ISACA CRISC – IT Risk Identification

12. How can the risk professional avoid being seen as obstructive?

Risk management depends on the goals and objectives of the business. The risk professional should take care not to consider a risk only from the perspective of a department or process without also considering the risk to other departments, partners, or general business objectives.

Because risk management serves the organisation as a whole, executives will often choose a path that seems to offer the best perspective for value creation and can do so despite the resistance of those involved in risk management. Here we will see some attitudes that professionals in the field of risk management must cultivate to avoid being seen as obstructive.

They must understand business in order to build a relationship with managers and be accountable for it. Be aware of the company’s strategy and consider it in risk management, making clear the reason for the suggestions made and proactively seeking ways to ensure the security of new technologies and business processes. Build relationships and communication infrastructure to include risk management in each business process and new project. Be aware of the risks of change in the environment and work to mitigate them. Create a culture that encourages the integration of risk management into business processes. Identify realistic ways that would make yes align with your risk appetite instead of saying no.

What we should draw from these lessons is that information security and risk professionals are there to add value to the company. It must be a facilitator, someone who is helping to create risk awareness, someone who is helping to find the best way to support a value creation activity using existing tools, how best to design a risk mitigation process, and so on. So the risk professional will be seen as someone who really wants to help add value, not as someone who is obstructive and should be avoided. The risk professional is critical in assisting in the development of a sound and functional risk.

13. What are the roles involved in the risk management process?

The effectiveness of the risk management effort is often influenced by the positioning of the risk management function within the organization’s structure. Ideally, risk management should be a function within the corporate scope as a whole, capable of reaching all parts of the organisation and providing leadership, advice, and direction. To answer the question, what are the roles involved in the risk management process? Isaac states that there are four main roles.

Which are? One individual is responsible for risk management; two individuals are responsible for the risk management effort; three individuals are consulted and provide support and assistance to the risk management effort; and four individuals are informed about the risk management effort but may not necessarily be involved in its execution. Next, we will use the Hacimatrix model to illustrate the definition of roles and responsibilities among various stakeholders. For those who are not accustomed to the hasimatrix, I will briefly explain what the letters mean.

The R is responsible for actually executing the work and carrying out the execution effort to meet the stated objectives. It means accountable, and it implies that the only person who must account for the activity for which authority should be delegated should be a single individual. To be effective, there should never be more than one accountable person per task. The C comes from concerted, which represents individuals who provide data, advice,  feedback, or approvals for the activity. People concluded that they could be from other departments or from outside the company.

And finally, the I means informant, presenting the individuals who must be informed of the status or deliveries made by the activity but who are not directly responsible for the execution of the work. This is an example matrix for risk management. For each company, the roles and responsibilities will change. To collect risk data, for example, senior management should be informed by the authority of the risk committee, our department managers should be consulted, and the risk professional should be actually responsible for the implementation. In order to deliver the risk reports, the only difference is that no one is consulted because it’s a delivery. Who should receive this information? Is that already the responsibility of senior management and department heads? The response to risks is the responsibility of the department managers. The risk professional acts as a consultant, the risk committee is only informed of the decisions made by the department managers, and senior management is the one who has authority over the task. Finally, the task of monitoring risks is also the responsibility of senior management. The risk profile professional also acts as a consultant, but the monitoring authority is the risk committee, and senior management is only informed of what is being monitored.

14. What are the methods of identifying risks?

What are the methods for identifying risks? The purpose here is not to list all available methods but rather to identify broadly the groups of methods that should be sought by the risk professional. They are survey or evidence-based methods. Some examples are analogous and instant reports, public media, and even company annual reports. The name is self-explanatory and consists of searching for existing documentation for risk identification. The second option is a systematic approach expert opinion, in which risk is systematically considered and questions about a business process are asked in order to identify potential failure points. This can be done in many ways too, such as through expert review of business continuity or disaster recovery plans. Vulnerability assessments also fall into this category, as do interviews and workshops. When a team has a process to determine the possibility of an attack or compromise, such as a penetration test, inductive methods are used.

