@ISACA Volume 9, 1 May 2019

What Is There in Terminology? Risk Analysis, Risk Assessment and Risk Evaluation


Determining risk is common sense, and risk management is “common sense formalized.” Many times, we subconsciously determine risk to make decisions. The difficulty arises when a group of people must agree on what risk is, perceived or otherwise. To get a group of people to agree on anything, a certain approach is required to reach consensus. In the case of risk, this approach must utilize a risk management framework. To ensure interpretation of the framework is consistent, it is critical to develop a taxonomy.

Taxonomy is important in risk management because many terms associated with risk are defined and categorized differently by different risk professionals. In an organization, it is expected that risk owners make risk-informed decisions, which is only possible if they understand terms related to risk in the same way. This makes taxonomy the most essential part of a risk management framework.

However, while attempting to define the risk management framework taxonomy, I was challenged by 3 terms—risk analysis, risk assessment and risk evaluation—because these terms are often used interchangeably by risk practitioners. This may be because we perform risk analysis, risk assessment and risk evaluation simultaneously in practice. However, when risk owners adhere to different term meanings, the outcome of risk management efforts may differ across risk owners. Although differing understandings of term meanings by different risk practitioners might not affect an organization’s risk management process, especially since these 3 terms are performed simultaneously, we must differentiate them to approach risk management fully.

Since emphasis is placed on ensuring that the interpretation of these terms is consistent, instead of trying to define these terms according to various risk management resources, it may be best to use the clear and comprehensive definitions in ISACA’s CRISC Review Manual. Let us examine risk analysis, assessment and evaluation in this context:

Risk analysis—1. A process by which frequency and magnitude of IT risk scenarios are estimated.

2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats

Scope note: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

Risk assessment—A process used to identify and evaluate risk and its potential effects

Scope note: Includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Risk evaluation—The process of comparing the estimated risk against given risk criteria to determine the significance of the risk (ISO/IEC Guide 73:2002)

As a risk practitioner, I have found that when the risk owner clearly understands these definitions and underlying activities, they are less confused when performing risk analysis, assessment and evaluation. As a result, risk management efforts are more consistent across the organization and risk is more comprehensively addressed.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Auditing Amazon Web Services



With more and more organizations adopting cloud services and hosting on public cloud platforms, knowing how to audit these platforms becomes crucial. Amazon Web Services (AWS) is not the only public cloud platform, but it is used prevalently throughout many industries. Organizational use of AWS, as well as the operational, security and compliance elements of AWS, are all critical for IT auditors to understand when considering specific risk areas to audit.

To help auditors determine if AWS supports operational and compliance objectives, ISACA has released the Amazon Web Services (AWS) Audit Program, which covers AWS in terms of:

• Governance
• Network configuration and management
• Asset configuration and management
• Logical access control
• Data encryption control
• Security incident response
• Security logging and monitoring
• Disaster recovery

Conducting a formal assessment of an organization’s use of AWS, of access to the AWS environment, and of how AWS is managed and interrelated with other systems allows auditors to evaluate how effectively AWS applications and containers function.

To download this audit program, visit the Amazon Web Services (AWS) Audit Program page of the ISACA website.


What Your Organization Can Do About Insider Threats



Insider threats hamper many organizations that find themselves unprepared to detect the threats posed by personnel they trust. Knowing the top motives for insider threats can help organizations be more prepared to implement the correct countermeasures.

To learn what motivates insider threat actors, ISACA and ObserveIT present the “The Insider’s Motive: Defending Against the 7 Most Common Insider Threats” webinar. Security expert Chris Bush will introduce webinar attendees to the 7 most common insider threat focus areas and lead attendees through the top strategies to prevent both accidental and malicious insider threats. This webinar takes place on 7 May at 11 AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Bush is head of security at ObserveIT and is a dedicated and passionate security professional with more than 20 years of IT security industry experience. He is responsible for ObserveIT’s information and operational security strategy and has served as both vice president and head of security at organizations in the past, managing information security, risk and security operations. Bush will help you recognize the signs of insider threats so you can better help to protect your organization.

To learn more about this webinar or to register for it, visit “The Insider’s Motive: Defending Against the 7 Most Common Insider Threats” page of the ISACA website.


Meeting Consumers’ Demand for Data Privacy


Consumers around the world are demanding better privacy rights and data protection. Many organizations are prepared for the EU General Data Protection Regulation (GDPR), but there are many more data privacy regulations on the horizon. The US California Consumer Privacy Act (CCPA) of 2018 is one such regulation. Though there are many similarities between the GDPR and the CCPA, enterprises cannot assume that GDPR compliance automatically means CCPA compliance.

In a recent ISACA Podcast episode, Dave Brunswick, author of the ISACA Journal, volume 2, 2019, article “Another Win for Global Consumer Data Rights: California Data Privacy Law,” discusses the key differences between GDPR and CCPA. In the podcast, Brunswick discusses how GDPR-compliant organizations can become CCPA compliant, why there is a growing emphasis on consumer data rights and what that means for organizations that collect data.

This episode, Another Win for Global Consumer Data Rights, along with dozens of other podcast episodes, is available on the ISACA Podcast page of the ISACA website and can be streamed or downloaded from iTunes, Google Play or SoundCloud.