ISAudi, Basics Gestein, MD. 1140 2015, world Septic actors in a cours for more than 50 digital met in the Incorporated autors in the con proses and aty 70, and med cresting domy became out the preda and then thered Nations guitar.computing and date Following his trom the themed the dama the art of the the French Montadt One Tanks to trol wit is our will continue be published in the ce mutposthumously Auditing IS/IT Risk Management, Part 1 There are significant differences between THE PRACTICE conducting an ISIT odit and conducting an Unfortunate this is the case. This IT risk management dit throdited several hogan that merely played lip nice to risk management THE THEORY alk. They went through these IS IT auditions coght to be knowledgeable about opping containstorm a bid wode the risk owned by the chief informatie die on kaphat ked the stato CION and her/his tcum and those that have been develop them quides, put them all is a big file extemoled outsourcing, clood service, the and damed they had don managment providers, vendors, etc.). In an ideal sitio Given thaimman ERM both least some of the ISVIT audit cum should have to provide independent and robust advice to a certification such as ISACA Certified in Risk rap, friction between the and Information Systems ControlCRISC alone and be load for business Those involved in the enterprise risk This article provides a map of the ISIT manent (FRM) function should be able risk management that we ditable to determine the business impact of the risk and shows how to maintain a collaborative cuted with ISTT. Ideale attre of the relationship with the ERM scam while welding team shold have a certification such as Certified conflicts of it Information Systems Auditor (CISA or Conified Information Security Manager (CISM) AUDITABLE ACTIVITIES In 1999, The Institute of Intemal Audio get shows apled map of the thing an (The IIA) published an updated definition odycoder including in a S/Trik of internal auditing, describing its mungement med so be conducted by independent, objective arance and consulting the CO and her his cum activity designed to add value and improve an The organization be continuity and organisation's operations. It helpen omisation accomplish its objectives by bringing a es and are playpdated, the systematic disciplined approach to cause and dos indeling the scope of itthere improve the effectiveness of risk management do no estadt. the first control and governance proces dit recommendation should be that they be The Risk Management Society (RIMSY define conducted as a matter of ERM as a tribine piw, while the Figure is that there are no It defines is a structured consistent and activities to keep aditus buy for quite a while continuous pro cross the whole anda podstart would be to find out which of The CTO should be able to provide them lave bom done by whom when I may appropriate risk assents for system and beudul to identifyinirmwark service. Ideally based on a fomal framework for risk management was adopted by the S/ and, to the extent possible quantified. There IT function which one Same a essments and a related risk register describing simpliste, such as drawing risk maps of link mitigation plans, their ownership and time scales bones colored groom, ydow and red based on should have a clear link to the business act intuition, and others are relatively complex analyses that support business continuity plant. requiring condimetimes Business managers and systems and data COATS for Rand Operationally Critical Owners are responsible for prioritizing rid for Threst. Aset, and Vulnerability Eation appropriate action and thus become the risk LOCTAVE} .ble in venice for large and owners. This implies that in tema di asco an aurace role that excludes consulting and partnering in risk management Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca org journal, find the article and choose the Comments tab to share your thoughts Go directly to the article Amen. 1 Figure 1-Scope of Auditable IS/IT Risk Management Activities COBIT 5 for Risk Future event scenarios NIST SP 800-30 Project/Operations impact OCTAVE Business impact Risk Planning Framework Adopted CRAMM Financial/Legal impact VERIS Others Risk Communication Risk appetite Training Given Definitions Who was trained Quality of material Risk Management Risk Monitoring Active Auditable Activities Inspection IS/IT Business Risk Audit Business impact Corrective action Critical facilities Risk Management Risk Controls Risk identification Reactive Investigation System Risk oversight Risk evaluation Level of uncertainty Analysis Risk intelligence Residual risk ERM framework, e.g., COSO Risk prevention Risk transfer Role of ERM in IS IT assessment Risk reduction Extent of IS/IT integration in ERM Risk detection Risk ownership Contingency plans Source: Ed