Book Review—Information Technology Risk Management in Enterprise Environments 


Information Technology Risk Management in Enterprise Environments provides an overview of industry practices and a practical guide to IT risk management frameworks, methodologies and techniques. The proliferation of cyberattacks, compromises of IT systems and the rising number, size and value of security breaches have become a cause of concern in corporate and government circles alike. Business, industry and even nations are alarmed at systematic attacks of ever-increasing magnitude, scale and frequency. Risk assessment and risk management have acquired an important place in the corporate environment, as well as in the enterprise management and governance framework. A quantitative evaluation of potential vulnerabilities, and of the consequences and impact of their exploitation by threats that materialize, has become essential for survival. Risk mitigation methodologies that follow risk assessment have become synonymous with good governance over IT.

Information Technology Risk Management in Enterprise Environments is not industry-specific. It addresses all sectors of business, industry and even public/government sectors because risk, by its nature, and IT risk, due to the use of IT in all organizations, are all-pervasive. The book refers to US and European legislation and standards, but it is nevertheless applicable to all geographic areas.

The book comprises two parts of five chapters each: Part I covers industry practices; Part II provides guidance on developing a risk management program. The material is well organized with appropriate figures and tables. The book also has a useful glossary and an index for ease of reference. One of its strengths is that it provides 10 appendices, a reference section for each of the 10 chapters and a glossary, giving the reader appropriate documentation. It could have added further value if the text were embellished with interactive case studies.

The book provides a management perspective and a practical approach to implementing a risk assessment and a risk mitigation process using a team approach. It provides a survey of industry practices, and it is a good guide for developing a framework for IT risk assessment and mitigation in the enterprise.

One of the highlights of the book is that it deals with IT risk management methodologies such as COBIT and OCTAVE. COBIT is widely referenced, and the methodology is explained in detail.

Overall, Information Technology Risk Management in Enterprise Environments is a useful book for information security managers, security analysts, systems developers, auditors and consultants, and it would even be of help to academics and students. It is a how-to/reference book, as well as a useful addition to the business library.

Editor’s Note

Information Technology Risk Management in Enterprise Environments is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit, e-mail or telephone +1.847.660.5650.

Reviewed by Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA
an expert in software valuation, IS security and IS audit. A renowned faculty member at several management institutes, government academies and corporate training programs, Kanhere is a member of the Sectional Committee LITD 17 on Information Security and Biometrics of the Bureau of Indian Standards. He can be contacted at or


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.
