Summary - Digital Risk & Security (2013TEWMHB)

Pages: 141
Uploaded on: 27-05-2025
Written in: 2024/2025

This is a summary of the course “Digital Risk & Security” (2013TEWMHB), taught in the second semester of the academic year. This summary includes lecture notes.


Content preview

DIGITAL RISK AND SECURITY
TABLE OF CONTENTS

Practical ..... 3
Chapter 1: Fundamentals on Risk & Security (Management) ..... 5
  1.1 – Introduction ..... 5
  1.2 – Definition of Terms ..... 7
    Risk ..... 7
    Risk Management ..... 8
    Information Security & Information Security Risk ..... 8
    Cybersecurity ..... 8
  1.3 – Risk and Security are real … ..... 9
  1.4 – Risk and Security in their (IT) Governance Context ..... 10
    IT Governance Definitions ..... 11
Chapter 2: Relevant Risk & Security Framework & Standards ..... 13
  2.1 – COSO ..... 13
    COSO ERM 2017 ..... 13
    COSO ERM: 2004 versus 2017 ..... 14
    COSO ERM 2017 ..... 14
    COSO Enterprise Risk Management ..... 14
  2.2 – ISO/IEC 31000 ..... 17
  2.3 – FAIR ..... 20
  2.4 – COBIT (Refresher) ..... 23
  2.5 – ISO/IEC 27001 & 27002 ..... 45
  2.6 – NIST CSF 2.0 ..... 51
  2.7 – CCB CyberFun ..... 55
Chapter 3: Risk & Security Functions in Organisations ..... 59
  3.1 The Risk Functions ..... 59
  3.2 The Security Function ..... 69
Chapter 4: Risk Governance & Risk Management ..... 76
  4.1 – Risk Governance ..... 76
  4.2 – Risk Taxonomy ..... 78
  4.3 – Risk Appetite ..... 82
  4.4 – CCB Cyber Fundamentals Revisited ..... 83
  4.5 – The Risk Management Process ..... 85
Chapter 6: Security Governance & Management ..... 88
  6.1 – Security Governance ..... 88
  6.2 – Security Management ..... 91
Chapter 7: Relevant regulations ..... 94
  7.1 NIS2 ..... 94
  7.2 DORA ..... 97
Chapter 8: Practical Risk & Security Management ..... 99
  8.1 – IT Risk Scenarios ..... 99
  8.1 (extra) – Introduction & Recap Risk Taxonomy ..... 105
  8.2 – Risk Analysis (QUALITATIVE) ..... 106
  8.3 – FAIR: Quick Recap ..... 108
  8.4 – Risk Analysis (QUANTITATIVE) ..... 113
    Tools ..... 115
  8.5 – Risk Aggregation ..... 116
  8.6 – Risk Response ..... 118
    8.6.1 – Risk Response Options (COBIT 5) ..... 119
    8.6.2 – Risk Response Portfolio & Business Case ..... 122
  8.7 Risk Reporting & Communication ..... 125
    8.7.1 Examples of Risk Information Items ..... 126
  8.8 Key Risk Indicators ..... 128
Guest Lectures ..... 131
  Managing IT and cyber risk in practice (ING) ..... 131
  Cybercrime in practice (Catherine Van de Heyning) ..... 135
Chapter 9: Current IT Risk & Security Topics ..... 138
PRACTICAL

• Lecturer: Dirk Steuperaert
• Overview of the Course
  o The course is structured as follows, taking into account the (high) number of students who enrolled this year:
    ▪ Lectures (8), during which theory is explained, illustrated with examples.
      • In Lecture Session 2 a COBIT 2019 refresher is planned for those who want to refresh their COBIT 2019 knowledge or for whom COBIT has not been part of their curriculum yet.
    ▪ Guest Lecture (1) on law enforcement of cybercrime and security governance
    ▪ Lecture on current topics in IT Risk & Security Management
    ▪ Group assignment
  o A detailed agenda is included further in this presentation and is posted on Blackboard. Please check Blackboard regularly for any changes that might occur.
• Course Grading
  o 2/3 based on the individual exam. The individual exam consists of two parts, each counting for 50% of the exam grade:
    ▪ Multiple choice written exam, testing understanding of and insight into the materials covered during the course sessions. This exam is open book and does not test memorization of the course contents. The exam consists of 50 multiple choice questions. A standard setting of 70% applies.
      • Open book, but no use of ChatGPT
    ▪ Oral individual exam, consisting of:
      • The opportunity to explain your answers on the multiple choice exam (optional)
      • An exercise in which you are asked to apply the acquired knowledge to a risk management problem (quantitative risk methodologies)
  o 1/3 based on the group assignment
    ▪ The group assignment will be explained during the session of April 2nd and is to be handed in by May 31st.
  o Students must pass the individual exam in order to achieve a passing score for the whole course. A failing grade for the individual exam automatically becomes the final grade for the whole course.
  o The scores for the group assignment are final and also count for the second exam period.
• Course Agenda 2024-2025 (Digital Risk & Security – 8u30-10u15, room B.003)

  Date        Week  Topic
  12/02/2025  21    Course Introduction
                    Chapter 1: Fundamentals on risk management and security
                    • What is risk and risk management
                    • What is security and security management
                    • Risk and Security management in IT governance context
                    Chapter 2: Relevant Risk & Security Framework & Standards
                    • FAIR
  19/02/2025  22    Chapter 2: Relevant Risk & Security Framework & Standards
                    • COBIT 2019
  26/02/2025  23    Chapter 2: Relevant Risk & Security Framework & Standards
                    • ISO/IEC 27001 & ISO/IEC 27002
                    • NIST CSF 2.0
                    • CCB CyberFun
  05/03/2025  24    NO CLASS
  12/03/2025  25    Chapter 3: The Risk and Security Function(s) in an organization
  19/03/2025  26    Chapter 4: Risk Governance and Risk Management
  26/03/2025  27    Chapter 5: Security Governance and Security Management
                    Chapter 6: Most relevant risk & security regulations
                    • NIS2
                    • DORA
  02/04/2025  28    Chapter 7: Practical Risk & Security Management:
                    • Risk Analysis methodologies
                    Briefing Group Assignment
  09/04/2025  29    NO CLASS – EASTER HOLIDAYS
  16/04/2025  30    NO CLASS – EASTER HOLIDAYS
  23/04/2025  31    Chapter 7: Practical Risk & Security Management:
                    • Risk and Incident Response
                      o Risk Mitigation
                      o Risk sharing/transfer
                    • Risk Communication
                    Group Assignment Working Session
  30/04/2025  32    Guest Lectures:
                    • Cybercrime in Belgium: a view from law enforcement
                    • Security governance in a financial institution
  07/05/2025  33    Current Topics in Risk Management and Security
                    Group Assignment Working Session
  14/05/2025  34    Exam Briefing (including previous years’ exam questions)
  21/05/2025  35    Multiple choice exam
  June              Oral Exam

• Course Materials
  o Slides: the slides contain the main lines of the course; the course notes complement the slides, and the reference material contains details where necessary.
  o Case study text for the Group Assignment
  o Reference Materials
    ▪ ISACA Publications (see also Blackboard):
      • COBIT 2019 Framework
      • COBIT 2019 Governance and Management Objectives
      • COBIT 2019 Information Security Focus Area
      • COBIT 2019 I&T Risk Focus Area
      • Risk IT Framework, 2nd Edition
    ▪ Other References
      • COSO ERM 2017
      • FAIR
      • NIST
      • DORA & NIS2
      • CCB CyberFun