Using COBIT 5 for risk

By Marc-André Léger

This article was originally published in 2013

In 2009, ISACA published its first information risk framework: Risk IT. Risk IT relies on COBIT 4, the IT governance framework which, according to ISACA, provides the missing link between traditional business risk management and the management and control of information risk.

One of the main ideas behind ISACA’s approach is that companies earn a return on investment (ROI) by taking risks, yet they sometimes try to eliminate risks that actually contribute to creating profit. Risk IT was designed to help companies maximize their return on opportunities by managing risks effectively rather than trying to eliminate them entirely.

In April 2012, ISACA released COBIT 5, the new version of its framework. ISACA presented it as a major evolution of the IS governance and management framework. One of the main novelties of COBIT 5 is that it approaches the information system (IS) not only through the processes already put forward by COBIT 4.1, but also through complementary enablers, as part of a holistic (systemic) approach. As part of this upgrade, the COBIT 5 processes were adapted to converge better with other frameworks such as ISO 27002, CMMI and ITIL.

With COBIT 5, Risk IT was integrated into COBIT 5 for Risk (COBIT 5GR in this text). In the spirit of COBIT, this version defines IT risk as a component of business risk: specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. COBIT 5GR aims to:

  • enable stakeholders to gain a better understanding of the current state and effects of risk across the enterprise
  • advise on how to manage risk at all levels, including a broad set of risk mitigation measures
  • advise on how to put an appropriate risk culture in place
  • provide risk assessment guidance that allows stakeholders to weigh the cost of mitigation measures and the resources needed against the risk of loss
  • provide opportunities to integrate IT risk management with enterprise risk management
  • improve communication and understanding between all internal and external stakeholders

In this text, I propose a technique for applying COBIT 5GR to perform a risk analysis in an organization. This technique is based on generic key risk indicators (KRIs) that will need to be adapted for use in a specific context. The text is presented here for training purposes and to stimulate discussion with ISACA members and information risk managers. The full text will appear in the next edition of my book on information risk management. If you have comments: marcandre@leger.ca

Application of the method

As mentioned in my risk management courses and in my publications, from a theoretical point of view, risk management follows an IPM process. Identification (I) and prioritization (P) are the risk analysis processes. The third phase, mobilization (M), is the implementation of the decisions taken in the identification (I) and prioritization (P) phases. I add an audit phase to these three to complete the process. The first actions to take belong to the identification phase (I); these tasks are performed during the risk analysis.

In this text we present the stages of application of ISACA’s COBIT 5GR information risk analysis methodology. The elements presented here should be considered as the list of activities that the organization in general and the risk analyst in particular must perform to use the COBIT 5 for Risk methodology. This activity list can be used to create a project plan or checklist to carry out the risk analysis.

As with any risk analysis process, the main organizational benefit of applying it, even in a context other than the one for which it was designed, is the improvement in organizational maturity that results from introspection and from thinking about risk.

Prepare the terrain

The COBIT 5GR practice EDM03 Ensure risk optimisation (area: governance; domain: Evaluate, Direct and Monitor) must be carried out before the risk analysis starts. In particular, the organization must put in place the risk governance framework that the risk analysis will rely on. In COBIT 5GR terms, this means completing the activities EDM03.1 and EDM03.2. This can be done by calling on an information risk governance committee.

  • EDM03.1 Evaluate risk management: The organization must continually examine and make judgments about the effect of risk on the current and future use of IT in the organization. It must ask whether its risk appetite is appropriate and whether the risks related to its use of IT are identified and managed.
  • EDM03.2 Direct risk management: The organization shall direct the implementation of risk management practices that provide reasonable assurance that its information risk management practices are appropriate, so that actual information risk does not exceed the organization’s risk tolerance as determined by the board of directors.

Before the risk analysis begins, it is also necessary to identify the analyst who will be responsible for conducting the study. The analyst is responsible for completing the study, producing the documents, communicating with the participants and managing the project. The risk analysis is therefore managed as a project, using project management techniques that are not addressed in this course. The analyst must have the skills and training needed to carry out the risk analysis (APO12.02.4.5).

If you have not done so already, it is necessary to complete the following steps before you can do the risk analysis:

  • Inventory of information assets: Before starting, an inventory of the organization’s information assets must be made. This corresponds to activity APO12.03.1: the organization must inventory its business processes, including supporting personnel, applications, infrastructure, facilities, critical records, suppliers and subcontractors. It must understand and document the interdependencies between IT service management processes, information systems and the technology infrastructure (APO12.03.1.1).
  • Categorization of information assets: Information assets must be categorized, a step that is not covered in this course. Categorization should use an appropriate measurement scale based on the organization’s security objectives. At a minimum, it is recommended that each information asset be rated on its availability, integrity and confidentiality attributes using an ordinal scale (for example: low, medium, high).
  • Setting up a project committee: To monitor the risk analysis, it is recommended to set up a project monitoring committee. In addition, once the risk analysis is complete, the organization will need a project committee in order to implement the selected risk mitigation measures and related actions successfully. Its members can be the same as those of the governance committee, with the addition of an experienced project manager and IT staff trained in the selected mitigation measures.
  • Project plan creation and approval: To complete an information risk management (IRM) master plan successfully, the organization should manage the exercise as a project. This makes it possible to draw on project management expertise and techniques to maximize the chances of success.
  • Determination of management frameworks: This step consists of identifying the information risk management frameworks, standardized or otherwise, that the organization wishes to use to manage its information assets. The use of standardized frameworks such as COBIT or ISO 27002 is recommended.
  • Current status: For each risk mitigation measure associated with the chosen management frameworks, whether already in place or planned, this step records its state (in place or not), its cost (cash, and effort measured in full-time equivalents), the management controls that ensure the effectiveness of the measure and support audits, and the presumed effectiveness of the measure. Notes on the measure or its implementation can also be recorded, along with attachments such as network diagrams, PDF documents or other material useful to users, managers or auditors.

The analyst can then begin by describing the organization and setting its information security objectives. The analyst then proceeds with the steps of APO12 (risk-specific process practices, inputs/outputs, activities and detailed activities), starting with APO12.01.

Identification phase


APO12.01 Collect data

In the identification phase of the IPM risk management model, the organization must identify and collect the data needed to perform the risk analysis and to report effectively on information risk. More specifically, it must carry out the steps APO12.01.1, APO12.01.2, APO12.01.3 and APO12.01.4:

APO12.01.1. Establish and maintain a method for collecting, classifying and analyzing IT risk data, able to accommodate several types of hazards, several categories of IT risk and multiple risk factors.

  • APO12.01.1.1 Establish and maintain a model for collecting, classifying and analyzing information risk data. The aim is to identify the hazards and vulnerabilities to be considered within the scope of the risk analysis, to define a formal approach for grouping them into categories, and to determine how they will be analyzed.
  • APO12.01.1.2 Allow for several types of hazards and multiple categories of information risk. The analyst must put in place an approach that ensures good coverage of the different types of risk that may influence information risk within the scope of the analysis, and that keeps the risk scenarios to be created within the scope determined by the governance committee.
  • APO12.01.1.3 Include filters and views that help determine how specific risk factors may affect risk. To limit the bias introduced by the analyst and the participants, the organization must adopt a systematic approach; only then can it hope to approach scientific rigor. Wherever possible, the organization should seek reliable, evidence-based sources as inputs to the process. Incident logs and other existing records are one such source; server logs and detection equipment are others.
  • APO12.01.1.4 Establish criteria ensuring that the model supports the measurement and assessment of risk attributes across the information risk domains and provides data useful for promoting a risk-aware organizational culture.

Several strategies can be used to accomplish these activities. Depending on whether the problem is approached through hazards or through vulnerabilities, the organization can set up a watch strategy that seeks out sources of hazards in the literature, industry journals, internal incident registers, standards, management frameworks, focus groups or other sources. In a vulnerability-driven approach, it is the results of vulnerability assessments, which produce evidence based on the real situation, that generate the scenarios. The important thing is to choose a systematic approach that is well documented and can be justified later, when the risk analysis and its results are evaluated.

APO12.01.2. Identify relevant data on the organization’s internal and external operating environment that could play an important role in information risk management.

  • APO12.01.2.1 Record data on the organization’s operating environment that could play an important role in information risk management.
  • APO12.01.2.2 Consult sources within the organization: the legal department, audit, compliance and the CIO’s office.
  • APO12.01.2.3 Identify the major revenue sources, external IT systems, product-related legal liability, the regulatory landscape, industry competition, trends in the IT industry, alignment with competitors on key metrics, the relative maturity of core business and IT capabilities, and geopolitical issues.
  • APO12.01.2.4 Identify and organize historical information risk data and the loss experience of industry peers, through industry incident records and databases and through industry arrangements for disclosing common hazards.

This work is an analysis based on the chosen data collection methods. It can and should be done in collaboration with the finance department, the IT teams and the organization’s managers. Here again, the important thing is to choose a systematic approach that is well documented and can be justified later, when the risk analysis and its results are evaluated.

APO12.01.3. Identify and analyze historical information risk data and the organization’s loss experience, available trends, and peers’ experience, using hazard registers, industry incident records, databases and other industry sources on the disclosure of known hazards.

  • APO12.01.3.1 Using the data collection model, record data on hazards that have caused damage or may affect the benefit/value ratio of information assets, activities, projects, IT operations and the organization’s IT service delivery.
  • APO12.01.3.2 Record relevant information on issues related to the management of information assets. In particular, keep information about incidents, problems and investigations involving information assets.

This involves doing a literature review, researching available documents from sources like Gartner Group or industry journals. Other sources of data may be internal records of incidents or risks. Finally, IT teams can be consulted for historical data.

APO12.01.4. Record data on the hazards that caused or may cause impacts to the benefit / value ratio of information assets, the delivery of IT programs and projects, the IT operations and the service delivery of the organization. Enter relevant data on related issues, incidents, problems and investigations.

  • APO12.01.4.1 Organize collected data and highlight contributing factors.
  • APO12.01.4.2 Determine what specific conditions existed or did not exist when the hazards occurred and how the conditions might have affected the frequency of the hazards and the extent of the loss.
  • APO12.01.4.3 Determine the common factors that contribute across multiple hazards. Conduct periodic vulnerability analysis to identify new or emerging risks and to gain an understanding of the associated internal and external vulnerabilities.

This work (APO12.01.3 and APO12.01.4) is again carried out mainly by the risk analyst, using the data from steps APO12.01.1 and APO12.01.2. As always, the work follows a systematic approach that is well documented and can be justified later, when the risk analysis and its results are evaluated.

Risk analysis

The previous steps prepared and defined the risk analysis framework. Once they are complete, the risk analysis with COBIT 5GR properly begins, in activities APO12.02 to APO12.04.

APO12.02 Risk Analysis

The organization needs to develop the information required to support risk decisions that take into account the relevance of the vulnerabilities to the organization.


APO12.02.1. Define the appropriate depth (scope) of the risk analysis effort, taking into account all vulnerabilities and the criticality of the information assets for achieving business objectives. Define the scope of the risk analysis after performing a cost/benefit analysis.

  • APO12.02.1.1 Define the scope of the risk analysis. The organization must decide on the expected depth of the risk analysis effort. It should consider a wide range of options so that it holds all the elements needed to make risk decisions, given its level of maturity in information risk management.
  • APO12.02.1.2 Identify the relevant vulnerabilities, the criticality of the information assets for the organization, and the triggers of the hazards within the scope.
  • APO12.02.1.3 Set objectives that optimize the risk analysis effort by fostering an expanded view based on the organization’s business processes and outputs (the products and services offered) and on internal structures that are not directly related to those results.
  • APO12.02.1.4 Define the scope of the risk analysis after reviewing criticality for the organization, the cost of the measures against the expected value of the information assets, the reduction of uncertainty, and the organization’s overall regulatory requirements.

APO12.03.2. Define and obtain an organizational consensus on IT services and IT infrastructure resources that are critical to support the smooth running of the organization’s business processes. Analyze dependencies and identify weak links.

  • APO12.03.2.1 Determine which IT services and IT infrastructure resources are required to maintain the functioning of the critical services and critical processes of the organization.
  • APO12.03.2.2 Analyze IT dependencies and weak links in all business processes and process flows.
  • APO12.03.2.3 Obtain consensus of business units and IT managers on the organization’s most valuable information and related technology assets.

Creating risk scenarios

APO12.02.2. Create and regularly update risk scenarios, including scenarios of hazard sequences or threat coincidences, expectations for specific controls, detection capabilities, and other incident management measures. Start with the generic risk scenarios of COBIT 5.

  • APO12.02.2.1 Estimate the likely frequency and probable magnitude of loss or gain associated with each of the information risk scenarios. Consider the influence of scenario vulnerabilities.
  • APO12.02.2.2 Estimate the maximum amount of damages that may be suffered or gains from opportunities.
  • APO12.02.2.3 Consider scenarios composed of hazard sequences and threat coincidences.
  • APO12.02.2.4 Based on the most important scenarios, identify organizational expectations for specific controls, the ability to detect hazards, and other incident management measures.
  • APO12.02.2.5 Evaluate known operational controls and their effect on frequency (probability), likely magnitude of damage and applicable vulnerabilities.
  • APO12.02.2.6 Estimate exposure levels and residual risk. Compare the residual risk with the organization’s risk tolerance and its level of acceptable risk. This exercise helps the organization identify risks that may require special treatment.

APO12.02.3. Estimate the frequency, probability and magnitude of losses or gains associated with information risk scenarios. Take into account all applicable vulnerabilities, evaluate known operational controls and estimate residual risk levels for each scenario.

  • APO12.02.3.1 Identify risk response options. Examine the range of risk response options (risk mitigation measures), for example: avoid, mitigate (reduce), transfer (outsourcing, insurance), accept.
  • APO12.02.3.2 Document the rationale and potential tradeoffs across the range of risk response options.
  • APO12.02.3.3 Specify high level requirements and parameters for projects or programs that, based on risk appetite, mitigate risks to acceptable levels. Identify costs, benefits and shared responsibility for project execution.
  • APO12.02.3.4 Develop in greater detail the organizational requirements and expectations for appropriate controls.Determine where and how they are supposed to be implemented to be effective.

The organization should create enough scenarios to carry out its risk analysis. There is no ideal number. The number of scenarios depends on several factors, such as the scope of the risk analysis, the budget and time allocated to it, the organization’s maturity in information risk management, and many others. As a first step, it is suggested that a brainstorming meeting be held with the participants in the risk analysis to identify candidate scenarios. Scenarios from a scenario bank, or the generic scenarios included in COBIT 5, can also be used.

It should be noted that what is presented here is a reference model that can be used as a basis for risk analysis. In an application in a real situation, this model will have to be adjusted or improved to take into account the actual situation of the organization.

Each scenario is first identified in summary form. A risk scenario is written Zn(A, ψ, δ), where n is a unique sequential integer, A is a brief description of the hazard together with the random events or sequences, actions, decisions and related factors that made it possible to exploit a vulnerability ψ, and δ is the resulting damage. For example, scenario number 301, dealing with the hazard (A) Virus, the vulnerability (ψ) CVE1999-233 and whose damage (δ) is a loss of confidentiality, would be identified as Z301(Virus, CVE1999-233, Confidentiality). These summary descriptions are then enriched.

Once the scenarios have been identified and briefly described during the group meeting with the participants, the analyst must analyze and document each of them. To this end, it is proposed to use a standard form for documenting information risk scenarios. The purpose of this analysis and documentation work is to bring a greater level of detail. The minimum information required for each scenario is:

  • Scenario name: A name that describes the scenario. For example, a risk scenario for identity theft of an organization’s customer might be called identity theft.
  • Organization Name: The name of the organization for which the scenario is created.
  • Scenario creation date: The creation date of the scenario.
  • Owners and actors: the individuals involved in the scenario, who should include the owners of the information assets involved and those involved in the related business processes.
  • Description of the risk or hazard scenario: a detailed description of the hazard (A) and of the hazards or sequences of hazards, actions, decisions and related factors that made it possible to exploit a vulnerability (ψ) resulting in damage (δ). This elaborates on what was developed with the participants in the previous step.
  • Vulnerability: a description of the vulnerability or weakness that makes this scenario possible.
  • Historical Data: Documentation of historical data available on situations similar to what is described in the scenario and sources of such data, such as an incident log or customer support reports.
  • Target of this scenario: availability, integrity, confidentiality, continuity, other.
  • Impacts of the realization of the scenario: descriptions of the impacts and damages that would result if the hazard described in the scenario materialized.
  • Mitigation measures in place or envisaged: description of the risk mitigation measures envisaged.
  • Management controls in place or proposed: description of the management controls in place or proposed.
  • Scenario change history: Track changes to the scenario document.

Once the scenarios are detailed, it is likely that similarities between some of them will allow the number of scenarios to be reduced by combining similar ones; a reduction of about 20% is common. The analyst then meets the participants individually to validate the detailed scenarios and adjusts them according to their comments. Scenario creation ends with the identification of the data that will allow the organization to measure the level of risk and, more specifically, to create risk indicators based on, among other things, available evidence (incident logs and other sources) or on estimates from the participants in the risk analysis. In particular, it is necessary to identify:

  • the probability of realization of the hazard: Pb (A) , a value between 0.01 and 0.99
  • the presence of the vulnerability: Pb (ψ) , usually 0 (no vulnerability) or 1 (present vulnerability)
  • the probability of exploitation of the vulnerability by the hazard: Pb (ψ, A) , a value between 0.01 and 0.99
  • the estimated damage and the maximum damage in this scenario: δ (ψ, A) , a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)
  • the resilience level of the organization in this scenario: θ (ψ, A), a value between 0.01 and 0.99
  • the expected utility (the contribution to the organization’s profits) of the business processes or information assets involved in the risk scenario: μ (ψ, A) , a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)

See also the section on KRIs for examples of indicators.

Prioritization phase

APO12.02.4. Compare the residual risk to the organization’s risk tolerance and identify exposures that may require a risk response.

  • APO12.02.4.1 Conduct a Peer Review of Information Risk Analysis.
  • APO12.02.4.2 Confirm that the analysis is adequately documented according to the needs of the organization.
  • APO12.02.4.3 Review the basis of estimates of probabilities, impacts, damages and opportunities (gains).
  • APO12.02.4.4 Verify that all risk analysis participants who participated in the estimation of probabilities and the quantification of metrics were not influenced by bias (if necessary ensure that mechanisms to control bias). Check that there has been no manipulation of the process to obtain a predetermined result. Verify that, where possible, a search for evidence was conducted.
  • APO12.02.4.5 Verify that the level of experience and qualifications of the risk analyst were appropriate for the magnitude and complexity of the risk analysis.
  • APO12.02.4.6 Provide an opinion on the risk analysis process, the expected reduction of unacceptable risks and whether the cost of the risk analysis process is reasonable in relation to the cost of the risk mitigation measures and the risk reduction of the foreseeable risk.

The risk scenarios created in activity APO12.02.3 must now be quantified. This can be done in different ways, as discussed in the course (interviews, focus groups, group meetings, etc.). The results must then be validated by all participants in the risk analysis. It is essential to conduct a peer review (by the participants) of the results before sending them to management (the risk governance committee) for approval and before using them in decision making. This review reduces the bias introduced into the risk analysis and increases the reliability and scientific rigor of the results.

APO12.04.1. Transmit the results of the risk analysis to all parties involved to support the organization’s decisions. Include estimates of probabilities and damage or gain with confidence levels.

  • APO12.04.1.1 Coordinate additional risk analysis activities as required by management (e.g. after reports of non-compliance or changes in the scope of the risk analysis).
  • APO12.04.1.2 Clearly communicate the context and the results so that cost/benefit ratios can be assessed.
  • APO12.04.1.3 Identify the negative impacts of hazards and scenarios that should guide risk mitigation decisions, and the positive effects of hazards and scenarios that represent opportunities whose management may affect the organization’s strategy and objectives.

APO12.04.2. Provide decision makers with the data to understand worst-case and most likely scenarios, due diligence risks, significant reputational risks, and legal or regulatory considerations.

  • APO12.04.2.1 Include in this effort:
    • the key risk elements (e.g. frequency, magnitude, impact), the vulnerabilities and their estimated effects
    • the magnitude of the estimated probable loss or probable future gain
    • the maximum estimated loss and the most likely loss for a scenario, set against its potential gain
    • any additional relevant information supporting the conclusions and recommendations of the analysis

APO12.03 Maintain a risk profile

The organization should maintain an inventory or register of known risks and risk components, ie hazards (threats), vulnerabilities and impacts (damage). These must include the estimation of their probability, the intended impact and the risk mitigation measures in place. The organization should document the associated resources, the organizational capabilities for information risk management, and the controls in place.

APO12.03.3. Aggregate the current risk scenarios by category, business line and functional area.

  • APO12.03.3.1 Inventory and evaluate the process capacity, skills and knowledge of the individuals in the organization.Evaluate results and performance across the information risk spectrum (eg, ROI, OCL, delivery costs, project costs, IT operations costs, and IT service delivery).
  • APO12.03.3.2 Determine whether the normal execution of processes can or can not provide the right controls and the ability to take acceptable risks.
  • APO12.03.3.3 Identify where the variability of results associated with a process can contribute to a more robust internal control structure, improve information and performance of the organization, and help seize business opportunities.

APO12.03.4. On a regular basis, the organization should identify and enter all relevant information about its risk profile.The organization must then consolidate this information into a global risk profile. This work is often done by the risk analyst in conjunction with the organization’s risk management group in a risk governance context.

  • APO12.03.4.1 Examine the collection of attributes (variables) and values ​​(metrics) through which the components of the risk scenario are quantified. Examine their interconnections inherent in the impact categories of the organization.
  • APO12.03.4.2 Adjust the data according to evolving risk conditions and emerging threats so as to maximize the benefits and competitive advantages of IT, taking into account the total cost of ownership (TCO), the implementation effort, the delivery of IT programs and projects, and the cost of operating and managing IT operations and service delivery.
  • APO12.03.4.3 Evaluate the cost of updating information systems and information assets based on asset criticality, operating environment data and hazard data. Make links between risks that are similar to categories of risk and impact categories of the organization.
  • APO12.03.4.4 Catalog and aggregate hazard types by category, business sector and functional area of ​​the organization.
  • APO12.03.4.5 At a minimum, update the information risk scenarios in response to significant internal or external changes and revise them annually.

APO12.03.5. Based on all risk profile data, define a set of key risk indicators (KRIs) that enable rapid identification and monitoring of risks and trends.

  • APO12.03.5.1 Capture the risk profile within tools such as an information risk register and enterprise risk mapping (ERM).
  • APO12.03.5.2 Enhance the risk profile with the results of the IT portion of the Enterprise Risk Assessment (ERM), risk scenario components, hazard data collection, continuous risk analysis and the results of the assessment of interdependencies.
  • APO12.03.5.3 For individual elements of the information risk register, update key attributes such as name, description, owner, stakeholders, actual and potential frequency, magnitude of associated scenarios, potential and real impact, and risk mitigation measures.

APO12.03.6. Gather information on the hazards of IT that have materialized, for inclusion in the information risk profile of the organization.

  • APO12.03.6.1 Create metrics and key risk indicators (KRIs) that can target IT hazards and incidents that can significantly affect the organization’s bottom line.
  • APO12.03.6.2 Base these indicators on a model that provides an understanding of the variables that may impact exposure and the organization’s capabilities for risk management in general and information risks in particular.
  • APO12.03.6.3 Ensure understanding of Key Risk Indicators (KRIs) by all stakeholders in the organization.
  • APO12.03.6.4 Regularly review the KRIs used and recommend adjustments to keep track of internal and external conditions.

Here is a selection of KRIs that are likely to be used as a starting point for the implementation of COBIT 5GR. It should be noted that these KRIs should be enriched, adapted or modified to take into account the particularities of each organization.

  • Risk appetite of the organization: Ar (organization)
  • Risk scenario: Zn (A, ψ, δ )
  • Element at risk: In
  • Probability of realization of the hazard: Pb (A)
  • Presence of the vulnerability: Pb (ψ)
  • Probability of exploiting vulnerability by hazard: Pb (ψ, A)
  • Estimated damage: δe (ψ, A)
  • Maximum damage: δm (ψ, A)
  • Resilience level: θ (ψ, A)
  • Expected utility: μ (E), a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence). This is where the opportunity created by the risk element will be taken into account.
  • Mitigation measures: MMn (Zn)
  • Damage reduction caused by exploitation of the vulnerability by the hazard with the mitigation measure in place: δr (ψ, A, MMn)
  • Reduction of the probability of exploitation of the vulnerability by the hazard with the mitigation measure in place: Pb (ψ, A, MMn)

Using these indicators, the organization could make a qualitative risk estimate by performing an indicator estimate in collaboration with stakeholders and risk analysis participants. In such a case, the choice of measurement scales and data collection are likely to have an effect on the degree of scientificity of the results. In the best cases, the organization will have evidence that can be used.

APO12.04.4. Review the results of objective third-party risk assessments, internal audit, and quality assurance reviews to match the organization’s risk profile. Identify gaps and risks to determine the need for additional risk analysis.

  • APO12.04.4.1 Use the organization’s gaps and exposures to assess risk transfer requirements or the need for additional or deeper risk analysis.
  • APO12.04.4.2 Help the organization understand how corrective action plans will affect the overall risk profile.
  • APO12.04.4.3 Identify opportunities for integration with ongoing risk management projects and activities.

APO12.04.5. Identify, on a periodic basis, for areas of high relative risk and taking into account the risk appetite of the organization, opportunities that would allow for higher risk acceptance and increased growth.

  • APO12.04.5.1 Look for opportunities that allow:
    • Use the organization’s resources to create leverage that creates a competitive advantage.
    • Reduce coordination costs.
    • Take advantage of economies of scale by using strategic resources common to several sectors of activity.
    • Take advantage of structural differences with competitors.
    • Integrate activities between business units or components of the organization’s value chain.

Mobilization phase

APO12.05 Define a Portfolio of Risk Management Projects

It is through the implementation of risk mitigation actions, in the form of projects, that the organization will be able to manage its risks. The aim is to reduce unacceptable risks to an acceptable level, taking into account the risk tolerance it has expressed. The set of projects identified for the reference period under consideration (the next budget year, for example) takes the form of a portfolio of projects.

APO12.04.3. Communicate the risk profile to all stakeholders, including the effectiveness of risk management processes, the effectiveness of controls, gaps, inconsistencies, risk acceptance, mitigation measures and their impact on the risk profile.

  • APO12.04.3.1 Identify the needs of different stakeholders for risk change reporting by applying the principles of relevance, effectiveness, frequency and accuracy of reporting.
  • APO12.04.3.2 Include the following in the statement: effectiveness and performance, issues and deficiencies, status of mitigation measures, hazards, incidents and their impact on risk profile and performance risk management processes.
  • APO12.04.3.3 Contribute to integrated enterprise risk management reporting.

APO12.05.1. Maintain an inventory of control activities that are in place to manage risks in line with the organization’s risk appetite and tolerance. Classify control activities and match them to specific hazards or scenarios and aggregations of information risks. Use COBIT 5 or other standards (ITIL, ISO, etc.) as a guide to determine management controls that are relevant or useful to your organization.

  • APO12.05.1.1 Throughout the area of risk intervention, maintain the inventory of controls in place to manage risks and to allow risk-taking in line with the organization’s risk appetite and tolerance.
  • APO12.05.1.2 Categorize controls (e.g., predictive, preventive, detective, corrective) and map them to specific information risk statements (scenarios and hazards) and to aggregated information risks.

APO12.05.2. Determine whether each organizational unit monitors risk and accepts responsibility for operations within its individual tolerance levels and portfolio.

  • APO12.05.2.1 Monitor operational alignment with risk tolerance thresholds.
  • APO12.05.2.2 Ensure that each line of business accepts responsibility for operations within its individual and portfolio tolerance levels and for the integration of monitoring tools into key business processes.
  • APO12.05.2.3 Monitor the performance of each control, and measure the variance of thresholds against objectives.

APO12.05.3. Define a balanced set of risk reduction project proposals and projects that provide strategic opportunities, taking into account the cost / benefit ratio, the effect on the risk profile and the current risk.

  • APO12.05.3.1 Respond to risk exposure and to the opportunities discovered.
  • APO12.05.3.2 Choose candidate IT controls based on specific threats, the degree of risk exposure, the probable loss and the mandatory requirements specified in the IT standards.
  • APO12.05.3.3 Monitor the evolution of the underlying operational business risk profiles and adjust the ranking of risk response projects.
  • APO12.05.3.4 Communicate with key stakeholders early in the process.
  • APO12.05.3.5 Conduct pilot testing and review of performance data to verify operation against design.
  • APO12.05.3.6 Plan for new and updated operational controls, with mechanisms that will measure control performance over time and prompt management to take corrective action when monitoring shows it is needed.
  • APO12.05.3.7 Identify and train staff on new procedures as they are deployed.
  • APO12.05.3.8 Report IT risk action plan progress. Monitor the IT risk of action plans at all levels to ensure the effectiveness of required actions and determine whether residual risk acceptance has been achieved.
  • APO12.05.3.9 Ensure that actions initiated are owned by the affected process owner and any discrepancies are reported to senior management.

APO12.06 Risk Mitigation

Resolutely in phase M of the IPM process, APO12.06 consists of the implementation of the risk mitigation measures adopted following the identification and prioritization of risk, in a project framework. This allows the organization to respond in a timely manner to risks beyond its tolerance threshold, through effective measures that limit the extent of damage. A standard such as ISO 27002:2013 can be used to find risk mitigation measures to implement.

Other elements of COBIT 5 will also be useful or even necessary for the risk management that must take place. Among others:

  • EDM03.03 Monitor risk management.
  • APO13.01 Establish and maintain an ISMS.
  • APO13.02 Define and manage an information security risk treatment plan.
  • APO13.03 Monitor and review the ISMS.
  • BAI01.10 Manage program and project risk.
  • BAI02.03 Manage requirements risk.
  • BAI04.04 Monitor and review availability and capacity.
  • BAI06.02 Manage emergency changes.
  • DSS02.02 Record, classify and prioritize requests and incidents.
  • DSS02.03 Verify, approve and fulfill service requests.
  • DSS02.04 Investigate, diagnose and allocate incidents.
  • DSS02.05 Resolve and recover from incidents.
  • DSS02.06 Close service requests and incidents.
  • DSS03.01 Identify and classify problems.
  • DSS03.02 Investigate and diagnose problems.
  • DSS03.03 Raise known errors.
  • DSS03.04 Resolve and close problems.
  • DSS03.05 Perform proactive problem management.
  • DSS04.01 Define the business continuity policy, objectives and scope.
  • DSS04.02 Maintain a continuity strategy.
  • DSS04.03 Develop and implement a business continuity response.
  • DSS04.04 Exercise, test and review the BCP.
  • DSS04.05 Review, maintain and improve the continuity plan.
  • DSS04.06 Conduct continuity plan training.
  • DSS04.07 Manage backup arrangements.
  • DSS04.08 Conduct post-resumption review.
  • DSS05.01 Protect against malware.
  • DSS05.02 Manage network and connectivity security.
  • DSS05.03 Manage endpoint security.
  • DSS05.04 Manage user identity and logical access.
  • DSS05.05 Manage physical access to IT assets.
  • DSS05.06 Manage sensitive documents and output devices.
  • DSS05.07 Monitor the infrastructure for security-related events.
  • The set of controls of Monitor, Evaluate and Assess (MEA).

The organization will have to put in place an audit process to retroactively validate the results of previous risk analyses. It will also have to repeat the risk analysis process when there are major changes in its environment, situation or information assets, or when it otherwise becomes necessary to do so. At a minimum, it should carry out one risk analysis per budget cycle and at least once a year.

Metric and KRI

Here is a selection of KRIs that are used as a starting point for the implementation of COBIT 5GR. It should be noted that these KRIs must be enriched, adapted or modified to take into account the particularities of each organization.

  • Risk appetite of the organization: Ar (organization)
  • Risk scenario: Zn (A, ψ, δ )
  • Element at risk: In
  • Probability of realization of the hazard: Pb (A)
  • Presence of the vulnerability: Pb (ψ)
  • Probability of exploiting vulnerability by hazard: Pb (ψ, A)
  • Estimated damage: δe (ψ, A)
  • Maximum damage: δm (ψ, A)
  • Resilience level: θ (ψ, A)
  • Expected utility: μ (E) , a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)
  • Mitigation measures: MMn (Zn)
  • Damage reduction caused by exploitation of the vulnerability by the hazard with the mitigation measure in place: δr (ψ, A, MMn)
  • Reduction of the probability of exploitation of the vulnerability by the hazard with the mitigation measure in place: Pb (ψ, A, MMn)

Using these indicators, the organization could make a qualitative risk estimate by performing an indicator estimate in collaboration with stakeholders and risk analysis participants. In such a case, the choice of measurement scales and data collection are likely to have an effect on the degree of scientificity of the results. In the best cases, the organization will have evidence that can be used.

Risk appetite of the organization

Symbol: Ar (organization)

Description: Risk appetite represents the aggregate level of risk that an organization agrees to take in order to continue its business and achieve its strategic objectives. It is necessary to identify the risk appetite of the organization to adjust the damage and utility to obtain the expected utility as perceived by the organization. Low appetite means risk aversion. The result is an increase in the expected utility of the element at risk, that is, it is more valuable to the organization and its decision-makers than its real or book value. On the other hand, a propensity to risk, which signifies a high appetite for risk, results in a decrease in the expected utility.

Qualitative value: between 0.01 and 0.99

Qualitative Data Source: The slider scale can be used to assess risk appetite. The neutral value is 0.5, a value of more than 0.5 is used to indicate risk aversion. A value between 0.01 and 0.49 represents a risk propensity.

Quantitative value: This variable cannot be measured quantitatively.

Quantitative data sources: None

Risk scenario

Symbol: Zn (A, ψ, δ)

Description: The risk scenario is a document that tells a story. In a structured way, it describes the history of a hazard, or sequence of hazards and threats, that exploits a vulnerability of an information asset and causes harm.

Risk element

Symbol: In

Description: Information asset that is subject to a risk scenario

Qualitative value: Unique identifying code assigned to each information asset or risk element included in a risk analysis.

Qualitative data source: Determined by the risk analyst or assigned during an inventory of information assets.

Probability of realization of the hazard

Symbol: Pb (A)

Description: During the meetings the analyst will also have to evaluate, with the participants, the probability of the realization of a scenario. To do this, he will use slider scales to evaluate the damage and the probability of scenario realization. Slider scales are printed and distributed to participants.

The slider scale presented is used to evaluate the probability of realization of the presented scenario.

Qualitative value: The values assigned to this variable are between 0.01 and 0.99, or between 1% (low) and 99% (high). The central, neutral or average value is located at the center of the scale of measurement, which represents 0.5, or 50%.

Qualitative data source: The evaluation of the probability of occurrence of hazards can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.

Quantitative value : real number

Quantitative data sources: historical data or evidence from research or data collection.

Presence of the vulnerability

Symbol: Pb (ψ)

Description: The objective of this indicator is to assess the presence (Pb (ψ) = 1) or the absence (Pb (ψ) = 0) of the vulnerability under consideration in a risk scenario.

Value: 0 (absence) or 1 (presence)

Qualitative Data Source: Analysis by Specialist

Quantitative Data Source: Scan Analysis (NVAS) or another tool

Probability of exploiting vulnerability by hazard

Symbol: Pb (ψ, A)

Description: This indicator is used to estimate the probability that the hazard considered in the risk scenario could exploit the vulnerability.

Qualitative value: between 0.01 and 0.99

Qualitative data source: The probability assessment can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.

Quantitative value: real number

Quantitative data sources: historical data or evidence from research or data collection.

Estimated damage

Symbol: δe (ψ, A)

Description: Measurement of the impact of the achievement of the most likely scenario. If sources of evidence or historical data are available, these data should be preferred. Otherwise, the slider scale can be used. The slider scale presented is used to assess the impact of the presented scenario.

Qualitative value: The values assigned to this variable are between 0.01 and 0.99, or between 1% (low) and 99% (high). The central, neutral or average value is located at the center of the scale of measurement, which represents 0.5, or 50%.

Qualitative data source: The impact evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.

Quantitative value: real number

Quantitative data sources: historical data or evidence from research or data collection.

Maximum damage

Symbol: δm (ψ, A)

Description: Measurement of the impact of scenario realization in the worst case. If sources of evidence or historical data are available, these data should be preferred. Otherwise, the slider scale can be used. The slider scale presented is used to assess the impact of the presented scenario.

Qualitative value: The values assigned to this variable are between 0.01 and 0.99, or between 1% (low) and 99% (high). The central, neutral or average value is located at the center of the scale of measurement, which represents 0.5, or 50%.

Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.

Quantitative value: real number

Quantitative data sources: historical data or evidence from research or data collection.

Resilience level

Symbol: θ (ψ, A)

Description: The level of individual or organizational resilience in relation to the risk scenario presented.

Qualitative value: The values assigned to this variable are between 0.01 and 0.99, or between 1% (low) and 99% (high). The central, neutral or average value is located at the center of the scale, at 0.5, or 50%.

Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest. The slider scale presented is used to assess the impact of the presented scenario.

Quantitative value: real number

Quantitative data sources: historical data or evidence from research or data collection.

Here again, the slider scale can be used.

Expected utility

Symbol: μ (E)

Description: The value of the risk element, its contribution to the business objectives of the organization or its replacement value.

Qualitative value: between 0.01 and 0.99

Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.

Quantitative value: real number

Quantitative data sources: historical data or evidence from research or data collection.

Mitigation measures

Symbol: MMn (Zn)

Description: Risk mitigation measures.

Qualitative value: between 0.01 and 0.99

Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.

Quantitative value: real number

Quantitative data sources: historical data or evidence from research or data collection.

Reduction of damage caused by exploitation of vulnerability by hazard with the mitigation measure in place

Symbol: δr (ψ, A, MMn)

Description: The reduction in damage obtained with the existing risk mitigation measures in place.

Qualitative value: between 0.01 and 0.99

Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.

Quantitative value: real number

Quantitative data sources: validation by an information security expert, historical data or evidence from research or data collection.

Reduced likelihood of exploitation of vulnerability by hazard with the mitigation measure in place

Symbol: Pb (ψ, A, MMn)

Description: The effect of the risk mitigation measure that reduces the likelihood of exploitation of vulnerability by the hazard with the mitigation measure in place.

Qualitative value: between 0.01 and 0.99

Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.

Quantitative value: real number

Quantitative data sources: validation by an information security expert, historical data or evidence from research or data collection.

Example of a qualitative risk calculation

Here is a model for estimating the risk index based on the use of qualitative data. In a real context, the model must be adjusted to take into account the peculiarities of each organization.

The KRIs used in this example:

  • Risk appetite of the organization: Ar (organization)
  • Risk scenario: Zn (A, ψ, δ )
  • Element at risk: In
  • Probability of realization of the hazard: Pb (A)
  • Presence of the vulnerability: Pb (ψ)
  • Probability of exploiting vulnerability by hazard: Pb (ψ, A)
  • Estimated damage: δe (ψ, A)
  • Maximum damage: δm (ψ, A)
  • Resilience level: θ (ψ, A)
  • Expected utility: μ (E) , a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)
  • Mitigation measures: MMn (Zn)
  • Damage reduction caused by exploitation of the vulnerability by the hazard with the mitigation measure in place: δr (ψ, A, MMn)
  • Reduction of the probability of exploitation of the vulnerability by the hazard with the mitigation measure in place: Pb (ψ, A, MMn)

Calculation of the estimated risk for the Z001 risk scenario (virus, email, loss of reputation). This is the risk of loss of reputation through the disclosure of private information of the organization’s clients, caused by a computer virus sent by e-mail and opened by a misguided employee:

  • Ar (organization) = 0.3 (light)
  • Pb (A) = 0.7 (high)
  • Pb (ψ) = 1 (presence)
  • Pb (ψ, A) = 0.5 (medium)
  • δe (ψ, A) = 0.4 (medium)
  • δm (ψ, A) = 0.9 (very high)
  • θ (ψ, A) = 0.5 (medium)
  • μ (E) = 0.6 (medium)
  • MM001 (Z001) = $ 45,000 (DLP system)
  • δr (ψ, A, MM001) = 0.82
  • Pb (ψ, A, MM001) = 0.75

Qualitative estimate of the estimated risk index:

Re (Z001) = (Pb (A) * Pb (ψ) * Pb (ψ, A) * δe (ψ, A) * μ (E)) / θ (ψ, A)

Re (Z001) = (0.7 * 1 * 0.5 * 0.4 * 0.6) / 0.5

Re (Z001) = 0.084 / 0.5

Re (Z001) = 0.168

Qualitative estimate of the maximum risk index:

Rm (Z001) = (Pb (A) * Pb (ψ) * Pb (ψ, A) * δm (ψ, A) * μ (E)) / θ (ψ, A)

Rm (Z001) = (0.7 * 1 * 0.5 * 0.9 * 0.6) / 0.5

Rm (Z001) = 0.189 / 0.5

Rm (Z001) = 0.378

Qualitative estimate of the tolerated risk index:

Rt (Z001) = (Pb (A) * Pb (ψ) * Pb (ψ, A) * Ar (org) * μ (E)) / θ (ψ, A)

Rt (Z001) = (0.7 * 1 * 0.5 * 0.3 * 0.6) / 0.5

Rt (Z001) = 0.063 / 0.5

Rt (Z001) = 0.126

Qualitative estimate of the mixed risk index with the use of risk mitigation measure MM001 (Z001), a data loss prevention (DLP) system that costs $ 45,000:

Rmm001 = Re (Z001) * δr (ψ, A, MM001) * Pb (ψ, A, MM001)

Rmm001 = 0.168 * 0.82 * 0.75

Rmm001 = 0.103

Example of quantitative risk calculation

Here is a model for estimating the risk index based on the use of quantitative data. In a real context, the model must be adjusted to take into account the peculiarities of each organization.

The KRIs used in this example:

  • Risk appetite of the organization: Ar (organization)
  • Risk scenario: Zn (A, ψ, δ )
  • Element at risk: In
  • Probability of realization of the hazard: Pb (A)
  • Presence of the vulnerability: Pb (ψ)
  • Probability of exploiting vulnerability by hazard: Pb (ψ, A)
  • Estimated damage: δe (ψ, A)
  • Maximum damage: δm (ψ, A)
  • Resilience level: θ (ψ, A)
  • Expected utility: μ (E) , a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)
  • Mitigation measures: MMn (Zn)
  • Damage reduction caused by exploitation of the vulnerability by the hazard with the mitigation measure in place: δr (ψ, A, MMn)
  • Reduction of the probability of exploitation of the vulnerability by the hazard with the mitigation measure in place: Pb (ψ, A, MMn)

Calculation of the estimated risk for the Z001 risk scenario (virus, email, loss of reputation). This is the risk of loss of reputation through the disclosure of private information of the organization’s clients, caused by a computer virus sent by e-mail and opened by a misguided employee:

  • Ar (organization) = 0.3 (light)
  • Pb (A) = 0.6 (this happened 3 times in the last 5 years in our organization and the industry figures are similar for companies like ours)
  • Pb (ψ) = 1 (the vulnerability is present in our organization)
  • δe (ψ, A) = $ 1,000,000 (average of 3 known incidents)
  • δm (ψ, A) = $ 4,000,000 (the worst case here)
  • θ (ψ, A) = 1 (the current resilience has no effect)
  • μ (E) = $ 10,000,000 (contribution of informational assets to organizational objectives)
  • MM001 (Z001) = $ 45,000 (DLP system)
  • δr (ψ, A, MM001) = 0.82
  • Pb (ψ, A, MM001) = 0.75

Quantitative estimate of the estimated risk index:

Re (Z001) = (Pb (A) * Pb (ψ) * δe (ψ, A)) / θ (ψ, A)

Re (Z001) = (0.6 * 1 * 1000000) / 1

Re (Z001) = $ 600,000

Quantitative estimate of the maximum risk index:

Rm (Z001) = (Pb (A) * Pb (ψ) * δm (ψ, A)) / θ (ψ, A)

Rm (Z001) = (0.6 * 1 * 4000000) / 1

Rm (Z001) = $ 2,400,000

Quantitative estimate of the tolerated risk index:

Rt (Z001) = (Pb (A) * Pb (ψ) * Ar (org) * μ (E)) / θ (ψ, A)

Rt (Z001) = (0.6 * 1 * 0.3 * 10,000,000) / 1

Rt (Z001) = $ 1,800,000

Quantitative estimate of the mixed risk index with the use of risk mitigation measure MM001 (Z001), a data loss prevention (DLP) system that costs $ 45,000:

Rmm001 = Re (Z001) * δr (ψ, A, MM001) * Pb (ψ, A, MM001)

Rmm001 = $ 600,000 * 0.82 * 0.75

Rmm001 = $ 369,000
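The two Z001 calculations above, and the KRI definitions they rest on, carried out in code. This is an added example, not code from the article or from ISACA: the formulas for Re, Rm, Rt and Rmm are the article's, while the function and field names, the slider-scale reader and the comparison against Rt are this example's own assumptions.

```python
"""Risk index computation for the KRI model described on this page (COBIT 5GR as
used by the article). Added example, not the article's or ISACA's code: the
formulas are the article's, the names and the acceptance test are assumptions."""
from dataclasses import dataclass

Q_MIN, Q_MAX = 0.01, 0.99  # bounds of the qualitative slider scale used by the article


def slider_value(mark_mm: float, scale_mm: float = 100.0) -> float:
    """Read a participant's mark on a printed slider scale (distance from the low
    end) as the 0.01..0.99 value the article assigns; marks on the edge are clamped."""
    if scale_mm <= 0:
        raise ValueError("scale length must be positive")
    return min(Q_MAX, max(Q_MIN, round(mark_mm / scale_mm, 2)))


def check_qualitative(name: str, v: float) -> float:
    """Reject values outside the 0.01..0.99 qualitative scale."""
    if not Q_MIN <= v <= Q_MAX:
        raise ValueError(f"{name}={v} is outside the qualitative scale {Q_MIN}..{Q_MAX}")
    return v


def check_presence(v: int) -> int:
    """Pb(psi) is a presence flag: 0 (absent) or 1 (present), nothing else."""
    if v not in (0, 1):
        raise ValueError("Pb(psi) must be 0 or 1")
    return v


@dataclass(frozen=True)
class Scenario:
    """KRIs of one risk scenario Zn(A, psi, delta). Field names are this
    example's; the symbol each one stands for is given in the comment."""
    code: str
    appetite: float            # Ar(org)
    hazard_prob: float         # Pb(A)
    vuln_present: int          # Pb(psi)
    damage_est: float          # delta_e(psi, A): scale value or money
    damage_max: float          # delta_m(psi, A): scale value or money
    resilience: float          # theta(psi, A)
    utility: float             # mu(E): scale value or money
    exploit_prob: float = 1.0  # Pb(psi, A); only the qualitative model uses it


def qualitative_indices(s: Scenario) -> dict:
    """Re, Rm, Rt as on the page: (Pb(A)*Pb(psi)*Pb(psi,A)*X*mu(E)) / theta(psi,A)
    with X = delta_e, delta_m or Ar(org). Every input is range checked first."""
    check_presence(s.vuln_present)
    for name in ("appetite", "hazard_prob", "exploit_prob", "damage_est",
                 "damage_max", "resilience", "utility"):
        check_qualitative(name, getattr(s, name))
    base = s.hazard_prob * s.vuln_present * s.exploit_prob * s.utility / s.resilience
    return {"Re": round(base * s.damage_est, 3),
            "Rm": round(base * s.damage_max, 3),
            "Rt": round(base * s.appetite, 3)}


def quantitative_indices(s: Scenario) -> dict:
    """Re, Rm, Rt in money as on the page: Pb(A)*Pb(psi)*delta / theta(psi,A),
    and Pb(A)*Pb(psi)*Ar(org)*mu(E) / theta(psi,A) for the tolerated index."""
    check_presence(s.vuln_present)
    check_qualitative("appetite", s.appetite)  # Ar(org) has no quantitative form
    if not 0 <= s.hazard_prob <= 1:
        raise ValueError("Pb(A) is a probability")
    if s.resilience <= 0:
        raise ValueError("theta(psi, A) divides the index and must be positive")
    base = s.hazard_prob * s.vuln_present / s.resilience
    return {"Re": round(base * s.damage_est, 2),
            "Rm": round(base * s.damage_max, 2),
            "Rt": round(base * s.appetite * s.utility, 2)}


def mitigated_index(re: float, damage_reduction: float, prob_reduction: float) -> float:
    """Rmm = Re * delta_r(psi,A,MM) * Pb(psi,A,MM), the page's mixed index."""
    check_qualitative("delta_r(psi,A,MM)", damage_reduction)
    check_qualitative("Pb(psi,A,MM)", prob_reduction)
    return round(re * damage_reduction * prob_reduction, 3)


def acceptable(index: float, tolerated: float) -> bool:
    """Whether an index lies within the tolerated index Rt. Assumption of this
    example: the article computes Rt but does not spell out the comparison rule."""
    return index <= tolerated


# The page's Z001 scenario (virus by e-mail, loss of reputation), qualitative values
Z001_QUAL = Scenario("Z001", appetite=0.3, hazard_prob=0.7, vuln_present=1,
                     damage_est=0.4, damage_max=0.9, resilience=0.5, utility=0.6,
                     exploit_prob=0.5)
# The same scenario with the page's quantitative values, in dollars
Z001_QUANT = Scenario("Z001", appetite=0.3, hazard_prob=0.6, vuln_present=1,
                      damage_est=1_000_000, damage_max=4_000_000,
                      resilience=1.0, utility=10_000_000)
MM001 = {"cost": 45_000, "damage_reduction": 0.82, "prob_reduction": 0.75}  # DLP system

if __name__ == "__main__":
    for label, fn, sc in (("qualitative", qualitative_indices, Z001_QUAL),
                          ("quantitative", quantitative_indices, Z001_QUANT)):
        idx = fn(sc)
        rmm = mitigated_index(idx["Re"], MM001["damage_reduction"], MM001["prob_reduction"])
        print(label, idx, "Rmm001 =", rmm,
              "within Rt:", acceptable(idx["Re"], idx["Rt"]), "->", acceptable(rmm, idx["Rt"]))
```

Running it reproduces the page's figures (Re = 0.168, Rm = 0.378, Rt = 0.126, Rmm001 = 0.103 and $600,000, $2,400,000, $1,800,000, $369,000); in the qualitative case Re exceeds Rt while Rmm001 falls below it, which is what the DLP measure is meant to achieve.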

Bibliography

Léger, Marc-André (2013). Introduction to Information Risk Management. Hochelaga-Maisonneuve Research Center, Montreal, Quebec, Canada.

ISACA (2013). COBIT 5 for Risk. Available online: http://www.isaca.org/COBIT/Pages/Risk-product-page.aspx?cid=1002152&Appeal=PR
