big of a problem can this event be for the organization? Is it potentially catastrophic or is it a potentially minor act? Can this event affect the employees, partners, service providers or other associated entities of the enterprise?

All these questions need to be answered and then evaluated by the risk and security personnel of the organization to properly assess and then mitigate the risk of the organization and its activities. Keep these areas in mind as risk is identified, reviewed, prioritized and treated both within and outside the organization during the risk management efforts.
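As an added illustration, not part of the article, the following Python records the six factors above as a risk register entry and ranks entries for treatment. The 1-5 ordinal scales, the likelihood-times-impact scoring, the likelihood estimate from threat capability and vulnerability, and the mitigation discount are all assumptions made here, not a formula the article prescribes.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1 (lowest) to 5 (highest) ordinal scale for every factor


@dataclass(frozen=True)
class RiskEntry:
    asset: str                  # asset being protected
    asset_value: int            # importance of the asset to enterprise operations
    threat: str                 # who or what can attack the asset
    threat_capability: int      # capability of the threat source
    vulnerability: int          # severity of the weakness that could be exploited
    mitigation: int             # strength of the security currently deployed
    impact: int                 # magnitude of impact on the organization
    likelihood: Optional[int] = None  # frequency of the event, if assessed directly

    def __post_init__(self) -> None:
        # Reject out-of-scale values so a typo cannot silently skew the ranking.
        for name in ("asset_value", "threat_capability", "vulnerability",
                     "mitigation", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..5")
        if self.likelihood is not None and self.likelihood not in SCALE:
            raise ValueError("likelihood must be in 1..5")

    def likelihood_estimate(self) -> int:
        # Assumption: when no direct likelihood is given, estimate it from how capable
        # the threat is and how severe the weakness is (rounded up to stay conservative).
        if self.likelihood is not None:
            return self.likelihood
        return math.ceil((self.threat_capability + self.vulnerability) / 2)

    def inherent_risk(self) -> float:
        # Risk before crediting current controls: likelihood x impact, scaled by asset value.
        return self.likelihood_estimate() * self.impact * self.asset_value / 5

    def residual_risk(self) -> float:
        # Assumption: each mitigation level above 1 removes 20% of the inherent risk.
        return round(self.inherent_risk() * (1 - (self.mitigation - 1) / 5), 2)


def prioritize(entries: List[RiskEntry], tolerance: float = 5.0) -> List[Tuple[str, float, bool]]:
    """Rank by residual risk; flag entries still above the tolerance as needing treatment."""
    ranked = sorted(entries, key=lambda e: e.residual_risk(), reverse=True)
    return [(e.asset, e.residual_risk(), e.residual_risk() > tolerance) for e in ranked]


def sample_register() -> List[RiskEntry]:
    # Constructed sample entries for illustration only.
    return [
        RiskEntry("customer database", 5, "external attacker", 4, 4, mitigation=2, impact=5),
        RiskEntry("lobby kiosk", 1, "walk-in visitor", 2, 5, mitigation=1, impact=2, likelihood=5),
        RiskEntry("payroll server", 4, "malicious insider", 3, 2, mitigation=5, impact=4),
    ]
```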

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Understanding the Changes: COBIT 2019 Webinar



The COBIT 5 framework has been updated and is now COBIT 2019. The new information and guidance provided in COBIT 2019 makes implementing and facilitating this framework a seamless part of business transformation.

To learn more about the upcoming release of the COBIT 2019 product family, ISACA presents the “Introducing COBIT 2019” webinar. It will dive into the reasons behind the COBIT update, the products included in COBIT 2019, the key concepts of the update and how it differs from COBIT 5. This webinar takes place on 14 November at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Dirk Steuperaert, who will lead this webinar, is an IT and risk governance consultant, coach and trainer in IT risk management, IT governance and all COBIT 5-related matters. He will use his experience with COBIT past and present to teach people how they can benefit from COBIT 2019 and help them apply it in practice pragmatically.

To learn more about this webinar or to register for it, visit the Introducing COBIT 2019 page of the ISACA website.


Avoid Security Fatigue



Security fatigue can affect your executive team or board of directors the most. When protecting these two stakeholder groups is a top priority, how do you ensure they are aware of the most relevant threats without being overwhelmed with too much information? You must establish and maintain credibility while also protecting the business. It is crucial to learn how to educate yourself on these threats while also disseminating the pertinent information about threats you uncover.

To help you learn what security fatigue is and what symptoms to be on the lookout for, ISACA and SafeGuard Cyber present the “How to Fight Security Fatigue in Your Enterprise” webinar. It will demonstrate why security fatigue is hard to avoid and how to work with stakeholders to successfully avoid or combat it. This webinar takes place on 6 November at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Maritza Johnson, Ph.D., vice president of privacy and research at SafeGuard Cyber, will lead the webinar. She will use her security and privacy research background to help you design a solution for your enterprise to fight security fatigue.

To learn more about this webinar or to register for it, visit the How to Fight Security Fatigue in Your Enterprise page of the ISACA website.


Assuring Machine Learning


Machine learning is becoming integral at many organizations. It has helped mold new business models, displacing established businesses such as brick and mortar stores and creating new business outlets in areas such as algorithmic advertising. Learning to assure this technology is even more important as more and more enterprises continue to adopt it.

To help you to address the questions of what assurance professionals need to know about this technology and how to provide assurance around machine learning implementations and the unique risk associated with it, ISACA presents the “Machine Learning: What Assurance Professionals Need to Know” webinar. This webinar takes place on 1 November at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Andrew Clark, principal machine learning auditor at Capital One, will lead the webinar. He will use his experience establishing approaches for auditing machine learning solutions to help you develop your own assurance program for machine learning at your enterprise.

To learn more about this webinar or to register for it, visit the Machine Learning: What Assurance Professionals Need to Know page of the ISACA website.


Learn About the IT Security Roadmap for 2019



Enterprise IT is continuously changing in the face of artificial intelligence (AI), machine learning and big data analytics. Furthermore, security is also evolving from conventional endpoint attack detection methods to endpoint detection and response (EDR). To complicate things further, users log in at endpoints, but their directories are all moving into the cloud, resulting in more opportunities for audit. Wednesday, 7 November, marks ISACA and Tech Target’s free, full-day virtual conference, IT Security Roadmap 2019: How to Survive Emerging Threats and Thrive in Complexity, which will provide the opportunity to learn about common emerging threats. Attend this conference and learn more about the future of IT security from the comfort of your own home. In this virtual event, security and IT professionals will gain insight into where IT security needs to focus most next and will learn more from the following topic sessions:

  • When Worlds Collide: Cybersecurity, Virtualized Infrastructure and Next-Generation Software Development
  • The New IG: The Identity Governance and Compliance Balance
  • Cybersecurity Analytics Meets AI: Network, IT Threat Detection Strategies
  • Putting an End to Endpoint Security Risks With Modern Tools

Earn up to 5 free continuing professional education (CPE) hours by attending this ISACA and Tech Target sponsored virtual conference from 7:15AM-4PM CST (UTC -6 hours). To register or learn more, visit the IT Security Roadmap 2019: How to Survive Emerging Threats and Thrive in Complexity page of the ISACA website.


Coming Soon: COBIT 2019


COBIT 2019 is an evolution of COBIT 5, the most recent version of the globally recognized COBIT Framework. COBIT 2019 offers effective and strategic enterprise governance of information and technology (EGIT), and it provides new information and guidance, implementation resources, and comprehensive training opportunities. COBIT 2019 helps enterprises govern information and technology regardless of where it resides.

COBIT 2019 includes 4 core publications:

  • COBIT 2019 Framework: Introduction and Methodology
  • COBIT 2019 Framework: Governance and Management Objectives
  • COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution
  • COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution

The COBIT 2019 governance framework helps you implement good governance practices for your enterprise, with a further reach than just IT and IT department functions. The path to business transformation success and your career can start with COBIT 2019.

For more information on COBIT 2019, its publications and guidance, and new training opportunities, visit the COBIT page of the ISACA website.


ISACA/CMMI Cybersecurity Culture Report Shows Gap Between the Security Culture Organizations Have and the One They Want to Have


A global study from ISACA and the CMMI Institute found that 95% of organizations say there is a gap between the cybersecurity culture they have and the one they want. Insights from more than 4,800 business and technology professionals are included in the Cybersecurity Culture Report, which looks at the current state of cybersecurity culture, what high-performing organizations are doing right and the business impact of a strong cybersecurity culture.

Widespread employee involvement correlates strongly with the minority of organizations that have achieved strong satisfaction with their cybersecurity culture. Nine in 10 employees (92%) at these organizations say that their C-level executives share an excellent understanding of the underlying issues, which may be why they loop in their employees so well.

Other critical findings include:

  • Many organizations lack the first—and all-important—step toward a cybersecurity culture—42% of organizations do not have an outlined cybersecurity culture management plan or policy.
  • Aligning the entire workforce with the organization’s cybersecurity policies requires significant capital—Organizations that report a significant gap between their current and desired cybersecurity culture are spending just 19% of their annual cybersecurity budget on training and tools; organizations that believe their cybersecurity culture is where it is supposed to be are spending more than twice as much (43%).

“A key motivator for organizations delaying investing in their cybersecurity cultures is a lack of awareness about the attempted threats and ongoing risk, as well as a lack of awareness about the assets at risk to cybersecurity threats,” said Rob Clyde, CISM, NACD Board Leadership Fellow and ISACA Board Chair. “However, individuals tend to underestimate the potential damage and overestimate technology’s ability to limit such incidents. Doing so puts their organizations at serious risk.”

To download the complimentary survey report, visit the Cybersecurity Culture Report page of the ISACA website.


Auditing Your GDPR Implementation



Now that the EU General Data Protection Regulation (GDPR) has taken effect, what must your enterprise do to assure things are in place as expected? Auditors will be indispensable in helping enterprises adhere to the privacy rules and ensuring they maintain compliance. ISACA has developed several new products to serve enterprises and auditors in their new endeavor.

The How to Audit GDPR white paper explores and answers new questions auditors have not historically faced prior to the implementation of GDPR and the role audit will play in the face of this regulation. It also covers how audits can be delivered in an effective and efficient manner.

Additionally, the GDPR Audit Program Bundle, priced at US $49 for members and US $79 for non-members, includes a comprehensive GDPR audit program, the GDPR Audit Program—Enterprise, and a derivative audit program covering only the technical aspects of GDPR, the GDPR Audit Program—Technical. The technical program is designed for auditors tasked with determining the effectiveness of IT controls on data processing, while the comprehensive program covers the full range and depth of enterprise-level auditing for GDPR.

Senior management should ensure GDPR compliance within the enterprise and audit compliance on a regular basis to ensure GDPR-related compliance controls are operating effectively. Protecting personal data and the technology used to maintain this privacy is important, and the GDPR audit can help ensure these things stay secure.

For more resources on GDPR, please visit the GDPR page of the ISACA website.