Cybersecurity


Tips for Developing or Improving Metrics


by Lisa Young, VP of Cyber Risk Engineering

February 6, 2018

Reposted Content from ISACA Newsletter @ISACA Volume 1

Everywhere we turn, vast amounts of facts, figures, numbers, records and files are being processed, interpreted, organized, structured and presented in a way that turns those data bits and bytes into meaningful information. Putting the raw data into context is what makes information useful for business decisions and underlies many dashboards being developed across the enterprise. Data and information are important components for measurement and, if put into a suitable context, may also become meaningful metrics.

Let us begin with a few definitions and examples:

  • Data—Raw, unorganized facts, records, numbers, etc. An example is the number 2 or the letters “e, g, s.” By themselves, it is hard to know what exactly is meant by their use.
  • Information—Data that are structured, organized or presented in context to make them useful. An example is “I had 2 eggs for breakfast.”
  • Measure (or measurement)—The value of a specific characteristic of data. An example is “the number of staff that completed information security awareness training.” Without more context, it is hard to know what value is derived from the statement.
  • Metric—The aggregation of one or more measures to create a piece of business intelligence, in context. An example is “percentage of staff trained vs. expected (planned vs. actual numbers)” or “percentage of new users (internal and external) who have satisfactorily completed information security awareness training before being granted network access.” These statements give context for whether or not the information provided is meeting the intended objective. If I have 10 staff members and 9 of them have completed the relevant training, then my percentage of satisfactory completion is 90%. If I have 10,000 staff members and only 900 of them have completed the relevant training, then I know I still have more work to do, especially if the untrained staff have been granted access to the network.

Consistent, timely and accurate metrics are an important feedback mechanism for managing any activity. When seeking to develop or improve metrics, here are some considerations to keep in mind:

  • Establish objectives—What questions are intended to be answered with the metric? Who is the audience for the metric? Which information needs will be satisfied with the metric? Who collects the measurement data? What techniques for analysis and reporting will be used?
  • Prioritize objectives—Data collection and analysis are costly and time consuming. It is important to consider the purpose and intended use of the metrics. What actions or decisions would the metric inform? If no action, decision or behavior change occurs as a result of the metric, then why are you spending resources to collect and analyze the data?
  • Identify candidate metrics—Candidate metrics should be based on documented measurement objectives. Identify existing metrics that may already address the objective. Metrics may already exist to satisfy one purpose and may also be used for additional purposes or to answer additional questions.
  • Specify data collection and storage procedures—Procedures should be based on the objective to be satisfied and the capability of the organization for collecting, storing, managing and disposing of data. Remember, data by themselves may not be sensitive or personally identifiable, but when aggregated, there may need to be explicit procedures for protecting and sustaining the information and subsequently developed metrics. Being explicit about data collection and storage may also help with overall data management, maintaining data integrity and governance. Other considerations in this category are frequency of collection and where the source data are created, stored, used, transported, etc. Data flow diagrams are useful for better understanding the data’s unique characteristics and attributes.
  • Update objectives as needed—Do not be afraid to retire a metric if it is not driving decisions, behavior or actions. The most important consideration here is to ask yourself, “What is the value of this metric in comparison to another metric?” If the metric is not meeting the intended objective, then it is no longer useful to collect and maintain. You may need to iterate several times before getting to a small set of meaningful metrics that drive better decisions, actions and behaviors. Often, the best metrics are conveyed by reporting trends over time versus a single point-in-time metric.

Make sure your questions are the ones most important to your target audience (management, operations, strategic) and your assumptions are stated. If there are estimates used in the metric calculations (because you do not have a piece of data or have just started collecting and have no trends in the data), make sure to state that somewhere in your visualization. Good metrics are those that are used often, answer important business questions, cost little to collect in relation to their value, are easily collected and do not require extensive manual intervention or manipulation. There is a difference between metrics and metrics that matter.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Cybersecurity Supply Chain Risk Management – Deconstructing the Root Causes Behind the Spectre and Meltdown Vulnerabilities


Deconstructing The Root Causes Behind The Spectre And Meltdown Vulnerabilities

by Dan Phillips, Director of Cyber Risk Engineering

January 22, 2018

It has been nearly two weeks since the disclosure of the Spectre and Meltdown vulnerabilities. Here at Axio, we have been quietly monitoring the research community’s discussions about the severity of these vulnerabilities as well as user experiences in applying mitigation measures to fix the issues.

Make no mistake, folks: these are serious vulnerabilities that impact nearly every computer and device with a modern processor, and there is particular concern for virtualized and cloud-based systems because the vulnerabilities can be used to bypass memory isolation controls between tenants. In the coming weeks, many security leaders will be asked to make decisions about when or whether to patch the vulnerabilities on company assets. When we consider that the patches degrade the performance of certain workloads by anywhere from 5 to 25% and have caused unwanted reboots, and that the vulnerability is present in billions of devices, it seems likely that we will be living with components that are vulnerable to Spectre and Meltdown for quite some time.

Several of the articles and blog posts that I have been reading touch on the reasons that these vulnerabilities were overlooked for such a long period of time. But what I find missing from these discussions is a really honest conversation about why we keep having major hardware/software vulnerabilities like these pop up every few years. If we are being honest with ourselves, we should acknowledge that as consumers, we are often complicit in creating these vulnerabilities. Too often, we fail to recognize the true cost of rapid product development in the value chain; we don’t ask the right questions during product design and procurement, we don’t recognize the hidden costs of remediation, and we often make value judgements that emphasize lowest cost over security.

I have been working on cybersecurity supply chain issues for years, and I have yet to discover an easy solution to this problem. We have had tools at our fingertips for some time now that would help the community to better manage cyber supply chain concerns: the Common Criteria standard, NIST SP 800-161, and DOE procurement language. But the problem with these tools is that there is often not enough appetite or cohesion at the consumer level to leverage them effectively. To focus product improvement efforts, large portions of the customer base need to be on the same page about their expectations for disclosures, security features, and security testing. We also need mechanisms to discourage free riders. There are ways of dealing with the scalability and free rider problems through regulation, such as FERC’s recent notice of proposed rulemaking on cyber supply chain standards and the DFARS regulations. However, most industries lack an appropriate vehicle to coordinate consumer and vendor behavior.

At Axio, we find that education is often the best tool for managing cyber security risks. Our experience has shown that to manage cybersecurity supply chain risk effectively, organizations must:

  1. Understand the nature of their exposure to supply chain and third-party cyber security incidents and,
  2. Understand their security program’s capabilities to address these types of risks.

Using tools such as the Cybersecurity Capability Maturity Model (C2M2), the NIST Cybersecurity Framework (CSF), and peer benchmarking data, we have been helping our clients to develop roadmaps to mature their cyber supply chain risk management practices. The best solutions often involve a combination of the following:

  • Procedural controls (e.g. secure patch delivery processes, contractual obligations)
  • Technical controls (e.g. technology enforced vendor enclaves, functional testing)
  • Financial controls (e.g. insurance policies)

It is my belief that we can greatly reduce the number/severity of critical vulnerabilities in the future by encouraging technology consumers to use simple, risk informed strategies during the procurement, design, and system integration stages of the product lifecycle. By articulating our security expectations early and often to our suppliers, we can ultimately incentivize suppliers to give equal weight to performance and security as they design and integrate new products.


The One Thing your Utility Security Program is Missing


by Jason Christopher, Axio Chief Technology Officer

January 12, 2018

Ever since the Federal Energy Regulatory Commission approved mandatory cybersecurity standards for the nation’s grid, self-proclaimed gurus and experts have been making a headache of things. The Critical Infrastructure Protection (CIP) standards are one of the few compliance requirements that can monetarily penalize asset owners/operators for poor cybersecurity hygiene. And all the cool kids want to be CIP “ninjas.” But how do hiring managers, engineers, or IT peers know that the person they are talking to is really a CIP master?

Late last year, SANS announced a new certification for electric grid stakeholders interested in verifying their CIP chops—the GIAC Critical Infrastructure Protection (GCIP) certification (https://www.giac.org/certification/critical-infrastructure-protection-gcip). The multi-hour exam tests participants on all the necessary knowledge and skills needed to execute a successful utility security program, including:

  • BES Cyber System identification and strategies for lowering their impact rating
  • Nuances of NERC defined terms and CIP standards applicability
  • Strategic implementation approaches for supporting technologies
  • Recurring tasks and strategies for CIP program maintenance

The exam is great for life-long CIP experts and newbies who want to take that next step in their career. Moreover, it covers the entire CIP universe—so you know any GCIP certified personnel will be a well-rounded security professional with an understanding of compliance, technical aptitude, and all the various components to not just be compliant, but to be secure.

The certification is accompanied by a course from SANS, the foremost leader in security training, which I also teach—ICS456: Essentials for NERC CIP (https://www.sans.org/course/essentials-for-nerc-critical-infrastructure-protection). The course is not a prerequisite for taking the certification, but the amount of information we give you over 5 days (and 25 hands-on labs!) will definitely help out anyone looking to prove themselves with the GCIP.

The GCIP officially goes live in February, just in time for my next run of ICS456 in Anaheim, CA (https://www.sans.org/event/southern-california-anaheim-2018/course/essentials-for-nerc-critical-infrastructure-protection)!


NIST Updates Guidance for Critical Infrastructure Security: What You Need to Know


by Jason Christopher, Axio Chief Technology Officer

December 18, 2017

NIST releases the Cybersecurity Framework V1.1 Draft 2 with new guidance.

In February 2014, the US National Institute of Standards and Technology (NIST) released the first version of the Cybersecurity Framework (CSF), as directed from Executive Order 13636. Later that year, Congress passed the Cybersecurity Enhancement Act and solidified NIST’s role with critical infrastructure owners and operators, through support and facilitation of cybersecurity risk frameworks. Over the past three years, NIST has held multiple workshops and collected comments across industry, academia, and government agencies.

Axio has worked alongside this team in many ways over the last three years. Several members of our team, including Dave White, Nader Mehravari, Lisa Young, and Pamela Curtis, participated in the original NIST CSF drafts and workshops for transportation, healthcare, and financial sector perspectives across industry and academia. At the time, my role at the US Department of Energy was to ensure the NIST CSF would not conflict with existing efforts, like the mandatory compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards or the voluntary Cybersecurity Capability Maturity Model (C2M2) efforts. Moreover, I collaborated with industry members across the electric and oil and natural gas sectors to ensure the CSF would work for their operating environments, regardless of size, function, or ownership. This critical work led to the Energy Sector Implementation Guidance document for using the NIST CSF.

Over nearly four years, industry has grown with the CSF. We have seen its adoption across multiple sectors, especially finance, healthcare, and water. While we have personally seen great success with measuring the CSF through the C2M2, many organizations have adopted different methods for assessing their adoption of the CSF. Moreover, we have seen more organizations talk about CSF functions when working across their cybersecurity supply chain, including asking suppliers to provide evidence that they are meeting contractual cybersecurity obligations. Critical infrastructure cybersecurity programs have matured as a result of the CSF dialogue since the first version was released.

The latest draft update attempts to codify some of the lessons learned since the release of V1.0, including:

  • Self-assessment guidance for measuring an organization’s cybersecurity program improvement;
  • Using the CSF for procurement and other supply chain decisions;
  • Examining a “cyberattack lifecycle” to provide further context to the CSF;
  • New subcategories (and informative references) for authentication and coordinated vulnerability disclosure; and
  • A roadmap of additional discussion topics.

These new additions are meant to augment the existing CSF, meaning there is no gigantic overhaul for organizations that want to incorporate the new recommendations. That being said, without a preferred method to self-assess to the CSF, most organizations will need to either create their own metrics program or leverage a facilitator or third-party tool.

There’s a lot to consider with this new update. Axio will be working with our clients to ensure industry benefits from clear, concise, and actionable guidance. In the coming weeks we will examine the latest draft and provide our thoughts on some of the key topics, including security metrics and supply chain considerations.

Until then we’re here to help, and if your organization has any questions about the latest draft, feel free to reach out to us at info@axio.com.

 



The Biggest Data Breach in US History Just Happened, Now What?


Suggestions for Protecting Your Credit and Your Identity

by Jason Christopher, Axio Chief Technology Officer

November 3, 2018

Being first is usually thought of as a good thing. Except when it’s not.

Take the recent Equifax data breach, for example. It’s the first of its kind in many ways—not the least of which is its overall impact on the average American—but in no way is this a good thing.

Unless you have been spending time with Gilligan and his fellow castaways lately, you have by now heard of the massive Equifax data breach. While we will undoubtedly learn more about this incident in the coming months, as it now stands over 143 million records may have been compromised. This means that the names, Social Security Numbers, addresses and, in some instances, driver’s license numbers of almost every American adult have been laid bare.

This is a big deal.

If credit card numbers are compromised, they can be changed. The same is not true for your birth date or SSN. Putting that aside for a minute, this means that should your identity be compromised, proving you are who you say you are will be very difficult going forward.

In order to help you, we have compiled a list of actions you can—and should—undertake immediately to protect yourself and your family. We highly recommend that everyone follow these steps. It is additional work, but it could potentially save you years of headaches if your information is ever used against you.

Six steps to staying safe from the Equifax Hack

  1. Obtain your credit report immediately. If you have not requested your free report this year, you are entitled to it. You can use this to track any changes post-Equifax breach.
  2. Sign up for free credit monitoring as part of the breach.
  3. Get a security freeze with every credit bureau. This is your best bet at protecting yourself. Pro tip: Brian Krebs has a great guide. Security freezes have been around for years; I personally have leveraged one in the past. While there are minor charges associated with freezing/unfreezing your credit (fees are decided on a state-by-state basis), it’s money well spent. You can also request freezes on your children’s accounts; they may not have been impacted by the incident, but better safe than sorry. Luckily, it’s all a simple phone call. Unluckily, since our financial systems revolve around credit, you’ll need to unfreeze it before you buy a car, house, or perform any other credit check-based function. For easy reference, here are the numbers to call. Make sure you call all three.
    • TransUnion: 1-888-909-8872
    • Equifax: 1-800-349-9960
    • Experian: 1-888-397-3742
  4. Monitor your financial accounts and change any shared passwords—especially if you have an online account with Equifax. As always, if your accounts offer two-factor authentication, you should have it enabled.
  5. Up your social engineering awareness game. Now that all of your information is in the open, experts are expecting an uptick in social engineering attacks, including phishing emails, texts, and calls.
  6. File your taxes immediately from here on out. With your credit frozen, your biggest risk of direct impact is going to come from a fraudulent tax return. Unfortunately, the IRS only requests your SSN to verify your identity, which is now out in the open. If somebody files with your SSN, you will be locked out from filing yourself. This is a common financial attack. Keep in mind that the IRS will never ask for your personal information on the phone; if someone calls you from the IRS, hang up and call your local office to verify any request. To be proactive, you can register with the IRS for additional protection.

Don’t stop now …

Finally, there are a few additional steps you can take to further protect yourself in the unfortunate event that your identity is stolen. For example, if you only have a copy of your birth certificate, look up your County of Birth’s rules on requesting a new one and keep it safe. This will help prove that you are… well… “you” if you are handling fraud. Likewise, if you don’t have a passport, consider getting one. Having both of these can help you get out of a bad situation if you need to prove that you are who you say you are.

SANS recently gave a webinar that covered some of these steps, along with information about the data breach. In the event you missed it, you can listen to the recorded version at your convenience. (We recommend sooner rather than later.)

We hope you find these tips helpful. We want to make sure everyone is safe.

It’s what we do.


ISACA: Tips for Moving From a Controls-Based Approach to a Risk-Based Approach


by Lisa Young, VP of Cyber Risk Engineering

November 1, 2017

Reposted Content from ISACA Newsletter @ISACA Volume 22

In today’s modern and dynamic environment, the audit profession must evolve continuously and synergistically with the business and technology changes that occur every day. Professionals who are innovative, forward-thinking and fearless in the face of mental model adjustments will be the leaders of tomorrow. Mental models are the paradigms, or lenses, through which we view the world, and they can serve to limit our thinking if we are not receptive to hearing new views or thinking critically about our current practices.

At the North America and European CACS Conferences, ISACA holds 2 invitation-only IT Audit Leaders Forums and publishes the results for those who were not in attendance. This article contains my interpretation and guidance in applying one of the IT Audit Leader forum’s discussion topics to your enterprise. Challenges in the audit field are not only limited to the audit field; they are shared across many other disciplines and professional domains. If you are a security, governance, risk management or IT professional, consider these tips and how this challenge applies to your enterprise. The first challenge is moving from a controls-based, or checklist, approach to a risk-based approach:

  • The controls-based approach — This approach is well-defined in the audit and assurance discipline. Audit and assurance roles are focused on the inspection, verification or conformance to a set of practices or controls to ensure guidance is being followed, records are accurate and effectiveness targets are being met. I know there are some nuances between types of engagements, but for the purposes of this article, it is assumed that audit and assurance professionals are tasked with ensuring and evaluating that things are operating according to a prescribed or bounded set of criteria. Many of the criteria that are audited or for which assurance is provided have already occurred, meaning that we look to the past to evaluate what has previously happened. This means that the online transaction has been performed, the security control is implemented and operating, or the financial statement has been attested to. There is no uncertainty in the result of the transaction (pass or fail), if the control is implemented or not, or if the financial statement is finalized. The primary risk in audit and attestation is in reaching an incorrect conclusion from the engagement or the risk of noncompliance if controls and practices are not operating as intended. Organizations spend a lot of time and money on implementing and testing controls rather than managing risk.
  • The risk-based approach — This is a forward-looking view of uncertainty. In the landscape in which an organization operates, there are many things that impede an enterprise from accomplishing its objectives, achieving its financial or operational targets, or meeting its mission. A risk-based approach is best paired with a strategic view of the organization to understand which potential uncertainties or risk factors have the highest potential to prevent the organization from meeting its intended targets, objectives, mission, etc. A thoughtful risk assessment will consider the general things that can affect all organizations (about 80% of an enterprise risk) and will also consider those things that are specific to your individual type of business or organization (about 20% of an enterprise risk). The reason there are so many compliance regulations, control catalogs or best practices is that many organizations do not perform risk assessments with the rigor, depth or thoughtful analysis (qualitative and quantitative) that is needed to really understand where to focus the appropriate resources to manage the uncertainties that may materialize in a given day.

Implementing a set of prescribed controls or compliance regulations will generally protect an organization from about 75-85% of the risk in the environment, and it can be put into effect without the benefit of a comprehensive risk assessment. It is far easier to report on gaps in controls, security incidents or phishing attempts as risk events because they have already happened. Reporting on the uncertainty of what might or might not happen is a discipline that takes an investment of education, time and resources to report to management in a way that improves decision-making and does not rely solely on guessing, previous audit findings or reporting realized risk.

So, in the absence of a mature risk management program and process, the organization can be generally effective in preventing realized risk with a robust compliance or controls program. However, to ensure that you are managing the risk factors that have the most relevance to your organization, thoughtful risk identification, risk analysis, risk management and risk monitoring processes must be defined, implemented and measured for effectiveness. In general, an effective risk management process is comprised of the following components:

  • Establish the organizational context — What are the mission, objectives and strategy?
  • Identify risk — To meeting the objectives, mission and strategy
  • Analyze risk — Qualitative and quantitative; not guesswork
  • Evaluate and prioritize risk — Based on analysis, not on what is in the news
  • Respond to or treat risk — With projects that are managed to completion
  • Measure and control the risk management process — By defining the processes and procedures and using standard templates and measurement scales

Here is one example to sum up the recommendations in this article:

  • Conclusion: Looking backward, as a result of [audit finding], the company lost US $3 million in revenue during the third quarter.
  • Risk: Looking forward, without a strategic plan to correct [audit finding], the company could potentially lose an additional US $3 million in the fourth quarter and US $4 million in the first quarter of the new year.

If you are interested in learning more about risk management, there are many quality ISACA publications that cover the topic in more detail. I will also be delivering a workshop on risk assessment and risk management at the upcoming 2018 North America CACS in Chicago, Illinois, USA.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Understanding the Impact of the KRACK Attack


by Brendan Fitzpatrick, VP of Cyber Risk Engineering

October 25, 2017

I am writing to give you the skinny on KRACK, the attack, and to provide some of the “facts” along with some recommendations for what to do now. The bottom line is that your devices ARE vulnerable to this newly discovered attack. Practically every WiFi enabled device is affected. Computers and mobile devices will likely get updates in the near future, though IoT and embedded devices may be a different story. You will want to update your devices as vendors release patches. You may also consider getting in compliance with your backup policies now to save frustration later.

What is the KRACK attack?

  • KRACK is short for key reinstallation attacks
  • The vulnerability is within the WPA2 protocol which means all WiFi enabled devices utilizing WPA2 are vulnerable
  • WPA2 is short for Wi-Fi Protected Access 2 and is how the connection to your WiFi access point is secured
  • The attack relies upon the 4-way handshake negotiation at the beginning of WiFi sessions
    • An attacker needs to be physically within radio range of the target Wi-Fi network to carry out the attack
    • The attack must take place during the 4-way handshake
    • The attack does not reveal the WiFi passphrase and does not allow the attacker to join the network
    • If the attack is successful they can potentially decrypt traffic between the victim client and their access point (and, where the network uses TKIP or GCMP rather than AES-CCMP, forge and inject packets as well)
    • Currently, the attack is focused on the client side of the 4-way handshake; access points are affected only through the optional 802.11r Fast BSS Transition (fast roaming) handshake
    • The researcher discovered the vulnerability in May, informed vendors in July, and made it public very recently
    • Most vendors are working diligently on patches
    • The researcher has not released a toolkit or script for the exploit
    • There are no known uses of the attack in the wild
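The “decrypt traffic” point above comes down to nonce reuse. CCMP encrypts each Wi-Fi frame with AES in counter mode, keyed by the pairwise transient key (PTK) negotiated in the 4-way handshake and a nonce built from a per-frame packet number. A client that accepts a replayed message 3 reinstalls the same PTK and resets its packet number to zero, so the next frame it sends is encrypted with a keystream the attacker has already seen. The script below is an added example written for this page, not code from the original post or from the KRACK researchers. It models a supplicant in three modes (vulnerable, the wpa_supplicant 2.4/2.5 all-zero-key variant, and patched) and runs the attacker’s sniff / replay / sniff sequence against each. The counter-mode keystream is a stand-in built from HMAC-SHA256 so the script runs with only the standard library, and the two frames are constructed sample data; the reuse property being demonstrated is the same as under real AES-CTR.

```python
"""
Toy model of a KRACK key reinstallation against a Wi-Fi client.

Added example; not the original post's code and not the researchers' tooling.
Real CCMP uses AES-CTR keyed by the PTK with a nonce derived from the packet
number; the keystream() below is an HMAC-SHA256 stand-in with the same
(key, packet_number) -> keystream property, so the reuse flaw shows identically.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample frames: the attacker can guess the first one (an HTTP
# request header); the second is what the attacker wants to read.
KNOWN_FRAME = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
SECRET_FRAME = b"Cookie: session=deadbeefcafebabe"
KEY_LEN = 16


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Counter-mode keystream for one frame. (key, packet_number) must never repeat."""
    out = b""
    block = 0
    while len(out) < length:
        ctr = packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(ptk, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Minimal supplicant state: installed PTK plus transmit packet number.

    mode="vulnerable": every message 3 (re)installs the PTK and resets the packet
                       number to 0, which the 802.11 standard allowed.
    mode="zero_key":   as above, but the supplicant already wiped the PTK from
                       memory after first use, so the replay installs an all-zero
                       key (wpa_supplicant 2.4/2.5, used by Android 6.0+).
    mode="patched":    an already-installed PTK is never reinstalled.
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.ptk: Optional[bytes] = None
        self.pn = 0

    def receive_msg3(self, ptk: bytes) -> None:
        """Handle handshake message 3, which may be an attacker's replay."""
        if self.ptk is not None:
            if self.mode == "patched":
                return                      # ignore the reinstall; keep counting
            if self.mode == "zero_key":
                ptk = bytes(KEY_LEN)        # real key already cleared: zeros go in
        self.ptk = ptk
        self.pn = 0                         # nonce reset: the root of the problem

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame; returns (packet_number, ciphertext)."""
        pn = self.pn
        self.pn += 1
        return pn, xor(plaintext, keystream(self.ptk, pn, len(plaintext)))


def krack_demo(mode: str) -> Tuple[bool, Optional[bytes]]:
    """Attacker in radio range: sniff one frame, replay message 3, sniff another.

    Returns (nonce_reused, recovered_secret); recovered_secret is None on failure.
    """
    ptk = os.urandom(KEY_LEN)               # key negotiated by the real handshake
    client = Client(mode)
    client.receive_msg3(ptk)                # legitimate handshake completes

    pn1, c1 = client.send(KNOWN_FRAME)      # attacker captures c1
    client.receive_msg3(ptk)                # attacker replays message 3
    pn2, c2 = client.send(SECRET_FRAME)     # attacker captures c2

    if pn1 != pn2:
        return False, None
    if client.mode == "zero_key":
        # Key is known to be all zeros: decrypt directly, no known plaintext needed.
        return True, xor(c2, keystream(bytes(KEY_LEN), pn2, len(c2)))
    # Same key and nonce => same keystream: c1 ^ KNOWN_FRAME yields the keystream,
    # which then strips c2 as far as the known frame reaches.
    return True, xor(c2, xor(c1, KNOWN_FRAME))


if __name__ == "__main__":
    for mode in ("vulnerable", "zero_key", "patched"):
        reused, recovered = krack_demo(mode)
        print(f"{mode:10s} nonce reused={reused} recovered={recovered!r}")
```

In the real attack the replay is not a free function call: the attacker holds a channel-based man-in-the-middle position between client and access point and blocks the client’s message 4, so the access point retransmits message 3 on its own. The fix modelled by the “patched” mode is what vendors shipped: remember that a PTK has been installed and refuse to reinstall it, which keeps the packet number counting and leaves a replayed message 3 harmless.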

What can you do?

  • Update your devices as vendors release patches
    • Microsoft claims that an update is already available for currently supported Windows versions
    • Apple claims that their update for all currently supported devices is in Beta and will be pushed to the public soon
    • Google Android and other Linux-based devices may be the most affected: versions 2.4 and 2.5 of the wpa_supplicant Wi-Fi client (used by Android 6.0 and later and by some Linux distributions) clear the key from memory after first use, so a reinstallation leaves the device encrypting with an all-zero key, and updates are still being developed
  • Changing your Wi-Fi password or getting a new router won’t protect against KRACK attacks, but they are never bad ideas
  • Protect sensitive company and client data according to your company policies
  • Enterprise users should ensure they use their company VPN when on public WiFi and use HTTPS-enabled websites whenever possible
  • Consider tethering your phone when WiFi networks do not play nice with your corporate VPN, as cellular connections are encrypted

Further reading:

  • Researcher’s site on KRACK
  • Research paper on KRACK
  • Great article for the non-techie 1
  • Great article for the non-techie 2

Tips for Understanding the Role of RCSA in Risk Management

ISACA: Tips for Moving From a Controls-Based Approach to a Risk-Based Approach

by Lisa Young, VP of Cyber Risk Engineering

January 1, 2017

Reposted Content from ISACA Newsletter @ISACA Volume 1

Organizations exist to produce a product or deliver a service and generally have a strategy or a set of goals. Risk management is an organizational discipline that, when combined with strategic planning, ensures that the risk with the greatest potential negative impact on the ability to achieve the organization’s stated goals is identified, analyzed and responded to in an appropriate way (given the risk tolerances of that organization).

In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a 4-volume report titled Internal Control—Integrated Framework. This report presented a common definition of internal control, providing a framework against which internal control systems could be assessed and improved. Around the same time, the Turnbull Report was published and set out internal control best practices for UK-listed companies. After a few years of focus on internal control systems and corresponding internal controls, the management of risk was added to both the COSO and Turnbull reports. This was the genesis of risk and control self-assessment (RCSA) as we now know it.

An RCSA is one tool for surveying or interviewing the business and frontline personnel to understand their view of the risk factors that might impede their progress toward objectives. For the areas of concern identified as a potential risk, a set of corresponding controls that would assist in mitigating the risk or reducing its impact is determined. When an RCSA is used as the only source for risk identification, the organization’s capability to perform risk management is not fully developed, and important risk may go unnoticed. Here are some tips for thinking about how your organization identifies risk that may lead you to a more complete picture of the risk that your organization faces:

  • Do I begin with business goals and objectives and then identify IT-related risk to those business objectives? Many RCSAs are focused on known risk rather than new areas of concern or factors that have not materialized as realized risk yet.
  • Is my organization engaged in actively building skills in risk management? Do we have a common language for risk terms? Risk and controls are complementary, but they are not the same.
  • Do senior leaders in my organization seek out risk management insights to improve performance (not just manage the risk of noncompliance)?
  • Is robust and realistic scenario analysis a primary technique in my risk identification approach? If you are not using the COBIT 5 risk scenarios, consider looking at them and trying to incorporate them into your risk identification process.
  • Do business cases for all strategic initiatives (and major projects) include a detailed and specific description of risk in design, implementation and operations, along with steps to proactively manage them?
  • When conducting an RCSA, is the interviewee or survey participant asked about their concerns (that might not be part of the RCSA)?
  • Do I align strategic goals and objectives to a set of control objectives rather than prescribe a set of controls to use? Having a set of control objectives provides the ability to actively manage risk by changing the process or procedures, avoiding the activity that contributes to risk, or detecting a risky activity sooner. Controls are not the only way to manage risk.
  • Do I actively refine control objectives and the associated controls to make them simpler to save time and cost in design, implementation, use and monitoring?

Risk management is an ongoing organizational capability that can be improved over time. The goal is to keep the business operating with minimum impact from a realized risk or incident. Risk and control self-assessments are but one tool in the risk management tool kit. Make sure your RCSAs are robust enough to add value to the risk management process.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