15. What is the risk identification process?

So what is the risk identification process at this point of the training? This process should already be clear to most people, but we should remember to make sure that there are no gaps of understanding. The first step is to identify the assets, followed by identifying the threats, then identifying the existing controls, followed by education about the vulnerabilities, and finally identifying the consequences. It is important that the process be followed in a structured way so that it can be more effective.

The risk professional must ensure that risks are properly identified and that they can be properly addressed by the next phase of the risk management lifecycle. Now that we have a clear view of the concepts, it is easier to understand this process, which is basically the summary of this module. When all of these points are meticulously carried out and documented, a clear picture of risk will be available for risk assessment, which is the next stage of the life cycle. But first, let’s look at the concept of a risk scenario. That helps a lot with the risk visualisation for our stakeholders. Regardless of skill or ease with the subject

16. What is a “risk scenario”?

What is a risk scenario? The name is suggestive, and we have also seen early in this training that they are narratives designed to illustrate the risks to the stakeholders. The official definition is that a “risk scenario” is a description of a possible event whose occurrence will have an uncertain impact on achieving the company’s goals, which may be positive or negative.

Each identified risk should be included in one or more scenarios, and each scenario should be based on an identified risk to give greater visibility to a critical risk from different perspectives. It is common for multiple risk scenarios to be created for a single critical risk. Being a narrative, the development of risk scenarios solely from the imagination is an art that often requires creativity, reflection, research, and questioning. Incidents that have occurred in the past should also be used as the basis for risk scenarios that might lead to their development. Risk scenarios based on past events, on the other hand, should be fully utilized to ensure that similar situations do not take advantage of ways that can be avoided. Risk scenarios can be developed from a top-down approach, where they are built from the perspective of business objectives, or from a bottom-up approach, where they are developed from the perspective of empirical scenarios. At the end of the day, risk scenarios are a communication tool at the disposal of the risk professional that aims to facilitate communication in risk management by providing a narrative that can inspire people to take action.

This is where the risk professional can best sell your idea and convince people of the value it can generate for the company. In addition to helping explain the risk, risk scenarios also help the risk team better understand the risk. As part of the effort to create the scenario, we will review questions and abstractions about the risk itself. A risk scenario has the following basic structure: enactor which is an internal or external part that generates the thread a type of threat that represents the nature of the threat, even such as malicious or accidental a natural event, equipment, or process failure an event, which is a secured incident itself.

It could be, for example, theft, improper modification of data or processes, inappropriate use of resources, changes in regulation, or a lack of change management. The assets are resources affected by the risk event, such as people, organisational structures, IT processes, physical infrastructure, information or applications, and finally, time if relevant. For example, the duration, the critical moment, whether the detection should be immediate or not, or the lag between the event and its consequence The risk scenario is part of the risk register and must be available to the stakeholders as needed.

17. What is the risk register?

After all, what is the risk register? As we have seen, it is the central repository that organisations use to consolidate all risk information and make it available to stakeholders. It allows managers and top management of each department to obtain the status of the risk management process from a single source, which in turn makes it possible to better manage and report risks and coordinate risk response activities. The risk register allows the risk to be tracked.

An increasing risk register shows the severity, source, and potential impact of a risk as well as the person responsible for the risk and the current status of the risk. As you can see, the risk register is not only a tool for risk identification, but also for risk management. Identifying risks is the first step in generating information that will be completed by other processes, needless to say. But in order to be effective, the risk register must be kept up to date. On the internet, we find several models of risk registers. One is showing COBIT-5 for risk. However, if the company also uses risk management, templates are likely to be available.

18. What are risk awareness programs?

As stated, most risks are due to a lack of knowledge, not a lack of tools. This is why risk awareness programmers are such important tools that risk professionals should not ignore. Due attention must be drawn to this process in a way that brings value to the company’s needs and makes risk management more efficient. But after all, what are the risk awareness programs? According to the official definition, awareness is a powerful tool for creating future ethical training and influencing the behaviour of members of an organization.

