Abstract—A low-level code of practice is presented in this paper to help information security (IS) risk management professionals manage enterprise IS risks effectively and efficiently using the COBIT 5 framework. The proposed code of practice is the result of the experience gained by the authors over years of working with clients in many industries implementing IS risk management using different international standards and frameworks. COBIT 5 is supposed to serve as an umbrella framework that integrates the knowledge and practice of many other standards and frameworks. However, COBIT 5, like many other frameworks, lacks detailed guidelines for the low-level activities carried out during IT risk management. This code of practice is proposed to fill this gap. The recommended guidelines and activities have been successfully used in real-world IS risk management projects.

Risk [5]. According to the market survey conducted by ISACA [6] to identify what guidance COBIT 5 users most needed to help them obtain maximum value from the use of the COBIT 5 framework, two main areas were highlighted, namely the need for more guidance related to the COBIT 5 enablers and specific topics where practical guidance related to COBIT 5 would be most helpful. The authors believe that the practical guidelines presented in this paper serve this purpose.

The remainder of this paper is organized as follows: section 2 highlights the high-level ISRM processes; section 3 presents details of the ISRM process and its sub-processes; finally, section 4 puts forward some conclusions and future research opportunities in relation to our work.
III. LOW LEVEL PROCESSES

This section presents the low-level processes used in IS risk management along with their corresponding activities and the guidelines to implement them. Each of the following sub-sections introduces the high-level and middle-level processes to which the low-level sub-processes belong, and a table that describes and details the activities of the low-level sub-process. The Process ID and Practice ID references in the tables refer to COBIT 5 for Risk processes [5].

A. Establish Scope and Boundaries

TABLE I. COLLECT DATA
Practice [1.1]: Collect Data
COBIT 5.0 Process Reference: Process ID APO12; Process: Manage Risk
Input: Management direction
Output: Detailed Information Security Risk Assessment Scope
References: None

Sub-Process [1.1.1]: “Establish and maintain a method for collection, classification, and analysis of Information Security risk-related data.”
Description: The quality of the data collected and used for the IS risk assessment is a critical success factor for the assessment. Accordingly, the data collection step should be properly planned for. The ISRM team must agree on the data collection methods that best fit the enterprise environment. These include questionnaires, on-site interviews, document review and the use of automated scanning

Description: In order to gain insight into the IS risks, and to take into consideration the nature of the business and industry, the ISRM team is to survey the available public information related to IS risks in peer companies, analyze published IS risk trends, and reach out to other similar companies to understand the IS risks associated with similar environments.
Outcome: Understanding of the IS risks associated with the industry. This should be maintained in the risk register.

Sub-Process [1.1.4]: “Record data on risk events that have caused or may cause impacts to Information Security benefit/value enablement, Information Security program and project delivery, and/or Information Security operations and service delivery.”
Description: In addition to considering the IS risks associated with the industry, the ISRM team also needs to capture IS risks that already exist in the enterprise and were previously identified as part of an internal assessment, an external audit or a compliance check. Data recorded on incidents, problems and investigations should also be taken into consideration.
Outcome: Inventory of potential IS risks based on previously conducted assessments. This should be maintained in a risk register format.

Sub-Process [1.1.5]: “Organize and categorize the collected Information Security risk data.” & “Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude.”
Description: Based on the data collected on IS risks from similar enterprises and the enterprise's own previous experience, the ISRM team is to analyze this data and provide
what controls are associated with them in terms of ownership and maintenance.
  o If there is no asset inventory in place, the ISRM team is to coordinate with the concerned team(s) to create the asset inventory.
• For the IS assets in the inventory, the ISRM team needs to select a subset for asset valuation and criticality assessment. This subset has to be approved by the IS Risk Manager.
• Conduct the criticality and valuation assessment for the selected assets. The asset criticality assessment criteria must be documented, reviewed at least on an annual basis, and approved by the IS Risk Manager before use.
• Complete the criticality assessment, discuss the results with the asset owners and collect their approval.

