Lecture notes

Digital risk & security summary

Sold: 13
Pages: 149
Published on: 08-03-2024
Written in: 2022/2023

Notes from the lecture. You may bring the summary to the exam!

Teacher(s): Dirk Steuperaert
Content: All classes

Content preview

Digital risk and security
Contents
1. Introduction................................................................................................................................................. 4
1.1 Risk a short introduction ....................................................................................................................... 4
1.2 Risk management – context .................................................................................................................. 6
Risk- the big picture................................................................................................................................. 6
IT governance definitions ........................................................................................................................ 7
2. Risk & security Standards and Frameworks ................................................................................................ 8
2.1 risk & security references: Terminology and definitions .................................................................... 17
2.2 risk & security issues are real .............................................................................................................. 20
2.4 Risk & security references: A risk ontology: FAIR (Factor Analysis of Information Risk) ...................... 22
3. COBIT 2019 refresher ............................................................................................................................ 27
3.1 cobit as an I&T framework .................................................................................................................. 28
3.2 COBIT 2019 product architecture........................................................................................................ 30
3.2 Designing a tailored governance system: impact of design factors ................................................ 46
3.3 Designing a tailored governance system: Governance System Design Workflow ......................... 47
3.4 Performance management overview .................................................................................................. 53
Process performance: capability level................................................................................................... 54
Organisational structure performance management ........................................................................... 55
3.5 Information quality management ....................................................................................................... 57
4. The risk function and the security function .......................................................................................... 59
Practical COBIT Guidance for Risk & Security Management ................................................................. 59
4.1. The risk function ................................................................................................................................. 60
4.1.1. COBIT 2019 Governance Component Organisational structures ................................................ 60
4.1.2. COBIT 2019 Governance Component: Supporting Processes ..................................................... 61
4.1.3. COBIT 2019 Governance Component: Culture, Ethics & Behaviour ........................................... 62
4.1.5. COBIT 2019 Governance Component: Information .................................................................... 67
4.1.6. COBIT 2019 Governance Component: Services, Infrastructure, Applications ........................... 68
4.1.6. COBIT 2019 Governance Component: People, Skills & Competences ...................................... 69
4.2. The security function .......................................................................................................................... 71
4.2.1. COBIT 2019 Information Security FA – Information Security Organisational Structures ........... 71
4.2.2. COBIT 2019 Information Security FA – Information Security Specific Organisational Structures - CISO ....... 72
4.2.3. COBIT 2019 Information Security FA – Information Security Specific Organisational Structures ............. 73
4.2.4. COBIT 2019 Information Security FA – Information Security: Processes .................................... 74
4.2.5. COBIT 2019 Information Security FA: Culture, Ethics & Behaviour............................................. 76
4.2.6. COBIT 2019 Information Security FA: Information...................................................................... 79
4.2.7. COBIT 2019 Information Security FA: Services ............................................................................ 80
5. Risk Governance .................................................................................................................................... 82
COBIT 2019 – EDM03: Ensure Risk Optimisation ...................................................................................... 82
SFIA V7 – responsibility levels ............................................................................................................... 86
COBIT 2019 – EDM03: Ensure Risk Optimisation SFIA V7 – BURM (Business Risk Management) ....... 86
COBIT 2019 – EDM03 – Ensure Risk Optimisation ................................................................................. 87
5.1. Risk taxonomy .............................................................................................................................. 87
5.1.1. Risk taxonomy: expressing and describing risk .................................................................... 87
5.1.2. Quantitative vs qualitative ................................................................................................... 87
5.1.3. Frequentist vs Bayesian views ............................................................................................. 88
5.1.4. A simple view?...................................................................................................................... 89
5.1.5. Example sets of business impact criteria ............................................................................. 89
5.2. Risk taxonomy, risk appetite, risk capacity................................................................................... 93
5.2.1. Definitions risk appetite – tolerance- capacity..................................................................... 93
5.2.2. Risk map & risk appetite....................................................................................................... 94
6. Risk management .................................................................................................................................. 95
6.1. Risk management process ............................................................................................................ 95
6.1.1. APO12: Managed Risk ........................................................................................................... 95
6.1.2. SFIA V7 – responsibility levels .............................................................................................. 99
6.1.3. COBIT 2019 – APO12: Managed Risk SFIA V7 – INAS (Information Assurance) .................. 99
7. Risk identification ................................................................................................................................ 102
7.1. Risk scenarios.............................................................................................................................. 102
7.1.1. COBIT 2019 – Components of risk scenarios...................................................................... 102
7.1.2. COBIT (and FAIR) risk scenarios .......................................................................................... 104
7.1.3. COBIT 2019 Risk scenario categories ................................................................................. 104
7.1.4. FAIR risk scenarios .............................................................................................................. 106
7.2. Generic guidance on working with risk scenarios ...................................................................... 107
Risk scenario guidance (1) ................................................................................................................... 107
Risk scenario guidance (2) ................................................................................................................... 107
Risk scenario guidance (3) ................................................................................................................... 107
Risk scenario guidance (4) ................................................................................................................... 108
Risk scenario guidance (5) ................................................................................................................... 108
Risk scenario guidance (6) ................................................................................................................... 109
Risk scenario guidance (7) ................................................................................................................... 109
Risk scenario guidance (8) ................................................................................................................... 110
Risk scenario guidance (9) ................................................................................................................... 110
8. Risk analysis ......................................................................................................................................... 112
8.1. Qualitative risk analysis ................................................................................................................... 113
8.1.1. risk analysis flow........................................................................................................................ 113
8.1.2. Some examples .................................................................................................................. 114
8.2. Quantitative risk analysis ............................................................................................................ 120
8.2.1. Measuring risk .................................................................................................................... 120
8.2.2. Calibration .......................................................................................................................... 121
8.2.3. The risk analysis process in FAIR ........................................................................................ 123
Tools .................................................................................................................................................... 128
8.3. Risk aggregation ......................................................................................................................... 129
9. Risk response ....................................................................................................................................... 133
9.1. risk response options ....................................................................................................................... 134
9.1.1. risk response parameters .......................................................................................................... 136
9.1.2. Risk response: mitigation ( COBIT 2019) ................................................................................... 136
9.2. Business case for risk response .................................................................................................. 139
9.3. Risk reporting/communication ................................................................................................... 141
9.3.1. Components of I&T risk communication............................................................................ 142
9.3.2. Quality requirements for I&T risk reporting ...................................................................... 143
9.4. Examples of risk related information items ............................................................................... 145
9.4.1. Risk profile .......................................................................................................................... 145
9.4.2. Risk factors ......................................................................................................................... 145
9.4.3. Inputs/outputs APO12 ........................................................................................................ 146
9.5. key risk indicators ....................................................................................................................... 146
9.5.1. key risk indicators – definition ........................................................................................... 146
9.5.2. Leading and lagging indicators ........................................................................................... 147
9.5.3. Selection criteria ................................................................................................................ 147
9.5.4. Key risk indicators benefits ................................................................................................ 148
9.5.5. Challenges for key risk indicators ....................................................................................... 148
9.5.6. Sources of KRIs .................................................................................................................... 149