An organization’s employees and operational teams are often the first to recognize the abnormal problems or activities going on. Through our earnest programs, it is possible to develop a team approach to risk management that allows each member of an organisation to indemnify and participate for risks and work to defend systems and networks from attacks. It basically means engaging people for the purpose of risk management. Through these awareness programs, the risks are well understood and known, the problems are identifiable, and the organisation recognises and uses the best means to manage risks. Finally, education and awareness training can serve to mitigate some of the greatest organisational risks and achieve the most cost-effective improvement in risk management and information security.

19. Key Points

Well, we have completed the second module of IT risk identification. Here, in addition to deepening our fundamental concepts, we learn about the process and the ways of identifying risks. At the end of the module, we hope that each student is able to answer the questions that have been asked and is clear about the reason for each answer. The first question was, “What does risk identification mean?” Here we have seen that it is not enough to discover risk.

We also have to recognise which assets can be impacted, the vulnerability of those assets, and the threat that can exploit those vulnerabilities. In addition to recognizing risks, risk identification also means creating risk documentation, which will be essential for the next phase of the risk management life cycle. What we see next is the difference between risk capacity, appetite, and tolerance. Here, risk capacity is the maximum loss the company tolerates without endangering its continued appetite; it is the amount of risk a company is willing to accept in pursuit of its mission; and tolerance is the variation in relation to risk appetite but below the capacity of risks that the company can accept in a specific case.

Then we saw the risky future of a company. It is the will, conscious or unconscious, that senior management develops and conveys to COBIT to cautiously accept or avoid risk. That is the set of shared values and beliefs that governs attitudes toward taking risks. Risk future is the primary indicator of a company’s risk management maturity because, in companies where employees are aware that there is no bright future, they support risk identification. Following, we discuss the essential principles for information security risks: confidentiality, integrity, availability, and nonrepudiation, as discussed in information security in general. Then we saw that the risk professional, in order to avoid being seen as obstructive, must understand the business and the strategy and be proactive to add value by giving visibility to the risks and allowing managers to make the best decisions, even if that means assuming more dynamic positions for activity risks.

The focus is to increase visibility, not to impede the business and its activities. The next question was about the roles involved in the risk management process. Here we saw that they are the individuals responsible for risk management, the individuals responsible for the risk management effort, the individuals who are consulted and provide support and assistance to the effort of risk management, and the individuals who are informed about the risk management effort but who may not necessarily be involved in its execution. The methods of identifying risks in general are first historical or evidence-based methods based on a systematic approach and expert opinion in which a risk team systematically examines and questions a business process to determine the potential failure. Points. Third, there are inductive methods of theoretical analysis in which a team process, such as a penetration test, should determine the possible point of attack or compromise. The following question is: What is the risk identification process? We have seen that the fundamental segments of risk identification are to first identify the assets, then identify the threats, then identify the existing controls, then identify the vulnerabilities, and finally identify the consequences.

Then we realised that a risk scenario is a narrative, and that many servers should communicate risks with real-life examples to increase visibility for everyone involved. It usually consists of an actor, the type of threat, the risk event itself, the assets or resources impacted, and the time in which the event may occur. Finally, we have seen that the risk range is the central report that organisations maintain in order to consolidate our risk information in the activities of outer modules. We will use a risk register template, and this is a fundamental concept for any risk management initiative.

20. Thank you!

Well, that’s the end of the second module, risk identification. Next, we go to module three of the training, which is the IT risk assessment, where we will understand that to evaluate means to understand the levels of IT risk in terms of their impact on the business. Also, we will understand the factors that affect the calculation of the types of security controls that can be implemented, such as verifying the current state of information, security controls, how risk assessment is done, the methodologies for risk assessment, and how risk classification is performing. I hope you’re having as much fun as Ido, and I’m looking forward to seeing everyone in module three. See you there! Bye.