Practice [2.1]: Analyze Risk
COBIT 5.0 Process Reference: Process ID APO12; Process: Manage Risk
Input: Detailed Information Security risk assessment scope
Output: Completed risk assessment registers
References: (1) Customized work plans, (2) Risk register template, (3) Risk assessment map

Sub-Process [2.1.1]: “Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets.”
Description: The ISRM team needs to confirm the breadth and depth of the intended risk assessment. This needs to be adjusted to emerging needs, management direction and other possible ad-hoc requirements (new systems, infrastructure changes, etc.). Management might decide to do the assessment
TABLE V. DEFINE RISKS ACTION PLAN
Practice [3.1]: Define Risk Action Plan
COBIT 5.0 Process Reference: Process ID APO12; Process: Manage Risk
Input: The enterprise IS risk profile
Output: Detailed risk treatment plan
References: (1) IS Risk Registers, (2) IS Risk Executive Summaries, (3) IS Risk Profile

Sub-Process [3.1.1]: “Decide on the risk treatment option(s) and consider the activities to address identified risks in line with the enterprise risk tolerance. Map treatment options to specific Information Security risk statements.”
Description: The ISRM team needs to ensure that risk treatment plans based on the available risk treatment options are defined. This should take into consideration the enterprise IS risk tolerance (the amount of risk the company is willing to accept in a specific IS process). For each identified risk in the risk profile, a decision should be made on how to treat the risk. There are several treatment options, including: 1) risk avoidance, 2) risk acceptance, 3) risk transfer, 4) risk mitigation. Cost-benefit analysis is usually used to select the best option; however, whichever option is selected must take into consideration the nature of the enterprise business and its operating environment.
Outcome: IS Risk treatment plan documented on the IS risk register template.
Guidelines: Ref (3.1.1) – The ISRM team will use the IS risk register template to document the risk treatment plans:
• There are usually four options to consider:
  o Risk avoidance: terminate the activity leading to the risk.
  o Risk acceptance: simply accept the risk.
  o Risk transfer: transfer the risk to another party.
  o Risk mitigation: mitigate the risk with appropriate control measures or mechanisms.
• The documented plans need to be created by the IS Risk Senior Analyst and approved by the IS Risk Manager.
• Since the plans would include actions from other departments/divisions, the ISRM team needs to consider sharing these plans with the concerned parties for input and action as needed.
• Detailed justification for the selected option must be documented in the risk register template.

Sub-Process [3.2.1]: “Prepare and maintain plans that document the specific steps to take to address and respond to a risk event that may occur.”
Description: In order to minimize the impact of a risk on the enterprise operations and ensure it is properly planned for, a detailed action plan must be documented and subjected to monitoring in order to ensure that: 1) it is adequate and effectively addresses the risk, and 2) it is implemented as planned. Exceptions to the plan must be justified and shared with the IS Risk Manager for approval.
Outcome: IS Risk response action plan(s).
Guidelines: Ref (3.2.1) – The ISRM team needs to follow up with the risk owners to provide detailed action plans for risk remediation. These plans must be provided in reasonable time with reasonable target dates. The risk owners are liable for the timely implementation of the action plans:
• Use the risk register template to document the details of the action plans.
  o Check the plans for quality and effectiveness.
• Closely monitor the performance of the action plans.
• Request justifications for exceptions and retargeted dates.
• Report exceptions to the IS Risk Manager for approval.
• Provide a balanced set of proposals and initiatives designed to reduce risk, considering cost/benefits, the effect on the current risk profile and regulations.

D. Communicate Risks

TABLE VII. COMMUNICATE RISKS
Practice [4.0]: Communicate Risk
COBIT 5.0 Ref.: Process ID APO12; Process: Manage Risk
Input: Detailed IS risk register
Output: IS Risk Report
References: IS risk register containing risks, risk assessment, risk treatment and response plan

Sub-Process [4.1]: “Report on the risk profile (identified risks, risk assessment, treatment, and overall risk exposure) and the associated KRI’s to all concerned stakeholders (internal/external).”
Description: The ISRM team needs to create a report on the risk assessment that was conducted and communicate it to the other internal/external stakeholders. In addition to the details related to the risk values, the report can include a description of the scope that was covered, the objectives of the assessment, the status of previous assessment results related to the identified risks and, most importantly, an introduction to the approach and methodology that the ISRM team adopted in the assessment. The risk assessment report can also highlight the challenges that