1. Introduction
1.1 Risk a short introduction

Risk is one of those things that many people define in different ways. Things will happen (you don't know
what, when, or with which impact), but you can't just stay home because bad things might happen (even though
there are risks, the enterprise still has to complete its mission).

Risk is about uncertainty:

➢ Uncertainty over
o What is going to happen?
o When it is going to happen?
o How big the impact will be?
➢ Yet, organisations need to manage this uncertainty, because:
o NOT travelling the road is not an option
o Risk should not distract us from our goals…

Highly publicised risk is not always the most important risk; there is a need for a consistent and systematic
overview of all risks.

The real cause of the problem is quite important.

➢ Need for a method for consistently analysing risk down to its root cause
➢ Need for a mechanism to distinguish small from big risks
➢ If we quantify risk, we need solid methods and reliable data to do so

Risk relates to objectives

➢ Example: if you want to cross a bridge safely and dry, there is much risk
But if the objective is to have fun, there probably won't be a lot of risk

Detectability

➢ You know what to look for, i.e. what constitutes risk for you and what does not…
o In other words: what are the relevant risk scenarios for your organisation?
➢ Once known, risk can be analysed, controls can be implemented, and monitoring is applied to
recognise risk occurrence and to respond as appropriate

You have to be able to detect risk: you have to know what can happen, and what to look for. Only
then can you see how bad the risks are and take countermeasures.

