02 - Risk Identification v 2.0

Uploaded by Aryan Wijaya

Risk Identification

Overview

Risk Management Life Cycle
- IT Risk Identification
- IT Risk Assessment
- Risk Response and Mitigation
- Risk and Control Monitoring and Reporting

IT Risk Identification Objectives
- Identify the universe of IT risk
- Contribute to the execution of the IT risk management strategy
- Support business objectives, in alignment with the enterprise risk management (ERM) strategy
Key Topics
1. Collect and review information, including existing documentation, regarding the organization's internal and external business and IT environments to identify potential or realized impacts of IT risk to the organization's business objectives and operations.
2. Identify potential threats and vulnerabilities to the organization's people, processes and technology to enable IT risk analysis.
3. Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.
4. Identify key stakeholders for IT risk scenarios to help establish accountability.
5. Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprise-wide risk profile.
6. Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives.
7. Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a risk-aware culture.
Learning Objectives
- Identify relevant frameworks, standards, and practices
- Apply risk identification techniques
- Distinguish between threats and vulnerabilities
- Identify relevant stakeholders
- Discuss risk scenario development tools and techniques
- Explain the meaning of key risk management concepts, including risk appetite and risk tolerance
- Describe the key elements of a risk register
- Contribute to the creation of a risk awareness program
The Methodology of Risk Management

Risk management should be:
- CONSISTENT
- STRUCTURED
- ENTERPRISE-WIDE
- CONTINUOUSLY IMPROVING
Risk Practitioner Responsibilities

Evaluate the effectiveness of the organization's current risk management processes, based on acceptable and recognized good practices:
- COBIT 5 for Risk
- COSO
- ISO 31000
- NIST SP800-39
- ISO 27005
Risk Identification

To identify the risk is to:
- DETERMINE: asset value, threats, vulnerabilities
- DOCUMENT: controls
- UNDERSTAND: the consequences of risk events
Risk Identification Output

A list of incident scenarios with their consequences, related to assets and business processes.
Indicators of a Good IT Risk Management Program
- COMPREHENSIVE
- COMPLETE
- AUDITABLE
- JUSTIFIABLE
- LEGAL
- ENFORCED
- UP-TO-DATE
- MANAGED
- MONITORED

The Methodology of Risk Identification

Methods to Identify Risk
- HISTORICAL
- SYSTEMATIC
- INDUCTIVE

Sources of new risk:
- Changes to the market
- Changes in business operations
- Changes with IT systems
IT Risk Identification Objectives
- Investment: provide value for money
- Access and security: loss of sensitive data
- Integrity: risk of inaccurate data
- Relevance: wrong information at the wrong time
- Availability: loss of critical systems/data
- Infrastructure: legacy, inflexible
- Project ownership: lack of project support
Risk Register

Document and track all identified risk in one place. Risk may have been identified in:
- Audit reports
- Incident management
- Public media
- Annual reports
- Public releases
- Vulnerability assessments and penetration tests
- Business continuity and disaster recovery plans
- Interviews and workshops
- Threat intelligence services
Gathering Risk Data and Culture

Risk:
- Inaccurate information
- Exaggeration

Good practice:
- Do research first
- Time limits
- Prepare questions in advance
- Talk to all levels of staff
Risk Culture and Communication
- Do risk practices align with organizational culture?
- Is compliance enforced?
- Is there a tendency to hide mistakes?
- Attitude/appetite towards risk:
  - Embrace risk
  - Discourage risk
  - Ignore risk
Communicating Risk
- Provides management with the ability to provide governance and effective risk response
- Avoid a false sense of security
- Avoid an inconsistent approach to risk management and acceptance
- Avoid accusations that the organization is trying to hide something
Risk Communications

Assist with:
- Business continuity and disaster recovery
- Compliance and policy reviews
- Security awareness programs
- Ensuring that risk management is built into all new business processes, applications and ventures
RACI Models
- Responsible: the individual responsible for managing the risk, i.e. getting the job done
- Accountable: the individual that ensures the job was done; oversight of the responsible person
- Consulted: provides advice, feedback, input
- Informed: not directly responsible for the task but informed of status and progress
Determination of Risk Acceptance Levels

A senior management decision: what level of risk is management willing to 'live' with?
- Greater risk means greater reward
- Less risk is more comfortable: stability
- 'How fast would you drive on an icy road?'
  - A personal opinion
  - Opinions can change with age and experience
Effect of Culture on Risk

Influence behaviors
- Openness?
- Fear?
- Blame?
- Ruthless?
- Careless?
Ethics, Laws and Standards

Ethics
- Personal beliefs of 'right and wrong'
  - Organizational ethics
  - Law
- May lead to fraud
- Perception of being treated 'fairly' or 'unfairly'
Compliance with Laws and Regulations
- Vary by country/jurisdiction/industry
- Know which laws apply
- Liability if not compliant
Industry Standards

Standards for industry sectors, not laws:
- PCI-DSS (Payment Card Industry Data Security Standard)
  - Contractual
  - Financial penalties
Information Security

Risks to information are often described using:
- Confidentiality
- Integrity
- Availability
- Authentication
Risk Practitioner Concerns

Protecting data, information systems, and business processes requires:
- Separation of duties
- Least privilege/need to know
- Job rotation
- Mandatory vacations
- Maintaining data in a secure condition
IAAA – Identity Management

Manage identities of personnel that have access to data, information systems, buildings, etc.
- Identification
- Authentication
- Authorization
- Accounting/Auditing
Asset Values, Threats & Vulnerabilities
Asset Value

Tangible assets
- Cash, equipment, buildings
Intangible assets
- Reputation, brand, morale
Change in asset value
Threat Identification

Threat types:
- Intentional
- Accidental
- Circumstantial
- Natural
- Utilities
- Equipment
- Man-made

Threat sources:
- Internal
- External
- Supply chain
- Market conditions
- Financial conditions
- New technologies
Vulnerability Identification

Weaknesses, gaps, missing or ineffective controls:
- Network vulnerabilities
- Buildings
- Staff inexperience
- Culture
- Applications
- Inefficient processes
Vulnerability Assessments – Pen Tests
- Seek out potential points of failure
- Try to 'break in': simulate the approach of an attacker
- Compare against known problems
- Test effectiveness of controls and response procedures
Risks Related to Business Processes

People-related risks:
- Staff
- Operational risk
- Fraud

Technology-related risks:
- Acquisition, maintenance
- Protection of intellectual property
Risk Scenario Development

Scenarios are often used to understand and evaluate risk.

A risk scenario is a description of a possible event that, when occurring, will have an uncertain impact on the achievement of the enterprise's objectives. The impact could be positive or negative.
Risk Scenarios

Possible risk:
- Creative
- Threat modeling
- Realistic
- Top-down approach: risk to the business
- Bottom-up approach: IT risk
Management Responsibilities and Awareness

Risk Ownership

Management must accept ownership for risk:
- Responsible to ensure risk is acknowledged and managed properly
- Update the risk register
Management Responsibility
- Determine risk acceptance level
- Risk tolerance (deviation from risk acceptance level)
- Ensure controls are adequate
- Provide budget
- Support
- Enforcement
Risk Acceptance

Risk acceptance may be influenced by:
- Regulation
- Cost/benefit analysis
- Availability of controls
- Risk versus reward considerations
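The Risk Register slides say every identified risk should be recorded and tracked in one place, with its source (audit report, pen test, threat intelligence, and so on), and the Management Responsibility and Risk Acceptance slides say management sets an acceptance level and a tolerance band (the permitted deviation from that level). The following is an added example, not part of the deck and not from any named framework, of a small register that ties those ideas together: each entry carries the items identification must DETERMINE (asset value, threat, vulnerability), the source it came from, and RACI roles, and the register rates each entry and reports whether it is accepted, within tolerance, or needs escalation. The 1..5 scales, the likelihood x impact rating, the role names and all sample entries are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed 1..5 scale for asset value, likelihood and impact (assumption).
SCALE = range(1, 6)


@dataclass
class RiskEntry:
    """One register row: what identification must DETERMINE (asset value,
    threat, vulnerability), where the risk was identified, an estimate of
    likelihood and impact, and the RACI roles assigned to it."""
    risk_id: str
    scenario: str          # a possible event with uncertain impact on objectives
    asset: str
    asset_value: int       # 1..5
    threat: str
    vulnerability: str
    source: str            # audit report, pen test, incident, threat intel, ...
    likelihood: int        # 1..5
    impact: int            # 1..5
    raci: dict[str, str] = field(default_factory=dict)  # "R"/"A"/"C"/"I" -> who

    def __post_init__(self) -> None:
        for name in ("asset_value", "likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5")
        # Ownership: every entry needs someone Responsible and someone Accountable
        for role in ("R", "A"):
            if not self.raci.get(role):
                raise ValueError(f"{self.risk_id}: RACI role {role!r} not assigned")

    def rating(self) -> int:
        # Simple likelihood x impact rating, 1..25 (constructed method)
        return self.likelihood * self.impact


class RiskRegister:
    """Single place to record and track identified risk, with management's
    acceptance level and tolerance band applied to each entry."""

    def __init__(self, acceptance_level: int, tolerance: int) -> None:
        self.acceptance_level = acceptance_level  # highest rating management accepts
        self.tolerance = tolerance                # permitted deviation above that level
        self._entries: dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.risk_id in self._entries:
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self._entries[entry.risk_id] = entry

    def status(self, risk_id: str) -> str:
        rating = self._entries[risk_id].rating()
        if rating <= self.acceptance_level:
            return "accepted"
        if rating <= self.acceptance_level + self.tolerance:
            return "within tolerance"
        return "exceeds tolerance"

    def escalations(self) -> list[str]:
        """Entries that need an explicit senior-management decision."""
        return sorted(r for r in self._entries if self.status(r) == "exceeds tolerance")

    def by_source(self) -> dict[str, list[str]]:
        """Which identification sources (audit, pen test, ...) fed the register."""
        out: dict[str, list[str]] = {}
        for entry in self._entries.values():
            out.setdefault(entry.source, []).append(entry.risk_id)
        return out


def build_sample_register() -> RiskRegister:
    """Constructed sample data; names, sources and scores are illustrative only."""
    reg = RiskRegister(acceptance_level=9, tolerance=3)
    reg.add(RiskEntry("R-01", "Phishing leads to disclosure of customer data",
                      "Customer database", 5, "External attacker", "Staff inexperience",
                      "Penetration test", likelihood=4, impact=4,
                      raci={"R": "Security lead", "A": "CIO", "I": "Legal"}))
    reg.add(RiskEntry("R-02", "Legacy server outage halts order processing",
                      "Order system", 4, "Equipment failure", "Inflexible legacy infrastructure",
                      "Audit report", likelihood=3, impact=4,
                      raci={"R": "Ops manager", "A": "COO"}))
    reg.add(RiskEntry("R-03", "Stale market data used in a quarterly report",
                      "Reporting data", 2, "Accidental", "Inefficient processes",
                      "Interviews and workshops", likelihood=2, impact=3,
                      raci={"R": "Finance analyst", "A": "CFO", "C": "Audit"}))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for rid in ("R-01", "R-02", "R-03"):
        print(rid, register.status(rid))
    print("escalate:", register.escalations())
    print("sources:", register.by_source())
```

With an acceptance level of 9 and a tolerance of 3, the sample gives R-01 (rating 16) as exceeding tolerance, R-02 (rating 12) as within tolerance, and R-03 (rating 6) as accepted. Rejecting entries with no Responsible or Accountable person is the point the RACI and Risk Ownership slides make: a risk nobody owns is not really tracked, however well it is described.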
Risk Awareness

Awareness affects:
- Culture
- Ethics
- Direction and guidance
Risk Awareness Topics
- Ensure risk is understood and well-known
- IT risks are identified
- The enterprise recognizes and manages risk:
  - Risk factors
  - Risk impacts
  - Risk controls
Summary

Support the following steps of risk assessment and response:
- Understanding business goals, management priorities and operational risks
- Creation of the risk register