Gelbstein. Reprinted with permission. Some risk assessment methodologies may be poorly suited including incident management and disaster recovery plans for IS/IT, for example, those specifically designed to assess necessarily focus on the threats and vulnerabilities that can financial risk because they require complex calculations and adversely affect business operations without necessarily being access to historically consistent data. conversant with the contents of the various business impact Adopting a methodology is, in itself, not enough if those analyses carried out on a regular basis, the risk appetite of who need to apply it do not know how. This implies some the organization or the organization's priorities for mitigating kind of training and much study. Study requires time, and business risk. in today's corporate environment it is hard to make time as What often happenis is that, having identified threats (from the "urgent" displaces the important" and the trend toward hackers to earthquakes) and vulnerabilities (the usual triad of open plan accommodation and densely packed cubicles makes people, process and technology), the CIO moves quickly to concentration on learning harder to achieve. address issues that in terms of business impact, may not be at all important and are therefore, a poor use of resources. IS/IT RISK TRANSLATED INTO BUSINESS RISK Achieving a successful translation into business risk requires The Risk IT Practitioner Guide" (issued before COBIT 5 extensive dialog with business process owners, senior for Risk) is a valuable document. Figure 2 presents a variant management and the ERM team, and collaboration toward of one of the guide's figures (figure 5 in chapter 1) that producing an integrated risk register that can then be used to shows how the starting point in the CIO's risk assessments is request the resources needed to mitigate the highest risk to transformed into business risk. the business The CIO and the chief information security officer However, this requires every one of the players to make (CISO), as custodians of the organization's systems and data, time available for such discussions and engage in a spirit of 1 SACA Are www 2. ISACA JOURNAL VOLUME 2016 Figure 2-HOW T Rk Translates to Business Risk Threats: Human accidental, human deliberate, natural forces Vulnerabilities: People, process, technology IT benefit/value enablement risk IT-speak IT program and project delivery risk IT operations and service delivery risk IT risk translated into enterprise risk and its potential impact Strategic Operational Financial Compliance Legal Reputational risk risk risk Business-speak Prioritized business risk Source Ed Geinted within collaboration, not allowing it to be inhibited by unavoidable corporate politics Small organizations may not have a formal ERM team and/or business processes and may, therefore, have limited knowledge of risk and impact asement PRELIMINARY CONCLUSION The reader may find the short article. "Writing Good Risk Statements.*** very helpful. It condims the statement. "If you think this is simple, you just have not looked closely enough Part 2 of this column will camine the remaining branches of the map in figure 1. Lerik controls, risk management system, rok communications and risk scenario planning ENDNOTES ISACA, Certified in Risk and Information Systems Control www.ca.org/Certification/CRISC-Certified-in Risk and Information Systems Control/Pages/default.aspx The Risk and Insurance Management Society and The Institute of Internal Auditors, Risk Management and Inmol Audit Forging a Collaborative Alliance, executive report 2012. http:/o.the.org/standards dance Punic20Documents/RIMS20und 20720 HA2020Repor20Forg.20.20 Collaborati 2011 The Risk and Insurance Management Society www.my The Institute of Intemal Auditors, www.then Gelben. Es Quantifying Information Risk and Security." ISACA" Jumal, vol.4.2013, wc.org Joumaarchives ISACA, COBIT" Sfor Risk. USA. 2015. norg/ COBIT/PopRisk product CERT Division. OCTAVE. Software Engineering Institut Camepie Mellon University, USA, www.o.org/milien products/oct/hod. Adams, S. The Dilbert Principle A Cubicle Eye Vier Bowe, Meeting Management Fons & Other Workplace Afflictions, Harper Busine, USA, 1996 ISACA. RIT Practitioner Guide USA, 2009 https://www.is.com/bookstore/Puped Product Detail Product codeRITIG Power. Benjamin: "Writing Good Rink Statements. " ISACA Journal, vol.5.2014, www.story/ournal/archives 2018 Case Study 1 Read the given article "IS Audit Basics: Auditing IS/IT Risk Management", and answer the following questions Q1. Mention what is meant by ERM (Enterprise Risk Management). Q2. What is risk and who are risk owners? Q3 List out auditable IT risk management activities. 04. Explain why IT risk are translating into business risks with examples