RISK SCENARIOS
Using COBIT® 5 for Risk

Personal Copy of: Mr. Yonscun Yonscun


Risk Scenarios Using COBIT® 5 for Risk

About ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust
in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge,
standards, networking, and career development for information systems audit, assurance, security, risk, privacy and
governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity
professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology.
ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified
Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of
Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association
has more than 200 chapters worldwide.

Disclaimer
ISACA has designed and created Risk Scenarios Using COBIT® 5 for Risk (“the Work”) primarily as an educational resource
for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a
successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive
of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should
apply their own professional judgment to the specific circumstances presented by the particular systems or information
technology environment.

Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed,
displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying,
recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this
publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and
must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/riskscenarios


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-468-1

Acknowledgments
ISACA wishes to recognize:
Lead Developer
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Fischer IT GRC Beratung & Schulung, Switzerland

Development Team
Evelyn Anton, CISA, CISM, CGEIT, CRISC, UTE, Uruguay
Robert E Stroud, CGEIT, CRISC, CA, USA
Mike Hughes, CISA, CGEIT, CRISC, 123 Consultants GRC Ltd., United Kingdom
Elza Adams, CISA, CISSP, PMP HP, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Eduardo Ritegno, CISA, CRISC, QAR (IIA), Banco de la Nacion Argentina, Argentina
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil

Expert Reviewers
Mohamed Tawfik Abul Farag, KPMG, Egypt
Mark Adler, CISA, CISM, CGEIT, CRISC, CCSA, CFE, CFSA, CIA, CISSP, CRMA, CRP, Wal-Mart Stores, Inc., USA
Gerardo H. Arancibia Vidal, CISM, CRISC, Ernst & Young, Chile
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Vilius Benetis, CISA, CRISC, PhD, NRD CS, Lithuania
Jean-Louis Bleicher, CRISC, France
Graham Carter, CISA, CGEIT, ABB Limited, Switzerland
Richard Cartwright, CGEIT, ISP/ITCP, ITIL, PMP, MZP Solutions, Canada
Katalina Coronel Hoyos, CISA, SASCURE Cia. Ltda., Ecuador
Gabriel Croci, CISA, CRISC, SOMOS Consultancy Services, Uruguay
Diego Patricio del Hoyo, CISM, CRISC, CISSP, Westpac Banking Corporation, Australia
Leela Ravi Shankar Dhulipalla, CGEIT, COBIT Certified Assessor, COBIT 5 Accredited Trainer, PMP, Venlee IT Consultancy LLP, India
Joseph Fodor, CISA, CPA, Ernst & Young, LLP, USA
Giovanni Guzman De Leon, CISM, ITIL, CFC, ISO 9001, PhD Candidate, Independent Consultant, Guatemala
Jason Hageman, CISA, ITIL V3, MGM Resorts International, USA
Tomas Hellum, LinkGRC, Denmark
Sharon Jones, CISA, MGM Resorts International, USA
Masatoshi Kajimoto, CISA, CRISC, Independent Consultant, Japan
Satish Kini, CRISC, CISSP, COBIT 5 Certified Assessor, Firstbest Consultants Pvt Ltd., India
Vaman Amarjeet Gokuldas Kini, CISA, CISM, CEH, CISSP, LPT, 27KLA, The World Bank Group, India
Shruti Shrikant Kulkarni, CISA, CRISC, CISSP, CPISI, CCSK, ITIL V3 Expert, Infosys Technologies Limited, India
John W. Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/U, IBM Global Business Services, USA
Michel Lambert, CISA, CISM, CGEIT, CRISC, Ministere de l’Agriculture, des Pecheries et de l’Alimentation du Quebec, Canada
Romualdas Lecickis, CISA, CISM, CGEIT, CRISC, NRD CS, Lithuania
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA
Sebastian Marondo, CISA, CISM, NRD-EA, National Audit Office- Tanzania, Tanzania
John Simiyu Masika, CISA, CISM, Kenya Airways Ltd., Kenya
Radmila Mihajlovic, CISA, Consultant, Canada
Lucio Augusto Molina Focazzio, CISA, CISM, CRISC, ITIL, GovernaTI, Colombia
Oscar Moreno Mulas, CISA, OKY Consulting/Zelaya Rivas Asociados, El Salvador
Raphael Otieno Onyango, CISA, BCOM, CPA (K), Ecumenical Church Loan Fund – Kenya, Kenya
Abdul Rafeq, Wincer Infotech Limited, India
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India
Franco Rigante, CISA, CRISC, PMP, Grant Thornton Argentina, Argentina
Salomon Rico, CISA, CISM, CGEIT, Deloitte Mexico, Mexico
Eddy J. Schuermans, CGEIT, ESRAS bvba, Belgium
Paras K. Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
David Sheidlower, CISM, Health Quest, USA
Emil David Skrdla, CISA, CISM, CGEIT, CRISC, ITIL V3, PCI ISA, PCIP, The University of Oklahoma, USA
Gustavo A. Solís, Grupo Cynthus, S.A. de C.V., Mexico
Mark Stacey, CISA, FCA, BG Group, USA
Donald T. Steane, CIA, CMA, CPA, CRMA, DTS Consulting Services, Canada
Dirk Steuperaert, CISA, CGEIT, CRISC, ITIL, IT In Balance BVBA, Belgium
Louis C. Tinto, CISA, CRISC, CFE, CIA, Omnicom Media Group, USA
Alok Tuteja, CGEIT, CRISC, CIA, CISSP, Mazrui Holdings LLC, UAE
Orlando Tuzzolo, CISM, CGEIT, CRISC, World Pass IT Solutions, Brazil

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co. (retired), USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Guidance and Practices Committee
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Exp, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, CISSP, Deloitte, USA
James Seaman, CISM, CRISC, A. Inst. IISP, CCP, QSA, RandomStorm Ltd., UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CRISC, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CRISC, CISSP, Merck, Germany

Special recognition for financial support:
New Jersey Chapter

Table of Contents
List of Figures............................................................................................................................................................................7

Chapter 1. Introduction............................................................................................................................................................9
Background.............................................................................................................................................................................9
Purpose of This Publication..................................................................................................................................................10
Who Should Use This Guide?..............................................................................................................................................10
Scope and Approach.............................................................................................................................................................11
Prerequisite Knowledge........................................................................................................................................................11

Chapter 2. High-level Description of Risk Management Concepts...................................................................................13

Chapter 3. Risk Scenarios Explained....................................................................................................................................15

Risk Scenarios Defined........................................................................................................................................................15
Developing Risk Scenarios Workflow..................................................................................................................................16
Risk Factors...........................................................................................................................................................................16
IT Risk Scenario Structure....................................................................................................................................................19
Main Issues When Developing and Using Risk Scenarios..................................................................................................20
Characteristics of Good Scenarios........................................................................................................................................22

Chapter 4. Generic Risk Scenarios........................................................................................................................................23

Chapter 5. Using COBIT 5 Enablers to Mitigate IT Risk Scenarios................................................................................31

Risk Scenario Category 1: Portfolio Establishment and Maintenance...............................................................................32
Risk Scenario Category 2: Programme/Project Life Cycle Management..........................................................................34
Risk Scenario Category 3: IT Investment Decision Making..............................................................................................36
Risk Scenario Category 4: IT Expertise and Skills.............................................................................................................37
Risk Scenario Category 5: Staff Operations........................................................................................................................39
Risk Scenario Category 6: Information...............................................................................................................................41
Risk Scenario Category 7: Architecture..............................................................................................................................43
Risk Scenario Category 8: Infrastructure............................................................................................................................45
Risk Scenario Category 9: Software....................................................................................................................................47
Risk Scenario Category 10: Business Ownership of IT......................................................................................................49
Risk Scenario Category 11: Suppliers.................................................................................................................................51
Risk Scenario Category 12: Regulatory Compliance.........................................................................................................52
Risk Scenario Category 13: Geopolitical............................................................................................................................53
Risk Scenario Category 14: Infrastructure Theft or Destruction........................................................................................54
Risk Scenario Category 15: Malware..................................................................................................................................55
Risk Scenario Category 16: Logical Attacks.......................................................................................................................57
Risk Scenario Category 17: Industrial Action.....................................................................................................................59
Risk Scenario Category 18: Environmental........................................................................................................................60
Risk Scenario Category 19: Acts of Nature.........................................................................................................................61
Risk Scenario Category 20: Innovation...............................................................................................................................62

Chapter 6. Expressing and Describing Risk.........................................................................................................................65

Preparation of a Risk Scenario Analysis...............................................................................................................................65
Risk Analysis Methods—Quantitative vs. Qualitative.........................................................................................................67
Expressing Impact in Business Terms..................................................................................................................................68
Expressing Frequency...........................................................................................................................................................72
Risk Scenarios in Risk Response (Reduction).....................................................................................................................72

Chapter 7. Risk Scenario Analysis Examples.......................................................................................................................75

How to Read Risk Scenario Analysis...................................................................................................................................75
01 Portfolio Establishment and Maintenance ......................................................................................................................76
02 Programme/Projects Life Cycle Management................................................................................................................85
03 IT Investment Decision Making......................................................................................................................................97
04 IT Expertise and Skills...................................................................................................................................................107
05 Staff Operations.............................................................................................................................................................119
06 Information.....................................................................................................................................................................127
07 Architecture....................................................................................................................................................................137
08 Infrastructure..................................................................................................................................................................146
09 Software.........................................................................................................................................................................159
10 Business Ownership of IT.............................................................................................................................................170
11 Suppliers.........................................................................................................................................................................179
12 Regulatory Compliance.................................................................................................................................................189
13 Geopolitical....................................................................................................................................................................199
14 Infrastructure Theft or Destruction................................................................................................................................209
15 Malware..........................................................................................................................................................................219
16 Logical Attacks...............................................................................................................................................................229
17 Industrial Action.............................................................................................................................................................239
18 Environmental................................................................................................................................................................249
19 Acts of Nature................................................................................................................................................................253
20 Innovation.......................................................................................................................................................................263

Appendix 1. Risk Scenario Analysis Template...................................................................................................................273

Appendix 2. Glossary............................................................................................................................................................277

Appendix 3. Processes for Governance and Management of Enterprise IT...................................................................279

List of Figures

Figure 1—Risk Scenario Overview...........................................................................................................................................9

Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits.....................................................................10

Figure 3—Document Overview and Guidance on its Use......................................................................................................11

Figure 4—IT Risk Categories..................................................................................................................................................13

Figure 5—Risk Duality............................................................................................................................................................13

Figure 6—Two Perspectives on Risk.......................................................................................................................................14

Figure 7—Scope of COBIT 5 for Risk.....................................................................................................................................14

Figure 8—Risk Scenario Overview.........................................................................................................................................15

Figure 9—Risk Factors.............................................................................................................................................................17

Figure 10—Internal Risk Factor Considerations.....................................................................................................................18

Figure 11—Risk Scenarios Structure......................................................................................................................................20

Figure 12—Risk Scenario Technique Main Focus Areas........................................................................................................21

Figure 13—Characteristics of Good Risk Scenarios...............................................................................................................22

Figure 14—Example Risk Scenarios.......................................................................................................................................23

Figure 15—Enterprise Goals...................................................................................................................................................70

Figure 16—Probability Rating.................................................................................................................................................72

Figure 17—Risk Response Workflow......................................................................................................................................73

Figure 18—COBIT 5 Process Reference Model...................................................................................................................279

Chapter 1. Introduction

Background
Risk scenario analysis is an important component of enterprise risk management (ERM) (figure 1). This technique is
a powerful tool because it helps describe risk in terms that are easier for business leaders to understand. ISACA has
issued Risk Scenarios Using COBIT 5 for Risk to provide guidance to professionals who are responsible for helping their
enterprises manage their risk portfolios.

Figure 1—Risk Scenario Overview

[Diagram. The Risk Management Process (APO12) and all related enablers (Principles, Policies and Frameworks; Processes; Organisational Structures; Culture, Ethics and Behaviour; Information; Services, Infrastructure and Applications; People, Skills and Competencies) are shown alongside the practices APO12.01 Collect Data, APO12.02 Analyse Risk, APO12.03 Maintain a Risk Profile, APO12.04 Articulate Risk, APO12.05 Define a Risk Management Action Portfolio and APO12.06 Respond to Risk.
Top down: starting from Business Goals, identify business objectives and identify the scenarios with the highest impact on achievement of business objectives.
Bottom up: starting from Generic Risk Scenarios, identify hypothetical scenarios and reduce them through high-level analysis.
Both paths lead to Risk Scenarios, which are shaped by the Risk Factors: Internal Environmental Factors, External Environmental Factors, Risk Management Capabilities and IT-related Capabilities.]

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 34

Risk Scenarios Using COBIT 5 for Risk is a practical guide on how to use COBIT 5 for Risk to prepare IT-related risk scenarios
that can be used for risk analysis and assessment. It provides readers with potential scenarios to consider in their own
organizations. The scenarios are meant to be tailored: scenarios will need to be added, removed and amended to arrive at a
focused set of relevant scenarios that fit the organization’s specific risk, risk appetite and business needs.

Risk analysis is the process used to estimate the frequency and magnitude of IT-related risk scenarios. Risk assessment is the
process used to identify and evaluate risk, its potential effects and the probability of a particular event. Risk assessment is
slightly broader than risk analysis and includes its preliminary and ancillary activities, i.e., the identification of detailed
risk scenarios and the definition of responses such as mitigation plans and the description of existing controls. Together,
risk analysis and assessment are a core approach for bringing realism, insight, organizational engagement, improved analysis
and structure to the complex matter of IT risk. Risk scenarios are the tangible and assessable representation of risk, and are
one of the key information items needed to identify, analyze and respond to risk (COBIT 5 process APO12).

Purpose of This Publication
Risk Scenarios Using COBIT 5 for Risk focuses on the development of IT-related risk scenarios and should be read in the
context of COBIT 5 for Risk and the COBIT 5 framework. The publication provides a high-level overview of risk concepts,
along with 60 risk scenario examples covering all 20 categories described in COBIT 5 for Risk. An accompanying tool kit
is available on the ISACA web site and contains interactive risk scenario templates for each of the 20 categories.

The main purpose of Risk Scenarios Using COBIT 5 for Risk is to give guidance on the development of IT-related risk
scenarios. These scenarios are based on the determination of the value of an asset or a business process. The potential threats
and vulnerabilities that can lead to a loss event should be considered, as well as the potential benefits of more effective and
efficient achievement of business objectives and of protecting or increasing business value. The secondary purpose of this
publication is to provide guidance on how to respond to risk that exceeds the enterprise’s tolerance level. Special guidance is
given on how the COBIT 5 enablers can help in risk management activities.

Who Should Use This Guide?
The intended audience for Risk Scenarios Using COBIT 5 for Risk is extensive, and includes any person responsible for
helping the enterprise manage risk. Risk management professionals, in particular, can benefit from this publication and
the guidance it provides on developing risk scenario analysis to support ERM efforts. IT and business professionals, in general,
benefit from the concepts and practices described in this publication and can better understand the role they can play in the
ERM process.

The adoption of risk scenario analysis can help satisfy requirements from multiple stakeholders. Figure 2 describes the
potential stakeholder benefits that risk scenario analysis can provide.

Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits
Role/Function: Benefits of adopting Risk Scenarios Using COBIT 5 for Risk
• Board and executive management: Better understanding of the implications of IT risk to enterprise strategic objectives and how to better use IT for successful strategy execution
• Chief risk officer (CRO) and corporate risk managers for enterprise risk management (ERM): Assistance with managing IT risk, in line with generally accepted ERM principles, and incorporating IT risk into enterprise risk
• Operational risk managers: Linking their ERM framework to COBIT 5 for Risk; identification of operational losses or development of key risk indicators (KRIs)
• IT management: Better understanding of how to identify and manage IT risk and how to communicate IT risk to business decision makers
• IT service managers: Enhancement of their view of operational risk
• IT security: Positioning of security risk among other categories of IT risk
• Information security/chief information security officer (CISO): Positioning IT risk within the enterprise information risk management structure
• Chief financial officer (CFO): Gaining a better view of IT risk and its financial implications
• Business: Better understanding and management of IT risk in line with business objectives
• Internal auditors: Better analysis of risk in support of audit plans and reports
• Compliance: Advise the risk function with regards to compliance requirements and their potential impact on the enterprise
• General counsel: Advise the risk function on regulation-related risk and potential impact or legal implications on the enterprise
• Regulators: Support assessment of regulated enterprises’ IT risk management approach and the impact of risk on regulatory requirements
• External auditors: Additional guidance on exposure levels when establishing an opinion over the quality of internal control
• Insurers: Help establish adequate IT insurance coverage and obtain agreement on exposure levels
• IT contractors and subcontractors: Better alignment of utility and warranty of IT services provided; understanding of responsibilities arising from risk assessment

Scope and Approach
The practical guidance in this publication is specifically dedicated to the preparation of IT-related risk scenarios and risk
scenario analysis. Risk Scenarios Using COBIT 5 for Risk describes, at a high level, risk management concepts and the
different steps needed to prepare a complete risk scenario analysis. Figure 3 provides a brief description of each chapter
and appendix.

Figure 3—Document Overview and Guidance on its Use
Chapter: Description
• Chapter 1. Introduction: Presents an overview on who should use this guidance, the scope and approach, and provides prerequisite guidance
• Chapter 2. High-level Description of Risk Management Concepts: Describes at a high level the concepts of risk management on which this guidance is based
• Chapter 3. Risk Scenarios Explained: Gives a definition of risk scenarios; explains how a risk scenario workflow can be developed and how risk factors can be used in the context of risk scenarios; gives the characteristics of good scenarios
• Chapter 4. Generic Risk Scenarios: Contains example IT-related generic risk scenario categories and some practical advice on how to best use these examples
• Chapter 5. Using COBIT 5 Enablers to Mitigate IT Risk Scenarios: Provides examples that show how to use COBIT 5 enablers to respond to the risk scenario examples described in chapter 4
• Chapter 6. Expressing and Describing Risk: Describes the additional components necessary to prepare a comprehensive risk scenario analysis; describes processes that can be used to analyse risk impact and frequency; and describes possible risk response options
• Chapter 7. Detailed Example Risk Scenarios: Contains over 50 risk scenario analyses and describes the COBIT 5 enablers that can be used to respond in each particular scenario
• Appendix 1. Risk Scenario Analysis Template: Provides a comprehensive risk scenario analysis template
• Appendix 2. Glossary: Defines the key terms that are used throughout this guide
• Appendix 3. Processes for Governance and Management of Enterprise IT: Shows the 37 governance and management processes defined in COBIT 5 and their respective activities as defined in COBIT 5: Enabling Processes

Prerequisite Knowledge
Risk Scenarios Using COBIT 5 for Risk builds on COBIT 5 for Risk. The key concepts about the use of scenarios from
COBIT 5 for Risk are repeated in this guide, making it a fairly stand-alone guide, in essence not requiring any prerequisite
knowledge. However, an understanding of COBIT 5 for Risk will accelerate the comprehension of the contents of this
guide. In addition, some risk-relevant items that are described in detail in COBIT 5 for Risk are not repeated in Risk
Scenarios Using COBIT 5 for Risk and may require the use of other guides in the COBIT 5 product family.

For risk mitigation, Risk Scenarios Using COBIT 5 for Risk refers mainly to the COBIT 5 enablers and also to the process
reference model and COBIT 5 processes described therein. If readers wish to know more about COBIT 5 enablers, e.g.,
to implement or improve some of them as part of a risk response (mitigation), they are referred to the following COBIT 5
product family guides: the COBIT 5 framework, COBIT 5: Enabling Processes and COBIT 5: Enabling Information.

Chapter 2
High-level Description of Risk Management Concepts [1]
Risk is generally defined as the combination of the probability of an event and its consequence (ISO Guide 73).
Consequences are that enterprise objectives are not met. COBIT 5 for Risk defines IT risk as business risk, specifically,
the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an
enterprise. IT risk consists of IT-related events that could potentially impact the business. IT risk can occur with both
uncertain frequency and impact and creates challenges in meeting strategic goals and objectives.

Figure 4 shows that for every category of downside IT risk ('Fail to Gain' and 'Lose' business value) there is an equivalent
upside ('Gain' and 'Preserve' business value).

Figure 4—IT Risk Categories

Each category ranges from 'Fail to Gain' (downside) to 'Gain' (upside) and from 'Lose' (downside) to 'Preserve' (upside) business value. Examples per category:
• IT benefit/value enablement: technology enabler for new business initiatives; technology enabler for efficient operations
• IT programme and project delivery: project quality; project relevance; project overrun
• IT operations and service delivery: IT service interruptions; security problems; compliance issues

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 5

It is important to keep this upside/downside duality of risk in mind (see figure 5) during all risk-related decisions.

Figure 5—Risk Duality

Positive outcomes (value creation or preservation): Well governed and managed information and technology delivers business benefits and/or preserves value, e.g.:
• New IT-enabled business opportunities
• Enhanced business opportunities
• Sustainable competitive advantage

Negative outcomes (value destruction or fail to gain): Poorly governed and managed information and technology will destroy value or fail to deliver benefits, e.g.:
• Unrealised or reduced business value
• Missed IT-enabled business opportunities
• Adverse IT-related events destroying value

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 6

[1] Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.


COBIT 5 for Risk explains the following two perspectives on how to use COBIT 5 in a risk context (figure 6):
• Risk function perspective—Describes what is needed in an enterprise to build and sustain efficient and effective core
risk governance and management activities.
• Risk management perspective—Describes how the core risk management process of identifying, analysing, responding
to and reporting on risk can be assisted by the COBIT 5 enablers.

Figure 6—Two Perspectives on Risk

Risk function perspective: describes how to build and sustain a risk function in the enterprise by using the COBIT 5 enablers.

Risk management perspective: looks at core risk governance and risk management processes and at risk scenarios; describes how risk can be mitigated by using COBIT 5 enablers.

Both perspectives draw on the seven COBIT 5 enablers: Processes; Organisational Structures; Culture, Ethics and Behaviour; Principles, Policies and Frameworks; Information; Services, Infrastructure and Applications; People, Skills and Competencies.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 8

Figure 7 shows the scope of COBIT 5 for Risk and the relationship between risk scenarios and the risk management
perspective. Risk scenarios support this perspective by providing a link between the identified risk and the COBIT 5
enablers that can be used to mitigate it.

Figure 7—Scope of COBIT 5 for Risk

COBIT 5 for Risk covers two perspectives:
• Risk function perspective: the COBIT 5 enablers for the risk function (Processes; Organisational Structures; Culture, Ethics and Behaviour; Principles, Policies and Frameworks; Information; Services, Infrastructure and Applications; People, Skills and Competencies)
• Risk management perspective: the core risk processes and the risk scenarios, mapped to COBIT 5 enablers via the COBIT 5 framework and COBIT 5: Enabling Processes

Related external references: enterprise risk management standards (COSO ERM, ISO 31000, ISO/IEC 27005, others) and IT management frameworks (ITIL, ISO/IEC 20000, ISO/IEC 27001/2, others).

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 10

Chapter 3
Risk Scenarios Explained [2]
A key information item used in the COBIT 5 core risk management process APO12 is the risk scenario (figure 8).

Figure 8—Risk Scenario Overview

The risk management process (APO12), supported by all related enablers (Principles, Policies and Frameworks; Processes; Organisational Structures; Culture, Ethics and Behaviour; Information; Services, Infrastructure and Applications; People, Skills and Competencies):
• APO12.01 Collect data
• APO12.02 Analyse risk
• APO12.03 Maintain a risk profile
• APO12.04 Articulate risk
• APO12.05 Define a risk management action portfolio
• APO12.06 Respond to risk

Risk scenarios feed this process from two directions:
• Top down, starting from business goals: identify business objectives; identify scenarios with the highest impact on achievement of business objectives.
• Bottom up, starting from generic risk scenarios: identify hypothetical scenarios; reduce through high-level analysis.

Risk factors acting on the scenarios: internal environmental factors; external environmental factors; risk management capabilities; IT-related capabilities.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 34

Risk Scenarios Defined


A risk scenario is a description of a possible event that, when occurring, will have an uncertain impact on the achievement
of the enterprise’s objectives. The impact can be positive or negative.

The core risk management process requires that risk be identified, analysed and acted on. Well-developed risk
scenarios support these activities and make them realistic and relevant to the enterprise.

Figure 8 also shows that risk scenarios can be derived via two different mechanisms:
• A top-down approach, where one starts from the overall enterprise objectives and performs an analysis of the most
relevant and probable IT risk scenarios impacting the enterprise objectives. If the impact criteria used during risk
analysis are well aligned with the real value drivers of the enterprise, relevant risk scenarios will be developed.
• A bottom-up approach, where a list of generic scenarios is used to define a set of more relevant and customised
scenarios, applied to the individual enterprise situation.

The approaches are complementary and should be used together. Risk scenarios must be relevant and linked
to real business risk; at the same time, a set of example generic risk scenarios helps to identify risk, reduces the chance
of overlooking major or common risk scenarios and provides a comprehensive reference for IT risk. Whichever way the
scenarios are derived, the risk items and critical business requirements specific to each enterprise need to be reflected in
its risk scenarios.

Note: Do not over rely on the list of example generic risk scenarios. The list, although quite comprehensive, broad and
covering most potential risk items, needs to be adapted to the enterprise specific situation. It is not intended that, going
forward, all IT risk management will use the same set of pre-defined IT risk scenarios. Rather, it is encouraged that this list
be used as a basis for the development of specific, relevant scenarios.

[2] Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.


Developing Risk Scenarios Workflow


In practice, the following approach is suggested:
• Use the list of example generic risk scenarios (see figure 14 in chapter 4, Generic Risk Scenarios) to define a
manageable set of tailored risk scenarios for the enterprise. To determine a manageable set of scenarios a business
might begin by considering commonly occurring scenarios in its industry or product area, scenarios representing
threat sources that are increasing in number or severity, and scenarios that involve legal and regulatory requirements
applicable to the business. Another approach might be to identify high-risk business units and assess one or two
high-risk operating processes within each, including the IT components that enable that process. Also, some less
common situations should be included in the scenarios.
• Perform a validation against the business objectives of the entity. Do the selected risk scenarios address potential
impacts on achievement of business objectives of the entity, in support of the overall enterprise’s business objectives?
• Refine the selected scenarios based on this validation; detail them to a level in line with the criticality of the entity.
• Reduce the number of scenarios to a manageable set. ‘Manageable’ does not signify a fixed number, but should
be in line with the overall importance (size) and criticality of the unit. There is no general rule, but if scenarios are
reasonably and realistically scoped, the enterprise should expect to develop at least a few dozen scenarios.
• Keep all scenarios in a list so they can be re-evaluated in the next iteration and included for detailed analysis if they
have become relevant at that time.
• Include in the scenarios an unspecified event, e.g., an incident not covered by other scenarios.

Once the set of risk scenarios is defined, it can be used for risk analysis, where frequency and impact of the scenario are
assessed. Important components of this assessment are the risk factors.

The enterprise can also consider evaluating scenarios that have a chance of occurring simultaneously. This is frequently
referred to as ‘stress’ testing and actually entails combining multiple scenarios and understanding what the extra impact
would be of them occurring together.

Risk Factors
Risk factors are those conditions that influence the frequency and/or business impact of risk scenarios. They can be of
different natures and can be classified into two major categories:
• Contextual factors—Can be divided into internal and external factors, the difference being the degree of control an
enterprise has over them:
– Internal contextual factors—To a large extent, are under the control of the enterprise, although they may not always be
easy to change
– External contextual factors—To a large extent, are outside the control of the enterprise
• Capabilities—How effective and efficient the enterprise is in a number of IT-related activities. They can be
distinguished in line with the COBIT 5 framework:
– IT risk management capabilities—Indicate to what extent the enterprise is mature in performing the risk management
processes
– IT-related capabilities—Indicate the capability of the IT-related COBIT 5 enablers

The importance of risk factors lies in the influence they have on risk. They are heavy influencers on the frequency and
impact of IT scenarios and should be taken into account during every risk analysis.

Risk factors can also be interpreted as causal factors of the scenario that is materialising, or as vulnerabilities or
weaknesses. These are terms often used in other risk management frameworks.

Scenario analysis should not only be based on past experience and known current events, but should also look forward
to possible future circumstances. Future risk could be related to emerging technologies, new regulations, demographic
changes and new business initiatives.

Risk factors change over time; therefore, scenarios will also change. This change requires an enterprise to perform
continuous risk assessments and risk monitoring. Risk assessment that is based on the scenarios should be performed at
least on an annual basis, and when an important change in internal or external risk factors occurs.

Figure 9 depicts risk factors, which are discussed in more detail in the following paragraphs.


Figure 9—Risk Factors

External context: market and economic factors; rate of change in the market/product life cycle; industry and competition; geopolitical situation; regulatory environment; technology status and evolution; threat landscape

Internal context: enterprise goals and objectives; strategic importance of IT for the business; complexity of IT; complexity of the entity and degree of change; change management capability; operating model; strategic priorities; culture of the enterprise; financial capacity

Risk management capabilities: risk governance; risk management

IT-related capabilities: evaluate, direct and monitor (EDM); align, plan and organise (APO); build, acquire and implement (BAI); deliver, service and support (DSS); monitor, evaluate and assess (MEA)

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 35

External Context
Contextual IT risk factors, i.e., those circumstances that can increase the frequency or impact of an event and which are not
always directly controllable by the enterprise, include:
• Market/economic factors—The industry sector in which the enterprise operates, e.g., operating in the financial sector
imposes different IT requirements and IT capabilities than operating in a manufacturing environment. Other economic
factors can be included as well, e.g., nationalisation, mergers and acquisitions, consolidations.
• Rate of change in the market in which the enterprise operates—Are business models changing fundamentally? Is the
product or service at an important point in its life cycle, e.g., end of life?
• Competitive environment—Market, industry or region in which the enterprise operates
• Geopolitical situation—Is the geographic location subject to frequent natural disasters? Does the local political and
overall economic context represent an additional risk?
• Regulatory environment—Is the enterprise subject to new or stricter IT-related regulations or regulations
impacting IT? Are there any other compliance requirements beyond regulation, e.g., industry-specific, contractual?
• Technology status and evolution—Is the enterprise using state-of-the-art technology and, more important, how fast
are relevant technologies evolving?
• Threat landscape—How are relevant threats evolving in terms of frequency of occurrence and level of capability?

Risk factors in the external context are outside of an enterprise’s control. Therefore, the enterprise is limited in the direct
actions that it can take to manage such risk. However, the enterprise can deal with the risk by developing strategies
to prevent exposures, avoid risk and respond to an incident efficiently and effectively when the risk materialises, e.g.,
building dikes to prevent flooding, moving to an area not subject to flooding, and procuring insurance can all be used to
contend with natural disasters such as floods.


Internal Context
Internal risk factors include:
• Enterprise goals and objectives—What are the needs of the stakeholders and how could these be impacted by risk?
• Strategic importance of IT in the enterprise—Is IT a strategic differentiator, a functional enabler or a supporting function?
• Complexity of IT—Is IT highly complex (e.g., complex architecture, recent mergers) or is IT simple, standardised
and streamlined?
• Complexity of the enterprise (including geographic spread and value chain coverage, e.g., in a manufacturing
environment)—Does the enterprise manufacture and distribute parts, and/or is it also doing assembly activities?
• Degree of change—What degree of change is the enterprise experiencing?
• Change management capability—To what extent is the enterprise capable of organisational change?
• The risk management philosophy—What is the risk philosophy of the enterprise (risk averse or risk taking) and, linked
with that, the values of the enterprise?
• Operating model—The degree to which the enterprise operates independently or is connected to its clients/suppliers, the
degree of centralisation/decentralisation
• Strategic priorities—What are the strategic priorities of the enterprise?
• Culture of the enterprise—Does the existing culture of the enterprise require changing to be able to effectively embrace
risk management?
• Financial capacity—The capacity of the enterprise to provide financial support to enhance and maintain the IT
environment while optimising risk

When considering the internal risk factors during the development and/or refinement of the scenarios the following
considerations should be taken into account (figure 10):

Figure 10—Internal Risk Factor Considerations

Importance of Integrity and Ethics of Enterprise Management: An enterprise's strategy and objectives, and the way they are implemented, are based on preferences, value judgments and management styles. Management's integrity and commitment to ethical values influence these preferences and judgments, which are translated into standards of behavior.
Because an enterprise's good reputation is so valuable, the standards of behavior must go beyond mere compliance with the law. Management values must balance the concerns of the enterprise, employees, suppliers, customers, competitors and the public. Managers of well-run enterprises increasingly have accepted the view that good ethics pay off, and that ethical behavior is good for the business.
An enterprise that operates with a high degree of ethics may have a lower incidence of risk related to fraud or misappropriation. Integrity and ethical values are essential elements of an enterprise's internal environment and affect the design, administration and monitoring of other enterprise risk management (ERM) components.

Role of Enterprise Management in Determining Enterprise Culture: Top management—starting with the chief executive officer (CEO)—plays a key role in determining the corporate culture or, as some say, the "Tone at the Top." As the dominant personality in an enterprise, the CEO often sets the ethical tone. Certain organizational factors also can influence the likelihood of fraudulent and creative accounting. Those same factors are likely to influence ethical behavior. Individuals may engage in dishonest, illegal or unethical acts simply because the enterprise gives them strong incentives or temptations to do so. Undue emphasis on results, particularly in the short term, can foster an inappropriate internal environment.

Management Determination of Competency Levels: Competence reflects the knowledge and skills needed to perform assigned tasks. Management decides how much to invest in making sure that tasks are executed properly using skilled resources, equipment and defined processes.
This requires weighing the enterprise's strategy and objectives against plans for their implementation and achievement. A trade-off often exists between competence and cost. The risk of failure is higher with untrained staff, poorly maintained or old equipment, or undefined procedures.

Board of Directors Role in the Internal Environment: An enterprise's board of directors is a critical part of the internal environment and significantly influences its elements. The board's role in risk governance through independent oversight of management, scrutiny of activities, and appropriateness of the enterprise's risk appetite and strategy all play a role.
An active and involved board of directors should possess an appropriate degree of management, financial, technical and other expertise, coupled with the mind-set necessary to perform its oversight responsibilities. This is critical to an effective ERM environment as the board must be prepared to question and scrutinize management's activities, present alternative views, and act in the face of wrongdoing.

Impact of Enterprise Organizational Structure: An enterprise's organizational structure provides the framework to plan, execute, control and monitor its activities. Whatever the structure, an enterprise should be organized to enable effective ERM and to carry out its activities to achieve its objectives.

Assignment of Authority and Responsibility: Assignment of authority and responsibility involves the degree to which individuals and teams are authorized (and limited by their authority) and encouraged to use initiative to address issues and solve problems. This also includes the development and enforcement of policies for appropriate business practices, the knowledge of key personnel and the resources provided for carrying out duties.

Impact of Delegation: Along with better, market-driven decisions, delegation may increase the number of undesirable or unanticipated decisions. The internal environment is greatly influenced by the extent to which individuals recognize that they will be held accountable. This holds true all the way to the chief executive, who, with board oversight, has ultimate responsibility for all activities within an enterprise.

Impact of Human Resource (HR) Practices: HR practices pertaining to hiring, orientation, training, evaluating, counseling, promoting, compensating and taking remedial actions should send messages to employees regarding expected levels of integrity, ethical behavior and competence.
Adapted from: ISACA, CRISCTM Review Manual 2014, USA, 2012, pp. 39-41.

Risk Management Capability


Risk management capability is an indication of how well the enterprise is executing the core risk management processes
and the related enablers. This can be measured by using a risk scorecard. The better performing the enablers are, the more
capable the risk management programme is.

This factor is correlated with the capability of the enterprise to recognise and detect risk and adverse events; therefore, it
should not be neglected.

Risk management capability is a very significant element in the frequency and impact of risk events in an enterprise
because it is responsible for management’s risk decisions (or lack thereof), as well as for the presence, absence and/or
effectiveness of controls that exist within an enterprise.

IT-related Capability
IT-related capabilities are associated with the capability level of IT processes and all other enablers. The generic enabler
model in COBIT 5 contains an enabler performance model supporting capability assessments. A high maturity with regard
to the different enablers is equivalent to high IT-related capabilities, which can have a positive influence on:
• Reducing the frequency of events, e.g., having good software development processes in place to deliver high-quality
and stable software, or having good security measures in place to reduce the number of security-related incidents
• Reducing the business impact when events happen, e.g., having a good business continuity plan (BCP)/disaster
recovery plan (DRP) in place when disaster strikes

IT Risk Scenario Structure


An IT risk scenario is a description of an IT-related event that can lead to a business impact, when and if it should occur.
For risk scenarios to be complete and usable for risk analysis purposes, they should contain the following components, as
shown in figure 11:
• Actor—Who generates the threat that exploits a vulnerability? Actors can be internal or external and they can be
human or non-human:
– Internal actors are within the enterprise, e.g., staff, contractors.
– External actors include outsiders, competitors, regulators and the market.
Not every type of threat requires an actor, e.g., failures or natural causes.
• Threat type (the nature of the event)—Is it malicious? If not, is it accidental or is it a failure of a well-defined
process? Is it a natural event?
• Event—Is it disclosure of confidential information, interruption of a system or of a project, theft or destruction?
Events also include ineffective design of systems, processes, etc., inappropriate use, changes in rules and regulations
that will materially impact a system, or ineffective execution of processes, e.g., change management procedures,
acquisition procedures, project prioritisation processes.
• Asset/resource—On which the scenario acts. An asset is any item of value to the enterprise that can be affected by the
event and lead to business impact. A resource is anything that helps to achieve IT goals. Assets and resources can be
identical, e.g., IT hardware is an important resource because all IT applications use it, and at the same time, it is an
asset because it has a certain value to the enterprise. Assets/resources include:
– People and skills
– Organisational structures
– IT processes, e.g., modelled as COBIT 5 processes, or business processes


– Physical infrastructure, facilities, equipment, etc.
– IT infrastructure, including computing hardware, network infrastructure, middleware
– Other enterprise architecture (EA) components, including information, applications

Assets can be critical or not, e.g., a client-facing web site of a major bank compared to the web site of the local garage
or the intranet of the software development group. Critical resources will probably attract a greater number of attacks or
greater attention on failure; therefore, the frequency of related scenarios will probably be higher. It takes skill, experience
and thorough understanding of dependencies to understand the difference between a critical asset and a non-critical asset.
• Time—Dimension, where the following could be described, if relevant to the scenario:
– The duration of the event, e.g., extended outage of a service or data centre
– The timing (Does the event occur at a critical moment?)
– Detection (Is detection immediate or not?)
– Time lag between the event and consequence (Is there an immediate consequence, e.g., network failure, immediate
downtime, or a delayed consequence, e.g., wrong IT architecture with accumulated high costs over a time span of
several years?)

It is important to stay aware of the differences between loss events, threat events and vulnerability events. When a risk
scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (threat type plus event in
figure 11). The frequency of the threat event leading to a loss event is influenced by the risk factors or vulnerability.
Vulnerability is usually a state and can be increased/decreased by vulnerability events, e.g., the weakening of controls or
by the threat strength. One should not mix these three types of events into one big ‘risk list’.

Figure 11—Risk Scenarios Structure

A risk scenario combines the following components:
• Actor: internal (staff, contractor); external (competitor, outsider, business partner, regulator, market)
• Threat type: malicious; accidental; error; failure; nature; external requirement
• Event: disclosure; interruption; modification; theft; destruction; ineffective design; ineffective execution; rules and regulations; inappropriate use
• Asset/resource: people and skills; organisational structures; process; infrastructure (facilities); IT infrastructure; information; applications
• Time: duration; timing of occurrence (critical or non-critical); detection; time lag

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 36

Chapter 4 Generic Risk Scenarios and chapter 7 Detailed Example Risk Scenarios contain IT risk scenarios that are built
in line with the model described in the previous paragraphs. The sets of scenarios contain examples of negative outcomes,
but also examples where a risk, when managed well, can lead to a positive outcome.

Main Issues When Developing and Using Risk Scenarios


The use of scenarios is key to risk management, and the technique is applicable to any enterprise. Each enterprise needs to
build a set of scenarios (containing the components described previously) as a starting point to conduct its risk analysis.

Building a complete set of scenarios means—in theory—that each possible value of every component should be
combined. Each combination should then be assessed for relevance and realism and, if found to be relevant, entered into
the risk register. In practice, this is not possible; very quickly, an unfeasible number of different risk scenarios can be
generated. The number of scenarios to be developed and analysed should be kept to a relatively small number in order to
remain manageable.
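The combinatorial problem above, and the pruning workflow from the section Developing Risk Scenarios Workflow (seed from generic combinations, validate, reduce to a manageable set, keep everything on a list for the next iteration, add an unspecified event), can be made concrete in a few lines of code. The following Python is an added illustration and is not code from the ISACA guide. The component value lists are those of figure 11; the plausibility rules in is_consistent, the critical-asset and rising-threat inputs, and the retain/park labelling are assumptions made for this example only.

```python
"""Enumerate IT risk scenarios from the figure 11 components and prune them.

Added illustration, not part of the COBIT 5 for Risk guide.  The component value
lists come from figure 11; the consistency rules, the constructed inputs and the
retain/park labelling are assumptions for this example.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List, Optional, Set

# Component values from figure 11.  None stands for "no actor" (failures, nature).
ACTORS: List[Optional[str]] = ["internal", "external", None]
THREAT_TYPES = ["malicious", "accidental", "error", "failure", "nature",
                "external requirement"]
EVENTS = ["disclosure", "interruption", "modification", "theft", "destruction",
          "ineffective design", "ineffective execution", "rules and regulations",
          "inappropriate use"]
ASSETS = ["people and skills", "organisational structures", "process",
          "infrastructure (facilities)", "IT infrastructure", "information",
          "applications"]

# Assumed groupings used by the plausibility rules below.
HUMAN_THREATS = {"malicious", "accidental", "error"}
NON_HUMAN_THREATS = {"failure", "nature"}
PHYSICAL_ASSETS = {"people and skills", "infrastructure (facilities)",
                   "IT infrastructure"}


@dataclass(frozen=True)
class RiskScenario:
    actor: Optional[str]
    threat_type: str
    event: str
    asset: str


def all_combinations() -> List[RiskScenario]:
    """Every combination of the four components: the 'in theory' complete set."""
    return [RiskScenario(a, t, e, s)
            for a, t, e, s in product(ACTORS, THREAT_TYPES, EVENTS, ASSETS)]


def is_consistent(s: RiskScenario) -> bool:
    """Assumed plausibility rules that discard combinations which cannot occur."""
    if s.threat_type in HUMAN_THREATS and s.actor is None:
        return False  # a deliberate act or a mistake needs someone to make it
    if s.threat_type in NON_HUMAN_THREATS and s.actor is not None:
        return False  # failures and natural events have no actor (guide, figure 11)
    if s.threat_type == "external requirement" and s.actor != "external":
        return False  # new requirements come from regulators, partners, the market
    if (s.event == "rules and regulations") != (s.threat_type == "external requirement"):
        return False  # regulatory change is the only event of that threat type
    if s.event == "theft" and s.threat_type != "malicious":
        return False  # theft is deliberate by definition
    if s.threat_type == "nature" and (s.event not in {"interruption", "destruction"}
                                      or s.asset not in PHYSICAL_ASSETS):
        return False  # storms and floods interrupt or destroy physical things
    return True


# Catch-all scenario the workflow asks for: an incident not covered by any other.
UNSPECIFIED = RiskScenario(None, "unspecified", "unspecified event", "any")


def tailor(candidates: Iterable[RiskScenario], critical_assets: Set[str],
           rising_threats: Set[str]) -> Set[RiskScenario]:
    """Retain scenarios on critical assets or from threat sources rising in severity."""
    return {s for s in candidates
            if s.asset in critical_assets or s.threat_type in rising_threats}


def build_register(candidates: Iterable[RiskScenario],
                   retained: Set[RiskScenario]) -> Dict[RiskScenario, str]:
    """Keep every candidate on the list; parked ones are re-evaluated next iteration."""
    register = {s: ("retained" if s in retained else "parked") for s in candidates}
    register[UNSPECIFIED] = "retained"
    return register


def summarise(critical_assets: Set[str], rising_threats: Set[str]) -> Dict[str, int]:
    """Run the pruning workflow and report how many scenarios survive each step."""
    everything = all_combinations()
    candidates = [s for s in everything if is_consistent(s)]
    register = build_register(candidates,
                              tailor(candidates, critical_assets, rising_threats))
    return {
        "theoretical": len(everything),
        "consistent": len(candidates),
        "retained": sum(1 for v in register.values() if v == "retained"),
        "parked": sum(1 for v in register.values() if v == "parked"),
    }


if __name__ == "__main__":
    # Constructed inputs: an entity that treats its data and applications as
    # critical and sees malicious activity rising.
    print(summarise({"information", "applications"}, {"malicious"}))
```

Even with only four of the five components and no time dimension, the full product yields 1,134 candidates; the plausibility rules cut that to 370, and the tailoring step to under 200 plus the catch-all. A real entity would then refine those further against its business objectives, which is the validation step the workflow places between seeding and reduction.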

Risk Scenarios Explained

Figure 12 shows some of the main areas of focus/issues to address when using the risk scenario technique.

Figure 12—Risk Scenario Technique Main Focus Areas

Focus/Issue: Maintain currency of risk scenarios and risk factors.
Summary Guidance: Risk factors and the enterprise change over time; hence, scenarios will change over time, over the course of a project or over the evolution of technology. For example, it is essential that the risk function develop a review schedule and that the CIO work with the business lines to review and update scenarios for relevance and importance. The frequency of this exercise depends on the overall risk profile of the enterprise; it should be done at least annually, or when important changes occur.

Focus/Issue: Use generic risk scenarios as a starting point and build more detail where and when required.
Summary Guidance: One technique for keeping the number of scenarios manageable is to propagate a standard set of generic scenarios through the enterprise and to develop more detailed and relevant scenarios only at lower (entity) levels, when required and warranted by the risk profile. The assumptions made when grouping or generalising should be well understood by all and adequately documented, because they may hide certain scenarios or be confusing when looking at risk response. For example, if ‘insider threat’ is not well defined within a scenario, it may not be clear whether this threat includes privileged and non-privileged insiders. The difference can be critical when one is trying to understand the frequency and impact of events, as well as mitigation opportunities.

Focus/Issue: Number of scenarios should be representative and reflect business reality and complexity.
Summary Guidance: Risk management helps to deal with the enormous complexity of today’s IT environments by prioritising potential action according to its value in reducing risk. Risk management is about reducing complexity, not generating it; hence, another plea for working with a manageable number of risk scenarios. However, the retained number of scenarios still needs to accurately reflect business reality and complexity.

Focus/Issue: Risk taxonomy should reflect business reality and complexity.
Summary Guidance: There should be a sufficient number of risk scenario scales reflecting the complexity of the enterprise and the extent of the exposures to which the enterprise is subject. Potential scales might be a ‘low, medium, high’ ranking or a numeric scale that scores risk importance from 0 to 5. Scales should be aligned throughout the enterprise to ensure consistent scoring.

Focus/Issue: Use generic risk scenario structure to simplify risk reporting.
Summary Guidance: Similarly, for risk reporting purposes, entities should not report on all specific and detailed scenarios, but could do so by using the generic risk structure. For example, an entity may have taken generic scenario 15 (project quality), translated it into five scenarios for its major projects, conducted a risk analysis for each of the scenarios, then aggregated or summarised the results and reported back using the generic scenario header ‘project quality’.

Focus/Issue: Ensure adequate people and skills requirements for developing relevant risk scenarios.
Summary Guidance: Developing a manageable and relevant set of risk scenarios requires:
• Expertise and experience, to not overlook relevant scenarios and not be drawn into highly unrealistic³ or irrelevant scenarios. While the avoidance of scenarios that are unrealistic or irrelevant is important in properly utilising limited resources, some attention should be paid to situations that are highly infrequent and unpredictable, but which could have a cataclysmic impact on the enterprise.
• A thorough understanding of the environment. This includes the IT environment (e.g., infrastructure, applications, dependencies between applications and infrastructure components), the overall business environment, and an understanding of how and which IT environments support the business environment, in order to understand the business impact.
• The intervention and common views of all parties involved: senior management, which has the decision power; business management, which has the best view on business impact; IT, which has the understanding of what can go wrong with IT; and risk management, which can moderate and structure the debate amongst the other parties.
• A brainstorming/workshop approach, from which the process of developing scenarios usually benefits, including a high-level assessment to reduce the number of scenarios to a manageable, but relevant and representative, number.

Focus/Issue: Use the risk scenario building process to obtain buy-in.
Summary Guidance: Scenario analysis is not just an analytical exercise involving ‘risk analysts’. A significant additional benefit of scenario analysis is achieving organisational buy-in from enterprise entities and business lines, risk management, IT, finance, compliance and other parties. Gaining this buy-in is the reason why scenario analysis should be a carefully facilitated process.

Focus/Issue: Involve first line of defence in the scenario building process.
Summary Guidance: In addition to co-ordinating with management, it is recommended that selected members of the staff who are familiar with the detailed operations be included in discussions, where appropriate. Staff whose daily work is in the detailed operations are often more familiar with vulnerabilities in technology and processes that can be exploited.

Focus/Issue: Do not focus only on rare and extreme scenarios.
Summary Guidance: When developing scenarios, one should not focus only on worst-case events, because they rarely materialise, whereas less-severe incidents happen more often.

Focus/Issue: Deduce complex scenarios from simple scenarios by showing impact and dependencies.
Summary Guidance: Simple scenarios, once developed, should be further fine-tuned into more complex scenarios, showing cascading and/or coincidental impacts and reflecting dependencies. For example:
• A scenario of a major hardware failure can be combined with the scenario of a failed disaster recovery plan (DRP).
• A scenario of a major software failure can trigger database corruption and, in combination with poor data management backups, can lead to serious consequences, or at least consequences of a different magnitude than a software failure alone.
• A scenario of a major external event can lead to a scenario of internal apathy.

Focus/Issue: Consider systemic and contagious risk.
Summary Guidance: Attention should be paid to systemic and/or contagious risk scenarios:
• Systemic—Something happens with an important business partner, affecting a large group of enterprises within an area or industry. An example would be a nationwide air traffic control system that goes down for an extended period of time, e.g., six hours, affecting air traffic on a very large scale.
• Contagious—Events that happen at several of the enterprise’s business partners within a very short time frame. An example would be a clearinghouse that can be fully prepared for any sort of emergency by having very sophisticated disaster recovery measures in place, but when a catastrophe happens, finds that no transactions are sent by its providers and hence is temporarily out of business.

Focus/Issue: Use scenario building to increase awareness for risk detection.
Summary Guidance: Scenario development also helps to address the issue of detectability, moving away from a situation where an enterprise ‘does not know what it does not know’. The collaborative approach to scenario development assists in identifying risk to which the enterprise, until then, had not realised it was subject (and hence would never have thought of putting any countermeasures in place). After the full set of risk items is identified during scenario generation, risk analysis assesses the frequency and impact of the scenarios. Questions to be asked include:
• Will the enterprise ever detect that the risk scenario has materialised?
• Will the enterprise notice that something has gone wrong so it can react appropriately?
Generating scenarios and creatively thinking of what can go wrong will automatically raise, and hopefully cause a response to, the question of detectability. Detectability of scenarios includes two steps: visibility and recognition. The enterprise must be in a position to observe anything going wrong, and it needs the capability to recognise an observed event as something wrong.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 37

³ ‘Unrealistic’ is not a fixed or static notion. What used to be unthinkable, mainly because it never happened or because it happened too long ago, becomes realistic as soon as it occurs again. A striking example is the 11 September 2001 terrorist attacks in the US. It is human nature for things that have not yet happened, even when they are theoretically possible, to be estimated as not possible or extremely unlikely. Only when they occur will they be taken seriously in risk assessments. This may be regarded as lack of foresight or lack of due care, but it is actually the essence of risk management: trying to shape and contain the future based on past experience and future predictions.
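Two of the points above are easier to see in working form than in prose: why combining every component value is infeasible, and how entity-level scenarios derived from a generic scenario are scored on one shared scale and rolled back up under the generic header for reporting (the ‘generic scenario 15, project quality, translated into five project scenarios’ example). The following Python sketch is an added illustration and is not part of COBIT 5 for Risk or of ISACA’s guidance. The component values, the 0 to 5 scale thresholds, the unit of frequency and impact, and the roll-up rule (annual expected loss = frequency × impact, summed per generic header, with the worst single impact kept alongside) are assumptions made for the example.

```python
"""Risk register sketch: scenario component space, one enterprise-wide scale,
and roll-up of entity-level scenarios under their generic header.

Added illustration; not taken from COBIT 5 for Risk. The component values, the
scale thresholds, the monetary unit and the roll-up rule are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product

# Assumed component values; a scenario picks one value per component.
COMPONENTS = {
    "actor": ["internal staff", "privileged insider", "external attacker",
              "business partner", "regulator"],
    "threat_type": ["malicious", "accidental", "failure", "natural"],
    "event": ["disclosure", "interruption", "modification", "theft",
              "destruction", "ineffective design"],
    "asset": ["people and skills", "process", "infrastructure",
              "application", "information"],
    "timing": ["critical", "non-critical"],
}


def combination_space(components):
    """Number of scenarios obtained by combining every value of every component."""
    return sum(1 for _ in product(*components.values()))


@dataclass(frozen=True)
class Scenario:
    generic_ref: str    # header of the generic scenario, e.g. "15"
    generic_title: str  # e.g. "project quality"
    detail: str         # entity-level specialisation of the generic scenario
    frequency: float    # assumed unit: expected occurrences per year
    impact: float       # assumed unit: loss per occurrence, one currency enterprise-wide

    def expected_loss(self):
        return self.frequency * self.impact


# One 0-5 importance scale shared by every entity (assumed thresholds on
# annual expected loss), so that entity scores can be compared and aggregated.
SCALE = [(0, 0), (10_000, 1), (100_000, 2), (1_000_000, 3),
         (10_000_000, 4), (100_000_000, 5)]


def rate(expected_loss):
    """Map an annual expected loss onto the shared 0-5 scale."""
    score = 0
    for threshold, level in SCALE:
        if expected_loss >= threshold:
            score = level
    return score


def roll_up(register):
    """Aggregate detailed scenarios per generic header for reporting.

    Assumed rule: expected losses add up; the worst single impact is kept so
    that the aggregate does not hide a rare but severe detailed scenario.
    """
    totals = defaultdict(lambda: {"scenarios": 0, "expected_loss": 0.0,
                                  "worst_impact": 0.0})
    for s in register:
        t = totals[(s.generic_ref, s.generic_title)]
        t["scenarios"] += 1
        t["expected_loss"] += s.expected_loss()
        t["worst_impact"] = max(t["worst_impact"], s.impact)
    for t in totals.values():
        t["score"] = rate(t["expected_loss"])
    return dict(totals)


# Constructed sample register: generic scenario 15 translated into five
# project-level scenarios, plus one scenario under another generic header.
SAMPLE_REGISTER = [
    Scenario("15", "project quality", "ERP upgrade", 0.5, 200_000),
    Scenario("15", "project quality", "CRM migration", 2.0, 50_000),
    Scenario("15", "project quality", "payments platform", 0.25, 600_000),
    Scenario("15", "project quality", "HR portal", 1.0, 20_000),
    Scenario("15", "project quality", "data warehouse", 0.5, 160_000),
    Scenario("05", "staff operations", "stale access rights abused", 0.05, 300_000),
]


def report(register):
    """Lines an entity reports upward: one per generic header, not per detail."""
    lines = []
    for (ref, title), t in sorted(roll_up(register).items()):
        lines.append(f"{ref} {title}: {t['scenarios']} scenarios, "
                     f"expected loss {t['expected_loss']:,.0f}, "
                     f"worst impact {t['worst_impact']:,.0f}, score {t['score']}")
    return lines


if __name__ == "__main__":
    print("full combination space:", combination_space(COMPONENTS))
    for line in report(SAMPLE_REGISTER):
        print(line)
```

With the assumed values, the five-component space already yields 1,200 candidate scenarios before any filtering, which is the point of starting from a generic set instead. The roll-up reports one line per generic header; keeping the worst single impact next to the summed expected loss is the design choice that stops a rare, high-impact project scenario from disappearing inside an otherwise ‘medium’ aggregate.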

Characteristics of Good Scenarios


Risk scenarios must be realistic, unbiased and reliable to provide assurance that management is making decisions based
on quality information. The benefits of using risk scenarios as part of ERM are significant, and risk professionals should
become proficient in the preparation of this important information item to help management identify, analyze and respond
to risk.

Scenarios should have the following characteristics (figure 13):

• Relevance—Scenarios should provide meaningful information to support decisions. Generic (market or industry)
scenarios must be customized to reflect factors that are relevant to the enterprise.
• Consistency—Each scenario must be compelling by itself. Adequate management response depends on the credibility and
completeness of the scenarios used to make decisions.
• Plausibility—Scenarios must be believable and realistic.
• Likelihood—Scenarios must, to a certain extent, be likely to occur.
• Timely—Scenarios must be prepared using the most current data to reflect the enterprise environment.

Figure 13—Characteristics of Good Risk Scenarios

Characteristic: Relevance for decision
Explanation: Scenarios should deliver meaningful information to support decisions. Generic (market or industry) scenarios are usually not adequate enough and need to be augmented.

Characteristic: Consistency
Explanation: Each scenario has to be compelling by itself. If it is not, the credibility of a scenario can be negatively affected.

Characteristic: Plausibility
Explanation: Scenarios need to be realistic. They must meet principal requirements of basic feasibility.

Characteristic: Likelihood
Explanation: Each scenario should, to a certain extent, be likely to occur.

Characteristic: Timely
Explanation: Scenarios must reflect current events and circumstances.

Chapter 4
Generic Risk Scenarios⁴
An IT risk scenario is a description of an IT-related event that can lead to a loss event that has a business impact, when
and if it should occur. The generic scenarios serve, after customization, as input to risk analysis activities, where the
ultimate business impact (among others) needs to be established. This chapter contains a set of generic IT risk scenarios
(figure 14), built in line with the model described in the previous sections of this guide. The set of generic scenarios
contains both negative and positive example scenarios.

A word of warning: The table with generic scenarios does not replace the creative and reflective phase that every
scenario-creating exercise should contain. In other words, it is not recommended that an enterprise blindly use this list
and assume that no other risk scenarios are possible, or assume that every scenario contained in the list is applicable to the
enterprise. Intelligence and experience are needed to derive a relevant and customized list of scenarios starting from this
generic list.

The generic risk scenarios in figure 14 include the following information:


• Risk scenario category—High-level description of the category of scenario (e.g., IT project selection). In total, there
are 20 categories.
• Risk type—The type to which scenarios derived from this generic scenario will fit, using the three risk types
explained earlier:
– IT benefit/value enablement risk—Associated with (missed) opportunities to use technology to improve the efficiency
or effectiveness of business processes or as an enabler for new business initiatives
– IT programme and project delivery risk—Associated with the contribution of IT to new or improved business
solutions, usually in the form of projects and programs
– IT operations and service delivery risk—Associated with the operational stability, availability, protection and
recoverability of IT services, which can bring destruction or reduction of value to the enterprise
• Risk scenario outcome—Positive outcomes are scenarios that can result in value creation or preservation. Negative
outcomes are scenarios that can result in value destruction or failure to gain.

A ‘P’ indicates a primary (higher degree) fit and an ‘S’ represents a secondary (lower degree) fit. Blank cells indicate that
the risk category is not relevant for the risk scenario at hand.
• Example scenarios—For each scenario category, one or several small examples are given of scenarios with a negative
outcome, indicating whether it is more of a value destruction or a failure to gain, and/or positive outcome, indicating
value gain. In total, 111 risk scenario examples are included with possible negative and/or positive outcomes.

Figure 14—Example Risk Scenarios

Columns: Ref. | Risk Scenario Category | Risk Type | Negative Example Scenarios | Positive Example Scenarios
Risk type codes are listed in the column order IT Benefit/Value Enablement, IT Programme and Project Delivery, IT Operations and Service Delivery (P = primary fit, S = secondary fit). A row with fewer than three codes has one or more blank columns, i.e., risk types that are not relevant to that scenario.

0101  Portfolio establishment and maintenance  [P P S]
      Negative: Wrong programmes are selected for implementation and are misaligned with corporate strategy and priorities.
      Positive: Programmes lead to successful new business initiatives selected for execution.
0102  [P P S]
      Negative: There is duplication between initiatives.
      Positive: Aligned initiatives have streamlined interfaces.
0103  [P P S]
      Negative: A new important programme creates long-term incompatibility with the enterprise architecture.
      Positive: New programmes are assessed for compatibility with existing architecture.
0104  [P P S]
      Negative: Competing resources are allocated and managed inefficiently and are misaligned to business priorities.

⁴ Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.
Figure 14—Example Risk Scenarios (cont.)
Risk type codes, in column order: IT Benefit/Value Enablement, IT Programme and Project Delivery, IT Operations and Service Delivery (P = primary fit, S = secondary fit)

0201  Programme/projects life cycle management (programme/projects initiation, economics, delivery, quality and termination)  [P P S]
      Negative: Failing (due to cost, delays, scope creep, changed business priorities) projects are not terminated.
      Positive: Failing or irrelevant projects are stopped on a timely basis.
0202  [S P S]
      Negative: There is an IT project budget overrun.
      Positive: The IT project is completed within agreed-on budgets.
0203  [S P]
      Negative: There is occasional late IT project delivery by an internal development department.
      Positive: Project delivery is on time.
0204  [P P S]
      Negative: Routinely, there are important delays in IT project delivery.
      Positive: The project critical path is managed accordingly and delivery is on time.
0205  [P P S]
      Negative: There are excessive delays in outsourced IT development projects.
      Positive: Communication with third parties ensures timely delivery within agreed-on scope and quality.
0206  [P P]
      Negative: Programmes/projects fail due to not obtaining the active involvement of all stakeholders (including the sponsor) throughout the programme/project life cycle.
      Positive: Change management is conducted appropriately throughout the life cycle of the programme/project to inform stakeholders on progress and train future users.
0301  IT investment decision making  [P S]
      Negative: Business managers or representatives are not involved in important IT investment decision making (e.g., new applications, prioritisation, new technology opportunities).
      Positive: There is co-ordinated decision making over IT investments between business and IT.
0302  [P S]
      Negative: The wrong software, in terms of cost, performance, features, compatibility, etc., is selected for implementation.
      Positive: Upfront analysis is performed and a business case is prepared to ensure the adequate selection of software.
0303  [P P]
      Negative: The wrong infrastructure, in terms of cost, performance, features, compatibility, etc., is selected for implementation.
      Positive: Upfront analysis is performed and a business case is prepared to ensure the adequate selection of infrastructure.
0304  [P P]
      Negative: Redundant software is purchased.
0401  IT expertise and skills  [P P P]
      Negative: There is a lack of or mismatched IT-related skills within IT, e.g., due to new technologies.
      Positive: Attracting the appropriate staff increases the service delivery of the IT department.
0402  [P P P]
      Negative: There is a lack of business understanding by IT staff, affecting service delivery/project quality.
      Positive: Correct staff and skill mix supports project delivery and value delivery.
0403  [P P P]
      Negative: There are insufficient skills to cover the business requirements.
      Positive: Correct skill mix and training ensures that there is a thorough understanding of the business by staff and allows full coverage of business requirements.
0404  [S P P]
      Negative: There is an inability to recruit IT staff.
      Positive: The correct amount of IT staff, with appropriate skills and competencies, is attracted to support the business objectives.
0405  [S P P]
      Negative: There is a lack of due diligence in the recruitment process.
      Positive: Candidates are screened to ensure that appropriate skills, competencies and attitude are present.
0406  [S P P]
      Negative: There is a lack of training, leading to IT staff leaving.
      Positive: IT staff members are able to determine their own training plan based on their aspirations and domains of interest, in collaboration with their superiors.
0407  [S P P]
      Negative: There is insufficient return on investment regarding training due to early leaving of trained IT staff (e.g., MBA).
      Positive: Career development is made formal and individual paths are determined to ensure IT staff is motivated to stay for a considerable amount of time.
Figure 14—Example Risk Scenarios (cont.)
Risk type codes, in column order: IT Benefit/Value Enablement, IT Programme and Project Delivery, IT Operations and Service Delivery (P = primary fit, S = secondary fit)

0408  IT expertise and skills (cont.)  [S P P]
      Negative: There is an overreliance on key IT staff.
      Positive: Job rotation ensures that nobody alone possesses the entire knowledge of the execution of a certain activity.
0409  [S P P]
      Negative: There is an inability to update the IT skills to the proper level through training.
      Positive: Training, attending seminars and reading thought leadership ensures that IT staff is up to date with the latest developments in its area of speciality.
0501  Staff operations (human error and malicious intent)  [S S P]
      Negative: Access rights from prior roles are abused.
      Positive: HR and IT administration co-ordinate on a frequent basis to ensure timely removal of access rights, avoiding the possibility of abuse.
0502  [S P]
      Negative: IT equipment is accidentally damaged by staff.
0503  [S P]
      Negative: There are errors by IT staff (during backup, during upgrades of systems, during maintenance of systems, etc.).
      Positive: The four-eyes principle is applied, decreasing the possibility of errors before moving to production.
0504  [S P]
      Negative: Information is input incorrectly by IT staff or system users.
      Positive: The four-eyes principle is applied, decreasing the possibility of incorrect information input.
0505  [S P]
      Negative: The data centre is destroyed (sabotage, etc.) by staff.
      Positive: Data centre is appropriately secured, only allowing access to authorised IT staff.
0506  [S P]
      Negative: There is a theft of a device with sensitive data by staff.
      Positive: Office premises are secured and monitored for irregular activity.
0507  [S P]
      Negative: There is a theft of a key infrastructure component by staff.
      Positive: Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarm bells are raised in case of irregularities and acted on immediately.
0508  [P S P]
      Negative: Hardware components were configured erroneously.
      Positive: An enterprisewide configuration management system is set up, ensuring aligned configuration across the enterprise.
0509  [P S P]
      Negative: Critical servers in the computer room were damaged (e.g., accident, etc.).
      Positive: Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarm bells are raised in case of irregularities and acted on immediately.
0510  [P S P]
      Negative: Hardware was tampered with intentionally (security devices, etc.).
      Positive: Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarm bells are raised in case of irregularities and acted on immediately.
Figure 14—Example Risk Scenarios (cont.)
Risk type codes, in column order: IT Benefit/Value Enablement, IT Programme and Project Delivery, IT Operations and Service Delivery (P = primary fit, S = secondary fit)

0601  Information (data breach: damage, leakage and access)  [S P]
      Negative: Hardware components are damaged, leading to (partial) destruction of data by internal staff.
      Positive: Backup procedures, aligned to the business criticality of the data, are established, ensuring key business data is always retained at a second location.
0602  [S S P]
      Negative: The database is corrupted, leading to inaccessible data.
0603  [S S P]
      Negative: Portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed.
      Positive: Portable media are appropriately secured and encrypted to ensure protection of data.
0604  [S S P]
      Negative: Sensitive data is lost/disclosed through logical attacks.
      Positive: Sensitive data residing on the enterprise premises are protected appropriately behind firewalls and through continuous network monitoring.
0605  [S S P]
      Negative: Backup media is lost or backups are not checked for effectiveness.
0606  [P S P]
      Negative: Sensitive information is accidentally disclosed due to failure to follow information handling guidelines.
      Positive: Employees are encouraged continuously to be ambassadors of the enterprise culture, ethics and good behaviours, including practices around information handling.
0607  [P S P]
      Negative: Data (accounting, security-related data, sales figures, etc.) are modified intentionally.
      Positive: The four-eyes principle is applied for specific data inputs/modifications to create a peer review and decrease the stimulus for intentional modification.
0608  [P S P]
      Negative: Sensitive information is disclosed through email or social media.
      Positive: Employees are encouraged continuously to be ambassadors of the enterprise culture, ethics and good behaviours, including practices involving distribution of information through email and social media.
0609  [P S P]
      Negative: Sensitive information is discovered due to inefficient retaining/archiving/disposing of information.
      Positive: The data retention policy is updated regularly and strict compliance is enforced for all employees.
0610  [P S P]
      Negative: IP is lost and/or competitive information is leaked due to key team members leaving the enterprise.
      Positive: IP clauses are incorporated in every contract, allowing the enterprise to fully reap the benefits of all IP created in the enterprise.
0611  [P S P]
      Negative: The enterprise has an overflow of data and cannot deduce the business-relevant information from the data (e.g., big data problem).
      Positive: The enterprise has an effective process in place to turn the data it has into business-relevant information and use that information to create business value.
0701  Architecture (architectural vision and design)  [P P P]
      Negative: The enterprise architecture is complex and inflexible, obstructing further evolution and expansion and leading to missed business opportunities.
      Positive: Modern and flexible architecture supports business agility/innovation.
0702  [P S P]
      Negative: The enterprise architecture is not fit for purpose and does not support the business priorities.
0703  [P S S]
      Negative: There is a failure to adopt and exploit new infrastructure in a timely manner.
0704  [P S S]
      Negative: There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner.
Figure 14—Example Risk Scenarios (cont.)
Risk type codes, in column order: IT Benefit/Value Enablement, IT Programme and Project Delivery, IT Operations and Service Delivery (P = primary fit, S = secondary fit)

0801  Infrastructure (hardware, operating system and controlling technology) (selection/implementation, operations and decommissioning)  [P S P]
      Negative: New (innovative) infrastructure is installed and as a result systems become unstable, leading to operational incidents, e.g., a bring your own device (BYOD) programme.
      Positive: Appropriate testing is conducted before setting infrastructure into the production environment to ensure the availability and proper functioning of the entire system.
0802  [P S P]
      Negative: The systems cannot handle transaction volumes when user volumes increase.
0803  [P S P]
      Negative: The systems cannot handle system load when new applications or initiatives are deployed.
0804  [P S P]
      Negative: Intermittently, there are failures of utilities (telecom, electricity).
      Positive: Second-line utilities are foreseen and stand by 24/7 to support the continuous execution of business-critical transactions.
0805  [P S P]
      Negative: The IT in use is obsolete and cannot satisfy new business requirements (networking, security, database, storage, etc.).
      Positive: IT is an innovator, ensuring a two-way interaction between business and IT.
0806  [P]
      Negative: Hardware fails due to overheating.
0901  Software  [P S]
      Negative: There is an inability to use the software to realise desired outcomes (e.g., failure to make required business model or organisational changes).
      Positive: The software in use stimulates the generation of new ideas.
0902  [P S]
      Negative: Immature software (early adopters, bugs, etc.) is implemented.
0903  [P S]
      Negative: The wrong software (cost, performance, features, compatibility, etc.) is selected for implementation.
      Positive: Upfront analysis is performed and a business case is prepared to ensure the adequate selection of software.
0904  [P S]
      Negative: There are operational glitches when new software is made operational.
      Positive (0904 and 0905): User-adapted training and user acceptance testing are performed before the go-live decision to ensure the smooth transition to new software and that generation of business value continues.
0905  [P S]
      Negative: Users cannot use and exploit new application software.
0906  [P S]
      Negative: Intentional modification of software leads to wrong data or fraudulent actions.
      Positive (0906 and 0907): The four-eyes principle is applied for specific data inputs/modifications to create a peer review and decrease the stimulus for fraudulent actions or simply unexpected results.
0907  [P S]
      Negative: Unintentional modification of software leads to unexpected results.
0908  [P S]
      Negative: Unintentional configuration and change management errors occur.
      Positive: Enterprisewide configuration management decreases resolution time for incident and problem management.
0909  [P S]
      Negative: Regular software malfunctioning of critical application software occurs.
      Positive: Appropriate testing is conducted before the go-live decision to ensure the availability and proper functioning of the software.
0910  [P S]
      Negative: Intermittent software problems with important system software occur.
0911  [P S]
      Negative: Application software is obsolete (e.g., old technology, poorly documented, expensive to maintain, difficult to extend, not integrated in current architecture).
      Positive: IT is an innovator, ensuring a two-way interaction between business and IT.
0912  [P S]
      Negative: There is an inability to revert back to former versions in case of operational issues with the new version.
      Positive: Backup and restore points are established in accordance with the business criticality of software to ensure roll-back procedures.
Figure 14—Example Risk Scenarios (cont.)
Risk type codes, in column order: IT Benefit/Value Enablement, IT Programme and Project Delivery, IT Operations and Service Delivery (P = primary fit, S = secondary fit)

1001  Business ownership of IT  [P P S]
      Negative: Business does not assume accountability over those IT areas it should, e.g., functional requirements, development priorities, assessing opportunities through new technologies.
      Positive: Business assumes appropriate accountability over IT and co-determines the strategy of IT, especially the application portfolio.
1002  [P S S]
      Negative: There is extensive dependency on and use of end-user computing and ad hoc solutions for important information needs, leading to security deficiencies, inaccurate data or increasing costs/inefficient use of resources.
1003  [P S S]
      Negative: Cost and ineffectiveness result from IT-related purchases outside of the procurement process.
      Positive: A business case is always prepared to ensure optimal cost and effective purchasing of software.
1004  [P]
      Negative: Inadequate requirements lead to ineffective service level agreements (SLAs).
1101  Supplier (selection/performance, contractual compliance, termination of service and transfer)  [S P]
      Negative: There is a lack of supplier due diligence regarding financial viability, delivery capability and sustainability of the supplier’s service.
      Positive: Third party acts as strategic partner.
1102  [S P]
      Negative: Unreasonable terms of business are accepted from IT suppliers.
1103  [S P]
      Negative: Support and services delivered by vendors are inadequate and not in line with the SLA.
      Positive (1103 and 1104): Appropriate key performance indicators (KPIs), linked to rewards and penalties, ensure adequate service delivery and support.
1104  [S P]
      Negative: Outsourcer performance is inadequate in a large-scale, long-term outsourcing arrangement.
1105  [S P]
      Negative: There is non-compliance with software licence agreements (use and/or distribution of unlicensed software, etc.).
      Positive: Contractual arrangements are agreed on concerning the use of third-party software and proprietary software.
1106  [S P]
      Negative: There is an inability to transfer to alternative suppliers due to overreliance on the current supplier.
      Positive: A phase-out and knowledge transfer clause is added to the contract with the supplier, requiring them to do a handover with new suppliers. A mix of internal and external employees is set up for each process, avoiding full knowledge of the process residing only with external employees.
1107  [S P]
      Negative: Cloud services are purchased by the business without the consultation/involvement of IT, resulting in an inability to integrate the service with in-house services.
1201  Regulatory compliance  [P S S]
      Negative: There is non-compliance with regulations, e.g., privacy, accounting, manufacturing.
      Positive: Full compliance with regulations is exploited towards clients to generate extra business value.
1202  [P S S]
      Negative: Unawareness of potential regulatory changes has an impact on the operational IT environment.
      Positive: The enterprise sets up a legal and compliance department to follow up on regulatory changes and to ensure the continuation of business value generation.
1203  [P S S]
      Negative: The regulator prevents cross-border dataflow due to insufficient controls.
Chapter 4
Generic Risk Scenarios

Figure 14—Example Risk Scenarios (cont.)


Risk Type marks: P = primary, S = secondary, given in source order for the columns IT Benefit/Value Enablement, IT Programme and Project Delivery, and IT Operations and Service Delivery.

| Ref. | Risk Scenario Category | Risk Type (P/S) | Negative Example Scenarios | Positive Example Scenarios |
|---|---|---|---|---|
| 1301 | Geopolitical | P | There is no access due to a disruptive incident in other premises. | Clear compliance with national policies and support of local initiatives ensures support by local government and generation of business value. |
| 1302 | | P | Government interference and national policies limit service capability. | |
| 1303 | | P | Targeted action against the enterprise results in destruction of infrastructure. | |
| 1401 | Infrastructure theft or destruction | S S P | There is a theft of a device with sensitive data. | Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarms are raised in case of irregularities and acted on immediately. |
| 1402 | | S S P | There is a theft of a substantial number of development servers. | |
| 1403 | | S S P | Destruction of the data centre (sabotage, etc.) occurs. | The data centre is appropriately secured, only allowing access to authorised IT staff. |
| 1404 | | S S P | There is accidental destruction of individual devices. | |
| 1501 | Malware | S P | There is an intrusion of malware on critical operational servers. | IT infrastructure is appropriately protected behind firewalls and through continuous monitoring of the network to ensure the execution of day-to-day activities. |
| 1502 | | S P | Regularly, there is infection of laptops with malware. | |
| 1503 | | S P | A disgruntled employee implements a time bomb that leads to data loss. | |
| 1504 | | S P | Company data are stolen through unauthorised access gained by a phishing attack. | |
| 1601 | Logical attacks | S P | Unauthorised users try to break into systems. | |
| 1602 | | S P | There is a service interruption due to a denial-of-service attack. | |
| 1603 | | S P | The web site is defaced. | |
| 1604 | | S P | Industrial espionage takes place. | |
| 1605 | | S P | There is a virus attack. | |
| 1606 | | S P | Hacktivism takes place. | |
| 1701 | Industrial action | S S P | Facilities and building are not accessible because of a labour union strike. | A business continuity plan foresees action to be taken to always ensure the execution of business-critical tasks in case the building is not accessible anymore. |
| 1702 | | S S P | Key staff is not available through industrial action (e.g., transportation strike). | A flexible work policy, allowing employees to work from a location other than the office building, stimulates freedom and creates a positive work atmosphere. |
| 1703 | | S S P | A third party is not able to provide services because of a strike. | |
| 1704 | | S S P | There is no access to capital caused by a strike of the banking industry. | |


Figure 14—Example Risk Scenarios (cont.)


Risk Type marks: P = primary, S = secondary, given in source order for the columns IT Benefit/Value Enablement, IT Programme and Project Delivery, and IT Operations and Service Delivery.

| Ref. | Risk Scenario Category | Risk Type (P/S) | Negative Example Scenarios | Positive Example Scenarios |
|---|---|---|---|---|
| 1801 | Environmental | S S P | The equipment used is not environmentally friendly (e.g., power consumption, packaging). | Being awarded for environmental friendliness creates positive media attention, attracts new customers and employees, and ensures value creation. |
| 1901 | Acts of nature | S S P | There is an earthquake. | |
| 1902 | | S S P | There is a tsunami. | |
| 1903 | | S S P | There are major storms and tropical cyclones. | |
| 1904 | | S S P | There is a major wildfire. | |
| 1905 | | S S P | There is flooding. | |
| 1906 | | S S P | The water table is rising. | |
| 2001 | Innovation | P S S | New and important technology trends are not identified. | Innovation and trend watch are endorsed and encouraged, ensuring new technology (trends) are assessed in a timely manner for business impact and adopted if required. |
| 2002 | | P S | There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner. | Innovation and trend watch are endorsed and encouraged, ensuring new technology (trends) are assessed in a timely manner for business impact and adopted if required. |
| 2003 | | P S | New and important software trends are not identified (consumerisation of IT). | |
Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 38

Chapter 5, Using COBIT 5 Enablers to Mitigate IT Risk Scenarios, provides a set of examples that show how COBIT 5
enablers can be used to respond to the risk scenarios described in figure 14. Other IT management frameworks, such as
the Information Technology Infrastructure Library (ITIL) and ISO/IEC 27001 and 27002, can also be used for that purpose,
but no detailed links/mappings are included.


Chapter 5
Using COBIT 5 Enablers to Mitigate IT Risk Scenarios [5]
During the risk response process, risk mitigation is one of the options that can be used to respond to risk. IT-related risk
mitigation is equivalent to implementing a number of IT controls. In COBIT 5 terms, IT controls can be any enabler,
e.g., principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information;
services, infrastructure and applications; or people, skills and competencies.

This chapter provides examples that show how COBIT 5 enablers can be used to respond to risk scenarios. For each of
the risk scenario categories identified in chapter 4, potential mitigating actions relating to all seven COBIT 5 enablers are
provided, with a reference, title and description for each enabler.

When using the examples in this chapter, the reader should keep in mind that:
• The examples do not replace the risk analysis exercise. The risk scenario categories presented here are generic and, in
themselves, can cover many derived and varying scenarios. Every enterprise first needs to customize and define its own
set of risk scenarios.
• The examples need to be customized to include every risk and all surrounding risk factors that should be considered
before risk mitigation measures are defined.
• The suggested IT controls/enablers are not absolute. They need to be weighed in terms of cost and benefit, i.e.,
how effective they will be in addressing risk and the cost to implement them. The effect of the mitigating action on
potential impact and frequency of the risk should be estimated and depends on the maturity of the IT control/enabler
implementation, the context of the enterprise, etc. When effect on impact and frequency is estimated to be “high,” the
action can be considered “essential” for the enterprise.
• The suggested list of IT controls/enablers may not be complete for a particular situation, so the user should be prepared
to carefully analyze whether any controls need to be added or removed based on each situation. For some scenarios,
additional and more detailed guidance may be required. Examples are information security risk items and controls such
as vulnerability management or application security scanning.

The value of this section ties into:
• Risk assessment and analysis—When frequency and impact need to be assessed, IT controls/enablers need to be taken into
account to determine the impact and a realistic frequency. Enabler maturity is a very important risk factor.
• Risk mitigation—When risk is to be mitigated, IT controls/enablers need to be defined, assessed and implemented.
The examples in this chapter provide a number of suggested IT controls/enablers for each risk in the examples.

Note: The tables linking each risk scenario category to a set of mitigating enablers stay at a very generic level, thus
providing a starting point for preparing mitigation plans. Each enterprise will need to tailor the set of enablers required to
analyze and mitigate each specific risk scenario in scope.

[5] Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.


Risk Scenario Category 1: Portfolio Establishment and Maintenance

Risk Scenario Category: Portfolio establishment and maintenance

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Program/project management policy | Enforces the use of the overall program/project methodology, including corporate policy on business case or due diligence, in order to improve the visibility of the relative value of programs (compared to each other). This policy should describe approval investment thresholds for program value. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| EDM02.01 | Evaluate value optimization. | Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation. |
| EDM02.02 | Direct value optimization. | Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle. |
| EDM02.03 | Monitor value optimization. | Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions. |
| APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. |
| APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise. |
| APO02.03 | Define the target IT capabilities. | Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals. |
| APO04.03 | Monitor and scan the technology environment. | Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context. |
| APO05.01 | Establish the target investment mix. | Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle, degree of risk, and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary. |
| APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. |
| APO05.05 | Maintain portfolios. | Maintain portfolios of investment programs and projects, IT services and IT assets. |
| APO06.02 | Prioritize resource allocation. | Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options. |
| BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Program and project management office (PMO) | Responsible for the quality of the business cases |
| Board of directors | Approval is required when programs surpass a certain value threshold and risk level. |
| Chief financial officer (CFO) | Help with alignment of strategy and priorities, overall view on programs. |


Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Program selection includes data-driven decisions | Decisions should be objective, nonbiased and based on supported information. |
| Stakeholder engagement | The full range of success factors will be taken into account when selecting programs. |
| Focus on enterprise objectives | Ensure alignment with corporate strategy and priorities. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Program business case | Improves the visibility of the relative value of programs (compared to each other) |
| Defined investment mix | Improves the visibility of the relative value of programs (compared to each other) |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Portfolio management tools | Decrease complexity and increase overview on programs and projects. |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Program/project finance skills | Create visibility on program value. |
| Business requirements analysis | Transparency on enterprise strategy, related business requirements and priorities |
| Marketing-related skills | Create visibility on program value. |


Risk Scenario Category 2: Programme/Project Life Cycle Management

Risk Scenario Category: Program/project life cycle management
Scope: Program/project initiation, economics, delivery, quality and termination

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Program/project management policy | Measuring visibility and true status for decision makers should be based on a common language and methodology: create awareness regarding failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.) and create information flows to induce corrective action; to prevent failure, scope changes to existing projects need to be managed strictly. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| EDM02.03 | Monitor value optimization. | Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions. |
| APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. |
| APO06.04 | Model and allocate costs. | Establish and use an IT costing model based on the service definition, ensuring that allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities. |
| APO06.05 | Manage costs. | Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed. |
| BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. |
| BAI01.02 | Initiate a program. | Initiate a program to confirm the expected benefits and obtain authorization to proceed. This includes agreeing on program sponsorship, confirming the program mandate through approval of the conceptual business case, appointing program board or committee members, producing the program brief, reviewing and updating the business case, developing a benefits realization plan, and obtaining approval from sponsors to proceed. |
| BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. |
| BAI01.04 | Develop and maintain the program plan. | Formulate a program to lay the initial groundwork and to position it for successful execution by formalizing the scope of the work to be accomplished and identifying the deliverables that will satisfy its goals and deliver value. Maintain and update the program plan and business case throughout the full economic life cycle of the program, ensuring alignment with strategic objectives and reflecting the current status and updated insights gained to date. |
| BAI01.05 | Launch and execute the program. | Launch and execute the program to acquire and direct the resources needed to accomplish the goals and benefits of the program as defined in the program plan. In accordance with stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report on the progress of the program and to be able to make the case for funding up to the following stage-gate or release review. |
| BAI01.06 | Monitor, control and report on the program outcomes. | Monitor and control program (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the program steering committee and the sponsors. |
| BAI01.07 | Start up and initiate projects within a program. | Define and document the nature and scope of the project to confirm and develop among stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment program. The definition should be formally approved by the program and project sponsors. |
| BAI01.08 | Plan projects. | Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability. |
| BAI01.09 | Manage program and project quality. | Prepare and execute a quality management plan, processes and practices, aligned with the quality management system (QMS), that describes the program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated program and project plans. |


Process Enabler (cont.)

| Reference | Title | Governance and Management Practices |
|---|---|---|
| BAI01.10 | Manage program and project risk. | Eliminate or minimize specific risk associated with programs and projects through a systematic process of planning, identifying, analyzing, responding to and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program and project management should be established and centrally recorded. |
| BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. |
| BAI01.12 | Manage project resources and work packages. | Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and coordinating appropriate business and IT resources. |
| BAI01.13 | Close a project or iteration. | At the end of each project, release or iteration, require the project stakeholders to ascertain whether the project, release or iteration delivered the planned results and value. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the program, and identify and document lessons learned for use on future projects, releases, iterations and programs. |

Organizational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Program and project management office (PMO) | Ensure consistency of approach within program/project monitoring. |
| Chief information officer (CIO) | Take corrective action, if required. |
| Program/project sponsor | Overall accountable for budget tracking and value demonstration |
| Program/project manager | Overall responsible for budget tracking and value demonstration |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Program/project monitoring includes data-driven activities | Decisions should be objective, nonbiased and based on supported information. |
| Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Program benefit realization plan | This input will provide the necessary data to track the progress and estimate potential overrun. |
| Program budget and benefits register | This input will provide the necessary data to track the progress and estimate potential overrun. |
| Program status report | Measuring visibility and true status for decision makers should be based on a common language and methodology. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Portfolio management tools | Increase transparency on budgetary status. |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Performance and budget control skills | The correct analytical skills will allow estimation of the consequences of failing projects, such as potential budget overruns. |


Risk Scenario Category 3: IT Investment Decision Making

Risk Scenario Category: IT investment decision making

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Program/project management policy | The policy should define who needs to be involved in investment decisions and the chain of approval. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. |
| APO06.02 | Prioritize resource allocation. | Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options. |
| APO06.03 | Create and maintain budgets. | Prepare a budget reflecting the investment priorities supporting strategic objectives based on the portfolio of IT-enabled programs and IT services. |
| APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or on major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. |
| BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. |
| BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Board of directors | Accountable for proper investment decision making |
| Chief information officer (CIO) | Responsible for proper investment decision making |
| Chief financial officer (CFO) | Responsible for proper investment decision making |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Decision-making process is data driven | Decisions should be objective, nonbiased and based on supported information. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Business cases | Clarify the purpose, cost and return on investment of IT initiatives. |
| Prioritization and ranking of IT initiatives | Overview of IT initiatives to facilitate selection |
| IT budget and plan | Overview on available IT budget and guidelines |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Cost allocation and budgeting | Ability to detail financial aspects of IT initiatives |
| Business case analysis | Clarify the purpose, cost and return on investment of IT initiatives. |


Risk Scenario Category 4: IT Expertise and Skills

Risk Scenario Category: IT expertise and skills

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| HR policy | Describes the requirements for selecting, developing and evaluating IT profiles throughout the entire career. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. |
| APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise. |
| APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). |
| APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. |
| APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or on major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. |
| APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimising reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. |
| APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. |
| APO07.04 | Evaluate employee job performance. | Perform timely performance evaluations on a regular basis against individual objectives derived from the enterprise’s goals, established standards, specific job responsibilities, and the skills and competency framework. Employees should receive coaching on performance and conduct whenever appropriate. |
| APO07.05 | Plan and track the usage of IT and business human resources. | Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans and enterprise, business and IT recruitment processes. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies |
| Head of HR | Accountable for establishing expectations toward staff |
| Specific IT management functions | Responsible for identifying specific requirements |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Awareness of business activities by IT staff | IT staff should know the core business activities of the enterprise they support. |
| Foster competency development with IT staff | Continuous development of existing IT skills. |


Information Enabler

| Reference | Contribution to Response |
|---|---|
| Skills and competencies matrix | Describes the existing skills and competencies within the IT organization and allows for gap analysis |
| Competency and career/skills development plans | Describe the required evolution of specific IT profiles. |
| Generic job function descriptions | Describe skills/experience and knowledge requirements for generic profiles within the IT organization. |
| Knowledge repositories | Minimize the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Human resources management skills | Hire qualified personnel and manage the skills development process. |
| Business analysis | Matching the business needs to the required IT skills |


Risk Scenario Category 5: Staff Operations

Risk Scenario Category: Staff operations
Scope: Human error and malicious intent

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| HR policy | Describes the restrictions that continue to apply after leaving the organization |
| Information security policy | Defines technical limitations on sharing and using information |
| Ethics policy | Rules of behavior, acceptable use of technology and required precautions |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. |
| APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. |
| APO07.06 | Manage contract staff. | Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the organization’s policies and meet agreed-on contractual requirements. |
| BAI03.07 | Prepare for solution testing. | Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure. |
| DSS01.01 | Perform operational procedures. | Maintain and perform operational procedures and operational tasks reliably and consistently. |
| DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. |
| DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. |
| DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities. |
| DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. |
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. |
| DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). |
DSS06.03 Manage roles, Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support
responsibilities, the business process objectives. Authorize access to any information assets related to business information
access privileges and processes, including those under the custody of the business, IT and third parties. This ensures that the
levels of authority. business knows where the data are and who is handling data on its behalf.
Organisational Structures Enabler
Reference Contribution to Response
Information security manager Responsible for technical protection of assets and information
Head of HR Responsible for establishing expectations about staff
Head of IT operations Accountable for managing the operational environment
Culture, Ethics and Behaviour Enabler
Reference Contribution to Response
Everybody is responsible for the Leading by example
protection of information within the
enterprise
People respect the importance of policies Preventing errors and accidents
and procedures

39
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

Risk Scenario Category 5: Staff Operations (cont.)


Information Enabler
Reference Contribution to Response
Staffing contract Contractual obligations, restrictions and rights of the staff
Access and event logs Detect wrongful activity.
Allocated roles and responsibilities/levels Provide clarity on organizational distribution.
of authority
Services, Infrastructure and Applications Enabler
Reference Contribution to Response
Access control To prevent unauthorized logical access
Alarm and monitoring security system To prevent unauthorized physical access
People, Skills and Competencies Enabler
Reference Contribution to Response
Security skills Prevent malicious intent.

Risk Scenario Category 6: Information

Risk Scenario Category: Information
Scope: Damage, leakage and access

Principles, Policies and Frameworks Enabler
Reference | Contribution to Response
Physical security policy | Access should only be provided to authorized staff.
Backup policy | Backups are available and usable.
Business continuity and disaster recovery policy | Validate recoverability of data.
Information security policy | Defines limitations on sharing and using information.

Process Enabler
Reference | Title | Governance and Management Practices
APO01.06 | Define information (data) and system ownership. | Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification.
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues.
DSS01.01 | Perform operational procedures. | Maintain and perform operational procedures and operational tasks reliably and consistently.
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in items that enable the enterprise to continue its critical activities after an incident.
DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity.
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process.
DSS06.05 | Ensure traceability of information events and accountabilities. | Ensure that business information can be traced to the originating business event and accountable parties. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives.

Organisational Structures Enabler
Reference | Contribution to Response
Information security manager | Provide guidance on proper controls and measures to protect data and hardware.
Head of IT operations | Responsible for implementing proper controls to protect data and hardware

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response
Information security is practiced in daily operations | Always select the safest option with regard to daily operations.
Need-to-access only | Limit the access of staff without affecting performance.
Everybody is responsible for the protection of information within the enterprise | Management provides training to create awareness and accountability.

Information Enabler
Reference | Contribution to Response
Backup reports | Describe the status regarding backups.
Data loss prevention campaigns | Increase awareness within the enterprise.
Nondisclosure agreements | Contractually protect intellectual property (IP) by deterring staff from disclosing IP to unauthorized parties.
Access and event logs | Detect suspicious activity.

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response
Access control | To prevent unauthorized logical access
Backup systems | Ensure proper recovery in case of loss, modification or corruption of data.
Data protection infrastructure and applications | Encryption, passwords, email monitoring, etc., to apply the need-to-know principle

People, Skills and Competencies Enabler
Reference | Contribution to Response
Technical skills | Regarding the proper controls and measures to protect data and hardware (e.g., data backup, storage)

Risk Scenario Category 7: Architecture

Risk Scenario Category: Architecture
Scope: Architectural vision and design

Principles, Policies and Frameworks Enabler
Reference | Contribution to Response
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise.
Exceptions procedure | In specific cases, exceptions to the existing architectural rules can be allowed. The specific cases and the procedure to follow for approval should be described.

Process Enabler
Reference | Title | Governance and Management Practices
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
APO02.03 | Define the target IT capabilities. | Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.
APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
APO03.02 | Define reference architecture. | The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.
APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints.
APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work.
APO03.05 | Provide enterprise architecture services. | The provision of enterprise architecture services within the enterprise includes guidance to and monitoring of implementation projects, formalizing ways of working through architecture contracts, and measuring and communicating architecture’s value-add creation and compliance monitoring.
APO04.03 | Monitor and scan the technology environment. | Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.
APO04.04 | Assess the potential of emerging technologies and innovation ideas. | Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.
APO04.06 | Monitor the implementation and use of innovation. | Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned.

Organisational Structures Enabler
Reference | Contribution to Response
Architecture board | Ensure compliance with the target architecture and grant exceptions only when needed.

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response
Respect agreed-on standards | The enterprise should encourage the use of agreed-on standards.

Information Enabler
Reference | Contribution to Response
Architecture model | Target architecture model

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response
Architecture modeling software | A modeling application will optimize architecture development and minimize the effort of analyzing the impact on the architecture in case of exceptions or changes.

People, Skills and Competencies Enabler
Reference | Contribution to Response
Leadership and communication | Clarify the rationale for the architecture and the potential consequences.
Architecture skills | Develop efficient and effective architecture aligned to the business requirements.

Risk Scenario Category 8: Infrastructure

Risk Scenario Category: Infrastructure
Scope: Hardware, operating system and controlling technology; selection/implementation, operations and decommissioning

Principles, Policies and Frameworks Enabler
Reference | Contribution to Response
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise.
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way.

Process Enabler
Reference | Title | Governance and Management Practices
APO02.03 | Define the target IT capabilities. | Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.
APO04.03 | Monitor and scan the technology environment. | Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison.
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by the business owner. Ensure that, for critical business functions, the SLA availability requirements can be satisfied.
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up.
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues.
BAI10.04 | Produce status and configuration reports. | Define and produce configuration reports on status changes of configuration items.
BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target.
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

Organisational Structures Enabler
Reference | Contribution to Response
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure
Head of architecture | Designing architecture in an optimal way

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response
Respect the available assets | All staff are required to maintain the assets in an appropriate manner

Information Enabler
Reference | Contribution to Response
Architecture model | Target architecture model
(Updates to) asset inventory | Tracking all assets throughout the enterprise
Maintenance plan | Planning the maintenance of the IT infrastructure
Configuration status reports | Tracking changes to configuration

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response
Configuration management database (CMDB) | Assists in identifying areas for improvement.

People, Skills and Competencies Enabler
Reference | Contribution to Response
Architecture skills | Develop efficient and effective architecture aligned to the business requirements.
Technical skills | Managing the different infrastructure components

Risk Scenario Category 9: Software

Risk Scenario Category: Software
Scope: Selection/implementation, operations and decommissioning

Principles, Policies and Frameworks Enabler
Reference | Contribution to Response
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way.
Fallback procedures | Guidelines in case rollback is necessary
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise.

Process Enabler
Reference | Title | Governance and Management Practices
BAI03.01 | Design high-level solutions. | Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version.
BAI03.02 | Design detailed solution components. | Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs).
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.
BAI03.05 | Build solutions. | Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalog to reflect the new solutions.
BAI03.06 | Perform quality assurance (QA). | Develop, resource and execute a quality assurance (QA) plan aligned with the quality management system (QMS) to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures.
BAI03.07 | Prepare for solution testing. | Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.
BAI03.08 | Execute solution testing. | Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.
BAI03.09 | Manage changes to requirements. | Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements.
BAI03.10 | Maintain solutions. | Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.
BAI05.05 | Enable operation and use. | Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility.
BAI06.01 | Evaluate, prioritize and authorize change requests. | Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, categorized, assessed, authorized, prioritized, planned and scheduled.
BAI06.02 | Manage emergency changes. | Carefully manage emergency changes to minimize further incidents and make sure the change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.
BAI06.03 | Track and report change status. | Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
BAI06.04 | Close and document the changes. | Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change.
BAI07.01 | Establish an implementation plan. | Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/backout plan, and a postimplementation review. Obtain approval from relevant parties.
BAI07.03 | Plan acceptance tests. | Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment.
BAI07.08 | Perform a postimplementation review. | Conduct a postimplementation review to confirm outcome and results, identify lessons learned, and develop an action plan. Evaluate and check the actual performance and outcomes of the new or changed service against the predicted performance and outcomes (i.e., the service expected by the user or customer).
BAI08.01 | Nurture and facilitate a knowledge-sharing culture. | Implement processes and tools that facilitate a knowledge-sharing culture.
BAI08.04 | Use and share knowledge. | Propagate available knowledge resources to relevant stakeholders and communicate how these resources can be used to address different needs (e.g., problem solving, learning, strategic planning and decision making).
BAI10.04 | Produce status and configuration reports. | Define and produce configuration reports on status changes of configuration items.
BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target.

Organisational Structures Enabler
Reference | Contribution to Response
Head of software development | Responsible for the proper design and development of the software components
Head of architecture | Designing architecture in an optimal way

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response
Testing is performed on all appropriate levels | Users and developers cooperate in testing the software components.

Information Enabler
Reference | Contribution to Response
Architecture model | Target architecture model
Design specifications | Clarifying the needs of the users
Quality assurance (QA) plan (test plan and procedures) | Defining the steps to take in order to assure quality
Maintenance plan | Planning the maintenance of the software

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response
Integrated development environment (IDE) | Facilitating development and consisting of a source code editor, build automation tools and a debugger
Knowledge repositories | Sharing and coordinating knowledge regarding development activities

People, Skills and Competencies Enabler
Reference | Contribution to Response
Architecture skills | Develop efficient and effective architecture aligned to the business requirements
Technical skills | Designing and developing the proper software components

Risk Scenario Category 10: Business Ownership of IT


Risk Scenario Category Business ownership of IT
Principles, Policies and Frameworks Enabler
Reference Contribution to Response
Enterprise governance guiding principles Involving business and IT
Reporting and communication principles Clarifying the means of communication
Process Enabler
Reference Title Governance and Management Practices
EDM01.01 Evaluate the Continually identify and engage with the enterprise’s stakeholders, document an understanding of the
governance system. requirements, and make a judgment on the current and future design of governance of enterprise IT.
EDM01.02 Direct the governance Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and
system. practices for the governance of IT in line with agreed-on governance design principles, decision-making
models and authority levels. Define the information required for adequate decision making.
EDM01.03 Monitor the Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the
governance system. governance system and implemented mechanisms (including structures, principles and processes) are
operating effectively and provide appropriate oversight of IT.
APO01.04 Communicate Communicate awareness and understanding of IT objectives and direction to stakeholders throughout
management the enterprise.
objectives and
direction.
APO02.01 Understand enterprise Consider the current enterprise environment and business processes, as well as the enterprise strategy
direction. and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant
regulations, basis for competition).
APO05.06 Manage benefits Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the
achievement. agreed-on and current business case.
APO09.03 Define and prepare Define and prepare service agreements (SLAs) based on the options in the service catalogues. Include
service agreements. internal operational level agreements (OLAs).
APO09.04 Monitor and report Monitor service levels, identify trends and provide reports that management can use to make decisions and
service levels. manage future requirements for performance.
BAI01.03 Manage stakeholder Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely
engagement. information that reaches all relevant stakeholders. This includes planning, identifying and engaging
stakeholders and managing their expectations.
BAI02.01 Define and maintain Based on the business case, identify, prioritise, specify and agree on business information, functional,
business functional technical and control requirements covering the scope/understanding of all initiatives required to achieve
and technical the expected outcomes of the proposed IT-enabled business solution.
requirements.
Organisational Structures Enabler
Reference: Contribution to Response
Program and project management office (PMO): Provide a common methodology, used by business and IT, to define proper requirements.
Finance: Provide a common methodology, used by business and IT, to assess opportunities in terms of value for the enterprise.
Strategy (IT executive) committee: Key structure that should take accountability for IT and business cooperation
Board of directors: Accountable for setting and maintaining the governance framework
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
Business and IT work together as partners: Business takes into account the difficulties IT faces; IT learns the business issues to find common solutions.
Information Enabler
Reference: Contribution to Response
IT strategy: Aligning IT plans with business objectives for more efficient monitoring of IT by the business
Authority levels: Clarifying the decision-making responsibilities
Service level agreements (SLAs): Describe the service level objectives to meet business expectations.
Risk Scenarios Using COBIT® 5 for Risk
People, Skills and Competencies Enabler
Reference: Contribution to Response
Relationship management skills: IT employees should have the proper skills to build relations with relevant business stakeholders.
IT-related skills/affinity: Business employees should be trained to have a minimal affinity with IT.

Chapter 5
Using COBIT 5 Enablers to Mitigate IT Risk Scenarios

Risk Scenario Category 11: Suppliers

Risk Scenario Category: Suppliers
Scope: Selection, performance, contractual compliance, termination of service and transfer
Principles, Policies and Frameworks Enabler
Reference: Contribution to Response
Procurement policy: Providing a formal approach to selecting suppliers, including the acceptance criteria set by the business
Architecture principles: Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise.
Information security policy: Defines technical limitations on sharing and using information.
Process Enabler
Reference and Title: Governance and Management Practices
APO10.02 Select suppliers: Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders.
APO10.03 Manage supplier relationships and contracts: Formalize and manage the supplier relationships for strategic suppliers. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements.
APO10.04 Manage supplier risk: Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery.
APO10.05 Monitor supplier performance and compliance: Periodically review the overall performance of suppliers, compliance with contract requirements, and value delivery, and address identified issues promptly.
Organisational Structures Enabler
Reference: Contribution to Response
Legal group: Review of proposed terms of business
Business process owners: Setting requirements and performance indicators, and ensuring that proper expectations are incorporated in the contracts
Procurement department: Provide the support and approach to efficiently engage with suppliers.
Chief information officer (CIO): Accountable for managing suppliers
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
Respect procurement procedures: Additional effort is required to ensure proper supplier selection.
Transparent and participative culture focus: To optimize the outcome of the vendor relationships
Information Enabler
Reference: Contribution to Response
Business requirements: Used for negotiations and service level definition.
IT strategy: Defining boundaries and enterprise objectives to take into account when negotiating contracts
Supplier catalog: A structured presentation of known suppliers, including previous performance statistics
Service level agreements (SLAs): Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance.
Services, Infrastructure and Applications Enabler
Reference: Contribution to Response
Vendor management system: Keep track of the vendor management life cycle.
People, Skills and Competencies Enabler
Reference: Contribution to Response
Negotiation skills: Ensure that requirements are supported.
Litigation skills: Once prosecution is initiated, the proper skills are required to minimize legal impact on the enterprise.
Legal analysis skills: Support cooperation with suppliers while drafting contracts and SLAs.

Risk Scenario Category 12: Regulatory Compliance

Risk Scenario Category: Regulatory compliance
Principles, Policies and Frameworks Enabler
Reference: Contribution to Response
Industry/market specific policies: Define the rules and guidelines to identify specific compliance requirements and the procedures to meet applicable requirements.
Compliance policy: Guiding the identification of external compliance requirements and the procedures to meet applicable requirements.
Process Enabler
Reference and Title: Governance and Management Practices
MEA03.01 Identify external compliance requirements: On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise.
MEA03.02 Optimize response to external requirements: Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans.
MEA03.03 Confirm external compliance: Confirm compliance plans with legal, regulatory and contractual requirements.
Organisational Structures Enabler
Reference: Contribution to Response
Privacy officer: Identify privacy requirements and ensure compliance.
Regulatory compliance department: Provides guidance on legal, regulatory and contractual compliance. Tracks new and changing regulations.
Legal group: Legal support during analysis and litigation related to regulatory compliance
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
Risk- and compliance-aware culture is present throughout the enterprise, including the proactive identification and escalation of risk: All members of the enterprise are encouraged to facilitate regulatory compliance.
Compliance is embedded in daily operations: All members of the enterprise are encouraged to facilitate regulatory compliance.
Information Enabler
Reference: Contribution to Response
Risk appetite/tolerance: Balancing compliance requirements with enterprise risk appetite/tolerance
Assurance reports: Internal and external audits
Internal control framework: Optimize the efficiency of internal control.
Analysis of new legal and regulatory compliance requirements: Helps determine applicability
Services, Infrastructure and Applications Enabler
Reference: Contribution to Response
Regulatory databases: Facilitating the follow-up of compliance requirements
Governance, risk and compliance (GRC) tools: Overview of controls and practices to ensure compliance
People, Skills and Competencies Enabler
Reference: Contribution to Response
Litigation skills: Once prosecution is initiated, the proper skills are required to minimize legal impact.
Legal analysis skills: Understand expectations of local regulators.
Internal control: Evaluate compliance with relevant regulations and report results to management.

Risk Scenario Category 13: Geopolitical

Risk Scenario Category: Geopolitical
Principles, Policies and Frameworks Enabler
Reference: Contribution to Response
Safe harbour policies: Provide guidance about provisions of a law or regulation that specify that certain conduct will be deemed not to violate a given rule.
Process Enabler
Reference and Title: Governance and Management Practices
DSS04.02 Maintain a continuity strategy: Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.
MEA03.01 Identify external compliance requirements: On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise.
MEA03.02 Optimize response to external requirements: Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans.
Organisational Structures Enabler
Reference: Contribution to Response
Privacy officer: Identify privacy requirements and ensure compliance.
Regulatory compliance department: Guidance on legal, regulatory and contractual compliance requirements
Legal group: Legal support during analysis and litigation related to compliance
Business continuity/disaster recovery plan: Maintain detailed plans and resource requirements for continuous service.
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
Controlled growth and expansion: Ensure that the regulations and external requirements are integrated in growth plans.
Information Enabler
Reference: Contribution to Response
Analysis of new regulations: Regulations imposed by local government need to be analyzed.
Services, Infrastructure and Applications Enabler
Reference: Contribution to Response
External legal services: Gain advice on new regulations from local governments and the impact they have on the enterprise.
People, Skills and Competencies Enabler
Reference: Contribution to Response
Litigation skills: Once prosecution is initiated, the proper skills are required to minimize legal impact on the enterprise.
Legal analysis skills: Understand expectations of local regulators.
Contingency planning skills: Maintain options for continuous service in the event of a disruption.

Risk Scenario Category 14: Infrastructure Theft or Destruction

Risk Scenario Category: Infrastructure theft or destruction
Principles, Policies and Frameworks Enabler
Reference: Contribution to Response
Information security policy: Restricting physical access to infrastructure in order to prevent destruction
Business continuity and disaster recovery policy: Validate recoverability of information, services, applications and infrastructure.
Process Enabler
Reference and Title: Governance and Management Practices
DSS01.04 Manage the environment: Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.
DSS01.05 Manage facilities: Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
DSS05.05 Manage physical access to IT assets: Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
Organisational Structures Enabler
Reference: Contribution to Response
Information security manager: Implementation of security measures to prevent theft or destruction
Head of IT operations: Responsible for the protection of the IT environment
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
Information security is practiced in daily operations: To prevent unauthorized physical access
People respect the importance of information security policies and principles: To prevent unauthorized physical access
Stakeholders are aware of how to identify and respond to threats to the enterprise: To minimize the impact of infrastructure theft and destruction
Information Enabler
Reference: Contribution to Response
Access requests: Provide information about users authorized to access facilities.
Access logs: Reporting on access activity
Facilities assessment reports: The enterprise is aware of the state and risk of the facilities.
Services, Infrastructure and Applications Enabler
Reference: Contribution to Response
Access control: To prevent unauthorized logical access
Alarm and monitoring security system: To prevent unauthorized physical access
People, Skills and Competencies Enabler
Reference: Contribution to Response
Information security skills: To implement controls that prevent or reduce the impact of infrastructure theft and destruction

Risk Scenario Category 15: Malware

Risk Scenario Category: Malware
Principles, Policies and Frameworks Enabler
Reference: Contribution to Response
Information security policy: Outlines information security arrangements within the enterprise to prevent malware
Malicious software prevention policy: Details the preventive, detective and corrective measures in place across the enterprise to protect information systems and technology from malware.
Architecture principles: Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture.
Incident recovery policy: Validate recoverability of information, services, applications and infrastructure in case of a security incident.
Process Enabler
Reference and Title: Governance and Management Practices
APO01.03 Maintain the enablers of the management system: Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are integrated and aligned with the enterprise's governance and management philosophy and operating style. These enablers include the clear communication of expectations/requirements. The management system should encourage cross-divisional cooperation and teamwork, promote compliance and continuous improvement, and handle process deviations (including failure).
APO01.08 Maintain compliance with policies and procedures: Implement procedures to maintain compliance with, and performance measurement of, policies and other enablers of the control framework, and enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework.
DSS05.01 Protect against malware: Implement and maintain preventive, detective and corrective measures (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc.
DSS05.07 Monitor the infrastructure for security-related events: Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that events are integrated with general event monitoring and incident management procedures.
Organisational Structures Enabler
Reference: Contribution to Response
Information security manager: Implementation of security measures
Head of IT operations: Management of the incident response team to restore service in a timely fashion
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
Information security is practiced in daily operations: To prevent the unintentional installation of malware
People respect the importance of information security policies and principles: To prevent the unintentional installation of malware
Stakeholders are aware of how to identify and respond to threats to the enterprise: To minimize the impact of the installation of malware
Awareness and training regarding malware, email and Internet usage: To prevent the unintentional installation of malware
Information Enabler
Reference: Contribution to Response
Threat information: Intelligence regarding types of attacks
Monitoring reports: Identification of attack attempts, threat events, etc.
Services, Infrastructure and Applications Enabler
Reference: Contribution to Response
Firewall: Protection against malware
Security information and event management (SIEM): Provides real-time analysis of security alerts generated by network hardware and applications.
Malicious software protection tools: Protection against malware
Monitoring and alert services: Timely notification of potential threats

People, Skills and Competencies Enabler
Reference: Contribution to Response
Information security skills: Preventing and reducing the impact of malware by implementing controls
IT technical skills: Appropriate configuration of IT infrastructure, such as firewalls, to prevent unintentional malware installations

Risk Scenario Category 16: Logical Attacks

Risk Scenario Category: Logical attacks
Principles, Policies and Frameworks Enabler
Reference: Contribution to Response
Information security policy: Outlines information security arrangements within the enterprise.
Technical security policies and procedures: Detail the technical consequences of the information security policy.
Architecture principles: Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture.
Business continuity and disaster recovery policy: Validate recoverability of information, services, applications and infrastructure.
Process Enabler
Reference and Title: Governance and Management Practices
APO13.01 Establish and maintain an information security management system (ISMS): Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.
APO13.03 Monitor and review the ISMS: Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyze data about the ISMS, and improve the effectiveness of the ISMS. Correct nonconformities to prevent recurrence. Promote a culture of security and continual improvement.
BAI03.07 Prepare for solution testing: Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.
DSS01.03 Monitor IT infrastructure: Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
DSS04.03 Develop and implement a business continuity response: Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
DSS05.01 Protect against malware: Implement and maintain preventive, detective and corrective measures (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc.
DSS05.02 Manage network and connectivity security: Use security measures and related management procedures to protect information over all methods of connectivity.
DSS05.07 Monitor the infrastructure for security-related events: Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that any events are integrated with general event monitoring and incident management.
Organisational Structures Enabler
Reference: Contribution to Response
Information security manager: Responsible for the implementation of security measures
Head of IT operations: Management of the incident response team to restore service in a timely fashion
Service manager: In case attacks are successful, communicate with end users and help to manage the response.
Chief security architect: Design of security measures
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
Information security is practiced in daily operations: To prevent logical attacks
People respect the importance of information security policies and principles: To prevent logical attacks
Stakeholders are aware of how to identify and respond to threats to the enterprise: To minimize the impact of logical attacks

Information Enabler
Reference: Contribution to Response
Incident response plan: Detailing the action to be undertaken in case of attack
Threat information: Intelligence regarding types of attacks
Monitoring reports: Identification of attack attempts, threat events, etc.
Services, Infrastructure and Applications Enabler
Reference: Contribution to Response
Firewall: Prevent successful logical attacks.
Security information and event management (SIEM): Provides real-time analysis of security alerts generated by network hardware and applications.
Network management tools/vulnerability scanners: Identifying and reporting weaknesses
Monitoring and alert services: Timely notification of potential threats
People, Skills and Competencies Enabler
Reference: Contribution to Response
Information security skills: Preventing and reducing the impact of logical attacks by implementing controls
IT technical skills: Appropriate configuration of IT infrastructure, such as firewalls and critical network components, to prevent logical attacks

Risk Scenario Category 17: Industrial Action

Risk Scenario Category: Industrial action
Principles, Policies and Frameworks Enabler
Reference: Contribution to Response
HR policy: Define rights and obligations of all staff, detailing acceptable and unacceptable behavior by the employees, and in doing so manage the risk that is linked to human behavior.
Vendor management policy: Define backup or emergency service delivery options.
Process Enabler
Reference and Title: Governance and Management Practices
APO01.01 Define the organizational structure: Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.
APO07.01 Maintain adequate and appropriate staffing: Evaluate staffing requirements on a regular basis or on major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
APO07.02 Identify key IT personnel: Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
APO07.05 Plan and track the usage of IT and business human resources: Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans and business and IT recruitment processes.
Organisational Structures Enabler
Reference: Contribution to Response
Head of HR: Responsible for establishing expectations from and about staff
Legal group: Support initial contracting and prosecution in case of breach of contract.
Board of directors: Accountable for the well-functioning of the enterprise; top-level organizational structure for stakeholder communication
Business executives: Facilitating two-way communication with employees
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
Transparent and participative culture is an important focus point: To prevent industrial action from occurring
Information Enabler
Reference: Contribution to Response
Contract agreement with staff: Clear definition of responsibilities, rights and obligations for staff
Supplier contracts: Clear definition of responsibilities, rights and obligations for specific arrangements with suppliers
Knowledge repositories: Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc.
Resource shortfall analysis: Clear analysis of the critical level of resources
Services, Infrastructure and Applications Enabler
Reference: Contribution to Response
Third-party backup services: Temporary support in case of industrial action
People, Skills and Competencies Enabler
Reference: Contribution to Response
HR skills: Management of skills and competencies
Negotiation skills: Facilitate maximal two-way communication and ensure that minimal operational requirements are met after industrial action.
Litigation skills: Once prosecution is initiated, the proper skills are required to defend the interests of the enterprise.

Risk Scenario Category 18: Environmental

Risk Scenario Category: Environmental
Principles, Policies and Frameworks Enabler
Reference: Contribution to Response
Social and environmental policy: Environmental awareness should be part of the overall enterprise policy on corporate responsibility.
Vendor management policy: Environmental awareness should be included in all contracts and agreements with vendors.
Rules of behavior (acceptable use): Users should be made aware of their individual impact on the environment.
Process Enabler
Reference and Title: Governance and Management Practices
APO02.03 Define the target IT capabilities: Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.
APO04.03 Monitor and scan the technology environment: Perform systematic monitoring and scanning of the enterprise's external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.
BAI03.04 Procure solution components: Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.
DSS01.04 Manage the environment: Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.
DSS01.05 Manage facilities: Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
Organisational Structures Enabler
Reference: Contribution to Response
Head of IT operations: Responsible for managing the IT environment and facilities
Head architect: Design of environmentally friendly measures
Culture, Ethics and Behaviour Enabler
Reference: Contribution to Response
A clearly defined structure for ethical responsibility and a culture that promotes specific accountability is developed and supported: People are involved and aware of the consequences of environmental issues and are empowered to handle them according to ethical guidelines.
Information Enabler
Reference: Contribution to Response
IT strategy: Environmental awareness should be part of the IT strategy.
Asset register: To assess the environmental impact of the technology in use
Services, Infrastructure and Applications Enabler
Reference: Contribution to Response
Asset inventory: Helps identify assets that should be replaced to reduce environmental impact.
People, Skills and Competencies Enabler
Reference: Contribution to Response
Architecture development: Architectural development can assist in reducing the environmental impact of technology.
System development: Streamlining and optimizing the technology in use

Risk Scenario Category 19: Acts of Nature


Risk Scenario Category Acts of nature
Principles, Policies and Frameworks Enabler
Reference Contribution to Response
Backup policy Backups are available.
Business continuity and disaster Validate recoverability of data.
recovery policy
Process Enabler
Reference Title Governance and Management Practices
DSS01.04 Manage the Maintain measures for protection against environmental factors. Install specialized equipment and devices
environment. to monitor and control the environment.
DSS01.05 Manage facilities. Manage facilities, including power and communications equipment, in line with laws and regulations,
technical and business requirements, vendor specifications, and health and safety guidelines.
DSS04.03 Develop and Develop a business continuity plan (BCP) based on the strategy that documents the procedures and
implement a business information in readiness for use in an incident to enable the enterprise to continue its critical activities.
continuity response.
DSS04.04 Exercise, test and Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined
review the BCP. outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will
work as anticipated.
DSS05.05 Manage physical Define and implement procedures to grant, limit and revoke access to premises, buildings and areas
access to IT assets. according to business needs, including emergencies. Access to premises, buildings and areas should be
justified, authorized, logged and monitored. This should apply to all persons entering the premises, including
staff, temporary staff, clients, vendors, visitors or any other third party.
Organisational Structures Enabler
Reference Contribution to Response
Business continuity manager Accountable for business continuity plan (BCP)
Head IT operations Responsible for managing the IT environment and facilities
Chief information officer (CIO) Responsible for developing and implementing disaster recovery plans
Business process owners Responsible for developing and implementing business continuity plans
Culture, Ethics and Behaviour Enabler
Reference Contribution to Response
Stakeholders are aware of how to identify and respond to threats. People are involved and aware of how to react when an incident occurs.
Business management engages in continuous cross-functional collaboration to allow for efficient and effective business continuity programmes. The business is committed and proactively contributes to the preparation of continuity plans.
Information Enabler
Reference Contribution to Response
Insurance policy Insurance in case of acts of nature is available.
Facilities assessments reports The enterprise is aware of the state and risk of the facilities.
Incident response actions and communications: People are aware of how to react when an incident occurs.
Services, Infrastructure and Applications Enabler
Reference Contribution to Response
Monitoring and alert services Timely notification of potential threats
People, Skills and Competencies Enabler
Reference Contribution to Response
Information risk management Identify and formulate response to information risk related to acts of nature.
Technical understanding Technical expertise regarding specific and relevant acts of nature
Risk Scenario Category 20: Innovation
Principles, Policies and Frameworks Enabler
Reference Contribution to Response
IT strategy Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise.
Process Enabler
Reference Title Governance and Management Practices
APO02.01 Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
APO02.03 Define the target IT capabilities. Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.
APO03.01 Develop the enterprise architecture vision. The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
APO04.01 Create an environment conducive to innovation. Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.
APO04.02 Maintain an understanding of the enterprise environment. Work with stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified.
APO04.03 Monitor and scan the technology environment. Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.
APO04.04 Assess the potential of emerging technologies and innovation ideas. Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.
APO04.05 Recommend appropriate further initiatives. Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support.
APO04.06 Monitor the implementation and use of innovation. Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned.
Organisational Structures Enabler
Reference Contribution to Response
Chief executive officer (CEO) Accountable for creating the environment conducive for innovation
Strategy committee Accountable for taking forward and monitoring favorable innovation initiatives
Chief information officer (CIO) Accountable for identifying technology-based innovations and for assessing their potential
Innovation group Responsible for identifying innovation opportunities and for developing business cases for innovation initiatives
Culture, Ethics and Behaviour Enabler
Reference Contribution to Response
Willingness to take risk Innovation by definition is about new technologies and new ways of working, resulting in potential resistance and unsure benefits. However, not having a willingness to take risk will exclude upfront any potential for innovation.
Support of senior management for innovation initiatives Senior management support is required to fund the innovation initiatives and to support them to overcome initial resistance.
“Failure is allowed” Not every innovation project or initiative will be successful, and a certain amount of failure should be accepted as part of the price to pay for successful initiatives.
Information Enabler
Reference Contribution to Response
Innovation plan Innovations are clearly laid out so they can be monitored and incorporated into the enterprise’s strategic plans.
Recognition program Innovation needs to be adequately rewarded, according to an agreed-on and formalized plan.
Evaluation of innovation initiatives Formal evaluation of innovation initiatives facilitates executive decision making.
People, Skills and Competencies Enabler
Reference Contribution to Response
Leadership and communication Clarify the rationale for the architecture and the potential consequences.
Architecture skills Develop efficient and effective architecture aligned to the business requirements.
Chapter 6
Expressing and Describing Risk⁶
Preparation of a Risk Scenario Analysis
Risk scenarios can be used to describe risk and document the risk factors needed to estimate frequency and impact. Appendix 1
contains a generic template that has been developed to facilitate the documentation of information useful for treatment of the
risk scenario under analysis. Chapter 7 provides practical and detailed examples of risk scenarios, which are based on this
template. In total, there are 60 detailed risk scenario examples derived from the 20 risk scenario categories.

The template contains seven sections to document the following information:

• Risk Scenario Title
• Risk Scenario Category
High-level description of the scenario category. In total, there are 20 categories:
– 01 Portfolio establishment and maintenance
– 02 Programme/projects life cycle management
– 03 IT investment decision making
– 04 IT expertise and skills
– 05 Staff operations
– 06 Information
– 07 Architecture
– 08 Infrastructure
– 09 Software
– 10 Business ownership of IT
– 11 Suppliers
– 12 Regulatory compliance
– 13 Geopolitical
– 14 Infrastructure theft or destruction
– 15 Malware
– 16 Logical attacks
– 17 Industrial action
– 18 Environmental
– 19 Acts of nature
– 20 Innovation
• Risk Scenario
A detailed description of the practical risk/opportunity scenario, including a discussion of the potential negative and
positive outcomes.
• Risk Scenario Components
This section of the template clarifies the threat/vulnerability type of the detailed practical risk/opportunity scenario and
includes the following components:
– Threat Type
The nature of the event, e.g., malicious, accidental, an error, a failure of a well-defined process, a natural event, or an
external requirement.
– Actor
Who or what generates the threat that exploits a vulnerability. Actors can be internal to the enterprise or external,
human or nonhuman.
– Event
The event that will impact (positively or negatively) the achievement of the enterprise objectives. The event can be
disclosure (of confidential information), interruption or modification (of a system or a project), theft or destruction.
An event can also include ineffective design (of systems, processes, etc.), inappropriate use, changes in rules and
regulation that materially impact a system, or ineffective execution of processes, e.g., change management procedures,
acquisition procedures or project prioritization processes.

6 Content in this chapter is based on the following publications: ISACA, COBIT® 5 (the framework), USA, 2012; ISACA, COBIT® 5 for Risk, USA, 2013; ISACA, The Risk IT Practitioner Guide, USA, 2009.

– Asset/Resource
An asset is something of either tangible or intangible value that is worth protecting, including people, systems,
infrastructure, finances and reputation. A resource is anything that helps to achieve a goal. An asset/resource can be:
. Process
. People and skills
. Organizational structure
. Physical infrastructure (facilities, equipment, etc.)
. IT infrastructure, including computing hardware, networks, middleware
. Information
. Applications
Assets and resources can be identical. For example, IT hardware is an important resource because IT applications use it,
and it is an asset because it has a value to the enterprise.
– Time issues
. Timing of occurrence (critical, noncritical—Does the event occur at a critical moment?)
. Duration (short, moderate, extended—The duration of the event, e.g., extended outage of a service or data center)
. Detection (slow, moderate, instant)
. Time lag (immediate, delayed—Lag between the event and the consequence. Is there an immediate consequence,
e.g., network failure, immediate downtime, or delayed consequence, or an incorrect IT architecture with
accumulated high costs, over a time span of several years?)
• Risk Type
A description of which of the three risk types explained previously the scenarios derived from the generic scenario fit.

A “P” indicates a primary (higher degree) fit, and an “S” a secondary (lower degree) fit. Blank cells indicate that the risk
category is not relevant for the risk scenario at hand.
– IT Benefit/Value Enablement
Associated with opportunities, or missed opportunities, to use technology to improve efficiency or effectiveness of
business processes, or as an enabler for new business initiatives:
. Technology enabler for new business initiatives
. Technology enabler for efficient operations
– IT Programme and Project Delivery
Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and
programs as part of investment portfolios:
. Project quality
. Project relevance
. Project overrun
– IT Operations and Service Delivery:
Associated with all aspects of the business as usual performance of IT systems and services, which can bring
destruction or reduction of value to the enterprise:
. IT service interruptions
. Security problems
. Compliance issues
• Risk Response
Description of how the enterprise will respond to the risk. The purpose of defining a risk response is to bring risk in line
with the defined risk appetite and tolerance for the enterprise. Risk response can be:
– Risk avoidance
– Risk acceptance
– Risk sharing/transfer
– Risk mitigation
• Risk Mitigation Using COBIT 5 Enablers
Description of how the enterprise will work to prevent the risk from materializing. For risk mitigation possibilities, see the
COBIT 5 enablers in chapter 5. Provide the following information:
– Reference, title and description of one or more relevant enablers that can help to mitigate the risk
– The estimated effect that implementing this enabler will have on the frequency and impact of the risk. Possible values
are low, medium or high.
– Based on the two parameters of frequency and impact, indicate whether or not this enabler is essential (a key
management practice to mitigate the risk). An enabler is considered essential if it has a high effect on reducing either
impact or frequency of the scenario.
• Key Risk Indicators
Identification of a number of metrics to detect and monitor the risk scenario and the risk response
Chapter 7 provides 60 detailed examples of risk scenario analysis, which are based on the template in appendix 1.

Important: The detailed scenario examples do not replace the creative and reflective phase that every scenario-creating
exercise should contain. In other words, an enterprise should not blindly use the example scenarios and assume that
no other risk scenarios are possible or assume that every scenario contained in the list is applicable to the enterprise.
Intelligence and experience are needed to derive a relevant and customised list of scenarios, starting from the generic list.

Risk Analysis Methods—Quantitative vs. Qualitative


As mentioned previously, risk analysis is the process of estimating the two essential properties of each risk scenario:
• Frequency—The number of times in a given period (usually in a year) that an event is likely to occur
• Impact—The business consequences of the scenario

Several methods for risk analysis exist, ranging between high-level and mostly qualitative to very detailed and/or
quantitative, with hybrid methods in between. Both forms may be needed at different stages of the risk management
process. For example, qualitative tends to be better at the initial risk assessment stage to establish priorities, and
quantitative can then provide the required rigour and accuracy for the selected high-risk areas.

The enterprise’s culture, resources, skills and knowledge of IT risk management, environment, risk appetite, and its
existing approach to ERM will determine which methodology should be used.

The different methods—quantitative and qualitative—have some common limitations:


• No method is fully objective, and results of risk assessments are always dependent on the person performing them and
his/her skills and views.
• IT-risk-related data (such as loss data and IT risk factors) are very often of poor quality or quite subjective (e.g.,
process maturity, control weaknesses). Using structures or models can help to achieve more objectivity and can
provide at least a basis for discussion in the risk analysis.
• Quantitative approaches run the risk of creating over-confidence in complex models based on insufficient data.
However, over-simplified qualitative or quantitative models can also result in unreliable results.

Qualitative Risk Analysis


A qualitative risk assessment approach uses expert opinions to estimate the frequency and business impact of adverse
events. The frequency and the magnitude of impact are estimated using qualitative labels. These labels can vary depending
on the circumstances and different environments.

When to use, strengths, limitations, and weaknesses:


• In situations where there is only limited or low-quality information available, qualitative risk analysis methods are
usually applied.
• The major disadvantages of using the qualitative approach are a high level of subjectivity, great variance in human
judgements and lack of standardised approach during the assessment.
• However, qualitative risk assessment is usually less complex than quantitative analysis, and consequently is also
less expensive.

Quantitative Risk Analysis


As soon as quantitative values are used (e.g., ranges) to define qualitative values, or when only quantitative values are
used, it is a quantitative analysis. The essence of quantitative risk assessment is to derive the frequency and consequences
of risk scenarios, based on statistical methods and data.

When to Use, Strengths, Limitations, Weaknesses:


• Quantitative risk analysis can be more objective, to the extent that it is based on formal empirical data rather than opinion.
• Using purely quantitative methods requires sufficient, complete and reliable data on past and comparable events.
Obtaining these data is in many cases very difficult unless the enterprise has already embraced process improvement
and follows an approach such as Six Sigma for IT monitoring and productivity improvement.
• Some things are very hard or impossible to quantify—value of human life, cost of terrorist attacks or similar events,
loss of reputation.
Combining Qualitative and Quantitative, Moving Toward Probabilistic Risk Assessment


Both techniques have some advantages and disadvantages. Furthermore, neither of the approaches described previously
seems to meet all the requirements for management of IT risk to extensively support the overall ERM processes.

Analysis based on subjective opinions or estimated data may be insufficient. There is still the question of uncertainty.
How certain can one be about the results of risk assessment? Some advanced methods exist to increase reliability of risk
assessments, but these require deep statistical skills. They include:
• Probabilistic risk assessment—Using a mathematical model to structure the qualitative risk assessment while applying
quantitative risk assessment techniques and principles. Put simply, statistical models are used, and the data missing
to populate these models are collected using qualitative risk assessment methods (interviews, Delphi method, etc.).
• Monte Carlo simulation—A powerful method for combining qualitative and quantitative approaches. It is based on the
deterministic model described previously, but evaluates the model iteratively using sets of random numbers as inputs.
While a deterministic model provides a single expected value, Monte Carlo simulation gives the result as a probability
distribution, whose reliability depends on the quality of the information provided.
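The quantitative analysis section above notes that a qualitative label becomes quantitative once it is defined by a numeric range, and the Monte Carlo bullet above contrasts a single deterministic expected value with a probability distribution. The following Python block is an added example serving both passages; it is not code from this publication or from ISACA. The scenario, the mapping of frequency and impact labels to ranges, the choice of triangular sampling for expert estimates and Poisson sampling for event counts, and the annual loss tolerance are all constructed assumptions.

```python
"""Monte Carlo estimate of the annual loss from one IT risk scenario.

Added example, not from the ISACA publication. The scenario, the
label-to-range mapping and the tolerance figure are constructed.
"""
import math
import random
import statistics

# Qualitative labels defined by quantitative ranges (low, most likely, high).
# Defining the labels this way is what turns a qualitative estimate into a
# quantitative one. The values are constructed, not taken from any standard.
FREQUENCY_RANGES = {          # events per year
    "rare":     (0.02, 0.10, 0.30),
    "possible": (0.30, 1.00, 3.00),
    "frequent": (3.00, 12.0, 52.0),
}
IMPACT_RANGES = {             # loss per event, in currency units
    "minor":    (5_000, 20_000, 60_000),
    "moderate": (50_000, 200_000, 800_000),
    "severe":   (500_000, 2_000_000, 10_000_000),
}


def expected_annual_loss(freq_label, impact_label):
    """Deterministic estimate: most-likely frequency times most-likely impact.
    This is the single expected value a deterministic model produces."""
    return FREQUENCY_RANGES[freq_label][1] * IMPACT_RANGES[impact_label][1]


def poisson(rng, rate):
    """Number of events in one year for a given annual rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(freq_label, impact_label, iterations=20_000, seed=1):
    """Monte Carlo: repeatedly sample a frequency and per-event impacts from
    the ranges behind the labels and return the list of simulated annual
    losses, i.e. a distribution rather than one expected value."""
    rng = random.Random(seed)                          # fixed seed: repeatable
    f_low, f_mode, f_high = FREQUENCY_RANGES[freq_label]
    i_low, i_mode, i_high = IMPACT_RANGES[impact_label]
    losses = []
    for _ in range(iterations):
        rate = rng.triangular(f_low, f_high, f_mode)   # uncertainty in frequency
        events = poisson(rng, rate)                    # events in this year
        total = sum(rng.triangular(i_low, i_high, i_mode) for _ in range(events))
        losses.append(total)
    return losses


def summarise(losses, tolerance):
    """Mean, percentiles and the probability that the annual loss exceeds the
    enterprise's stated tolerance for this scenario."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "mean": statistics.fmean(ordered),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "p_exceed_tolerance": sum(1 for x in ordered if x > tolerance) / n,
    }


if __name__ == "__main__":
    # Constructed scenario: a "possible" event with "moderate" impact, against
    # a hypothetical annual loss tolerance of 1,000,000 for this scenario.
    deterministic = expected_annual_loss("possible", "moderate")
    result = summarise(simulate_annual_loss("possible", "moderate"), tolerance=1_000_000)
    print(f"deterministic expected annual loss: {deterministic:,.0f}")
    for key, value in result.items():
        print(f"{key:>20}: {value:,.2f}")
```

The deterministic figure (most-likely frequency times most-likely impact) is well below the simulated mean, because the ranges are skewed to the right; the p90 and p99 values and the exceedance probability are what a tolerance statement can be compared against, which a single expected value does not allow.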

Practical Guidance on Analysing Risk


The choice between qualitative and quantitative risk analysis depends on many factors:
• User needs—Is there a need for highly accurate data or is a qualitative approach adequate?
• Availability and quality of the data related to IT-related risk
• Time available for risk analysis
• Level of comfort and expertise of those experts who are giving input
Statistical data may be available in varying quantities and quality, ranging on a continuous scale from almost non-existent
to widely available. At the higher end of the scale, i.e., when a wide choice of statistical data are available, a quantitative
assessment might be the preferred risk assessment method; at the other end of the scale, with very little, incomplete or
poor data, a qualitative assessment may be the only available solution. Hybrid risk assessment methods may be applied to
situations in between both extremes described here.

There are many sources of data that can be leveraged to support risk analysis. Some of these sources can exist already
in the enterprise; for example, business process improvement (BPI), project management office (PMO), enterprise
architecture (EA), quality control (QC) and other organisations that collect similar data to support their functions.

The following section of this chapter describes some suggested techniques, most of which are qualitative and will be the
most commonly used. Despite their inherently lower precision, they can provide very insightful and relevant data because
they provide a model by which all risk can be measured and described using the same language and reference base,
eliminating the most notorious cases of subjectivity and ambiguity. For example:
• If a time frame is not specified in a scenario, then a conclusion that the likelihood of an event is ‘high’ may be
interpreted differently by different people. One person might assume that it is highly likely to occur this year, while
another person might assume that it means it is highly likely to happen eventually.
• If scales are not defined for loss magnitude, then one person’s subjective interpretation of ‘severe loss’ can be
significantly different from someone else’s interpretation.

Expressing Impact in Business Terms


Meaningful IT risk assessments and risk-based decisions require that IT risk be expressed in unambiguous and clear
business-relevant terms. Effective risk management requires mutual understanding between IT and the business over
which risk needs to be managed and why. All stakeholders must have the ability to understand and express how adverse
events may affect business objectives. This means that:
• An IT person should understand how IT-related failures or events can impact enterprise objectives and cause direct or
indirect loss to the enterprise.
• A business person should understand how IT-related failure or events can affect key services and/or processes.

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effects of
adverse events. Several techniques and options exist that can help the enterprise to describe IT risk in business terms,
and there is no right or wrong option. One has to choose the option that fits best with the enterprise and complement this
scheme with a range of scales to quantify the risk during risk analysis.

IT-related risk can be translated/expressed into business relevant terms, but a prescription for any single method does not
exist. Some available methods are discussed in the following sections.
The following considerations need to be made, irrespective of the choice of impact description method:
• Define impact scales that are linked to the chosen impact description method so that they are clear and unambiguous
for everyone and truly represent business objectives.
• Ensure that the chosen method and scales allow for the risk appetite to be easily defined, e.g., the acceptable and
unacceptable risk, in the same terms, across the enterprise.
• Ensure that IT-related scenarios are clearly mapped to the business impact descriptions. This means that dependencies
between events (e.g., hardware failure) and ultimate business impact and consequence (e.g., customers cannot place
orders, resulting in customer dissatisfaction) need to be mapped and included in every risk analysis.

Business Requirements for Information


Business requirements for information allow for the expression of business aspects related to the use of IT. They
express a condition to which information (in the widest sense), as provided through IT, must conform for it to be
beneficial to the enterprise.

Business requirements for information are:


• Effectiveness—Information is effective if it meets the needs of the information consumer who uses the information
for a specific task. If the information consumer can perform the task with the information, then the information
is effective. This corresponds to the following information quality goals: appropriate amount, relevance,
understandability, interpretability, objectivity.
• Efficiency—Whereas effectiveness considers the information as a product, efficiency relates more to the process
of obtaining and using information, so it aligns to the ‘information as a service’ view. If information that meets the
needs of the information consumer is obtained and used in an easy way (i.e., it takes few resources—physical effort,
cognitive effort, time, money), then the use of information is efficient. This corresponds to the following information
quality goals: believability, accessibility, ease of operation, reputation.
• Confidentiality—Confidentiality corresponds to the restricted access information quality goal.
• Integrity—If information has integrity, then it is free of error and complete. It corresponds to the following
information quality goals: completeness, accuracy.
• Availability—Availability is one of the information quality goals under the accessibility and security heading.
• Compliance—Compliance in the sense that information must conform to specifications is covered by any of
the information quality goals, depending on the requirements. Compliance to regulations is most often a goal or
requirement of the use of the information, not so much an inherent quality of information.
• Reliability—Reliability is often seen as a synonym of accuracy; however, it can also be said that information is
reliable if it is regarded as true and credible. Compared to integrity, reliability is more subjective, more related to
perception, and not just factual. It corresponds to the following information quality goals: believability,
reputation, objectivity.

The business impact of any IT-related event lies in the consequence of not achieving the information criteria. Describing
impact in these terms remains an intermediate technique: it does not yet express the business impact fully, e.g., the impact
on customers or in financial terms.

COBIT 5 Enterprise Goals and Balanced Scorecard


A further technique is based on the ‘enterprise goals’ concept of COBIT 5 (figure 15). Indeed, business risk lies in any
combination of those enterprise goals not being achieved. The COBIT 5 enterprise goals are structured in line with the
four classic balanced scorecard (BSC) perspectives: financial, customer, internal and growth.

COBIT 5 defines 17 generic enterprise goals. Figure 15 includes the following information:
• The BSC dimension under which the enterprise goal fits
• The enterprise goal description
• The relationship to the three main governance objectives—benefits realisation, risk optimisation and resource
optimisation. (‘P’ stands for primary relationship and greater impact on achievement and ‘S’ for secondary relationship
and less impact on achievement).

For practical purposes, one can imagine that for each enterprise goal, a translation is possible to express the
non-achievement of the goal in terms of its impact on the overall business.
Figure 15—Enterprise Goals

Relation to governance objectives: BR = benefits realisation, RO = risk optimisation, ReO = resource optimisation.
P = primary relationship, S = secondary relationship, - = no relationship.

BSC Dimension         Enterprise Goal                                          BR   RO   ReO
Financial             1. Stakeholder value of business investments             P    -    S
                      2. Portfolio of competitive products and services        P    P    S
                      3. Managed business risk (safeguarding of assets)        -    P    S
                      4. Compliance with external laws and regulations         -    P    -
                      5. Financial transparency                                P    S    S
Customer              6. Customer-oriented service culture                     P    -    S
                      7. Business service continuity and availability          -    P    -
                      8. Agile responses to a changing business environment    P    -    S
                      9. Information-based strategic decision making           P    P    P
                      10. Optimisation of service delivery costs               P    -    P
Internal              11. Optimisation of business process functionality       P    -    P
                      12. Optimisation of business process costs               P    -    P
                      13. Managed business change programmes                   P    P    S
                      14. Operational and staff productivity                   P    -    P
                      15. Compliance with internal policies                    -    P    -
Learning and Growth   16. Skilled and motivated people                         S    P    P
                      17. Product and business innovation culture              P    -    -
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 5

Extended Balanced Scorecard Criteria


A variant of the approach described in the previous paragraphs goes one step further, linking the BSC dimensions to a
limited set of more tangible criteria. The following criteria are often observed to be used for this purpose:
• Financial
– Share value
– Profit
– Revenue
– Cost of capital
• Customer
– Market share
– Customer satisfaction
– Customer service
• Internal
– Regulatory compliance
• Growth
– Competitive advantage
– Reputation

This set of criteria can be used selectively, and the user should be aware that there are still cause-effect relationships
included in this table (e.g., customer [dis]satisfaction can impact competitive advantage and/or market share). Usually a
subset of these criteria is used to express risk in business terms.

Westerman 4 ‘A’s—An Alternative Approach to Express Business Impact⁷


Another means of expressing IT risk in business terms is based on the 4A framework. This defines IT risk as the
potential for an unplanned event involving IT to threaten any of four interrelated enterprise objectives:
• Agility—Possess the capability to change with managed cost and speed.
• Accuracy—Provide correct, timely and complete information that meets the requirements of management, staff,
customers, suppliers and regulators.
• Access—Ensure appropriate access to data and systems, so that the right people have the access they need and wrong
people do not.
• Availability—Keep the systems (and their business processes) running, and recover from interruptions.

7 Westerman, G.; Hunter, R.; IT Risk—Turning Business Threats Into Competitive Advantage, Harvard Business School Press, USA, 2007

COSO ERM
The Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management (COSO ERM)—
Integrated Framework lists the following criteria to express business impact:⁸
• Strategic—High-level goals, aligned with and supporting the enterprise mission. Strategic objectives reflect
management’s choice as to how the enterprise will seek to create value for its stakeholders.
• Operations—These pertain to the effectiveness and efficiency of the enterprise’s operations, including performance
and profitability goals and safeguarding resources against loss.
• Reporting—These pertain to the reliability of reporting. They include internal and external reporting and may involve
financial and non-financial information.
• Compliance—These pertain to adherence to relevant laws and regulations

FAIR (Factor Analysis of Information Risk)⁹


The FAIR method is security-oriented in origin, but the impact criteria apply to all IT-related risk. The criteria used here are:
• Productivity—The reduction in an enterprise’s ability to generate its primary value proposition (e.g., income,
goods, services)
• Response—Expenses associated with managing a loss event (e.g., internal or external person-hours, logistical expenses)
• Replacement—The intrinsic value of an asset, typically represented as the capital expense associated with replacing
lost or damaged assets
• Competitive advantage—Losses associated with diminished competitive advantage
• Legal—Legal or regulatory actions levied against an enterprise
• Reputation—Losses associated with an external perception that an enterprise’s value proposition is reduced or
leadership is incompetent, criminal or unethical

Example COBIT 5 Enterprise Goals


Because there are multiple options for expressing IT risk in business terms, and there is no right or wrong option, one has
to choose the option that fits best with the enterprise and complement this scheme with a range of scales to quantify the
risk during risk analysis.

The following example demonstrates how COBIT 5 Enterprise goals can be used to achieve the link between the ‘atomic’
IT scenario and enterprise goals, i.e., how this scenario can jeopardise one or several enterprise goals:
• Impact is expressed in business-relevant terms, using the words of the ‘enterprise goals’ as used in COBIT 5. For
example, the enterprise, running an online travel business, has as its major enterprise goals: ‘Customer-oriented
service culture’ and ‘Business service continuity and availability’.
• The COBIT 5 framework cascades the enterprise goals to IT-related goals (how the goals of the IT department support
the achievement of the enterprise goals), and this link can also be read in the other direction: Not achieving an
IT-related goal might have a negative impact on the achievement of an enterprise goal. In the example, the ‘Business
service continuity and availability’ enterprise goal implies that IT pays importance to some specific IT-related goals,
e.g., alignment of IT and business strategy, managed IT-related business risk, delivery of IT services in line with
business requirements, adequate use of applications, information and technology solutions.
• This cascade is continued down to the IT process level and IT management practice level, using the same principle
that not achieving a ‘lower-level’ goal will jeopardise the achievement of the ‘higher-level’ goal. The IT goals set in
the example would require a number of IT processes to be excellent, including COBIT 5 processes APO09 Manage
Service Agreements, APO11 Manage Quality, BAI02 Manage Requirements Definition, BAI04 Manage Availability
and Capacity and some others. This would require the activities (as described in the process model for each COBIT 5
IT process) to be executed well.
• When analysing IT-related risk scenarios, each scenario can be linked to one or more IT processes, e.g., if the process
does not perform, the frequency and/or impact of the scenario will increase (refer also to Capability Risk Factors in the
Risk Factors section). Applying this cascade backwards, it is possible to trace all potential impact paths that an event
can have on business goals, and use this information in risk analyses. In the example, this means that any disruption of
the mentioned IT processes, e.g., lack of project management (BAI01), inadequate software testing (BAI06), or poor
third-party relationship management or service level management (APO09 and APO10), can have a negative impact
on the achievement of the stated service-oriented enterprise goals. Conversely, when these processes are mature and
actually being performed, the enterprise is in good shape to achieve the stated enterprise goals.
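The backward trace through the goals cascade described above, as an added example that is not part of the publication: it inverts a small "enterprise goal → IT-related goal → process" mapping and lists every impact path from a scenario's processes up to the enterprise goals. The two mapping fragments are assumptions built from the goals and processes named in the example, not the full COBIT 5 cascade tables.

```python
"""Trace the COBIT 5 goals cascade backwards: which enterprise goals can a
failing IT process jeopardise? Constructed example; the two mappings below
are illustrative fragments, not the full COBIT 5 cascade tables."""
from collections import defaultdict

# Enterprise goal -> IT-related goals that support it (assumed fragment).
ENTERPRISE_TO_IT_GOALS = {
    "Business service continuity and availability": [
        "Alignment of IT and business strategy",
        "Managed IT-related business risk",
        "Delivery of IT services in line with business requirements",
        "Adequate use of applications, information and technology solutions",
    ],
    "Customer-oriented service culture": [
        "Delivery of IT services in line with business requirements",
    ],
}

# IT-related goal -> COBIT 5 processes whose poor performance jeopardises it
# (assumed fragment using the processes named in the text).
IT_GOAL_TO_PROCESSES = {
    "Alignment of IT and business strategy": ["APO09", "APO10"],
    "Managed IT-related business risk": ["BAI01", "BAI06"],
    "Delivery of IT services in line with business requirements":
        ["APO09", "APO11", "BAI02", "BAI04"],
    "Adequate use of applications, information and technology solutions":
        ["BAI04", "BAI06"],
}


def invert(mapping):
    """Turn 'higher goal -> lower goals' into 'lower goal -> higher goals'
    so the cascade can be read upwards, as the text describes."""
    inverted = defaultdict(list)
    for higher, lowers in mapping.items():
        for lower in lowers:
            inverted[lower].append(higher)
    return inverted


PROCESS_TO_IT_GOALS = invert(IT_GOAL_TO_PROCESSES)
IT_GOAL_TO_ENTERPRISE_GOALS = invert(ENTERPRISE_TO_IT_GOALS)


def impact_paths(processes):
    """Every (process, IT-related goal, enterprise goal) path through which
    under-performance of one of the given processes can reach the business."""
    paths = []
    for process in processes:
        for it_goal in PROCESS_TO_IT_GOALS.get(process, []):
            for ent_goal in IT_GOAL_TO_ENTERPRISE_GOALS.get(it_goal, []):
                paths.append((process, it_goal, ent_goal))
    return paths


def jeopardised_enterprise_goals(processes):
    """The distinct enterprise goals a scenario linked to these processes threatens."""
    return sorted({ent_goal for _, _, ent_goal in impact_paths(processes)})


if __name__ == "__main__":
    # A scenario linked to inadequate software testing (BAI06) and weak
    # service level management (APO09).
    for path in impact_paths(["BAI06", "APO09"]):
        print(" -> ".join(path))
    print(jeopardised_enterprise_goals(["BAI06", "APO09"]))
```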

8 Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO); COSO Enterprise Risk Management Framework, USA, 2004, www.coso.org
9 Jones, Jack A., An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight LLC, 2005


Expressing Frequency
Some risk management methods use the terms ‘likelihood’ or ‘frequency’. In Risk Scenarios Using COBIT 5 for Risk, the
term ‘probability’ is preferred, indicating a quantitative measure such as a percentage, frequency of occurrence, or other
numerical metric.

Figure 16 proposes a scheme that can be used for expressing the probability of risk scenarios occurring. The example
uses a 0 to 5 scale, with a probability threshold associated with each scale value. In the example, a logarithmic scale has
been used for probability although, in many cases, this is not mandatory; linear scales can be used as well. Alternatively,
an index scale can be used. Probability is then translated into a number from 0 to 100, e.g., based on a logarithmic scale or
any other sort of scale. The choice for either method depends on how the results of the risk analysis will be presented,
e.g., in a risk matrix. In figure 16, a risk scenario that is estimated to occur five times in a year gets the score of 3.

Figure 16—Probability Rating
Frequency Rating    Times Occurring per Year
5                   100
4                   10
3                   1
2                   0.1
1                   0.01
0                   0.001
Source: The Risk IT Practitioner Guide, ISACA, USA, 2009, figure 25

Some enterprises prefer a three-level scale instead of a five-level scale. The advantage of such a scale is that analyses will
go faster and might look a bit easier; however, there is a loss of precision, and using a three-level scale has a tendency to
create a lot of ‘middle’ values because of people being averse to creating extreme cases, leading to even more inaccuracies.

Some enterprises assign labels, e.g., ‘very frequent’, ‘frequent’, ‘infrequent’, ‘rare’, to the scales mentioned in figure 16.
Using only these labels as a means of expressing frequency is not advisable because they can mean different things for
different risk scenarios and consequently can generate confusion. For example, an attempted network intrusion through
the firewall might happen hundreds of times per day, which may be considered ‘average’; an ‘average’ frequency of a hardware
failure (e.g., disk crash) might be once every two or three years. So the word ‘average’ means different frequencies for two
different scenarios and, hence, is not well suited as an objective and unambiguous indicator of frequency.

Risk Scenarios in Risk Response (Reduction)


Risk Response Workflow and Risk Response Options
The purpose of defining a risk response is to bring risk in line with the defined risk appetite for the enterprise. In other
words, a response needs to be defined such that as much future residual risk (current risk with the risk response defined
and implemented) as possible (usually depending on budgets available) falls within risk tolerance limits. The full risk
response workflow is depicted in figure 17.

This risk response evaluation is not a one-time effort; rather, it is part of the risk management process cycle. When risk
analysis of all identified risk scenarios, after weighing risk vs. potential return, has shown that risk is not aligned with the
defined risk appetite and tolerance levels, a response is required. This response can be any of the four possible responses
explained in the following sub-sections.
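A worked example, added here and not taken from the publication, that joins the two schemes just described: the figure 16 frequency rating (five occurrences a year scoring 3, and the optional 0 to 100 index scale) feeding a figure 17 style workflow that accepts scenarios within appetite and places the remaining candidate responses on the current-risk-level against benefit/cost-ratio grid. The impact scale, the additive risk level, the appetite threshold, the grid cut-offs and all scenario figures are assumptions labelled in the code.

```python
"""Rate scenario frequency on the figure 16 scale, decide which scenarios
exceed risk appetite, and place candidate responses on the figure 17 grid.
Constructed example; scales, thresholds and money figures are assumptions."""
import math
from dataclasses import dataclass

# Figure 16: rating -> lowest 'times per year' that earns it (log10 steps).
FREQUENCY_THRESHOLDS = [(5, 100), (4, 10), (3, 1), (2, 0.1), (1, 0.01), (0, 0.001)]
PRIORITY_ORDER = {"High Priority": 0, "Normal Priority": 1, "Low Priority": 2}

# Assumed parameters; the publication leaves these to each enterprise.
RISK_APPETITE = 6        # current risk level above this needs a response
HIGH_RISK_LEVEL = 8      # 'high' row of the figure 17 prioritisation grid
HIGH_BENEFIT_COST = 1.0  # 'high' column: benefit at least covers cost


def frequency_rating(times_per_year):
    """Figure 16 rating: the highest threshold the estimate reaches.
    Five occurrences a year lie between 1 and 10, so the score is 3."""
    for rating, threshold in FREQUENCY_THRESHOLDS:
        if times_per_year >= threshold:
            return rating
    return 0  # below 0.001 a year still maps to the lowest rating


def frequency_index(times_per_year):
    """The alternative 0..100 index the text mentions, here log10-scaled
    between the figure 16 end points (0.001 -> 0, 100 -> 100)."""
    lo, hi = math.log10(0.001), math.log10(100)
    x = min(max(times_per_year, 0.001), 100)
    return round(100 * (math.log10(x) - lo) / (hi - lo))


@dataclass
class Scenario:
    name: str
    times_per_year: float
    impact: int  # 0..5 impact rating on an assumed enterprise scale


@dataclass
class Response:
    scenario: str
    option: str     # mitigate | avoid | share/transfer | accept
    benefit: float  # expected loss avoided (constructed figures)
    cost: float


def current_risk_level(s):
    """Assumption: frequency rating plus impact rating, giving 0..10."""
    return frequency_rating(s.times_per_year) + s.impact


def priority(risk_level, benefit_cost_ratio):
    """Figure 17 grid: both high -> High, both low -> Low, else Normal."""
    risk_high = risk_level >= HIGH_RISK_LEVEL
    ratio_high = benefit_cost_ratio >= HIGH_BENEFIT_COST
    if risk_high and ratio_high:
        return "High Priority"
    if risk_high or ratio_high:
        return "Normal Priority"
    return "Low Priority"


def action_plan(scenarios, responses):
    """Accept what sits within appetite; rank the responses for the rest.
    Returns (scenario, option, priority, benefit/cost ratio) tuples."""
    plan = []
    for s in scenarios:
        level = current_risk_level(s)
        if level <= RISK_APPETITE:
            plan.append((s.name, "accept", "within appetite", None))
            continue
        for r in responses:
            if r.scenario != s.name or r.cost <= 0:
                continue  # a zero-cost response has no meaningful ratio
            ratio = r.benefit / r.cost
            plan.append((s.name, r.option, priority(level, ratio), round(ratio, 2)))
    # Priority band first, then the better benefit/cost ratio within a band.
    plan.sort(key=lambda e: (PRIORITY_ORDER.get(e[2], 3), -(e[3] or 0)))
    return plan


# Constructed estimates: the two frequency examples from the text, plus two
# scenarios that exceed the assumed appetite.
SCENARIOS = [
    Scenario("Disk crash on a file server", 0.4, 3),            # once in 2-3 years
    Scenario("Intrusion attempts at the firewall", 36500, 1),   # hundreds a day
    Scenario("Capacity shortfall takes the booking site down", 12, 5),
    Scenario("Ransomware outbreak on file servers", 0.5, 5),
]
RESPONSES = [
    Response("Capacity shortfall takes the booking site down", "mitigate", 500, 200),
    Response("Capacity shortfall takes the booking site down", "share/transfer", 100, 150),
    Response("Ransomware outbreak on file servers", "mitigate", 90, 120),
    Response("Ransomware outbreak on file servers", "share/transfer", 200, 100),
]

if __name__ == "__main__":
    for entry in action_plan(SCENARIOS, RESPONSES):
        print(entry)
```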

Risk Avoidance
Avoidance means exiting the activities or conditions that give rise to risk. Risk avoidance applies when no other risk
response is adequate. This is the case when:
• There is no other cost-effective response that can succeed in reducing the frequency and impact below the defined
thresholds for risk appetite.
• The risk cannot be shared or transferred.
• The exposure level is deemed unacceptable by management.
Some IT-related examples of risk avoidance may include:
• Relocating a data centre away from a region with significant natural hazards
• Declining to engage in a very large project when the business case shows a notable risk of failure
• Declining to engage in a project that would build on obsolete and convoluted systems because there is no acceptable
degree of confidence that the project will deliver anything workable
• Deciding not to use a certain technology or software package because it would prevent future expansion

Figure 17—Risk Response Workflow

[Flowchart; text recovered from the figure.]
Flow: Risk Scenarios → Risk Analysis → Risk Map → Risk Exceeding Risk Appetite → Select Risk Response Options → Risk Responses → Prioritise Risk Responses → Risk Action Plan With Prioritised Risk Responses
Risk Response Options: Mitigate, Avoid, Share/Transfer, Accept
Risk Response Parameters: Efficiency of Response, Response Effectiveness, Capability of Implementation of Response, Exposure
Risk Response Prioritisation (Current Risk Level against Benefit/Cost Ratio): High Priority when both are high, Low Priority when both are low, Normal Priority otherwise

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 42

Risk Acceptance
Acceptance means that exposure to loss is recognised but no action is taken relative to a particular risk, and loss is accepted
when/if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known, i.e., an informed
decision has been made by management to accept it as such (e.g., when cost of remediation outweighs the risk).

If an enterprise adopts a risk acceptance stance, it should carefully consider who can accept the risk—even more so with
IT risk. IT risk should be accepted only by business management (and business process owners), in collaboration with and
supported by IT, and acceptance should be communicated (i.e., documented) to senior management and the board (refer
to EDM03.02 detailed activities 5.3 and 5.4).

Some examples of risk acceptance may include:


• There may be a risk that a certain project will not deliver the required business functionality by the planned delivery
date. Management may decide to accept the risk and proceed with the project.
• If a particular risk is assessed to be extremely rare but very important (catastrophic) and approaches to reduce it are
prohibitive, management may decide to accept it.

Self-insurance is another form of risk acceptance, although this manages only magnitude of the loss and has no
impact on frequency.


Risk Sharing/Transfer
Sharing means reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common
techniques include insurance and outsourcing. Examples include taking out insurance coverage for IT-related incidents,
outsourcing part of the IT activities, or sharing IT project risk with the provider through fixed-price arrangements or
shared-investment arrangements. In both a physical and legal sense these techniques do not relieve an enterprise of the
risk ownership, but can involve the skills of another party in managing the risk and reduce the financial consequence
if an adverse event occurs. Also from a reputation point of view, risk transfer or sharing does not transfer ownership or
accountability over risk.

Some IT-related examples of risk sharing or transfer may include:


• A large organisation identified and assessed the risk of fire to its infrastructure across diverse geographic regions
and assessed the cost of sharing the impact of its risk through insurance coverage. It concluded that, because of the
location of its sites, the incremental cost of insurance and related deductibles was not prohibitive, and insurance
coverage was taken.
• In a major IT-related investment, project risk may be shared by outsourcing the development to an outsourcer for a
fixed price on a risk/reward basis.
• Some enterprises outsource some or all of their IT function to hosting enterprises and contractually share a portion of
the risk.
• Where application hosting is outsourced, the organisation always remains accountable for protecting client privacy, but
if the outsourcer is negligent and a breach occurs, risk (financial impact) might at least be shared with the outsourcer.

Other techniques contributing to risk sharing include:


• Large enterprises with multiple legal entities, where IT risk can be transferred to other divisions within the enterprise
(reinsurance is a common example)
• Statement on Standards for Attestation Engagements No. 16 (SSAE16) reporting, which allows a service organisation
to transfer a portion of a risk back to the client through the user control considerations section of the report

Risk Mitigation
Risk mitigation means that mitigating action is taken to reduce the frequency and/or impact of a risk. The most common
ways of mitigating risk include:
• Strengthening overall IT risk management practices, i.e., implementing sufficiently mature IT risk management processes
as defined by the COBIT 5 framework
• Introducing a number of control measures intended to reduce the frequency of an adverse event happening and/or
the business impact of an event, should it happen. Controls are, in the context of risk management, employed to
mitigate a risk, e.g., the policies, procedures and practices, structures, information flows, etc. The COBIT 5 set of
interconnected enablers provides a comprehensive set of controls that can be implemented. It is possible to identify,
for any given risk scenario that would exceed risk appetite, a set of COBIT 5 enablers (processes, organisational
structures, behaviours, etc.) that can mitigate the risk scenario. For a comprehensive list of controls (expressed as
COBIT 5 enablers) that can mitigate risk (for the list of example generic risk scenarios defined in chapter 4), refer
to chapter 5.
• Mitigating risk by other means or methods, e.g., the well-known IT management frameworks and standards that
can assist.


Chapter 7
Risk Scenario Analysis Examples
This chapter contains 60 detailed risk scenario analysis examples that have been prepared using the generic risk scenario
categories and possible outcomes described in figure 14 in chapter 4. The template described in chapter 6 has been used
to conduct the analysis of each risk scenario, and the list of COBIT 5 enablers described in chapter 5 has been used to
complete the risk mitigation section.

How to Read Risk Scenario Analysis


Risk Scenario Title—This is the unique and specific name for the risk scenario analysis example.
Risk Scenario Category—This is a reference to one of the 20 risk scenario categories described in figure 14, chapter 4.
Risk Scenario Reference12—This section is a number composed of the risk scenario category number and the risk
scenario reference number. For example, Risk Scenario Reference 0101 indicates that this particular analysis applies to:

Risk scenario category 01: “Portfolio establishment and maintenance”
Risk scenario reference 0101*:
  Negative outcome: “Wrong programmes are selected for implementation and are misaligned with corporate strategy and priorities.”
  Positive outcome: “Programmes lead to successful new business initiatives selected for execution.”

*Please note that there is not one example for every risk scenario reference within a risk scenario category; therefore, the
numbers are not sequential.

Risk Scenario—The examples used in this section are comprehensive versions of the generic positive or negative risk
scenarios described in figure 14. These examples have been prepared with more details to add context to the scenario and
help risk professionals explain risk in business terms.
Risk Scenario Components—This section provides examples of the information needed to calculate impact and
frequency and prepare possible risk responses (for detailed descriptions of the different sections in the risk scenario
analysis refer to chapter 6).
• Threat Type
• Actor
• Event
• Asset/Resource (Cause)
• Asset/Resource (Effect)
• Time issues
Risk Type—This describes the relationship between the risk scenario and the three different types of risk described in
COBIT 5 for Risk and chapter 2 of this publication (figure 4).
Possible Risk Responses—These are examples of risk responses that can be used to address the risk scenario.
Risk Mitigation Using COBIT 5 Enablers—This section offers a list of enablers that can be used to mitigate risk
impact or frequency.
Key Risk Indicators—This section offers a list of KRIs that have been defined for the IT Goals that can be impacted by
the risk scenario and KRIs defined for the Process enabler included in the risk mitigation section. (The complete list of
KRIs for IT Goals can be found in the COBIT 5 framework, and the complete list of KRIs for the Process enabler can be
found in COBIT 5: Enabling Processes.)

12 Risk scenario reference is used in the examples provided in this publication, but it is not included in the template. If necessary, the person preparing the
risk scenario analysis can include this section to specify risk scenario category and reference.


01 Portfolio Establishment and Maintenance


0101 Selected programs are not optimizing business benefits

Risk Scenario Title: Selected programs are not optimizing business benefits
Risk Scenario Category: 01 Portfolio establishment and maintenance
Risk Scenario Reference: 0101
Risk Scenario
The individual accountable for the selection of programs (chief executive officer [CEO]) made a questionable decision when selecting programs to fund.
The decision was driven by unclear and biased information that was provided by one of the key stakeholders and the internal and external auditors who
put a focus on fostering security controls and formalizing processes rather than supporting business growth.
Risk Scenario Components
Threat Type
The nature of the event is a failure in the decision-making process to take into account all stakeholder requirements and the ineffective prioritization of
these requirements.
Actor
The actor who generates the threat that exploits a vulnerability is internal—the CEO.
Event
The event is the ineffective execution of the program selection process.
Asset/Resource (Cause)
The resource that leads to the business impact is the program selection process.
Asset/Resource (Effect)
The resources that are affected are various business processes.
Time
The duration of the event is extended lack of supporting business growth. The timing of occurrence is noncritical. The event cannot immediately be
detected, and, therefore, detection is slow. The consequence is delayed because the selected programs will be implemented over a longer time span.
Risk Type
IT Benefit/Value Enablement (P): The allocation of priorities leads to the assignment of resources to strengthen the security of existing systems, and key
resources are not available for developing new services supporting business growth. Consequently, new business initiatives are not initiated.
IT Programme and Project Delivery (P): Ongoing projects need to be rescheduled due to the lack of resources.
IT Operations and Service Delivery (S): Security problems of (unimportant) services are being addressed.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The CEO is aware of the misalignment and accepts the impacts.
• Risk Sharing/Transfer: The enterprise requests third-party service providers to reevaluate contracts and adjust timelines and resources without
additional cost.
• Risk Mitigation: Reprioritization of ongoing projects to optimize business benefit.


Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | To enforce the use of the overall program/project methodology, including corporate policy on the business case or due diligence in order to improve the visibility of the relative value of programs (compared to each other). This policy should describe approval investment thresholds for program value. | High | Medium | YES

Process Enabler
Reference | Title | Governance and Management Practices | Effect on Frequency | Effect on Impact | Essential Control
EDM01.01 | Evaluate the governance system. | Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements and make a judgment on the current and future design of governance of enterprise IT. | High | High | YES
EDM01.02 | Direct the governance system. | Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for adequate decision making. | High | High | YES
EDM01.03 | Monitor the governance system. | Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. | High | High | YES
EDM02.01 | Evaluate value optimization. | Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation. | High | High | YES
EDM02.02 | Direct value optimization. | Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle. | High | High | YES
EDM02.03 | Monitor value optimization. | Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions. | High | High | YES
APO05.01 | Establish the target investment mix. | Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle, degree of risk, and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary. | Medium | Medium | NO
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Medium | Medium | NO
APO05.04 | Monitor, optimize and report on investment portfolio performance. | On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. | Medium | Medium | NO
APO05.05 | Maintain portfolios. | Maintain portfolios of investment programs and projects, IT services and IT assets. | Medium | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | Medium | NO

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief financial officer (CFO) | Help with alignment of strategy and priorities, overall view on programs. | High | Medium | YES

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program selection includes data-driven decisions | Decisions should be objective, nonbiased and based on supported information. | Medium | Medium | NO
Stakeholder engagement | The full range of success factors will be taken into account when selecting programs. | High | Medium | YES
Focus on enterprise objectives | Ensure alignment with corporate strategy and priorities. | High | Medium | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program business case | Improves the visibility of the relative value of programs (compared to each other). | High | Medium | YES
Defined investment mix | Improves the visibility of the relative value of programs (compared to each other). | High | Medium | YES

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Portfolio management tools | Decreases complexity and increases overview on programs and projects. | Medium | Low | NO

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business requirements analysis | Transparency on enterprise strategy, related business requirements and priorities. | High | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (06) Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits
• (06) Satisfaction survey of key stakeholders regarding the level of transparency, understanding and accuracy of IT financial information
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (13) Number of programmes needing significant rework due to quality defects
• (17) Level of business executive awareness and understanding of IT innovation possibilities
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM01) Level of stakeholder satisfaction (measured through surveys)
• (EDM02) Level of stakeholder satisfaction with the enterprise’s ability to obtain value from IT-enabled initiatives
• (EDM02) Percentage of IT initiatives in the overall portfolio where value is being managed through the full life cycle
• (EDM02) Level of stakeholder satisfaction with progress towards identified goals, with value delivery based on surveys
• (EDM02) Percentage of expected value realised
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case


0103 Incompatibility of business systems

Risk Scenario Title: Incompatibility of business systems
Risk Scenario Category: 01 Portfolio establishment and maintenance
Risk Scenario Reference: 0103
Risk Scenario
In a hospital, the chief of the radiology department decided to purchase a particular x-ray system from a vendor without consulting other departments
or IT. The department chiefs can decide on necessary equipment/programs and frequently make these decisions without considering the enterprise
architecture (EA). As the new system interacts with other systems in the enterprise (e.g., patient records, medication), automated information exchange
cannot be performed to keep the patient records up to date.
Risk Scenario Components
Threat Type
The nature of the event is a failure in the processes BAI03 Manage solutions identification and build and APO03 Manage enterprise architecture.
Actor
The actor who generates the threat that exploits a vulnerability is internal—the chief of the radiology department (business process owner).
Event
The event is an ineffective design and, consequently, an ineffective execution of the processes BAI03 Manage solutions identification and build and
APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the processes BAI03 Manage solutions identification and build and APO03 Manage enterprise
architecture, and the organizational structures, because, in the absence of a decision-making model, the chief of the department does not treat
information as an enterprise resource.
Asset/Resource (Effect)
The asset affected is information. The procured system potentially will be incompatible with other hospital systems, and, therefore, unable to share
information with other systems. Patient records may not be up to date (accuracy of information completeness and lack of consistent representation).
Time
The duration of the event is extended inconsistency in the presentation of patient records. The timing of occurrence is noncritical. Detection will be
instant because the business will recognize immediately the lack of consistent representation. The consequence is delayed because the event needs
proper analysis and changes in the system to make it compliant with the existing systems/architecture.
Risk Type
IT Benefit/Value Enablement (P): Efficiency of the hospital operations is reduced and affects patients (e.g., no re-use of x-ray images and time delay
in treatments).
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery (P): Information cannot be automatically exchanged between the systems, which leads to unmet resource needs
and inconsistent records.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The CEO and the chief of radiology accept the unaligned system and the additional resources required to update
incompatible systems.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Clarification of decision-making rights for purchasing systems, creation of (automated) interfaces and fostering enterprise
architecture principles (e.g., minimum standards for system interoperability).
Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | To enforce the use of the overall program/project methodology, including corporate policy on the business case or due diligence in order to improve the visibility of the relative value of programs (compared to each other). This policy should describe approval investment thresholds for program value. | Medium | Medium | NO

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM01.01 | Evaluate the governance system. | Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements and make a judgment on the current and future design of governance of enterprise IT. | Medium | Medium | NO
EDM01.02 | Direct the governance system. | Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for adequate decision making. | Medium | Medium | NO
EDM01.03 | Monitor the governance system. | Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. | Medium | Medium | NO
APO05.01 | Establish the target investment mix. | Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle, degree of risk, and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary. | Medium | Medium | NO
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | High | High | YES
APO05.04 | Monitor, optimize and report on investment portfolio performance. | On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. | Medium | Medium | NO
APO05.05 | Maintain portfolios. | Maintain portfolios of investment programs and projects, IT services and IT assets. | Medium | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | Medium | NO
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | High | High | YES

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Board of directors | Require approval when programs surpass a certain value threshold and risk level. | Medium | Medium | NO

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program selection includes data-driven decisions | Decisions should be objective, nonbiased and based on supported information. | High | Medium | YES
Stakeholder engagement | The full range of success factors will be taken into account when selecting programs. | High | Medium | YES
Focus on enterprise objectives | Ensure alignment with corporate strategy and priorities. | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business requirements analysis | Transparency on enterprise strategy, related business requirements and priorities | Medium | Low | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (03) Percentage of executive management roles with clearly defined accountabilities for IT decisions
• (03) Number of times IT is on the board’s agenda in a proactive manner
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Percentage of users satisfied with the quality of IT service delivery
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes that need significant rework due to quality defects
• (17) Level of business executive awareness and understanding of IT innovation possibilities
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM01) Level of stakeholder satisfaction (measured through surveys)
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied

0104 Unaligned Culture

Risk Scenario Title: Unaligned Culture
Risk Scenario Category: 01 Portfolio establishment and maintenance
Risk Scenario Reference: 0104
Risk Scenario
In an industrial enterprise, the key IT resources are being used to operate and maintain the financial reporting system; there is no focus on the maintenance of production planning and production systems, which results in a split in the culture of the IT staff. One part of the department is focused on the financial reporting system and is seen as the beneficial, finance/business-focused part; the other part is seen as the engineers. For the engineering part of the staff there are different career paths, a lack of motivation and disengagement, leading to lower productivity and innovation.
Risk Scenario Components
Threat Type
The nature of the event is a failure in prioritization.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is responsible for the assignment of IT resources is the
chief financial officer (CFO) function. The CFO puts the financial reporting system at the center of attention. A secondary internal actor is the Human
Resources (HR) department, which does not support staff motivation.
Event
The event is ineffective execution of the APO07 Manage human resources process.
Asset/Resource (Cause)
The resource that leads to the business impact is the APO07 Manage human resources process because HR management cannot demonstrate to the
engineers the value that they contribute and because there is a lack of integration of culture and processes.
Asset/Resource (Effect)
The resources that are affected are people and skills because the enterprise is losing knowledge and staff.
Time
The duration of the event is extended because the staff is demotivated. The timing of occurrence is noncritical. Because the lack of knowledge and
the rise in fluctuation cannot be detected immediately, the detection is slow. The consequence is delayed because the lack of staff and knowledge will
happen in the future.
Risk Type
IT Benefit/Value Enablement | P | Potential for innovation is unused because staff members are not involved.
IT Programme and Project Delivery | N/A |
IT Operations and Service Delivery | P | Investments in HR (knowledge) are ineffective when staff leave the company; service interruptions and security breaches can result due to disgruntled remaining staff; IT service interruptions can result due to departing staff.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Communicate the value that the engineers bring to the enterprise and provide individual rewards and motivation.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | To enforce the use of the overall program/project methodology, including corporate policy on the business case or due diligence in order to improve the visibility of the relative value of programs (compared to each other). This policy should describe approval investment thresholds for program value. | Medium | Low | NO

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO04.01 | Create an environment conducive to innovation. | Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas. | Low | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | High | YES
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | High | YES
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief financial officer (CFO) | Help with alignment of strategy and priorities, overall view on programs | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program selection includes data-driven decisions | Decisions should be objective, nonbiased and based on supported information. | High | Medium | YES
Stakeholder engagement | The full range of success factors will be taken into account when selecting programs. | High | Medium | YES
Focus on enterprise objectives | Ensure alignment with corporate strategy and priorities. | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program business case | Improves the visibility of the relative value of programs (compared to each other) | High | Low | YES
Defined investment mix | Improves the visibility of the relative value of programs (compared to each other) | High | Low | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business requirements analysis | Transparency on enterprise strategy, related business requirements and priorities | High | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (05) Percentage of IT services where expected benefits are realised
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO04) Increase in market share or competitiveness due to innovations
• (APO04) Enterprise stakeholder perceptions and feedback on IT innovation
• (APO04) Percentage of implemented initiatives with a clear linkage to an enterprise objective
• (APO04) Inclusion of innovation or emerging technology-related objectives in performance goals for relevant staff
• (APO04) Stakeholder feedback and surveys
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO07) Level of executive satisfaction with management decision making
• (APO07) Number of decisions that could not be resolved within management structures and were escalated to governance structures
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant

02 Programme/Projects Life Cycle Management


0201 Terminate failing projects

Risk Scenario Title: Terminate failing projects
Risk Scenario Category: 02 Programme/projects life cycle management
Risk Scenario Reference: 0201
Risk Scenario
A company decided to replace its existing enterprise resource planning (ERP) system and allocated a budget of EUR 5 million. The company planned a
two-year project and a big-bang approach to replacement of the existing systems and processes. The plan was based on the estimate prepared by a
provider that became a key stakeholder throughout the project. After spending EUR 50 million and three years of customizing, the enterprise did a
review on the project setup and decided to stop the initiative. The invested resources were lost. The lack of project risk management and benefit
management was obvious. The project could have been stopped in its very early stages, but the enterprise did not apply good management practice in
the project life cycle.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO05 Manage portfolio and BAI01 Manage programmes and projects.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is accountable for the monitoring and control of projects,
the Steering (Programs/Projects) Committee.
Event
The event is an ineffective design and/or ineffective execution of the processes APO05 Manage portfolio and BAI01 Manage programmes and projects.
Asset/Resource (Cause)
The resources that led to the business impact are the processes APO05 Manage portfolio and BAI01 Manage programmes and projects, which led to
inappropriate decision making. Organizational structure can also be the resource that led to the business impact because of the lack of a
decision-making model to be followed by the Steering (Programs/Projects) Committee.
Asset/Resource (Effect)
The assets affected are unimproved business processes due to the stopped initiative.
Time
The duration of the event is extended because a long period of time passes before the project is stopped. The timing of occurrence is noncritical. The
event is detected only after the project has been running for several years and, therefore, detection is slow. The consequence is delayed because a new
project must be started to improve the business processes.
Risk Type
IT Benefit/Value Enablement | P | Missed opportunity to achieve the planned enterprise benefits such as improved operation of the enterprise and transparency in planning
IT Programme and Project Delivery | P | Stranded costs for project delivery with no beneficial outcome
IT Operations and Service Delivery | N/A |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accept the fact that the enterprise continues without business operation improvement.
• Risk Sharing/Transfer: Share responsibility for the project failure with the provider who prepared the estimate, and request a refund for some of the cost of the project.
• Risk Mitigation: Stop the project (earlier) and apply an agile/staged approach to delivery of processes and systems rather than a big-bang replacement.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | Measuring visibility and true status for decision makers should be based on a common language and methodology: (a) create awareness regarding failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.) and information flows that induce corrective action; (b) to prevent failure, manage scope changes to existing projects strictly. | Medium | High | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Medium | High | YES
APO05.04 | Monitor, optimize and report on investment portfolio performance. | On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. | Medium | Low | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | High | YES
BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Take corrective action, if required. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project monitoring includes data-driven activities | Decisions should be objective, nonbiased and based on supported information. | Low | Low | NO
Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program benefit realization plan | This input will provide the necessary data to track the progress and estimate potential overrun. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills will allow estimating the consequences of failing projects such as potential budget overruns. | Low | Medium | NO

Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
Key Risk Indicators (KRIs) Related to Process Goals
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of active programmes undertaken without valid and updated programme value maps
• (BAI01) Frequency of status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Level of stakeholder satisfaction expressed at project closure review

0204 Routine delays in IT projects

Risk Scenario Title: Routine delays in IT projects
Risk Scenario Category: 02 Programme/projects life cycle management
Risk Scenario Reference: 0204
Risk Scenario
The IT organization of an enterprise initiated an IT security management project (implementing an information security management system [ISMS] with
the objective of obtaining a certificate) and planned a one-year time frame. After six months, the plan had to be rescheduled due to a number of missed
deadlines and a high uncertainty of meeting the project time line. The budget is already fully consumed. The organization does not have a view of a final
outcome and has uncertainty regarding required additional funds. The IT security manager is leading the project and puts more focus on technical issues
than on managing the project and delivering the results. The IT security manager does not see the delay of implementing the ISMS or the overspending
as a concern.

The risk is the possibility of not obtaining the certification, which has a negative impact on the enterprise’s image and ability to meet compliance
requirements. In addition, initial and ongoing costs for the ISMS and the time for successful delivery of the project results are unclear.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI01 Manage programmes and projects.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is accountable for the monitoring and the control of
projects, the Steering (Programmes/Projects) Committee.
Event
The event is an ineffective design and/or ineffective execution of the process BAI01 Manage programmes and projects.
Asset/Resource (Cause)
The resources that lead to the business impacts are the process BAI01 Manage programmes and projects and people and skills, because the project manager focuses on project content rather than on managing the project.
Asset/Resource (Effect)
The resource/asset that is affected is the process DSS05 Manage security services and the information because the security of information is
in danger.
Time
The duration of the event is extended because a long period of time passes before the project is on target. The timing of occurrence is noncritical. The
event is detected only after the project has been running for some time; therefore, detection is slow. The consequence is delayed because the project
runs over planned implementation and budget.
Risk Type
IT Benefit/Value Enablement | P | Missed opportunity to achieve the planned enterprise benefits such as improved operation of the enterprise and transparency in planning.
IT Programme and Project Delivery | P | Stranded costs for project delivery with no beneficial outcome
IT Operations and Service Delivery | N/A |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accepting that the enterprise continues without business operation improvement is a possible response. However, the enterprise has to consider that accepting this also means accepting the risk of reputational damage.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Stop the project (earlier) and apply an agile/staged approach to delivery of processes and systems.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | Measuring visibility and true status for decision makers should be based on a common language and methodology: (a) create awareness regarding failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.) and information flows that induce corrective action; (b) to prevent failure, manage scope changes to existing projects strictly. | High | High | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Medium | High | YES
BAI01.08 | Plan projects. | Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability. | Medium | High | YES
BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Take corrective action, if required | Medium | High | YES
Program/project sponsor | Overall accountable for budget tracking and value demonstration | Medium | Medium | NO
Program/project manager | Overall responsible for budget tracking and value demonstration | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact | Medium | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program benefit realization plan | This input will provide the necessary data to track the progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | This input will provide the necessary data to track the progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | Measuring visibility and true status for decision makers should be based on common language and methodology. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Portfolio management tools | Increase transparency on budgetary status | High | Low | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills will allow estimating the consequences of failing projects such as potential budget overruns. | Medium | Medium | NO

Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
Key Risk Indicators (KRIs) Related to Process Goals
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of changes from the investment programme reflected in the relevant portfolios
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Frequency of status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review

0205 Excessive delays in an IT-enabled business initiative

Risk Scenario Title: Excessive delays in an IT-enabled business initiative
Risk Scenario Category: 02 Programme/projects life cycle management
Risk Scenario Reference: 0205
Risk Scenario
The board of directors of a government-owned power, supply and distribution (whole cycle) enterprise decided to redefine the customer process (customer-facing connection, billing, etc.) and to renew the underlying information systems. A one-year program was planned, and the first program results were delivered with a two-year delay, while still suffering from quality issues and a lack of interoperability with other enterprise systems (connection of new customers, measurement of clients’ energy consumption, etc.).

An external provider was hired to support the change of customer processes and the underlying technology, which was new for the enterprise. The
enterprise staff was not convinced of the new system’s adequacy, particularly because the legacy system provided specific functionalities to the business
users that were not considered in the initial program planning and had to be developed in parallel.

The IT assets delivered by the program need to be corrected/amended to meet full functionality. Functional specifications were created, but developers deviated from those specifications without appropriate approval or feedback. The additional work and inefficiencies in service development caused delays in the deliveries, cost overruns on IT and on the provider’s services, and lower service quality to the customers, e.g., from incomplete information for customer service and support staff. A delay of 200 percent and a cost overrun of 100 percent summarize the performance of the program delivery.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI01 Manage programmes and projects.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is accountable for monitoring and control of projects, the
Steering (Programs/Projects) Committee or, specifically, the customer chief executive officer (CEO) and the chief information officer (CIO) in charge of
the project.
Event
The event is an ineffective design and/or ineffective execution of the process BAI01 Manage programmes and projects.
Asset/Resource (Cause)
The resources that lead to the business impact are the processes BAI01 Manage programmes and projects and BAI07 Manage change acceptance and transitioning, through poor testing of deliverables. Another resource is people and skills, because the project manager focuses on project content rather than on managing the project. Another resource is IT infrastructure, because the acquisition of IT assets did not work properly.
Asset/Resource (Effect)
The resources that are affected are business processes such as customer-facing connection and billing.
Time
The duration of the event is extended because a long period of time passes before the project is on target. The timing of occurrence is noncritical.
The event is detected only after the project has been running for some time. Therefore, detection is moderate. The consequence is delayed because the
project runs over planned implementation and budget.
Risk Type
IT Benefit/Value Enablement | P | Planned improvement in efficiency was not achieved and was delayed.
IT Benefit/Value Enablement | P | Other initiatives had to be postponed because of the delays, and the corresponding information systems could not be planned accordingly.
Programme and Project Delivery | P | Delayed delivery of project results
Programme and Project Delivery | P | Overrun of budget
Programme and Project Delivery | P | Incomplete functionality of the applications delivered and undetected errors in the systems due to weak testing
IT Operations and Service Delivery | S | Incomplete/inaccurate information that is provided to customer service, support and customers
IT Operations and Service Delivery | P | Delays in service provision to end customers (e.g., connecting new customers) due to incomplete/inaccurate information
IT Operations and Service Delivery | P | Information security problems caused by giving access to critical customer (individuals and enterprises) information due to inadequate security in application development
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accept that the enterprise continues without the business operation improvement and with the budget overrun.
• Risk Sharing/Transfer: Share responsibility for the project failure with the provider who prepared the estimate, and request a refund of part of the
project cost.
• Risk Mitigation: Use a proper project management office (PMO) and adequate processes to manage the program. Improve testing/quality assurance (QA)
and application security in the early phases of the program. Apply stringent identification of functional and security requirements and stringent testing
of the quality delivered.

Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | Measuring visibility and true status for decision makers should be based on a common language and methodology: (1) awareness of failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.), with information flows that induce corrective action; (2) to prevent failure, scope changes to existing projects need to be managed strictly. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Low | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | Low | High | YES
BAI01.06 | Monitor, control and report on the program outcomes. | Monitor and control program (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the program steering committee and the sponsors. | Medium | High | YES
BAI01.09 | Manage program and project quality. | Prepare and execute a quality management plan, processes and practices, aligned with the quality management system (QMS), that describes the program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated program and project plans. | Low | High | YES
BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. | High | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | Low | High | YES
BAI02.04 | Obtain approval of requirements and solutions. | Coordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions. | Low | Medium | NO
BAI03.02 | Design detailed solution components. | Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs). | Medium | Low | NO
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. | Medium | High | YES
BAI03.05 | Build solutions. | Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions. | Medium | High | YES
BAI03.06 | Perform quality assurance (QA). | Develop, resource and execute a quality assurance (QA) plan aligned with the quality management system (QMS) to obtain the quality specified in the requirements definition and the enterprise's quality policies and procedures. | Medium | High | YES
BAI03.07 | Prepare for solution testing. | Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure. | Medium | Medium | YES
BAI03.08 | Execute solution testing. | Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing. | Medium | High | YES
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Take corrective action, if required | Medium | High | YES
Program/project sponsor | Overall accountable for budget tracking and value demonstration | Medium | Medium | NO
Program/project manager | Overall responsible for budget tracking and value demonstration | Medium | Medium | NO

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact | Medium | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program benefit realization plan | This input will provide the necessary data to track progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | This input will provide the necessary data to track progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | Measuring visibility and true status for decision makers should be based on a common language and methodology. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Portfolio management tools | Increase transparency on budgetary status | High | Low | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills allow the consequences of failing projects, such as potential budget overruns, to be estimated. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost

Key Risk Indicators (KRIs) Related to Process Goals
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Frequency of status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution
• (BAI02) Percentage of business case objectives met by proposed solution
• (BAI02) Percentage of stakeholders not approving solution in relation to business case
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied
• (BAI07) Percentage of stakeholders satisfied with the completeness of testing process
• (BAI07) Number and percentage of releases not ready for release on schedule
• (BAI07) Number or percentage of releases that fail to stabilise within an acceptable period
• (BAI07) Percentage of releases causing downtime

03 IT Investment Decision Making


0302 Niche software construction

Risk Scenario Title Niche software construction


Risk Scenario Category 03 IT investment decision making
Risk Scenario Reference 0302
Risk Scenario
A specialized niche market company with many decades of experience and research offers state-of-the-art solutions that are commonly accepted
in the market.

Disregarding this fact, a client with an internal development department and staff, but without the necessary maturity in its software development
life cycle (SDLC) processes and its quality assurance (QA) department, decides to build its own solution. The client does not weigh the advantage of
purchasing this software against developing the solution internally, and it lacks a real understanding of the business and compliance requirements.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI03 Manage solutions identification and build, but also could be classified as accidental/error
because an external solution was not considered.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the Steering (Programme/Projects) Committee and the chief information
officer (CIO).
Event
The event can be classified as ineffective design and/or ineffective execution of the process BAI03 Manage solutions identification and build.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process BAI03 Manage solutions identification and build.
Asset/Resource (Effect)
The affected resources/assets are business processes, information and applications because the internally developed solution does not fit the
business and compliance requirements due to a lack of understanding.
Time
The timing of occurrence is critical because competitors already use solutions that fulfil the compliance requirements. The duration of the event is
extended because the internally developed solution must be amended to fit business and compliance requirements. The detection is slow because the
internally developed solution is misaligned with business and compliance requirements, which is not detected before final acceptance tests or before
the implementation is in production. The consequences are delayed because the internally developed solution must be improved or the external solution
must be implemented.
Risk Type
IT Benefit/Value Enablement | P | Missed opportunity to use a state-of-the-art solution to improve efficiency and effectiveness
IT Programme and Project Delivery | S | Lack of understanding of business and compliance requirements
IT Operations and Service Delivery | P | Inadequately tested systems because of insufficient maturity in QA
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts that the costs derived from internal development are going to be higher due to the time needed to
understand and develop the SDLC and QA processes and governance framework. The company also accepts the risk that its competitors may gain a
competitive advantage by the early adoption of a package solution while the company designs and builds its own solution. The company also accepts
the risk of penalties imposed by its regulators for non-compliance.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Develop and maintain a standard approach for program and project management and for solution identification and build.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | The policy should define who needs to be involved in investment decisions and what the chain of approval is. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | Low | High | YES
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | High | High | YES
APO06.04 | Model and allocate costs. | Establish and use an IT costing model based on the service definition, ensuring that allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources, including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities. | Low | Low | NO
APO06.05 | Manage costs. | Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed. | Low | High | NO
BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. | High | High | YES
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. | High | High | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Decision making process is data-driven | Decisions should be objective, nonbiased and based on supported information. | High | Medium | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business cases | Clarify the purpose, cost and return on investment (ROI) of IT initiatives. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business case analysis | Clarify the purpose, cost and ROI of IT initiatives. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Coverage of compliance assessments
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (06) Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits
• (06) Percentage of IT services with clearly defined and approved operational costs and expected benefits
• (06) Satisfaction survey of key stakeholders regarding the level of transparency, understanding and accuracy of IT financial information
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
Key Risk Indicators (KRIs) Related to Process Goals
• (APO03) Number of exceptions to architecture standards and baselines applied for and granted
• (APO03) Level of architecture customer feedback
• (APO03) Project benefits realised that can be traced back to architecture involvement (e.g., cost reduction through re-use)
• (APO03) Percentage of projects using enterprise architecture services
• (APO03) Number of identified gaps in models across enterprise, information, data, application and technology architecture domains
• (APO03) Level of architecture customer feedback regarding quality of information provided
• (APO03) Percentage of projects that utilise the framework and methodology to re-use defined components
• (APO03) Number of people trained in the architecture methodology and tool set
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Ratio between funds available and funds allocated
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (APO06) Number of budget changes due to omissions and errors
• (APO06) Number of deviations between expected and actual budget categories

• (APO06) Percentage of alignment of IT resources with high-priority initiatives
• (APO06) Number of resource allocation issues escalated
• (APO06) Percentage of overall IT costs that are allocated according to the agreed-on cost models
• (APO06) Percentage of variance amongst budgets, forecasts and actual costs
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of projects undertaken without approved business cases
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of active programmes undertaken without valid and updated programme value maps
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Number of resource issues (e.g., skills, capacity)
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied
• (MEA03) Average time lag between identification of external compliance issues and resolution
• (MEA03) Frequency of compliance reviews
• (MEA03) Number of critical non-compliance issues identified per year
• (MEA03) Percentage of process owners signing off, confirming compliance

0303 Infrastructure platform upgrade

Risk Scenario Title Infrastructure platform upgrade


Risk Scenario Category 03 IT investment decision making
Risk Scenario Reference 0303
Risk Scenario
A large enterprise needs to update its branches' mission-critical software to add new business functions that are needed to obtain higher revenues.
The company knows in advance that this software update requires a critical upgrade of the branches' IT infrastructure, because the new software will
not run on the current version.

The components of the branches' IT infrastructure are diverse, and many providers are needed to build the complete architecture. When the request
for proposal (RFP) is drawn up, the company does not take into account the different lead times each provider needs to deliver the required hardware.
Once the procurement process is initiated, the company finds out that a specific component cannot be provided, which blocks the entire infrastructure
implementation.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the management processes BAI03 Manage solutions identification and build, BAI02 Manage requirements
definition and APO03 Manage enterprise architecture and is a failure of the governance process EDM02 Ensure benefits delivery.
Actor
The actors that generate the threat that exploits a vulnerability are internal—overall, the Steering (Program/Projects) Committee and also the chief
information officer (CIO) and the head architect.
Event
The event can be classified as ineffective design and/or ineffective execution of the processes EDM02 Ensure benefits delivery, BAI03 Manage
solutions identification and build, BAI02 Manage requirements definition and APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process BAI03 Manage solutions identification and build.
Asset/Resource (Effect)
The affected resources/assets are business processes, information, infrastructure and applications because the company cannot update its
branches’ mission-critical systems, and people and enterprise because they must work with the out-of-date applications.
Time
Because the company needs the new systems for its branches to create higher revenues, the timing of occurrence is critical. The duration of the event
is extended because the infrastructure implementation is hindered. The detection is moderate because the event is detected during the procurement
process. The consequences are delayed because the company has to continue its business while using the incorrect IT architecture, with accumulated
high costs, over a time span of several years.
Risk Type
IT Benefit/Value Enablement | P | Missed opportunity to create more revenue with the new systems for the branches
IT Programme and Project Delivery | P | Identified solutions do not match the requirements.
IT Operations and Service Delivery | P | Inflexible architecture with accumulated high costs
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts and tolerates the inflexible architecture, does not achieve higher revenues and loses
business competitiveness.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise considers alternative providers to deliver the required piece of hardware. Additional contracts will be considered, and
the time losses and cost of opportunity will be accepted. The program of work is re-prioritized to ensure that the prerequisites are completed, to allow
for success. The governance framework for the infrastructure upgrades process must be followed and department managers must be trained.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | The policy should define who needs to be involved in investment decisions and what the chain of approval is. | Medium | Medium | NO
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM02.01 | Evaluate value optimization. | Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation. | Low | High | YES
EDM02.02 | Direct value optimization. | Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle. | Low | High | YES
BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. | Low | High | YES
BAI01.08 | Plan projects. | Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability. | Low | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | Low | High | YES
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Accountable for proper investment decision making | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Decision making process is data driven | Decisions should be objective, unbiased and based on supported information. | Low | Low | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |

Chapter 7
Risk Scenario Analysis Examples

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM02) Level of stakeholder satisfaction with the enterprise’s ability to obtain value from IT-enabled initiatives
• (EDM02) Percentage of IT initiatives in the overall portfolio where value is being managed through the full life cycle
• (EDM02) Level of stakeholder satisfaction with progress towards identified goals, with value delivery based on surveys
• (EDM02) Percentage of expected value realised
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of projects undertaken without approved business cases
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of active programmes undertaken without valid and updated programme value maps
• (BAI01) Frequency of status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution
• (BAI02) Percentage of business case objectives met by proposed solution
• (BAI02) Percentage of stakeholders not approving solution in relation to business case
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of demands for maintenance that go unsatisfied


0304 Purchase of redundant software

Risk Scenario Title: Purchase of redundant software
Risk Scenario Category: 03 IT investment decision making
Risk Scenario Reference: 0304
Risk Scenario
An enterprise purchases redundant software for a key business area. The new product competes with software that was purchased previously and is already in production. It was bought without reference to procurement because the purchase fell within the buyer's budgetary signature authority and was for use within the department for the duration.

This purchase represented a lack of conformance with organizational processes and policies. The system was not considered in the enterprise architecture (EA) and, therefore, lacked interoperability with other systems and software, and its functionality overlapped with other business functions.

Because the software was purchased by a key business user and the procurement process was immature, the software was not included in the enterprise strategy for business continuity and disaster recovery planning.

The new purchase required additional training for the department, further investment, and integration with existing systems.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO04 Manage innovation, APO05 Manage portfolio, APO06 Manage budget and cost and
BAI10 Manage configuration.
Actor
The actors that generate the threat that exploits a vulnerability are internal: overall, the Steering (Program/Projects) Committee, and also the key business user who purchased the software.
Event
The event can be classified as ineffective design and/or ineffective execution of the processes APO04 Manage innovation, APO05 Manage portfolio, APO06 Manage budget and cost and BAI10 Manage configuration.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are mainly the processes APO04 Manage innovation and BAI10 Manage configuration.
Asset/Resource (Effect)
The affected resources/assets are business processes, information, infrastructure and applications, because the new software lacks interoperability with other systems, and people and the enterprise, because they must use workarounds.
Time
The timing of occurrence is noncritical. The duration is extended, due to the cost of this inappropriate purchase and the additional burden the company had to carry to guarantee interoperability with existing systems. Detection is slow because the redundancy was not detected before the system was ready to use. The time lag is immediate because of the immature procurement process.
Risk Type (P = primary, S = secondary)
IT Benefit/Value Enablement | P | Immature procurement process
IT Programme and Project Delivery | N/A |
IT Operations and Service Delivery | S | Lack of interoperability with other systems
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Train all department heads on a centralized software catalogue for the enterprise. The governance framework for the software procurement process must be matured and must be followed. Department managers will be trained. All software purchases have to be added to the business continuity plan (BCP) and disaster recovery plan (DRP).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | The policy should define who needs to be involved in investment decisions and what the chain of approval is. | High | Medium | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.05 | Define the strategic plan and road map. | Create a strategic plan that defines, in cooperation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map. | Low | High | YES
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Low | High | YES
APO06.05 | Manage costs. | Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed. | Low | High | YES
APO08.04 | Coordinate and communicate. | Work with stakeholders and coordinate the end-to-end delivery of IT services and solutions provided to the business. | Low | High | YES
BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Accountable for proper investment decision making | High | Medium | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business cases | Clarify the purpose, cost and return on investment (ROI) of IT initiatives. | Medium | Low | NO
Prioritization and ranking of IT initiatives | Overview of IT initiatives to facilitate selection | Medium | Low | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business case analysis | Clarify the purpose, cost and ROI of IT initiatives. | Medium | Low | NO


Key Risk Indicators (KRIs) Related to IT Goals


• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (06) Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits
• (06) Percentage of IT services with clearly defined and approved operational costs and expected benefits
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Cost of application maintenance vs. overall IT cost
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Percentage of IT initiatives/projects championed by business owners
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO04) Increase in market share or competitiveness due to innovations
• (APO04) Enterprise stakeholder perceptions and feedback on IT innovation
• (APO04) Percentage of implemented initiatives that realise the envisioned benefits
• (APO04) Percentage of implemented initiatives with a clear linkage to an enterprise objective
• (APO04) Inclusion of innovation or emerging technology-related objectives in performance goals for relevant staff
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of changes from the investment programme reflected in the relevant portfolios
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (APO06) Number of budget changes due to omissions and errors
• (APO06) Number of deviations between expected and actual budget categories
• (APO06) Percentage of alignment of IT resources with high-priority initiatives
• (APO06) Number of resource allocation issues escalated
• (APO06) Percentage of variance amongst budgets, forecasts and actual costs
• (APO08) Percentage of alignment of IT services with enterprise business requirements
• (APO08) Ratings of user and IT personnel satisfaction surveys
• (APO08) Survey of business stakeholder technology level of awareness
• (APO08) Inclusion rate of technology opportunities in investment proposals
• (BAI10) Number of deviations between the configuration repository and live configuration
• (BAI10) Number of discrepancies relating to incomplete or missing configuration information
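The BAI10.05 practice and the two BAI10 KRIs above only bite in scenario 0304 if someone actually reconciles what is running against what the configuration repository says is approved. The Python script below is an added example, not part of the ISACA text: it compares a live software inventory with the approved catalogue, flags unregistered products, products that duplicate a capability already served, and registered products still outside BCP/DRP scope, and computes the "deviations between the configuration repository and live configuration" KRI. The catalogue, the inventory records and the capability labels are constructed for illustration, and the assumption that an asset-management agent reports a product name, the department it is installed in and a capability category is a simplification.

```python
"""Reconcile a live software inventory against the approved software catalogue.

Added example for scenario 0304 / BAI10.05; all data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogueEntry:
    product: str
    capability: str   # business capability served, e.g. "CRM"
    owner_dept: str
    in_bcp_drp: bool  # covered by business continuity / disaster recovery plans


# Constructed approved-software catalogue: the configuration repository's "desired target".
APPROVED = {
    "SalesForceOne": CatalogueEntry("SalesForceOne", "CRM", "Sales", True),
    "LedgerPro": CatalogueEntry("LedgerPro", "ACCOUNTING", "Finance", True),
    "DocVault": CatalogueEntry("DocVault", "DOCUMENT_MGMT", "IT", False),
}

# Constructed live inventory, as an asset-management agent might report it:
# (product, department where installed, vendor-reported capability category).
LIVE_INVENTORY = [
    ("SalesForceOne", "Sales", "CRM"),
    ("LedgerPro", "Finance", "ACCOUNTING"),
    ("DocVault", "Legal", "DOCUMENT_MGMT"),
    ("QuickCRM", "Marketing", "CRM"),  # bought on a departmental budget, never registered
]


def reconcile(approved, inventory):
    """Compare live inventory with the catalogue and return the findings a BAI10.05 review needs."""
    live_products = {product for product, _, _ in inventory}

    # Products running in production that the repository does not know about (scenario 0304).
    unregistered = sorted(live_products - approved.keys())

    # Products in the repository that no longer appear live: also a repository deviation.
    missing_from_live = sorted(approved.keys() - live_products)

    # Two or more products serving the same capability = functional overlap / redundancy.
    by_capability = defaultdict(set)
    for product, _, capability in inventory:
        by_capability[capability].add(product)
    redundant = {cap: sorted(prods) for cap, prods in by_capability.items() if len(prods) > 1}

    # Registered products still outside BCP/DRP scope (the scenario's mitigation requires inclusion).
    not_in_bcp_drp = sorted(p for p, entry in approved.items() if not entry.in_bcp_drp)

    return {
        "unregistered": unregistered,
        "missing_from_live": missing_from_live,
        "redundant_capabilities": redundant,
        "approved_not_in_bcp_drp": not_in_bcp_drp,
        # BAI10 KRI: deviations between the configuration repository and live configuration.
        "kri_repository_deviations": len(unregistered) + len(missing_from_live),
    }


if __name__ == "__main__":
    for key, value in reconcile(APPROVED, LIVE_INVENTORY).items():
        print(f"{key}: {value}")
```

Run periodically (the BAI10.05 cadence), the "unregistered" and "redundant_capabilities" findings are what would have surfaced the QuickCRM-style purchase before it reached production, and the deviation count can be trended as the BAI10 KRI.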


04 IT Expertise and Skills


0401 Human resources hiring policies

Risk Scenario Title: Human resources hiring policies
Risk Scenario Category: 04 IT expertise and skills
Risk Scenario Reference: 0401
Risk Scenario
The Human Resources (HR) department has strict general regulations regarding the maximum age for internal staff recruitment. This limit is affecting technical areas, which need it raised to ensure that the right expertise and skills are present in new personnel, because of the technologies (new and old) that continue to be in use and relied on in the enterprise architecture (EA).

Currently, the enterprise expects that 35 percent of its specialized professionals will retire in the next five years. A minimum standard of knowledge is required as the base for next-level internal training. Due to the complexity of the systems in production, the training process for new staff to gain the expertise needed to run daily operations has historically taken three years.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO07 Manage human resources, especially the management practices of maintaining adequate and
appropriate staffing and maintaining the skills and competencies of personnel.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the HR function.
Event
The event is an ineffective design of the process APO07 Manage human resources.
Asset/Resource (Cause)
The resource that leads to the business impact is the process APO07 Manage human resources.
Asset/Resource (Effect)
The resources that are affected are the IT processes in the technical area because of a lack of competent staff, and the IT architecture (information and
applications) because it cannot be maintained and improved adequately due to the lack of expertise and skills.
Time
The duration of the event is moderate because the policy can easily be changed. The timing of occurrence is noncritical. The lack of skills and expertise will be detected in moderate time. The consequence is delayed because the right staff has to be recruited, and this process can take quite a long time.
Risk Type (P = primary, S = secondary)
IT Benefit/Value Enablement | P | Lack of skills and expertise for using technology for new business initiatives
IT Programme and Project Delivery | P | Lack of skills and expertise may lead to poor project quality.
IT Operations and Service Delivery | P | The technical environment cannot be adequately maintained.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts the risk that it may be unable to recruit the right skills and experience, which will limit the enterprise’s
ability to design, build and deliver IT solutions to help deliver business goals. In addition, the enterprise may have to pay a premium for potential
recruits with the required skills and experience.
• Risk Sharing/Transfer: HR and IT are to share their responsibilities for the risk that the enterprise is taking by being unable to hire the right personnel.
• Risk Mitigation: IT can outsource and use contractors to cover critical skills shortages.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR policy | Describes the development of requirements for selecting and evaluating IT profiles throughout the entire career | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. | Low | Low | NO
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders and users throughout the enterprise. | Medium | Low | NO
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | High | YES
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | Medium | Medium | NO
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | High | YES
APO07.05 | Plan and track the usage of IT and business human resources. | Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and business and IT recruitment processes. | High | Low | YES
APO07.06 | Manage contract staff. | Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the enterprise's policies and meet agreed-on contractual requirements. | Low | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies | High | High | YES
Head of HR | Responsible for establishing expectations about staff | High | High | YES
Specific IT management functions | Responsible for identifying specific requirements | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |


Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Skills and competencies matrix | Describes the existing skills and competencies within the IT organization and allows for gap analysis. | High | Low | YES
Competency and career/skills development plans | Describe the required growth of specific IT profiles. | High | Medium | YES
Generic job function descriptions | Describe skills/experience and knowledge requirements for generic profiles within the IT organization | High | High | YES
Knowledge repositories | Minimize the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Medium | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR skills | Management of skills and competencies | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Cost of application maintenance vs. overall IT cost
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant
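The skills and competencies matrix listed as an information enabler above, together with APO07.02 (reliance on a single individual) and APO07.05 (tracking future demand), becomes actionable once the matrix is projected against known retirement dates and the scenario's three-year training lead time. The Python below is an added example, not from the ISACA text: it counts proficient holders of each critical skill year by year, lists single points of failure, and works out the latest year in which training of a replacement must start for each skill to keep at least two holders. The staff, skills and years to retirement are constructed, and the model assumes proficiency is binary and that nobody is hired unless the output says so.

```python
"""Skills-matrix gap analysis against a retirement horizon.

Added example for scenarios 0401/0404 (APO07.02, APO07.05); staff data is constructed.
"""
from collections import defaultdict

# Constructed skills matrix: staff -> (years until retirement, critical skills held at proficient level).
STAFF = {
    "alice": (1, {"mainframe_cobol", "batch_scheduler"}),
    "bob": (2, {"mainframe_cobol", "db2"}),
    "carol": (8, {"db2", "linux_ops"}),
    "dave": (12, {"linux_ops", "batch_scheduler"}),
}
REQUIRED_SKILLS = {"mainframe_cobol", "db2", "linux_ops", "batch_scheduler"}
TRAINING_YEARS = 3  # from the scenario: time for a new hire to become able to run daily operations
HORIZON_YEARS = 5   # from the scenario: retirement wave expected within five years


def coverage_by_year(staff, required, horizon):
    """Proficient holders of each required skill for each year 0..horizon, assuming no new hires."""
    table = {}
    for year in range(horizon + 1):
        counts = defaultdict(int)
        for years_left, skills in staff.values():
            if years_left > year:  # still employed in this year
                for skill in skills & required:
                    counts[skill] += 1
        table[year] = {skill: counts[skill] for skill in sorted(required)}
    return table


def single_points_of_failure(coverage, year):
    """Skills held by exactly one person in a given year (APO07.02: reliance on a single individual)."""
    return sorted(skill for skill, n in coverage[year].items() if n == 1)


def hiring_deadlines(staff, required, horizon, training_years, min_holders=2):
    """Latest year in which training of a replacement must start so every skill keeps min_holders.

    A zero or negative deadline means training should already be under way (input to
    APO07.05 sourcing plans). Skills that stay covered for the whole horizon are omitted.
    """
    coverage = coverage_by_year(staff, required, horizon)
    deadlines = {}
    for skill in sorted(required):
        for year in range(horizon + 1):
            if coverage[year][skill] < min_holders:
                deadlines[skill] = year - training_years
                break
    return deadlines


if __name__ == "__main__":
    cov = coverage_by_year(STAFF, REQUIRED_SKILLS, HORIZON_YEARS)
    for year, counts in cov.items():
        print(f"year {year}: {counts}  single points of failure: {single_points_of_failure(cov, year)}")
    print("start training by:", hiring_deadlines(STAFF, REQUIRED_SKILLS, HORIZON_YEARS, TRAINING_YEARS))
```

With the constructed data, mainframe and batch-scheduler skills drop to one holder after the first year and to zero after the second, so the deadlines come out negative: the enterprise in scenario 0401 is already late, which is the argument to put in front of HR when the age limit is discussed.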


0403 Ineffective leadership skills

Risk Scenario Title: Ineffective leadership skills
Risk Scenario Category: 04 IT expertise and skills
Risk Scenario Reference: 0403
Risk Scenario
The chief information officer (CIO) of a large enterprise has a strong technical operations background; however, he does not communicate regularly with other business unit managers. He lacks business acumen and, therefore, does not convey business understanding to his staff, nor does he maintain the alignment required for IT governance.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO01 Manage the IT management framework, particularly a failure of communication of
management objectives and direction.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the CIO.
Event
The event is an ineffective execution of the process APO01 Manage the IT management framework, but can also eventually be an ineffective design
of the organizational structure.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the process APO01 Manage the IT management framework and also the
organizational structure.
Asset/Resource (Effect)
The resources that are affected are business processes because the IT staff does not know about or does not understand the needs from the business.
IT personnel are also affected as they are unsatisfied because they cannot provide the solution and services expected from them.
Time
The duration of the event is extended because the CIO is not expected to change his behavior soon. The timing of occurrence is noncritical. Detection is moderate, because it takes time for the CIO's behavior to be recognized as a problem. The consequence is delayed because the CIO cannot be replaced, or his behavior changed, immediately.
Risk Type (P = primary, S = secondary)
IT Benefit/Value Enablement | P | Because IT staff does not understand business needs, IT misses the opportunity to be an enabler for successful business initiatives.
IT Programme and Project Delivery | P | Project quality suffers because requirements will not be fulfilled successfully.
IT Operations and Service Delivery | S | Business stakeholders are not satisfied with IT service delivery.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The governance board and upper management (C-level) have to be aware of this situation and decide whether the CIO is the right person for the job.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Human resources (HR) policy | Describes the development of requirements for selecting and evaluating IT profiles throughout the entire career | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. | High | High | YES
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | High | High | YES
APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | Low | Low | NO
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | High | YES
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | Medium | Medium | NO
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | High | YES
APO07.05 | Plan and track the usage of IT and business human resources. | Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and business and IT recruitment processes. | Low | Low | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of HR | Responsible for establishing expectations about staff | High | Low | YES


Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Awareness of business activities by IT staff | IT staff should know the core business activities of the enterprise they support. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Skills and competencies matrix | Describes the existing skills and competencies within the IT organization and allows for gap analysis. | High | Medium | YES
Competency and career/skills development plans | Describe the required growth activities for specific IT profiles. | Medium | Medium | NO
Generic function descriptions | Describe skills/experience and knowledge requirements for generic profiles within the IT organization. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR skills | Management of skills and competencies | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (15) Percentage of stakeholders who understand policies
• (15) Percentage of policies supported by effective standards and working practices
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO07) Level of executive satisfaction with management decision making
• (APO07) Number of decisions that could not be resolved within management structures and were escalated to governance structures
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant

Chapter 7
Risk Scenario Analysis Examples

0404 Critical staff turnover
Risk Scenario Title: Critical staff turnover
Risk Scenario Category: 04 IT expertise and skills
Risk Scenario Reference: 0404
Risk Scenario
A well-established software company with low personnel turnover did not allow for the time needed to prepare new specialised personnel before the
impending retirement of a large proportion of its staff. This situation primarily affects the morale of the remaining staff, who must work overtime to
support current operations.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO07 Manage human resources, especially the management practices to maintain adequate and
appropriate staffing and maintain the skills and competencies of personnel.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the human resources (HR) function.
Event
The event is an ineffective design and/or ineffective execution of the process APO07 Manage human resources. The event is also an interruption of
the development and/or maintenance of the software with which the company works.
Asset/Resource (Cause)
The resource that leads to the business impact is the process APO07 Manage human resources.
Asset/Resource (Effect)
The resources that are affected are the development and maintenance processes for the software with which the company works.
Time
The duration of the event is extended because new specialist staff is not easy to get. The timing of occurrence is critical because the company cannot
fulfil customer wishes, but the competitors can. The time to detect lack of skills and expertise will be slow. The consequence can easily be delayed
because the right staff has to be recruited, and this process can take quite some time.
Risk Type
Risk Type | P (primary)/S (secondary) | Description
IT Benefit/Value Enablement | P | Lack of skills and expertise for developing and maintaining the software products
IT Programme and Project Delivery | P | Lack of skills and expertise may lead to bad quality of projects and customer dissatisfaction.
IT Operations and Service Delivery | P | The technical environment cannot be adequately maintained to support the development and maintenance of the software products.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Contracting external staff
• Risk Mitigation: The enterprise considers a programme to retain critical staff while transitioning to an effective staffing model.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR policy | Describes the requirements for developing, selecting and evaluating IT profiles throughout the entire career | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | Medium | Low | NO
APO06.02 | Prioritize resource allocation. | Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options. | Medium | Low | NO
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | Medium | YES
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | High | Medium | YES
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies | High | High | YES
Head of HR | Responsible for establishing expectations about staff | High | High | YES
Specific IT management functions | Responsible for identifying specific requirements | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Medium | High | YES


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR skills | Management of skills and competencies | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO02) Percentage of objectives in the IT strategy that support the enterprise strategy
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Trends in ROI of initiatives included in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of projects in the IT project portfolio that can be directly traced back to the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Number of new enterprise opportunities realised as a direct result of IT developments
• (APO02) Achievement of measurable IT strategy outcomes part of staff performance goals
• (APO02) Frequency of updates to the IT strategy communication plan
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO06) Percentage of alignment of IT resources with high-priority initiatives
• (APO06) Number of resource allocation issues escalated
• (APO07) Level of executive satisfaction with management decision making
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant


0408 Pandemic disaster
Risk Scenario Title: Pandemic disaster
Risk Scenario Category: 04 IT expertise and skills
Risk Scenario Reference: 0408
Risk Scenario
A new strain of avian flu (developed in a secret lab) has broken out at a certain enterprise's main offices. The flu strain has infected a large number of
the enterprise's employees, including a number of the board of directors and the majority of the key IT personnel. The business continuity program
needs to be invoked immediately because governance and key IT services are disrupted by the absence of decision makers and support staff, severely
impacting business operations.
Risk Scenario Components
Threat Type
The nature of the event is the malicious act of developing the new strain of the avian flu and its release to the environment by the secret lab.
Actor
The actor that generates the threat that exploits the vulnerability is the external secret lab.
Event
The event is interruption of IT service and business processes.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the people from the secret lab.
Asset/Resource (Effect)
The assets/resources that are affected are the people and the organizational structure, specifically, the key staff/personnel of the main offices of the
company and the business processes.
Time
The duration of the event is extended, because the avian-flu-affected staff will not recover soon, if at all, so the lack of key personnel persists. The timing
of occurrence is critical because it affects most of the board of directors and the C-level at the same time, meaning key personnel and their backups or
deputies are not available. Detection of the event can be classified as immediate because the flu-affected personnel do not show up at the offices. For
the same reason, the time lag between event and consequence is immediate.
Risk Type
Risk Type | P (primary)/S (secondary) | Description
IT Benefit/Value Enablement | S | As innovation comes to a standstill, there are missed opportunities to use technology to improve efficiency and/or effectiveness.
IT Programme and Project Delivery | P | Programmes and projects are stopped, and there is no contribution of IT to new or improved business solutions for quite some time.
IT Operations and Service Delivery | P | Loss of operational stability, availability and protection, which can lead to destruction or reduction of value to the enterprise
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise needs to update the pandemic disaster plan to guarantee chain of command and the physical site security policy.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Human resources (HR) policy | Describes the requirements for developing, selecting and evaluating IT profiles throughout the entire career | Low | Low | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | Low | High | YES
DSS04.05 | Review, maintain and improve the continuity plan. | Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. | Low | Medium | NO
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies | Low | Medium | NO
Specific IT management functions | Responsible for identifying specific requirements | Low | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business analysis | Matching the business needs to the required IT skills | Low | Medium | NO


Key Risk Indicators (KRIs) Related to IT Goals


• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS01) Number of non-standard operational procedures executed
• (DSS01) Number of incidents caused by operational problems
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents


05 Staff Operations
0501 Inappropriate access rights
Risk Scenario Title: Inappropriate access rights
Risk Scenario Category: 05 Staff operations
Risk Scenario Reference: 0501
Risk Scenario
A business user builds up inappropriate access rights over time, from performing different roles within the enterprise. This results in the breakdown of
segregation of duties, allowing the user to commit fraudulent actions. The business user sets up a new supplier, inputs a fictitious invoice and pays the
invoice to an account that belongs to him.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process DSS06 Manage business process controls, especially the management practice manage roles,
responsibilities, access privileges and levels of authority.
Actor
The actor that generates the threat that exploits the vulnerability is internal: the business user.
Event
The event is an ineffective design and/or ineffective execution of the process DSS06 Manage business process controls, which leads to access
controls that provide inadequate and ineffective segregation of duties.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process DSS06 Manage business process controls.
Asset/Resource (Effect)
The assets/resources that are affected are the organizational structures (segregation of duties).
Time
The duration of the event is extended because the business user can defraud the company over a long period of time until the fraud is detected. The
timing of occurrence is noncritical. The event is not easily detected; usually such a fraud is uncovered only by accident and, therefore, detection is
slow. The consequences are delayed because the business user has to build up the different inappropriate access rights over time before he/she can
misuse them to defraud the company.
Risk Type
Risk Type | P (primary)/S (secondary) | Description
IT Benefit/Value Enablement | N/A |
IT Programme and Project Delivery | N/A |
IT Operations and Service Delivery | P | Security problems and compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Frequent review and immediate removal of inappropriate access rights
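The mechanism this scenario describes, rights accumulating across role changes until one person holds every step of a transaction, is what a periodic access review has to catch. The following is an added example (not part of the ISACA publication) of such a review: the role names, entitlements, toxic-combination rules and the two user records are constructed for illustration. It unions the entitlements of every assignment that was never revoked, checks them against the segregation-of-duties rules, and names the roles that contribute to each violation so the reviewer knows which grant to remove.

```python
"""Segregation-of-duties (SoD) review over accumulated entitlements.

Added example for scenario 0501 (not from the ISACA publication). Roles,
entitlements, toxic-combination rules and user records are constructed.
A user keeps the entitlements of every role that was never revoked, so the
review unions all active assignments before checking the SoD rules.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role -> entitlement mapping for an accounts-payable process.
ROLE_ENTITLEMENTS = {
    "vendor_master_clerk": {"vendor.create", "vendor.modify"},
    "ap_clerk": {"invoice.enter"},
    "ap_supervisor": {"invoice.approve"},
    "treasury": {"payment.release"},
}

# Constructed toxic combinations: one person holding every entitlement in a
# set can complete the end-to-end fraud described in the scenario.
SOD_RULES = {
    "create supplier and pay it": {"vendor.create", "invoice.enter", "payment.release"},
    "enter and approve own invoice": {"invoice.enter", "invoice.approve"},
    "approve and release payment": {"invoice.approve", "payment.release"},
}


@dataclass
class Assignment:
    role: str
    granted: date
    revoked: Optional[date] = None  # None: still active


@dataclass
class User:
    name: str
    assignments: list = field(default_factory=list)


def active_assignments(user: User, as_of: date) -> list:
    """Assignments granted on or before as_of and not yet revoked."""
    return [a for a in user.assignments
            if a.granted <= as_of and (a.revoked is None or a.revoked > as_of)]


def active_entitlements(user: User, as_of: date) -> set:
    """Union of the entitlements of every active assignment."""
    ents = set()
    for a in active_assignments(user, as_of):
        ents |= ROLE_ENTITLEMENTS.get(a.role, set())
    return ents


def sod_violations(user: User, as_of: date) -> list:
    """Names of the SoD rules fully satisfied by the user's entitlements."""
    ents = active_entitlements(user, as_of)
    return sorted(rule for rule, toxic in SOD_RULES.items() if toxic <= ents)


def contributing_roles(user: User, as_of: date, rule: str) -> list:
    """Active roles supplying at least one entitlement of a violated rule;
    this is what the reviewer needs in order to decide which grant to revoke."""
    toxic = SOD_RULES[rule]
    return sorted(a.role for a in active_assignments(user, as_of)
                  if ROLE_ENTITLEMENTS.get(a.role, set()) & toxic)


def review(users: list, as_of: date) -> dict:
    """{user name: [violated rules]} for every user with a violation."""
    report = {}
    for u in users:
        violations = sod_violations(u, as_of)
        if violations:
            report[u.name] = violations
    return report


# Constructed sample population. Alice changed jobs three times and nobody
# revoked her earlier roles; Bob's earlier role was revoked on transfer.
USERS = [
    User("alice", [
        Assignment("vendor_master_clerk", date(2018, 3, 1)),
        Assignment("ap_clerk", date(2020, 6, 1)),
        Assignment("ap_supervisor", date(2022, 1, 10)),
        Assignment("treasury", date(2023, 9, 1)),
    ]),
    User("bob", [
        Assignment("vendor_master_clerk", date(2020, 1, 1), revoked=date(2022, 1, 1)),
        Assignment("ap_supervisor", date(2022, 1, 1)),
    ]),
]

if __name__ == "__main__":
    for when in (date(2021, 1, 1), date(2024, 1, 1)):
        print(when, review(USERS, when))
    for rule in sod_violations(USERS[0], date(2024, 1, 1)):
        print(rule, "<-", contributing_roles(USERS[0], date(2024, 1, 1), rule))
```

Run as of 2021 the review is clean, because Alice cannot yet release payments; run as of 2024 it reports all three rules for her and nothing for Bob, which is the "slow detection" property of the scenario made visible: the violation only exists once the last role is added, so the review has to run on every role change, not once at onboarding.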
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | • Defines limitations on sharing and using information • Rules of behavior, acceptable use of technology and required precautions such as segregation of duties | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | High | Low | YES


Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of HR | Responsible for establishing expectations about staff | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leading by example | Everybody is responsible for the protection of information within the enterprise. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access and event logs | Detection of wrongful activity | Low | High | YES
Allocated roles and responsibilities/levels of authority | Provide clarity on organizational distribution | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Security administration skills | Preventing malicious activity | Yes | Low | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls within test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered


0503 Backup process failure
Risk Scenario Title: Backup process failure
Risk Scenario Category: 05 Staff operations
Risk Scenario Reference: 0503
Risk Scenario
The daily backup process fails to successfully back up all data files, and the failure goes undetected. An operational problem occurs, requiring the
backup to be restored. Only then is it discovered that it is not possible to do so, requiring the last successful backup to be restored, which is more than
one week old. This results in the loss of several days of processed transactions and the resulting management information.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes DSS01 Manage operations and DSS04 Manage continuity. The management practice that fails is to
manage backup arrangements.
Actor
The actor that generates the threat that exploits a vulnerability is internal—a failure of an internal backup process that is not detected by IT
operational staff.
Event
The event is an ineffective design and/or ineffective execution of the processes DSS01 Manage operations and DSS04 Manage continuity. Because it
is a failure of an internal backup process, the system sends an alert about the failure, but the alert is not picked up by IT operational staff.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the processes DSS01 Manage operations and DSS04 Manage continuity and people and
skills, due to the IT operational staff failure to pick up the data backup failure alert.
Asset/Resource (Effect)
The assets/resources that are affected are the business processes in which the processed transactions are lost, and the management information
that is also lost.
Time
The duration of the event is extended because it takes quite some time to reprocess the business transactions. The timing of occurrence is noncritical
at the time of the failure. Detection is immediate because, as soon as the operational staff try to restore the backup, they discover that it is not possible
to do so. The time lag between event and consequence is delayed because the backup failure may not be detected until the backup is required
for recovery.
Risk Type
Risk Type | P (primary)/S (secondary) | Description
IT Benefit/Value Enablement | N/A |
IT Programme and Project Delivery | N/A |
IT Operations and Service Delivery | P | Security problems—availability of information as well as compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Periodically test backups.
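The scenario turns on a failure alert that nobody acts on, so the control that matters is a check that does not depend on someone reading the alert: every day, for every dataset in scope, confirm that a recent successful backup exists, and periodically measure whether restores actually work. The following is an added example (not part of the ISACA publication) of both checks; the scheduler log format, the job records, the dataset list and the restore-test records are all constructed for illustration. The restore-test function computes the DSS04 KRI "percentage of successful and timely restoration from backup" from a list of test outcomes.

```python
"""Detecting a silent backup failure before a restore is needed.

Added example for scenario 0503 (not from the ISACA publication). The log
format, the job records, the in-scope dataset list and the restore-test
records are constructed. The daily check finds, per dataset, the most
recent successful run and raises a finding when it is older than the
agreed maximum backup age, when no run ever succeeded, or when a dataset
in scope produced no run at all (the "fails to back up all data files" case).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed backup-scheduler log: erp_db has failed for three nights,
# fileshare is healthy, and crm_db never appears although it is in scope.
SAMPLE_LOG = """\
2024-03-04T01:00:12Z job=nightly dataset=erp_db status=SUCCESS bytes=52100000000
2024-03-04T01:05:44Z job=nightly dataset=fileshare status=SUCCESS bytes=9800000000
2024-03-05T01:00:09Z job=nightly dataset=erp_db status=FAILED error="tape drive offline"
2024-03-05T01:05:51Z job=nightly dataset=fileshare status=SUCCESS bytes=9810000000
2024-03-06T01:00:10Z job=nightly dataset=erp_db status=FAILED error="tape drive offline"
2024-03-06T01:05:48Z job=nightly dataset=fileshare status=SUCCESS bytes=9820000000
2024-03-07T01:00:11Z job=nightly dataset=erp_db status=FAILED error="tape drive offline"
"""

IN_SCOPE = ["erp_db", "fileshare", "crm_db"]  # constructed backup scope
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\S+) job=\S+ dataset=(?P<ds>\S+) status=(?P<st>\S+)")


@dataclass
class JobRun:
    when: datetime
    dataset: str
    status: str


def parse_log(text: str) -> list:
    """Parse scheduler lines; lines that do not match the format are skipped."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            runs.append(JobRun(datetime.strptime(m["ts"], TS_FORMAT), m["ds"], m["st"]))
    return runs


def backup_findings(runs: list, in_scope: list, now: datetime,
                    max_age: timedelta = timedelta(hours=36)) -> dict:
    """{dataset: reason} for every in-scope dataset without a fresh success."""
    by_ds = {}
    for r in runs:
        by_ds.setdefault(r.dataset, []).append(r)
    findings = {}
    for ds in in_scope:
        history = sorted(by_ds.get(ds, []), key=lambda r: r.when)
        if not history:
            findings[ds] = "no backup run recorded"
            continue
        successes = [r for r in history if r.status == "SUCCESS"]
        if not successes:
            findings[ds] = "no successful run in log"
            continue
        age = now - successes[-1].when
        if age > max_age:
            findings[ds] = f"last success {age.days} days old; latest run {history[-1].status}"
    return findings


def check_sample(now_iso: str = "2024-03-07T08:00:00Z") -> dict:
    """Run the daily check over the constructed log at the given instant."""
    return backup_findings(parse_log(SAMPLE_LOG), IN_SCOPE,
                           datetime.strptime(now_iso, TS_FORMAT))


def restore_test_kri(results: list) -> float:
    """DSS04 KRI: percentage of restore tests that succeeded within their RTO.
    results: list of (succeeded: bool, duration: timedelta, rto: timedelta)."""
    if not results:
        return 0.0
    timely = sum(1 for ok, took, rto in results if ok and took <= rto)
    return round(100.0 * timely / len(results), 1)


# Constructed restore-test records: two restores succeeded, one of them
# overran its recovery time objective, and one failed outright.
RESTORE_TESTS = [
    (True, timedelta(hours=2), timedelta(hours=4)),
    (True, timedelta(hours=6), timedelta(hours=4)),
    (False, timedelta(hours=0), timedelta(hours=4)),
]

if __name__ == "__main__":
    for ds, why in check_sample().items():
        print(f"FINDING {ds}: {why}")
    print("restore KRI:", restore_test_kri(RESTORE_TESTS), "%")
```

The check deliberately keys on the absence of a success rather than the presence of a failure: a dataset that silently dropped out of the schedule produces no failure alert at all, which is exactly the case the scenario describes, and only a scope-driven check catches it.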
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Rules of behavior, acceptable use of technology and required precautions | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.01 | Perform operational procedures. | Maintain and perform operational procedures and operational tasks reliably and consistently. | High | High | YES
DSS04.04 | Exercise, test and review the business continuity plan (BCP). | Test the continuity arrangements on a regular basis to exercise the recovery plans against pre-determined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | High | High | YES
DSS04.07 | Manage backup arrangements. | Maintain availability of business-critical information | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Responsible for technical protection of assets and information | High | High | YES
Head of IT operations | Responsible for managing the operational environment | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leading by example | Everybody is responsible for the protection of information within the enterprise. | Medium | Medium | NO
Culture of preventing errors and accidents | People respect the importance of policies and procedures. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor


Key Risk Indicators (KRIs) Related to Process Goals


• (DSS01) Number of non-standard operational procedures executed
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS04) Percentage of successful and timely restoration from backup or alternate media copies
• (DSS04) Percentage of backup media transferred and stored securely
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of disaster recovery tests
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials


0506 Disclosure of client data to a competitor
Risk Scenario Title: Disclosure of client data to a competitor
Risk Scenario Category: 05 Staff operations
Risk Scenario Reference: 0506
Risk Scenario
An internal member of staff, who has authorized access to sales information, makes an unauthorized copy of commercially sensitive data. This sales
representative downloads and copies the customer database to a USB drive, and then gives it to a competitor of the enterprise.
Risk Scenario Components
Threat Type
The nature of the event is a malicious action of an employee.
Actor
The actor that generates the threat that exploits the vulnerability is an internal member of staff, who has authorized access to sales information and
makes an unauthorized copy of the information.
Event
The event is theft and disclosure of commercial information.
Asset/Resource (Cause)
The resource that leads to the business impact is people, the sales representative.
Asset/Resource (Effect)
The asset/resource that is affected is the sensitive business/commercial information.
Time
The duration of the event is likely to be extended because the disclosure of commercial data can continue for a long period of time before it is detected.
The timing of occurrence is noncritical. Because theft of data is usually detected only by accident, the event cannot be detected immediately and
detection is classified as slow. The time lag between event and consequence is delayed; typically, more and more customers move to the competitor over time.
Risk Type
Risk Type | P (primary)/S (secondary) | Description
IT Benefit/Value Enablement | N/A |
IT Programme and Project Delivery | N/A |
IT Operations and Service Delivery | P | Security problems
IT Operations and Service Delivery | S | Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Recruitment procedures, access controls and data loss prevention (DLP) controls will be implemented and/or improved.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | • Defines limitations on sharing and using information • Rules of behavior, acceptable use of technology and required precautions such as segregation of duties | High | Low | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | Low | Low | NO
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | Low | Low | NO

Chapter 7
Risk Scenario Analysis Examples

Process Enabler (cont.)
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO07.04 | Evaluate employee job performance. | Perform timely performance evaluations on a regular basis against individual objectives derived from the enterprise’s goal, established standards, specific job responsibilities, and the skills and competency framework. Employees should receive coaching on performance and conduct whenever appropriate. | Medium | Low | NO
APO07.06 | Manage contract staff. | Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the enterprise’s policies and meet agreed-on contractual requirements. | Medium | Low | NO
DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | High | Low | NO
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | Medium | Medium | NO
DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens. | Medium | Low | NO
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | High | Low | YES
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | Low | Low | NO
DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Responsible for technical protection of assets and information | High | Low | YES


Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access and event logs | Detection of wrongful activity | Low | High | YES
Allocated roles and responsibilities/levels of authority | Provide clarity on organizational distribution. | High | Low | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access control management | To prevent unauthorized physical access | High | Low | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Security management skills | Preventing malicious activity | High | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (16) Percentage of staff satisfied with their roles
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents
• (DSS05) Number of incidents relating to unauthorised access to information
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations


06 Information
0602 Uncontrolled shutdown

Risk Scenario Title: Uncontrolled shutdown
Risk Scenario Category: 06 Information
Risk Scenario Reference: 0602
Risk Scenario
A company that relies heavily on its e-commerce sales system is not protected by an uninterruptible power supply (UPS), backup generator or database
management system (DBMS) transaction rollback facility. Following a power failure, the server running the e-commerce sales system does not perform a
controlled shutdown, which results in the database tables becoming corrupted.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process DSS06 Manage business process controls. It is the failure of the management practice to control the
processing of information and the respective activity and to maintain the integrity of data during unexpected interruptions in business processing and
confirm data integrity after processing failures.
Actor
Not every type of threat requires an actor, e.g., failures of equipment or natural causes. This event is a clear failure of equipment (UPS) or the procedure
‘controlled shutdown’ and there is no actor for this event.
Event
The event is either an ineffective design or an ineffective execution of a process or operational procedure (system shutdown). However, the event
can also be classified as destruction of the database.
Asset/Resource (Cause)
The asset that leads to the business impact is the infrastructure (power supply).
Asset/Resource (Effect)
The asset/resource that is affected is information, the corrupted database.
Time
The duration of the event is extended because the database stays corrupted and has to be recovered from the backups. The time of occurrence of the
event (power failure) is critical because, at that time, the equipment was not in a state to perform a controlled shutdown. The detection is immediate
because the lack of integrity of the database is discovered immediately after the restart of the systems. The time lag between event and consequence is
immediate because the database is corrupted directly by the event (uncontrolled shutdown).
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P IT service interruption
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Maintain the integrity of data during unexpected interruptions in business processing, and confirm data integrity after processing
failures. Installation of a UPS, backup generator and DBMS transaction rollback facility.
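The mitigation relies on two things the scenario's system lacked: a DBMS that keeps a half-finished transaction out of the database, and a check that confirms data integrity after the failure (DSS06.04). The following is an added example, not part of the ISACA text, that models both with Python's built-in SQLite; the e-commerce schema, the sample orders and the simulated interruption are constructed for the illustration, and `atomic=False` stands in for a system with no rollback facility by running SQLite in autocommit mode.

```python
"""Atomic order processing with rollback, plus a post-failure integrity check.

Added example (not from the ISACA text) modelling the e-commerce sales system
of scenario 0602. Schema, orders and the interruption are all constructed here.
"""
import sqlite3

SCHEMA = """
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer    TEXT    NOT NULL,
    total_cents INTEGER NOT NULL
);
CREATE TABLE order_lines (
    order_id    INTEGER NOT NULL REFERENCES orders(order_id),
    sku         TEXT    NOT NULL,
    qty         INTEGER NOT NULL,
    price_cents INTEGER NOT NULL
);
"""


class PowerFailure(Exception):
    """Stands in for the interruption; a real process would simply die here."""


def open_sales_db(atomic=True):
    # isolation_level=None is sqlite3's autocommit mode: every statement becomes
    # durable on its own, i.e. a system with no transaction rollback facility.
    conn = sqlite3.connect(":memory:", isolation_level="DEFERRED" if atomic else None)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def place_order(conn, customer, lines, fail_after_header=False):
    """Write the order header and its lines as one unit of work.

    In transactional mode sqlite3 opens a transaction before the first INSERT and
    the 'with conn' block commits on success or rolls back on any exception, so an
    interruption between the two writes leaves no half-written order behind.
    """
    total = sum(qty * price for _, qty, price in lines)
    with conn:
        cur = conn.execute(
            "INSERT INTO orders (customer, total_cents) VALUES (?, ?)",
            (customer, total),
        )
        order_id = cur.lastrowid
        if fail_after_header:
            raise PowerFailure("interrupted between header and lines")
        conn.executemany(
            "INSERT INTO order_lines VALUES (?, ?, ?, ?)",
            [(order_id, sku, qty, price) for sku, qty, price in lines],
        )
    return order_id


def integrity_report(conn):
    """The 'confirm data integrity after processing failures' step (DSS06.04).

    orphan_headers: orders with no lines (header written, lines lost)
    orphan_lines:   lines whose order header is missing
    total_mismatch: orders whose header total disagrees with their lines
    engine:         SQLite's own structural check ('ok' when sound)
    """
    one = lambda sql: conn.execute(sql).fetchone()[0]
    return {
        "orphan_headers": one(
            "SELECT COUNT(*) FROM orders o WHERE NOT EXISTS "
            "(SELECT 1 FROM order_lines l WHERE l.order_id = o.order_id)"),
        "orphan_lines": one(
            "SELECT COUNT(*) FROM order_lines l WHERE NOT EXISTS "
            "(SELECT 1 FROM orders o WHERE o.order_id = l.order_id)"),
        "total_mismatch": one(
            "SELECT COUNT(*) FROM orders o WHERE o.total_cents <> "
            "(SELECT SUM(qty * price_cents) FROM order_lines l "
            " WHERE l.order_id = o.order_id)"),
        "engine": one("PRAGMA integrity_check"),
    }


def demo(atomic=True):
    """Complete one order, interrupt a second, then verify the database."""
    conn = open_sales_db(atomic)
    place_order(conn, "alice", [("SKU-1", 2, 1999), ("SKU-2", 1, 500)])
    try:
        place_order(conn, "bob", [("SKU-3", 1, 4999)], fail_after_header=True)
    except PowerFailure:
        pass  # with atomic=True the header has already been rolled back
    order_count = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return order_count, integrity_report(conn)


if __name__ == "__main__":
    print("with rollback:   ", demo(atomic=True))
    print("without rollback:", demo(atomic=False))
```

With rollback the interrupted order vanishes and every check reads 0; without it the committed header survives as an orphan, which is exactly the inconsistency the restart check has to find before the system is returned to service.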
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup policy | Backups are available | Low | High | YES
Business continuity and disaster recovery policy | Validate recoverability of data | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | Low | Medium | NO
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
DSS04.04 | Exercise, test and review the business continuity plan (BCP). | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Low | High | YES
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | Low | Medium | NO
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Responsible to implement proper controls and measures to protect data and hardware | High | Medium | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option to perform daily operations | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup reports | Describes the status of backups | | |
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup systems | Ensure proper recovery in case of loss, modification or corruption of data. | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Implement proper controls and measures to protect data and hardware (e.g., data backup, storage) | High | High | YES


Key Risk Indicators (KRIs) Related to IT Goals


• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of availability incidents
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues
• (DSS01) Number of non-standard operational procedures executed
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS04) Percentage of IT services meeting uptime requirements
• (DSS04) Percentage of successful and timely restoration from backup or alternate media copies
• (DSS04) Percentage of backup media transferred and stored securely
• (DSS04) Number of critical business systems not covered by the backup plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of business continuity and disaster recovery tests
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials
• (DSS06) Percentage of completed inventory of critical process and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered


0607 Modification of client data

Risk Scenario Title: Modification of client data
Risk Scenario Category: 06 Information
Risk Scenario Reference: 0607
Risk Scenario
In an enterprise with poor access rights management procedures, a sales manager is given database administration (DBA) rights in error. This privileged
level of access is then used for unauthorized modification of sales data, which results in the misrepresentation of sales activity and inflates the sales
manager’s sales target bonus. The data modification is not detected, the additional payments of the sales bonuses are issued and the fraudulent
behavior goes undetected.
Risk Scenario Components
Threat Type
The nature of the event is a malicious and fraudulent act.
Actor
The actor that generates the threat that exploits the vulnerability is internal—the sales manager (business user).
Event
The event is an unauthorized modification of sales data that was allowed by the ineffective design and/or ineffective execution of the process DSS05
Manage security services, its management practice DSS05.04 Manage user identity and logical access, the process DSS06 Manage business process
controls and its management practice DSS06.05 Ensure traceability of information events and accountabilities, which allowed the sales manager to
inherit DBA access rights.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the process DSS05 Manage security services and its management practice DSS05.04
Manage user identity and logical access and the process DSS06 Manage business process controls and its management practice DSS06.05 Ensure
traceability of information events and accountabilities, which allowed the sales manager to inherit DBA access.
Asset/Resource (Effect)
The asset/resource that is affected is information, the sales data.
Time
The duration of the event is extended because the modification of the sales data and the fraudulent behavior can go undetected for a long period of time.
Because the bonus was not yet calculated and paid out at the time of the modification of the sales data, the timing of occurrence is critical. Because such
modifications of data and fraudulent actions are usually only detected by accident, the time for detection is classified as slow. For the same reason, the
time between event and consequence is classified as delayed.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P Security problems; S Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise will implement effective management of privileged access rights, including the periodic review of inherited access
rights and change management over data, which includes the traceability of changes made to data, by whom and when.
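The mitigation names two controls: a periodic review of privileged rights against what each business role may hold (DSS05.04, DSS06.03) and traceability of every change to the data, by whom and when, reconciled against an approved change (DSS06.05). The following is an added example, not from the ISACA text, that models both with Python's built-in SQLite; the user names, the permitted-role matrix, the approved-change table and the session-table technique for recording the acting user inside a trigger are all constructed assumptions.

```python
"""Privileged-access review and data-change traceability for scenario 0607.

Added example (not from the ISACA text). Users, grants, sales figures, the
permitted-role matrix and the approved-change records are constructed here.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, business_role TEXT NOT NULL);
CREATE TABLE db_grants (user_id TEXT NOT NULL, db_role TEXT NOT NULL);
CREATE TABLE sales (rep TEXT, period TEXT, amount INTEGER, PRIMARY KEY (rep, period));
CREATE TABLE change_requests (rep TEXT, period TEXT, approved_by TEXT NOT NULL);
-- Whom the application is acting for; set by the application before each change.
CREATE TABLE session (acting_user TEXT);
INSERT INTO session VALUES (NULL);
CREATE TABLE sales_audit (
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP,
    changed_by TEXT, rep TEXT, period TEXT, old_amount INTEGER, new_amount INTEGER
);
-- DSS06.05: every change to sales data is traceable to a person and a time.
CREATE TRIGGER sales_audit_trg AFTER UPDATE OF amount ON sales
BEGIN
    INSERT INTO sales_audit (changed_by, rep, period, old_amount, new_amount)
    VALUES ((SELECT acting_user FROM session), OLD.rep, OLD.period, OLD.amount, NEW.amount);
END;
"""

# Which database roles each business role may legitimately hold (assumed matrix).
PERMITTED_DB_ROLES = {
    "sales manager": {"sales_read"},
    "sales representative": {"sales_read"},
    "database administrator": {"sales_read", "DBA"},
}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("mmiller", "sales manager"),
        ("jdoe", "sales representative"),
        ("dba01", "database administrator"),
    ])
    conn.executemany("INSERT INTO db_grants VALUES (?, ?)", [
        ("mmiller", "sales_read"),
        ("mmiller", "DBA"),  # granted in error, as in the scenario
        ("jdoe", "sales_read"),
        ("dba01", "DBA"),
    ])
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", [
        ("jdoe", "2014-Q1", 120000),
        ("mmiller", "2014-Q1", 95000),
    ])
    # One legitimate correction was approved by finance; nothing else was.
    conn.execute("INSERT INTO change_requests VALUES (?, ?, ?)",
                 ("jdoe", "2014-Q1", "finance"))
    conn.commit()
    return conn


def update_sales(conn, acting_user, rep, period, new_amount):
    """Apply a change on behalf of acting_user; the trigger records who and when."""
    with conn:
        conn.execute("UPDATE session SET acting_user = ?", (acting_user,))
        conn.execute("UPDATE sales SET amount = ? WHERE rep = ? AND period = ?",
                     (new_amount, rep, period))


def privileged_access_exceptions(conn):
    """Periodic review: grants that the user's business role is not permitted to hold."""
    rows = conn.execute(
        "SELECT u.user_id, u.business_role, g.db_role FROM db_grants g "
        "JOIN users u ON u.user_id = g.user_id ORDER BY 1, 3").fetchall()
    return [(user, role, grant) for user, role, grant in rows
            if grant not in PERMITTED_DB_ROLES.get(role, set())]


def unapproved_changes(conn):
    """Audit entries with no approved change request behind them."""
    return conn.execute(
        "SELECT a.changed_by, a.rep, a.period, a.old_amount, a.new_amount "
        "FROM sales_audit a LEFT JOIN change_requests c "
        "ON c.rep = a.rep AND c.period = a.period "
        "WHERE c.approved_by IS NULL").fetchall()


def demo():
    conn = build_db()
    update_sales(conn, "dba01", "jdoe", "2014-Q1", 118000)       # approved correction
    update_sales(conn, "mmiller", "mmiller", "2014-Q1", 160000)  # manager inflates own figure
    return privileged_access_exceptions(conn), unapproved_changes(conn)


if __name__ == "__main__":
    exceptions, unapproved = demo()
    print("grants outside the permitted matrix:", exceptions)
    print("changes without an approved request:", unapproved)
```

A user who holds DBA rights can also edit or drop the audit trigger, so the grants review is the control that has to run first; the audit reconciliation is what turns a surviving trail into the "incidents and audit findings due to access or separation of duties violations" KRI listed below.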
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Defines limitations on sharing and using information; rules of behavior, acceptable use of technology and required precautions such as segregation of duties | High | Low | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS05.04 | Manage user identity and logical access. | Ensure that all users have information access rights in accordance with their business requirements and coordinate with business units that manage their own access rights within business processes. | High | Low | YES
DSS06.01 | Align control activities embedded in business processes with enterprise objectives. | Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs. | Medium | Low | NO
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | Medium | Low | NO
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | High | Medium | YES
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | Low | NO
DSS06.05 | Ensure traceability of information events and accountabilities. | Ensure that business information can be traced to the originating business event and to the parties accountable. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Provide guidance on proper controls and measures to protect data and hardware. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option with regards to daily operations. | Medium | Low | NO
Need to access only | Limit the access of staff without affecting performance. | High | Low | YES
Everybody is responsible for the protection of information within the enterprise. | Lead by example. | Low | Low | NO


Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data loss prevention campaigns | Increase awareness within the enterprise | Medium | Low | NO
Nondisclosure agreements | Contractually protect intellectual property (IP) by deterring staff from disclosing information to malicious parties. | Medium | Medium | NO
Access and event logs | Detection of wrongful activity | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access control | To prevent unauthorized physical access | High | Low | YES
Data protection infrastructure and applications | Encryption, passwords, email monitoring, etc., to enforce the least privilege principle | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Time to grant, change and remove access privileges, compared to agreed-on service levels
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Average time between change and update of accounts
• (DSS05) Number of accounts (vs. number of unauthorised users/staff)
• (DSS05) Number of incidents relating to unauthorised access to information
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered


0608 Disclosure of patient data

Risk Scenario Title: Disclosure of patient data
Risk Scenario Category: 06 Information
Risk Scenario Reference: 0608
Risk Scenario
A clerical assistant at an insurance company creates an email message that contains patient identifiable data, in plain text, that details medical
conditions and sends it to the wrong email distribution list in error. The clerical assistant either does not realize his/her error, or realizes, but keeps quiet
about the error. This results in inappropriate disclosure of patient identifiable information.
Risk Scenario Components
Threat Type
The nature of the event is accidental inappropriate disclosure of patient identifiable information.
Actor
The actor that generates the threat that exploits the vulnerability is internal, a business user (the clerical assistant).
Event
The event is disclosure of patient identifiable information.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people and skills because the clerical assistant makes the error. A blaming culture could also
lead to non-disclosure of the error, which would apply to organizational structures.
Asset/Resource (Effect)
The resource that is affected is information (the patient data).
Time
Timing is critical. When a user realizes he/she has sent sensitive information to the wrong email address, it is essential that the user informs his/her
supervisor, to allow the situation to be managed effectively. However, in the majority of enterprises a blame culture exists, and it is unlikely that the user
will admit to the error. Therefore, the duration is likely to be extended, detection is likely to be slow and the time lag between event and consequence is
delayed, because it is likely that the error will not be detected for a long period of time.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P Security problems and compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Data classification and security controls are defined, e.g., sensitive information is encrypted before email messages are sent.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Defines limitations on sharing and using information; rules of behavior, acceptable use of technology and required precautions such as segregation of duties | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.06 | Define information (data) and system ownership. | Position the IT capability in the overall organizational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the chief information officer (CIO) should be commensurate with the importance of IT within the enterprise. | Low | High | YES
DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens. | High | High | YES
DSS06.01 | Align control activities embedded in business processes with enterprise objectives. | Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs. | Medium | Low | NO
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | High | High | YES
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | Medium | NO
DSS06.05 | Ensure traceability of information events and accountabilities. | Ensure that business information can be traced to the originating business event and to the parties accountable. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives. | Low | Low | NO
DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Provide guidance on proper controls and measures to protect data and hardware. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option to perform daily operations. | High | High | YES
Lead by example | Everybody is responsible for the protection of information within the enterprise. | High | High | YES


Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data loss prevention campaigns | Increase awareness within the enterprise. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data protection infrastructure and applications | Encryption, passwords, email monitoring, etc., to enforce the least privilege principle | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (15) Number of incidents related to non-compliance to policy
• (15) Percentage of stakeholders who understand policies
• (15) Percentage of policies supported by effective standards and working practices
Key Risk Indicators (KRIs) Related to Process Goals
• (APO01) Number of risk exposures due to inadequacies in the design of the control environment
• (DSS05) Number of vulnerabilities discovered
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls


07 Architecture
0701 Inability to implement mobile banking

Risk Scenario Title: Inability to implement mobile banking
Risk Scenario Category: 07 Architecture
Risk Scenario Reference: 0701
Risk Scenario
A mid-sized US bank relies on host systems for its core banking applications, in particular for retail banking. The director for retail banking, a member
of the board, requested that a mobile banking solution (application) be offered for the retail market and expected a return on investment (ROI) within two
years. The core banking system, however, is not capable of handling the communications with a mobile application environment. The chief information
officer (CIO) maintains a good relationship with the host provider and, in a defensive position on new systems, analyzed the requirements. The CIO
came to the conclusion that the solution can be implemented, but only by using new middleware and communications systems. These additions exceeded
the forecast budget and were new technologies for the bank. Therefore, the initiative was not deemed able to deliver an acceptable ROI and was not started.

Competitors, however, currently provide a mobile solution to their customers and the bank’s customers are moving to those other banks.
Risk Scenario Components
Threat Type
The nature of the event is failure of the process APO03 Manage enterprise architecture.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the director for retail banking and the CIO.
Event
The event is an ineffective design and/or ineffective execution of the process APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the lack of an effective process APO03 Manage enterprise architecture and the IT infrastructure
because the host system is inflexible and unable to meet the customer expectations.
Asset/Resource (Effect)
The resource that is affected is the business process retail banking because it is not available for mobile devices.
Time
The duration of the event is extended because the software application for retail banking on mobile devices cannot be delivered. The timing of the
occurrence is critical because the competitors already provide mobile solutions to their customers. The event is detected during the study and before
the project was started and, therefore, is moderate. The consequence is delayed and ongoing because the project cannot be executed.
Risk Type
IT Benefit/Value Enablement | P | Customer expectations for efficient processes using mobile devices cannot be met. Unsatisfied customers are leaving the bank.
IT Programme and Project Delivery | P | New solutions cannot be developed without significantly changing the software and hardware environment, resulting in a lack of agility.
IT Operations and Service Delivery | N/A
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board accepts the inability to apply upcoming technology options. The board also accepts that the enterprise will lose
business competitiveness, because competitors already provide a similar service to their customers, and may therefore lose market share.
• Risk Sharing/Transfer: The chief executive officer (CEO) can outsource the mobile banking infrastructure and transfer the risk through the
outsourcing contract.
• Risk Mitigation: Apply architecture management and scenarios to amend the capabilities of the host and/or to replace the host system.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Exceptions procedure | In specific cases, exceptions to the existing architectural rules can be allowed. Specific cases and the procedure to follow for approval should be described. | High | High | YES

137
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints. | Low | High | YES
APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect agreed-on standards | The enterprise should stimulate the use of agreed-on standards. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture modelling software | Modelling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. | Medium | High | YES

138
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
Key Risk Indicators (KRIs) Related to Process Goals
• (APO03) Number of exceptions to architecture standards and baselines applied for and granted
• (APO03) Level of architecture customer feedback
• (APO03) Project benefits realised that can be traced back to architecture involvement (e.g., cost reduction through re-use)
• (APO03) Percentage of projects using enterprise architecture services
• (APO03) Date of last update to domain and/or federated architectures
• (APO03) Number of identified gaps in models across enterprise, information, data, application and technology architecture domains
• (APO03) Level of architecture customer feedback regarding quality of information provided
• (APO03) Percentage of projects that utilise the framework and methodology to re-use defined components

139
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

0702 New products cannot be implemented

Risk Scenario Title: New products cannot be implemented
Risk Scenario Category: 07 Architecture
Risk Scenario Reference: 0702
Risk Scenario
The chief executive officer (CEO) of a large insurance company plans to issue eight new products per year to the market. He does not consult the IT
department. Product development starts the project and creates the eight new products. When they involve the IT department in the project, they find out
that, based on the existing architecture and old legacy systems, IT is able to introduce the administration for only four new products per year. Therefore,
at least half of the work of the product development team was wasted.
Risk Scenario Components
Threat Type
The nature of the event is failure of the process APO03 Manage enterprise architecture.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the CEO and the product development team because they did not involve
the IT department at the start of the project.
Event
The event is an ineffective design and/or ineffective execution of the process APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the lack of an effective process APO03 Manage enterprise architecture and the IT infrastructure
because the host system is unable to meet the customer expectations.
Asset/Resource (Effect)
The resource that is affected is the business process new products because the company cannot start to sell the new products.
Time
The duration of the event is extended because only four of the new products can be started and the remaining four must be held until the following year.
The timing of the occurrence is critical because the competitors currently offer new products. The event is not detected before the company wants to
start with the new products and, therefore, is slow. The consequence is delayed and ongoing because the project cannot be executed.
Risk Type
IT Benefit/Value Enablement | P | Customer expectations for issuing new products cannot be met.
IT Benefit/Value Enablement | P | Unsatisfied customers are leaving the insurance company.
IT Programme and Project Delivery | P | New products cannot be developed without significantly changing the software and hardware environment, which results in a lack of agility.
IT Operations and Service Delivery | N/A
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board is accepting the inability to implement new products as fast as expected, therefore, losing the opportunity to gain
business advantage.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Apply architecture management and scenarios to amend the capabilities of the host and/or to replace the host system.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO

140
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints. | Low | High | YES
APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | Low | Low | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture modelling software | Modeling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. | Medium | High | YES

141
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
Key Risk Indicators (KRIs) Related to Process Goals
• (APO03) Number of exceptions to architecture standards and baselines applied for and granted
• (APO03) Level of architecture customer feedback
• (APO03) Project benefits realised that can be traced back to architecture involvement (e.g., cost reduction through re-use)
• (APO03) Percentage of projects using enterprise architecture services
• (APO03) Date of last update to domain and/or federated architectures
• (APO03) Number of identified gaps in models across enterprise, information, data, application and technology architecture domains
• (APO03) Level of architecture customer feedback regarding quality of information provided
• (APO03) Percentage of projects that utilise the framework and methodology to re-use defined components

142
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples

0703 Distribution of mobile devices

Risk Scenario Title: Distribution of mobile devices
Risk Scenario Category: 07 Architecture
Risk Scenario Reference: 0703
Risk Scenario
To satisfy requirements of the business management (board members and directors), the chief information officer (CIO) distributed mobile devices
(e.g., smartphones, tablets) so that management can easily have access to the enterprise applications and email from everywhere. The CIO did not
develop a program to address all requirements for mobile devices by following the enterprise architecture good practices (e.g., The Open Group
Architecture Framework [TOGAF]). Appropriate security policies and procedures were not developed. The devices are not equipped with security features
(e.g., encryption of information and secure connection) to preserve the enterprise information in case of security breaches (e.g., stolen/lost devices,
unauthorized access to the devices and their information). Before the devices were distributed, their management was not based on good practice (e.g.,
life-cycle management and baseline configuration).
Risk Scenario Components
Threat Type
The nature of the event is failure of the process APO03 Manage enterprise architecture.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the CIO and the information security manager.
Event
The event is an ineffective design and/or ineffective execution of the process APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the processes BAI09 Manage assets, BAI10 Manage configuration and DSS05 Manage security
services due to a lack of ensuring coverage of all capabilities, such as training, security, replacement and service desk. Another resource is people and
skills because the CIO is trying to fulfil board requirements on short notice, and the information security officer is not stopping the initiative. Information
is also a resource due to the lack of a policy to handle security of information on new technology.
Asset/Resource (Effect)
The resource that is affected is information, specifically, the security information on the mobile devices and in transport.
Time
The duration of the event is extended because equipping the devices with appropriate security features requires some time. The timing of the
occurrence is noncritical. The event is detected as the devices start being used and is moderate. The consequence is delayed and ongoing because
the security weaknesses cannot be addressed immediately and need proper analysis.
Risk Type
IT Benefit/Value Enablement | S | Higher efficiency of management staff
IT Programme and Project Delivery | S | Delayed delivery of the initiative’s results if all requirements were considered
IT Programme and Project Delivery | P | The mobile devices delivered are not capable of meeting the enterprise and legal requirements, in particular with regards to security baselines.
IT Operations and Service Delivery | P | Enterprise information can be compromised, which leads to potential compliance issues.
Possible Risk Responses
• Risk Avoidance: Do not distribute mobile devices until risk mitigation is in place.
• Risk Acceptance: The board accepts the lack of security.
• Risk Sharing/Transfer: Mobile users are held liable for any damage that occurs with the mobile device.
• Risk Mitigation: Define a policy to customize the mobile devices before distribution. Implement security features, monitor the devices, and maintain
their security (remote deletion of lost/stolen devices etc.).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Exceptions procedure | In specific cases, exceptions to the existing architectural rules can be allowed. Specific cases and the procedure to follow for approval should be described. | High | High | YES

143
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
BAI10.02 | Establish and maintain a configuration repository and baseline. | Establish and maintain a configuration management repository and create controlled configuration baselines. | Low | High | YES
BAI10.03 | Maintain and control configuration items. | Maintain an up-to-date repository of configuration items by populating with changes. | Medium | Medium | NO
BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target. | Low | Low | NO
DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Low | YES
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Low | High | YES
DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | Low | High | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Medium | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect policies and standards | The enterprise should stimulate the use of agreed-on standards. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | Medium | Medium | NO

144
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture modelling software | Modelling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI09) Number of assets not utilised
• (BAI09) Number of obsolete assets
• (BAI10) Number of deviations between the configuration repository and live configuration
• (BAI10) Number of discrepancies relating to incomplete or missing configuration information
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Number of incidents relating to unauthorised access to information
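The following script is an added example for scenario 0703 and is not code from the ISACA publication. Scenario 0703 describes devices that were handed out without encryption, a secure connection, remote-wipe capability or a controlled configuration baseline; DSS05.03 asks that endpoints be secured to at least the level the information on them requires, and BAI10.02 asks for a controlled baseline to compare against. The script checks a device inventory against such a baseline and derives the fleet-level numbers behind the KRIs listed above (devices deviating from the configuration baseline, unauthorised devices). The inventory records, the baseline fields and the minimum OS version are constructed assumptions; an enterprise would read the same fields from its mobile device management (MDM) export.

```python
"""
Mobile-device security-baseline check (added example; not from the ISACA text).

Evaluates an MDM-style device inventory against an assumed enterprise
baseline and aggregates the results into KRI counts. All data below is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed enterprise baseline: what a device must satisfy before it may
# hold enterprise data (constructed for this example, not from the text).
BASELINE = {
    "storage_encrypted": True,
    "passcode_enforced": True,
    "remote_wipe_enrolled": True,
    "vpn_required": True,
    "min_os_version": (14, 0),
}


@dataclass
class Device:
    device_id: str
    owner: str
    mdm_enrolled: bool          # managed by the enterprise MDM at all?
    storage_encrypted: bool
    passcode_enforced: bool
    remote_wipe_enrolled: bool
    vpn_required: bool
    os_version: Tuple[int, int]


def evaluate_device(dev: Device, baseline: dict = BASELINE) -> List[str]:
    """Return the baseline controls the device fails (empty list = compliant).

    A device that is not enrolled in management cannot be verified at all,
    so it is reported as "not_enrolled" and counted as unauthorised (the
    DSS05 'unauthorised devices detected' KRI) rather than as a partial failure.
    """
    if not dev.mdm_enrolled:
        return ["not_enrolled"]
    failures = []
    for control in ("storage_encrypted", "passcode_enforced",
                    "remote_wipe_enrolled", "vpn_required"):
        if baseline[control] and not getattr(dev, control):
            failures.append(control)
    if dev.os_version < baseline["min_os_version"]:
        failures.append("os_below_minimum")
    return failures


def compliance_report(devices: List[Device]) -> Dict[str, object]:
    """Aggregate per-device results into fleet-level KRI figures."""
    unauthorised, deviating, compliant = 0, 0, 0
    failures_by_control: Dict[str, int] = {}
    for dev in devices:
        failures = evaluate_device(dev)
        if failures == ["not_enrolled"]:
            unauthorised += 1
            continue
        if not failures:
            compliant += 1
            continue
        deviating += 1
        for control in failures:
            failures_by_control[control] = failures_by_control.get(control, 0) + 1
    return {
        "devices_total": len(devices),
        "compliant": compliant,
        "deviating_from_baseline": deviating,   # BAI10: repository vs. live configuration
        "unauthorised_devices": unauthorised,   # DSS05: unauthorised devices detected
        "failures_by_control": failures_by_control,
    }


# Constructed sample inventory (not real devices or people).
SAMPLE_INVENTORY = [
    Device("TAB-001", "director-retail", True, True, True, True, True, (15, 2)),
    Device("PHN-002", "ceo", True, False, True, False, True, (14, 1)),
    Device("PHN-003", "cfo", True, True, False, True, False, (13, 4)),
    Device("TAB-004", "board-member", False, False, False, False, False, (15, 0)),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev.device_id, evaluate_device(dev) or "compliant")
    print(compliance_report(SAMPLE_INVENTORY))
```

The unmanaged device is deliberately kept out of the "deviating" count: a device the enterprise cannot see is a different risk from one that is managed but misconfigured, and the two KRIs above measure them separately. Running the check on every MDM export gives the trend the "Number of unauthorised devices" and "Number of deviations between the configuration repository and live configuration" indicators need.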

145
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

08 Infrastructure
0802 System not scalable to meet business growth

Risk Scenario Title: System not scalable to meet business growth
Risk Scenario Category: 08 Infrastructure
Risk Scenario Reference: 0802
Risk Scenario
A small offline trading enterprise operates an online shop, is increasing its customer base and invests heavily in marketing initiatives. All IT equipment
is procured by shop personnel who do not have the appropriate technical skills to apply best practices and vendor usage recommendations. The IT
infrastructure was stable and available in the past, but as the user base and usage of the system increase, system availability drops significantly,
compromising the service level needed for this vertical market.
Risk Scenario Components
Threat Type
The nature of the event is the inappropriate design of the infrastructure, caused by accident/error.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the shop owner (chief executive officer [CEO]).
Event
The event is interruption caused by a significant drop of system availability and ineffective design of the infrastructure.
Asset/Resource (Cause)
The resources that lead to the business impact are the process BAI04 Manage availability and capacity and the IT infrastructure servers that are not
capable of meeting the rising demand.
Asset/Resource (Effect)
The resources affected are business processes such as the sales process (online shop), which are often not available, and applications because the
online shop is not regularly available.
Time
The duration of the event is extended because it takes a long time to upgrade or replace the infrastructure. The online shop is not regularly
available, so business is missed; therefore, the timing of occurrence is critical. Because the online shop is not available, detection is instant.
Because there is momentarily no business, the consequence is immediate.
Risk Type
IT Benefit/Value Enablement | P | Online sales are not available, resulting in lost business.
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | IT service interruptions
Possible Risk Responses
• Risk Avoidance: Not offering an online shop
• Risk Acceptance: The shop owner accepts the lost business.
• Risk Sharing/Transfer: Outsourcing of the IT service and agreed-on service level agreement (SLA) availability with appropriate penalties
• Risk Mitigation: Outsourcing of the IT service and agreed-on SLA availability. Upgrade of the existing system to increase the IT capability
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | Medium | Medium | NO

146
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO02.02 | Assess the current environment, capabilities and performance. | Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | Low | Medium | NO
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
Organisational Structures Enabler
Effect Effect
on on Essential
Reference Contribution to Response Frequency Impact Control
Head of IT operations Accountable for the proper management and maintenance of the IT Low Low NO
infrastructure
Head of architecture Design architecture in an optimal way. Medium Medium NO
Culture, Ethics and Behaviour Enabler
Effect Effect
on on Essential
Reference Contribution to Response Frequency Impact Control
N/A N/A


Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Configuration status reports | Track changes to configuration. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (07) Percentage of the users satisfied with the quality of IT service delivery
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (14) Number of business process incidents caused by non-availability of information
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of transition peaks where target performance is exceeded
• (BAI04) Number of availability incidents
• (BAI04) Number of events where capacity has exceeded planned limits
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues


0804 Secondary utilities

Risk Scenario Title: Secondary utilities
Risk Scenario Category: 08 Infrastructure
Risk Scenario Reference: 0804
Risk Scenario
A particular enterprise is required by industry regulators to have dual data centers to support operations for its 24/7 mission-critical online systems. Both facilities were built with redundant technology infrastructure and connected using dual-ring (redundant) optical fibers. When the request for proposal (RFP) was written, it did not contain the prerequisite that each communication ring should be offered by a different provider. The communications provider that offered the service tried to reduce its installation costs by taking advantage of existing subway tunnels to deploy the fibers instead of building its own tunneling system as required by regulations.

During a maintenance shift, local subway train system employees were repairing the rails and accidentally cut the optical fiber, which caused an interruption in the service offered by the provider. This situation was detected immediately by the enterprise’s remote monitoring system and alerts were given to the communications provider, which missed its service level agreements (SLAs) and took more than three days to find the spot where the fiber was cut.

During that time, the data center operated in yellow alert mode with reduced service and no ability to balance transactions or maintain data replication between the two existing network-attached storage (NAS) systems. Because of the loss of communication, the enterprise invoked data backup procedures on portable storage media and established four synchronized points per day, which incurred additional service costs.
Risk Scenario Components
Threat Type
The nature of the event is an accidental failure of the IT infrastructure. Secondarily, it is also a failure of the procurement process.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actor is the Steering (Program/Projects)
Committee. The external actor is train system employees.
Event
The event is primarily a destruction of the IT infrastructure (network), which caused the interruption of the IT services. The event is also ineffective design and/or ineffective execution of the process BAI01 Manage programmes and projects, specifically the management practices “Maintain a standard approach for programme and project management” and “Manage project resources and work packages”, and ineffective design and/or ineffective execution of the process BAI03 Manage solutions identification and build, specifically the management practice “Procure solution components”.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the processes BAI01 Manage programmes and projects and BAI03 Manage solutions
identification and build and the people from the train system.
Asset/Resource (Effect)
The assets/resources that are affected by the event are the physical and IT structure that was destroyed and the information and applications that
are interrupted.
Time
The duration of the event is extended, because the provider missed its SLAs and took more than three days to find the spot where the fiber was cut.
The time of occurrence is critical because the company currently has no redundant communication lines. The event was detected immediately by the
company’s remote monitoring system and alerts were given to the communications service provider. The time lag between event and consequences is
also immediate because at the moment that the fiber was cut, there was no network access.
Risk Type
IT Benefit/Value Enablement (P): Because the IT infrastructure cannot be used for innovation, there are missed opportunities to use technology to improve efficiency and/or effectiveness.
IT Programme and Project Delivery (S): Because the IT infrastructure cannot be used to support programs and projects, there is no contribution of IT to new or improved business solutions for quite a while.
IT Operations and Service Delivery (P): The operational stability, availability and protection are affected, which can lead to destruction or reduction of value to the enterprise.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Ensure that the programs and projects are correctly defined, with specific requirements, including all environmental concerns.


Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.03 | Define the target IT capabilities. | Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; assess the current business process and IT environment and issues; and consider reference standards, best practices and validated emerging technologies or innovation proposals. | Low | High | YES
BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. | Medium | Low | NO
BAI01.12 | Manage project resources and work packages. | Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and coordinating appropriate business and IT resources. | Medium | Low | NO
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | Medium | Medium | NO
Current asset inventory | Track all assets throughout the enterprise. | High | High | YES


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | Medium | Medium | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Technical skills | Manage the different infrastructure components. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (07) Number of business disruptions due to IT service incidents
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO02) Percentage of strategic initiatives with accountability assigned
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems


0805 Inappropriate segregation of networks

Risk Scenario Title: Inappropriate segregation of networks
Risk Scenario Category: 08 Infrastructure
Risk Scenario Reference: 0805
Risk Scenario
The network of a telecommunications (telecom) company consists of two key networks: an office network dedicated to corporate processes and an
operations network for the provision of telecom services. The networks are managed by separate IT departments with different baselines and procedures
that are driven by different requirements. Telecom systems cannot, for technical reasons, be patched on short notice to maintain the service level. The
company does not have a common incident and event management process in place that addresses both networks, which would ensure the handling
and resolution of incidents in an appropriate length of time.

Some users, due to their job description, need access to both networks. This access is realized with two network interface cards in the end-user
computer. However, these computers are not adequately patched and are vulnerable to malicious code.

A malware infection of one of those computers resulted in the infection of multiple computers in the operations network and, due to the lack of security,
also in the office network.
Risk Scenario Components
Threat Type
The nature of the event lies in the inappropriate design of the network architecture caused by error.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actors are the chief information officer (CIO), the information security officer, the network manager and the operations network manager. The external actors are the developers of malicious code.
Event
The event is interruption caused by systems not available and ineffective design of the network architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the process DSS05 Manage security services, with ineffective patch management and inadequate
security incident procedures, and the IT infrastructure, with unpatched systems, inadequate segregation of networks and monitoring capabilities (e.g.,
intrusion prevention system [IPS]).
Asset/Resource (Effect)
The resources affected are business processes, which cannot be operated because no IT services are available; the unavailable IT infrastructure; the
accessibility of information; and the accessibility of applications.
Time
The duration of the event is extended because a long period of time is required to upgrade or replace the network infrastructure. The timing of
occurrence is critical because business processes are regularly unavailable, which results in missed business. Because security events are not detected
immediately, the detection is moderate. The consequence is immediate because there is momentarily no business.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery (P): IT service interruptions
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Outsourcing of patch management services
• Risk Mitigation: Separate networks with proper mechanisms and apply an IPS. Define and apply a patch management process for both networks. Monitor network security.
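As an added example that is not part of the book, the following Python check walks a constructed CMDB-style inventory for the condition described in this scenario: end-user computers with an interface in both the office and the operations network, and among them the ones whose patch level is outside the allowed window. The address plan, hostnames, patch dates and the 30-day window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed address plan for the two networks in scenario 0805
# (constructed for this example; the book names no addresses).
ZONES = {
    "office": [ip_network("10.10.0.0/16")],
    "operations": [ip_network("172.20.0.0/16")],
}


@dataclass(frozen=True)
class Host:
    """One CMDB record: hostname, its interface addresses, last patch date."""
    name: str
    addresses: tuple
    last_patched: date


def zones_for(host):
    """Return the set of zones in which the host has at least one interface."""
    found = set()
    for addr in host.addresses:
        ip = ip_address(addr)
        zone = next((z for z, nets in ZONES.items()
                     if any(ip in n for n in nets)), "unknown")
        found.add(zone)
    return found


def bridging_hosts(inventory):
    """Hosts with interfaces in both networks: each is a path along which
    malware on the office side can reach the operations side."""
    return [h for h in inventory if {"office", "operations"} <= zones_for(h)]


def stale_bridging_hosts(inventory, as_of, max_patch_age_days):
    """Bridging hosts whose last patch is older than the allowed age."""
    return [h for h in bridging_hosts(inventory)
            if (as_of - h.last_patched).days > max_patch_age_days]


def kri_report(inventory, as_of, max_patch_age_days=30):
    """Two counts a risk function can track next to the DSS05 KRIs:
    dual-homed hosts, and dual-homed hosts outside the patch window."""
    bridging = bridging_hosts(inventory)
    stale = stale_bridging_hosts(inventory, as_of, max_patch_age_days)
    return {
        "dual_homed_hosts": len(bridging),
        "dual_homed_unpatched": len(stale),
        "unpatched_names": [h.name for h in stale],
    }


# Constructed inventory: two dual-homed workstations (one of them stale)
# plus single-homed machines that must not be flagged.
INVENTORY = [
    Host("ws-ops-07", ("10.10.5.23", "172.20.3.9"), date(2014, 1, 10)),
    Host("ws-ops-12", ("10.10.5.31", "172.20.3.15"), date(2014, 5, 20)),
    Host("ws-off-03", ("10.10.7.4",), date(2013, 11, 2)),
    Host("srv-ops-01", ("172.20.1.5",), date(2013, 6, 1)),
]
AS_OF = date(2014, 6, 1)

if __name__ == "__main__":
    for key, value in kri_report(INVENTORY, AS_OF).items():
        print(f"{key}: {value}")
```

The single-homed operations server is deliberately left out of the result even though it is long unpatched: in this scenario it is the dual-homed workstation, not the telecom system, that defeats the segregation.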
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | Low | Medium | NO
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
BAI09.01 | Identify and record current assets. | Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management. | High | High | YES
BAI09.02 | Manage critical assets. | Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Low | High | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Medium | Medium | NO


Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure | High | High | YES
Head of architecture | Design architecture in an optimal way. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Maintenance plan | Plan the maintenance of the IT infrastructure. | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Technical skills | Manage the different infrastructure components. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (14) Level of business user satisfaction with quality and timeliness (or availability) of management information
• (14) Number of business process incidents caused by non-availability of information
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of availability incidents
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues
• (BAI09) Number of obsolete assets
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Average time between change and update of accounts
• (DSS05) Number of accounts (vs. number of unauthorised users/staff)
• (DSS05) Number of incidents relating to unauthorised access to information


0806 Data center infrastructure not adapted to growing needs

Risk Scenario Title: Data center infrastructure not adapted to growing needs
Risk Scenario Category: 08 Infrastructure
Risk Scenario Reference: 0806
Risk Scenario
A data center is hosting operational, development and testing equipment. As the business demand grew, additional IT infrastructure was installed in the
data center, but the data center infrastructure (e.g., the air-conditioning cooling capability) was not adapted to the growing needs.

In peak times, the development and test systems had to be shut down due to overheating of the server room. Due to overheating, some servers had a
hardware failure, some shut down independently and some air conditioning systems broke and had to be replaced.

A proper plan to maintain the physical infrastructure was not in place, and corrective action was taken in an ad hoc manner, rather than being based on a
sound business continuity plan (BCP).
Risk Scenario Components
Threat Type
The nature of the event is in the inappropriate design of the data center caused by accident/error.
Actor
The actor that generates the threat that exploits a vulnerability is internal: the head of operations.
Event
The event is interruption, which is caused by a significant drop of system availability, and ineffective design of the data center.
Asset/Resource (Cause)
The resources that lead to the business impact are the process BAI09 Manage assets, e.g., ineffective management of infrastructure, the process
BAI04 Manage availability and capacity and the physical infrastructure, due to the inadequate data center infrastructure.
Asset/Resource (Effect)
The resources affected are processes such as development and testing, which cannot be executed; the IT infrastructure because hardware is broken
due to overheating or being shut down; the physical infrastructure because of broken air-conditioning equipment; information because it is not
available; and applications because testing and development environments are not available.
Time
The duration of the event is extended because a long period of time is required to upgrade or replace the infrastructure. Business is missed because
systems are not regularly available. Therefore, the timing of occurrence is critical. Because hardware failure and the system unavailability are immediate,
the detection is instant. Because a long period of time is required to update or replace the infrastructure, the consequences are delayed.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery (P): Delays in projects because development and test environments were not available
IT Operations and Service Delivery (P): IT service interruptions
Possible Risk Responses
• Risk Avoidance: Shut down some servers.
• Risk Acceptance: The board accepts the risk that there may be service disruptions.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Upgrade the infrastructure equipment to meet the technology needs. Replace servers with newer technologies and a lower footprint.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | High | Medium | YES
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
BAI09.01 | Identify and record current assets. | Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management. | High | High | YES
BAI09.02 | Manage critical assets. | Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES


Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure | Medium | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Current asset inventory | Track all assets throughout the enterprise. | Medium | Low | NO
Maintenance plan | Plan the maintenance of the IT infrastructure. | Medium | High | YES
Configuration status reports | Track changes to configuration. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Manage the different infrastructure components. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of transition peaks where target performance is exceeded
• (BAI04) Number of availability incidents
• (BAI04) Number of events where capacity has exceeded planned limits
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues
• (DSS01) Number of non-standard operational procedures executed
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems


09 Software
0908 High number of emergency changes

Risk Scenario Title: High number of emergency changes
Risk Scenario Category: 09 Software
Risk Scenario Reference: 0908
Risk Scenario
Business users frequently require changes to live applications on short notice and IT staff (development and operations) use the well-defined emergency
change process to fast-track these requests. Emergency changes do not require formal acceptance from business users and can be transitioned to
the live environment immediately. Because the emergency change process does not require functional requirements and critical documentation to be
updated, sometimes these changes are missed in upcoming releases.

An analysis of changes showed that 40 percent of all changes were emergency changes that were deployed without being properly tested. These
changes caused 80 percent of the incidents recorded.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI06 Manage changes.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the IT developers, the IT operations function and the business owners.
Event
The event is unauthorized and untested modification of applications.
Asset/Resource (Cause)
The resources that lead to the business impact are the ineffective process BAI06 Manage changes, a lack of people and skills to perform quality
assurance and a lack of people and skills in the business staff who should be involved in development and testing. Another asset that causes the
business impact is the applications, because a lack of quality is causing errors and requiring quick fixes and/or a lack of functionality is
requiring amendments.
Asset/Resource (Effect)
The resources and assets affected are business processes, because erroneous applications cause IT service interruptions, which in turn cause process
interruptions. Information is also affected because it can be unduly changed or be inconsistent due to untested and erroneous applications. The lack
of change records and/or audit trails makes the effect on information even worse. Applications are affected because they are changed without being
duly tested.
Time
The duration of the event is extended because a long period of time is required to change the related processes and because the event is also a cultural
issue. The timing of occurrence can be critical because systems and applications are not available for doing business. The detection is moderate
because the malfunctions caused by emergency changes are usually detected shortly after implementation. Because systems and applications can be
interrupted at the moment an emergency change is put into production, the time lag between event and consequence is immediate.
Risk Type
IT Benefit/Value Enablement | S | Updated solutions are available on short notice.
IT Programme and Project Delivery | S | Quick delivery of solutions
IT Programme and Project Delivery | S | Development resources can barely be planned, which leads to delays in projects.
IT Operations and Service Delivery | P | Quality issues and service interruptions due to untested applications
IT Operations and Service Delivery | S | Compliance and security issues due to unapproved changes
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Only the business owners experiencing quality and/or availability issues can approve emergency changes.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Define and apply a sound change management and approval process. Update access control for developers to the live environment.
Require, for emergency changes, a thorough test and documentation after deployment to the live environment to make emergency changes more
complex than regular changes. Require a formal test and approval by the business after deployment to the live environment to ensure that the
emergency change addressed the issue and the change was needed on short notice.

Risk Mitigation Using COBIT 5 Enablers


Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI03.09 | Manage changes to requirements. | Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements. | Low | Medium | NO
BAI06.01 | Evaluate, prioritize and authorize change requests. | Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, categorized, assessed, authorized, prioritized, planned and scheduled. | High | High | YES
BAI06.02 | Manage emergency changes. | Carefully manage emergency changes to minimize further incidents and make sure the change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change. | High | High | YES
BAI06.03 | Track and report change status. | Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. | Medium | Medium | YES
BAI06.04 | Close and document the changes. | Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change. | Medium | Medium | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of development | Accountable for the proper design and development of the software components | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Testing is performed on all appropriate levels. | Users and developers cooperate in testing the software components. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Quality assurance (QA) plan (test plan and procedures) | Define the steps to take in order to assure quality. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI06) Amount of rework caused by failed changes
• (BAI06) Reduced time and effort required to make changes
• (BAI06) Number and age of backlogged change requests
• (BAI06) Percentage of unsuccessful changes due to inadequate impact assessments
• (BAI06) Percentage of total changes that are emergency fixes
• (BAI06) Number of emergency changes not authorised after the change
• (BAI06) Stakeholder feedback ratings on satisfaction with communications

0910 Unauthorized changes to applications

Risk Scenario Title: Unauthorized changes to applications
Risk Scenario Category: 09 Software
Risk Scenario Reference: 0910
Risk Scenario
Due to an undetected failure in the production deployment process controls, IT developers have the opportunity to alter applications and deploy changes
to the live environment without approval of the business owner or IT operations staff (lack of a four-eyes principle). To keep up with the market for a
particular product, there was significant business pressure to deploy new functionality before it was properly tested by Quality Assurance (QA).

The developers, who are confident in their work, agreed to apply changes to the system without proper end-user testing and, often, without informing
the end users of a new functionality. This practice results in added capabilities that are not used and late detection of errors in the changes and leads to
incorrect information, service disruption and incidents that result in business losses.
Risk Scenario Components
Threat Type
The nature of the event is failure of the process BAI06 Manage changes.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the IT developers.
Event
The event is unauthorized modification of applications.
Asset/Resource (Cause)
The resources that lead to the business impact are the ineffective processes BAI06 Manage changes, BAI07 Manage change acceptance and
transitioning, and DSS06 Manage business process controls, together with people and skills: the developers who are applying changes without
authorization, the lack of sufficient staff to perform development QA and the lack of business users who are involved in development and testing.
Asset/Resource (Effect)
The resources affected are business processes (because of new and unplanned/untested alterations of functionality), applications (because
functionality is changed without adequate testing and acceptance) and information (because it is unduly changed by malfunctioning applications).
Time
The duration of the event is extended because a long period of time is needed to change the related processes. The timing of occurrence is
noncritical. The detection is slow because malfunctions cannot always be detected immediately. Because a long period of time is needed to change the
related process and update the infrastructure, the consequences are delayed.
Risk Type
IT Benefit/Value Enablement | P | The added functionality is not used by the business functions.
IT Programme and Project Delivery | S | Usage of development resources is not aligned with business priorities and resources can barely be planned.
IT Operations and Service Delivery | P | IT service interruptions due to malfunctioning applications
IT Operations and Service Delivery | S | Compliance issue due to untested and unapproved changes
IT Operations and Service Delivery | S | Compliance issue and security problems of developers having access to the live environment
Possible Risk Responses
• Risk Avoidance: Remove access rights to the live environment for developers.
• Risk Acceptance: Board approval of the risk. The chief information officer (CIO) or developers should not be able to accept the significant exposure of
developers having access to the live environment and the lack of a change process.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Define and apply a sound change management and approval process. Update access control for developers to the live environment.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI06.01 | Evaluate, prioritize and authorize change requests. | Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, categorized, assessed, authorized, prioritized, planned and scheduled. | High | Low | YES
BAI06.03 | Track and report change status. | Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. | Low | Medium | NO
BAI06.04 | Close and document the changes. | Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change. | Low | Low | NO
BAI07.01 | Establish an implementation plan. | Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/backout plan, and a postimplementation review. Obtain approval from relevant parties. | High | High | YES
BAI07.03 | Plan acceptance tests. | Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties. | High | High | YES
BAI07.04 | Establish a test environment. | Define and establish a secure test environment representative of the planned business process and IT operations environment, performance and capacity, security, internal controls, operational practices, data quality and privacy requirements, and workloads. | High | High | YES
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. | High | High | YES
BAI07.06 | Promote to production and manage releases. | Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and results. If significant problems occur, revert back to the original environment based on the fallback/backout plan. Manage releases of solution components. | Medium | High | YES
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | High | High | YES

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of development | Accountable for the proper design and development of the software components | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Testing is performed on all appropriate levels. | Users and developers cooperate in testing the software components. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Quality assurance (QA) plan (test plan and procedures) | Define the steps to take in order to assure quality. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Design and develop the proper software components. | Low | Low | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Time to grant, change and remove access privileges, compared to agreed-on service levels
• (10) Frequency of security assessment against latest standards and guidelines
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues

Key Risk Indicators (KRIs) Related to Process Goals


• (BAI06) Amount of rework caused by failed changes
• (BAI06) Reduced time and effort required to make changes
• (BAI06) Number and age of backlogged change requests
• (BAI06) Percentage of unsuccessful changes due to inadequate impact assessments
• (BAI06) Percentage of total changes that are emergency fixes
• (BAI06) Number of emergency changes not authorised after the change
• (BAI06) Stakeholder feedback ratings on satisfaction with communications
• (BAI07) Percentage of stakeholders satisfied with the completeness of testing process
• (BAI07) Number and percentage of releases not ready for release on schedule
• (BAI07) Number or percentage of releases that fail to stabilise within an acceptable period
• (BAI07) Percentage of releases causing downtime
• (BAI07) Number and percentage of root cause analyses completed
• (DSS06) Percentage of completed inventory of critical process and key controls
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered
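Several of the BAI06 indicators listed for scenarios 0908 and 0910 (percentage of total changes that are emergency fixes, emergency changes not authorised after the change) and the four-eyes principle mentioned in scenario 0910 can be computed mechanically from a change log and compared against tolerance thresholds. The following Python is an added example, not part of the ISACA text: the Change record fields, the sample log and the thresholds are constructed assumptions, and the log mirrors the 40 percent / 80 percent figures given in scenario 0908.

```python
"""Change-log control checks for the emergency-change and unauthorised-change
scenarios. Added example, not from the ISACA text; all records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Change:
    change_id: str
    kind: str                         # "normal" or "emergency"
    developer: str                    # who wrote the change
    deployer: str                     # who promoted it to the live environment
    business_approver: Optional[str]  # pre-deployment business approval, None if missing
    post_authorised: bool             # emergency change authorised after deployment
    tested: bool                      # a test (QA or business) is recorded for the change
    caused_incident: bool             # an incident was linked to this change


# Constructed sample log: 10 changes, 4 of them emergency changes; 5 incidents,
# 4 of which trace back to emergency changes.
CHANGES: List[Change] = [
    Change("C-01", "normal", "alice", "ops-1", "bob", False, True, False),
    Change("C-02", "normal", "alice", "ops-1", "bob", False, True, False),
    Change("C-03", "normal", "carol", "ops-2", "bob", False, True, True),
    Change("C-04", "normal", "carol", "ops-1", "bob", False, True, False),
    Change("C-05", "normal", "dave", "ops-2", "bob", False, True, False),
    Change("C-06", "normal", "dave", "ops-2", "bob", False, True, False),
    Change("C-07", "emergency", "alice", "alice", None, True, False, True),
    Change("C-08", "emergency", "carol", "ops-1", None, False, False, True),
    Change("C-09", "emergency", "dave", "dave", None, False, True, True),
    Change("C-10", "emergency", "alice", "ops-2", None, True, False, True),
]

# Constructed tolerance thresholds; a real risk appetite statement would set these.
THRESHOLDS: Dict[str, float] = {
    "pct_emergency_changes": 10.0,
    "pct_incidents_from_emergency": 25.0,
    "emergency_not_authorised_after": 0,
    "four_eyes_violations": 0,
    "untested_deployments": 0,
}


def four_eyes_violations(changes: List[Change]) -> List[str]:
    """Changes where the developer also deployed to live (no four-eyes principle)."""
    return [c.change_id for c in changes if c.developer == c.deployer]


def unauthorised_emergency(changes: List[Change]) -> List[str]:
    """Emergency changes never authorised after the fact (BAI06.02 indicator)."""
    return [c.change_id for c in changes
            if c.kind == "emergency" and not c.post_authorised]


def untested_deployments(changes: List[Change]) -> List[str]:
    """Changes in the live environment with no recorded test."""
    return [c.change_id for c in changes if not c.tested]


def _pct(part: int, whole: int) -> float:
    # Guard against an empty log or a period with no incidents.
    return round(100.0 * part / whole, 1) if whole else 0.0


def kris(changes: List[Change]) -> Dict[str, float]:
    """Compute the BAI06-related indicators used in scenarios 0908 and 0910."""
    emergency = [c for c in changes if c.kind == "emergency"]
    incidents = [c for c in changes if c.caused_incident]
    emergency_incidents = [c for c in incidents if c.kind == "emergency"]
    return {
        "pct_emergency_changes": _pct(len(emergency), len(changes)),
        "pct_incidents_from_emergency": _pct(len(emergency_incidents), len(incidents)),
        "emergency_not_authorised_after": float(len(unauthorised_emergency(changes))),
        "four_eyes_violations": float(len(four_eyes_violations(changes))),
        "untested_deployments": float(len(untested_deployments(changes))),
    }


def breaches(values: Dict[str, float], thresholds: Dict[str, float]) -> List[str]:
    """Indicators whose value exceeds the tolerance threshold, in threshold order."""
    return [k for k in thresholds if values.get(k, 0.0) > thresholds[k]]


if __name__ == "__main__":
    report = kris(CHANGES)
    for name, value in report.items():
        print(f"{name:32s} {value:6.1f}")
    print("breached:", breaches(report, THRESHOLDS))
    print("developer deployed own change:", four_eyes_violations(CHANGES))
    print("emergency changes without post-authorisation:", unauthorised_emergency(CHANGES))
```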

0911 Unmanaged development and testing methodologies

Risk Scenario Title: Unmanaged development and testing methodologies
Risk Scenario Category: 09 Software
Risk Scenario Reference: 0911
Risk Scenario
An IT organization’s software development department does not maintain a common standard for software development (e.g., development framework,
implementation standards) and testing methodologies (e.g., testing types and minimum requirements). This practice leads to differing approaches for
various development initiatives because the application of methodologies is left to the discretion of individuals. Testing methodologies (e.g., white box
testing, volume testing and socialization testing) are applied based on the availability of technology (testing environment), but are not driven by the type
of implementation. The lack of standards leads to deficiencies in the quality of the developed software, which causes numerous incidents. The effort to
adopt existing testing approaches is high because there is low re-use of testing methodologies. The teams frequently start from the beginning when
defining a test plan, which leads to a lack of resources for actual testing because effort is bound to planning rather than to test execution.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO11 Manage quality and BAI07 Manage change acceptance and transitioning.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the IT developers and the quality assurance (QA) (testing) function.
Event
The event is unauthorized modification of applications.
Asset/Resource (Cause)
The resources that lead to the business impact are the ineffective processes APO11 Manage quality and BAI07 Manage change acceptance because
consistent testing approaches are absent. The resource IT Infrastructure also leads to business impact because there is a lack of test environments,
e.g., for parallel testing.
Asset/Resource (Effect)
The resources affected are business processes because the inefficient QA and testing processes lead to unstable applications and inconsistent data
and information. Other resources that are affected are people and skills due to the ineffective use of testing staff.
Time
The duration of the event is extended because a long period of time is required to change the related processes and the IT infrastructure. The timing
of occurrence is noncritical. The detection is slow because malfunctions cannot always be detected immediately. Because a long period of time is
required for changing the related processes and for updating the IT infrastructure, the consequences are delayed.
Risk Type
IT Benefit/Value Enablement | N/A |
IT Programme and Project Delivery | P | Lack of adequate QA/testing in projects (QA is not applied due to an overly complex and burdensome approach)
IT Programme and Project Delivery | S | Inefficient use of human and IT resources due to immature (ad hoc) testing processes
IT Operations and Service Delivery | P | Quality issues and service interruptions due to untested applications
IT Operations and Service Delivery | S | Compliance and security issues due to untested changes
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accept the lack of QA by the chief information officer (CIO) and the business owners.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Apply professional and current testing approaches (in-house or outsourced).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES
Fallback procedure | Guidelines in case rollback is necessary | Low | High | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO11.05 | Integrate quality management into solutions for development and service delivery. | Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings. | High | High | YES
BAI01.09 | Manage program and project quality. | Prepare and execute a quality management plan, processes and practices, aligned with the quality management system (QMS) that describes the program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated program and project plans. | Low | Medium | NO
BAI03.01 | Design high-level solutions. | Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version. | High | High | YES
BAI03.02 | Design detailed solution components. | Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs). | High | High | YES
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. | High | High | YES
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | High | High | YES
BAI03.05 | Build solutions. | Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions. | High | High | YES
BAI03.06 | Perform quality assurance (QA). | Develop, resource and execute a quality assurance (QA) plan aligned with the quality management system (QMS) to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures. | High | High | YES

Process Enabler (cont.)
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI03.07 | Prepare for solution testing. | Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure. | High | High | YES
BAI03.08 | Execute solution testing. | Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing. | High | High | YES
BAI03.09 | Manage changes to requirements. | Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements. | High | High | YES
BAI03.10 | Maintain solutions. | Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements. | High | High | YES
BAI03.11 | Define IT services and maintain the service portfolio. | Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio. | High | High | YES
BAI07.03 | Plan acceptance tests. | Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties. | Low | Medium | NO
BAI07.04 | Establish a test environment. | Define and establish a secure test environment representative of the planned business process and IT operations environment, performance and capacity, security, internal controls, operational practices, data quality and privacy requirements, and workloads. | Medium | Medium | NO
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. | Low | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of development | Accountable for the proper design and development of the software components | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Testing is performed on all appropriate levels. | Users and developers cooperate in testing the software components. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Quality assurance (QA) plan (test plan and procedures) | Define the steps to take in order to assure quality. | High | High | YES

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Integrated development environment (IDE) | Facilitate development; consists of a source code editor, build automation tools and a debugger | Medium | Medium | YES
Knowledge repositories | Share and coordinate knowledge regarding development activities. | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Design and develop the proper software components. | Medium | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (05) Percentage of IT-enabled investments where benefits realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
Key Risk Indicators (KRIs) Related to Process Goals
• (APO11) Average stakeholder satisfaction rating with solutions and services
• (APO11) Percentage of stakeholders satisfied with IT quality
• (APO11) Number of services with a formal quality management plan
• (APO11) Percentage of projects reviewed that meet target quality goals and objectives
• (APO11) Percentage of solutions and services delivered with formal certification
• (APO11) Number of defects uncovered prior to production
• (APO11) Number of processes with a defined quality requirement
• (APO11) Number of processes with a formal quality assessment report
• (APO11) Number of SLAs that include quality acceptance criteria
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Number of resource issues (e.g., skills, capacity)
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied
• (BAI07) Percentage of stakeholders satisfied with the completeness of testing process
• (BAI07) Number and percentage of releases not ready for release on schedule
• (BAI07) Number or percentage of releases that fail to stabilise within an acceptable period
• (BAI07) Percentage of releases causing downtime
• (BAI07) Number and percentage of root cause analyses completed

10 Business Ownership of IT
1001 Business failing to be accountable

Risk Scenario Title: Business failing to be accountable
Risk Scenario Category: 10 Business ownership of IT
Risk Scenario Reference: 1001
Risk Scenario
A large global financial enterprise has a strategy of growing the business by expanding into new business domains. The business constantly changes its priorities with little or no communication with the IT organization. This practice leads to constant change in the requirements for the technology under development and to frequent escalations from business management to the head of development. Business and IT constantly blame each other, with the business accepting no culpability in the process and blaming IT. The chief executive officer (CEO) advised the chief information officer (CIO) that one of the business leaders had presented to the board a plan to immediately outsource all of IT. The CEO requested that the CIO and the business work together to resolve the business challenges and to deliver for the business.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI01 Manage programmes and projects.
Actor
The actors that generate the threat that exploits a vulnerability are internal—Steering (Program/Projects) Committee, business executive and business
process owners, CIO and head of development.
Event
The event is an ineffective design and/or ineffective execution of the process BAI01 Manage programmes and projects.
Asset/Resource (Cause)
The resource that leads to the business impact is the process BAI01 Manage programmes and projects. The organizational structure also leads to
some business impact because of a blaming culture that is caused by the business and by the IT people.
Asset/Resource (Effect)
The resources that are affected are the business processes because new applications do not fulfill the requirements and, therefore, business is not
satisfied with the results. The entire enterprise is affected because discord exists on the side of the business people and on the side of the IT staff.
Time
The duration of the event is extended because it is not easy to change the culture and it cannot be done quickly. The timing of occurrence is critical
because the enterprise is currently in a phase of growing the business with expansion into new business domains. As an increasing number of disputes
between business and IT surface, the detection can be classified as moderate. The consequences will last for a long period of time because the situation
(culture) cannot be improved easily and quickly, and, therefore, consequences are delayed.
Risk Type
IT Benefit/Value Enablement | S | The blaming culture hinders the enterprise from improving efficiency and/or effectiveness of business processes. IT does not act as a real enabler for new business initiatives.
IT Programme and Project Delivery | P | Scope creep leads to project budget and time overruns and affects quality of project results.
IT Operations and Service Delivery | N/A
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Implement a governance process to manage and prioritize the business demand. Transfer risk from business and IT to a governance body like the Steering (Program/Project) Committee.
• Risk Mitigation: Develop a process to work with the business areas through the system development life cycle (SDLC), incorporating requirements and organizational alignment to business requirements. Communicate with the business about the financial aspects of existing technology, including return on investment (ROI) and total cost of ownership (TCO), and the potential impacts of the future technologies.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Enterprise governance guiding principles | Involve business and IT. | High | High | YES
Reporting and communication principles | Clarify the means of communication. | High | High | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | Medium | Medium | NO
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | Medium | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | High | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Finance | Provide a common methodology used by business and IT to assess opportunities in terms of value for the enterprise. | High | High | YES
Strategy (IT executive) committee | Key structure that should take accountability over IT and business cooperation | High | High | YES
Board of directors | Accountable for the governance framework setting and maintenance | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business and IT work together as partners. | The business takes into account the difficulties that IT faces, IT learns the business issues. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Align IT plans with business objectives and this will lead to a more efficient accountability of the business over IT. | High | High | YES
Authority levels | Clarify the decision-making responsibilities. | High | High | YES
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Relationship management skills | IT should have the proper skills to build relations with relevant business stakeholders. | Medium | Medium | NO
IT-related skills/affinity | Business representatives should be trained/selected based on a minimal required affinity with IT. | Medium | Medium | NO

Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
• (14) Level of business user satisfaction with quality and timeliness (or availability) of management information
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO01) Number of risk exposures due to inadequacies in the design of the control environment
• (APO01) Number of staff who attended training or awareness sessions
• (APO02) Percentage of objectives in the IT strategy that support the enterprise strategy
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Percentage of initiatives in the IT strategy that are self-funding (financial benefits in excess of costs)
• (APO02) Trends in ROI of initiatives included in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of projects in the IT project portfolio that can be directly traced back to the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Number of new enterprise opportunities realised as a direct result of IT developments
• (APO02) Percentage of IT initiatives/projects championed by business owners
• (APO02) Achievement of measurable IT strategy outcomes part of staff performance goals
• (APO02) Frequency of updates to the IT strategy communication plan
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of changes from the investment programme reflected in the relevant portfolios
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (APO09) Number of business processes with undefined service agreements
• (APO09) Percentage of live IT services covered by service agreements
• (APO09) Percentage of customers satisfied that service delivery meets agreed-on levels
• (APO09) Percentage of services being monitored to service levels
• (APO09) Percentage of service targets being met
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of projects undertaken without approved business cases
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of active programmes undertaken without valid and updated programme value maps
• (BAI01) Frequency of programme/projects status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review

1003 Cloud service provider

Risk Scenario Title: Cloud service provider
Risk Scenario Category: 10 Business ownership of IT
Risk Scenario Reference: 1003
Risk Scenario
A company decides to move its cloud services to a foreign country where costs are lower than those of local providers, without doing appropriate due diligence on the third parties that can provide the service. The business decides to outsource to the cloud without counsel from IT in its areas of competence. Even though the company has an IT governance framework in place, it was ignored and IT was not consulted. Therefore, the implied security, data privacy and compliance requirements were not considered.

The cross-border data, security, privacy and potential compliance issues are:
• Personally identifiable information (PII) and various global data privacy laws
• Sensitive personal information (SPI)
• Cloud provider policies and procedures
• Data leakage

A process for reviewing the third-party compliance requirements is non-existent, and the decision was imposed on IT.

When the service is in place, the company detects leakage of critical information, as well as of data in areas it was not aware of.

Because of this severe issue, the business reputation is severely damaged, which will potentially drive the company out of business through the loss of future service contracts.
Risk Scenario Components
Threat Type
The nature of the event is a failure (ignorance) of the governance process EDM01 Ensure governance framework setting and maintenance. The
consequence was non-compliance with rules and regulations.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the business executives that decided to outsource without involving IT.
Event
The event is an ineffective execution of the governance process EDM01 Ensure governance framework setting and maintenance and an ineffective
design of the management process MEA03 Monitor, evaluate and assess compliance with external requirements, which lead to a breach of rules and
regulations. The event can also be classified as disclosure because data leakage in critical information was detected.
Asset/Resource (Cause)
The resources/assets that lead to the business impact are the processes EDM01 Ensure governance framework setting and maintenance and
MEA03 Monitor, evaluate and assess compliance with external requirements and the people and skills, with business executives ignoring the
governance process.
Asset/Resource (Effect)
The resource/asset that was mainly affected is critical information due to data leakage. But also the entire enterprise (organizational structures and
people) is affected because its reputation is severely damaged, which can drive the company out of business.
Time
The duration of the event is extended because a long period of time is required to correct the situation, if it can be corrected at all. Because the company can be driven out of business, the timing of occurrence is critical. The event was detected as soon as IT was involved and the noncompliance was recognized; therefore, detection can be classified as moderate. The time lag between event and consequence is delayed because the event can potentially drive the company out of business.
Risk Type
IT Benefit/Value Enablement | S | IT not seen as technology enabler for new business initiatives.
IT Programme and Project Delivery | P | No contribution of IT to new or improved business solutions
IT Operations and Service Delivery | S | Service interruption.
Possible Risk Responses
• Risk Avoidance: Not engaging with third parties
• Risk Acceptance: If the contract has been executed (without IT review), the company has to accept that it is not going to be able to recover assets.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The process for selection of third parties will be reviewed to include all technical and non-technical requirements.

Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Enterprise governance guiding principles | Involve business and IT. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM01.03 | Monitor the governance system. | Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. | High | High | YES
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO09.03 | Define and prepare service agreements. | Define and prepare service agreements (SLAs) based on the options in the service catalogues. Include internal operational level agreements (OLAs). | High | High | YES
APO09.04 | Monitor and report service levels. | Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance. | High | High | YES
APO10.01 | Identify and evaluate supplier relationships and contracts. | Identify suppliers and associated contracts and categorize them into type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts. | High | High | YES
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | High | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Finance | Provide a common methodology used by business and IT to assess opportunities in terms of value for the enterprise. | High | High | YES
Strategy (IT executive) committee | Key structure that should take accountability over IT and business cooperation | High | High | YES
Board of directors | Accountable for the governance framework setting and maintenance | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business and IT work together as partners. | The business takes into account the difficulties that IT faces, IT learns the business issues. | High | High | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Align IT plans with business objectives and this will lead to a more efficient accountability of the business over IT. | High | High | YES
Authority levels | Clarify the decision-making responsibilities. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Relationship management skills | IT should have the proper skills to build relations with relevant business stakeholders. | Medium | Medium | NO
IT-related skills/affinity | Business representatives should be trained/selected based on a minimal required affinity with IT. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Percentage of IT value drivers mapped to business value drivers
• (03) Percentage of executive management roles with clearly defined accountabilities for IT decisions
• (03) Number of times IT is on the board’s agenda in a proactive manner
• (03) Frequency of IT strategy (executive) committee meetings
• (03) Rate of execution of executive IT-related decisions
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (14) Level of business user satisfaction with quality and timeliness (or availability) of management information
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM01) Level of stakeholder satisfaction (measured through surveys)
• (APO02) Percentage of objectives in the IT strategy that support the enterprise strategy
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Percentage of initiatives in the IT strategy that are self-funding (financial benefits in excess of costs)
• (APO02) Trends in ROI of initiatives included in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of projects in the IT project portfolio that can be directly traced back to the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Number of new enterprise opportunities realised as a direct result of IT developments
• (APO02) Percentage of IT initiatives/projects championed by business owners
• (APO02) Achievement of measurable IT strategy outcomes part of staff performance goals
• (APO02) Frequency of updates to the IT strategy communication plan
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO09) Number of business processes with undefined service agreements
• (APO09) Percentage of live IT services covered by service agreements
• (APO09) Percentage of customers satisfied that service delivery meets agreed-on levels
• (APO09) Number and severity of service breaches
• (APO09) Percentage of services being monitored to service levels
• (APO09) Percentage of service targets being met
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution
• (BAI02) Percentage of business case objectives met by proposed solution
• (BAI02) Percentage of stakeholders not approving solution in relation to business case

1004 Ineffective Service Level Agreements

Risk Scenario Title: Ineffective Service Level Agreements
Risk Scenario Category: 10 Business ownership of IT
Risk Scenario Reference: 1004
Risk Scenario
A business misses the majority of the service level agreements (SLAs) for its clients, which results in charge-back costs against the company’s revenue stream. A review of the company’s SLAs found that they were written to the advantage of the client and not written to protect, or aim to protect, the company. The company must have its legal counsel review and rewrite all of the company’s SLA contracts in cooperation with the IT department. After the SLAs are reviewed, the legal department must examine the language in the SLAs in detail to determine the frequency and timing of changes with each client.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO09 Manage service agreements.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the business unit that is responsible for the managed service accounts.
Event
The event is ineffective design and/or ineffective execution of the process APO09 Manage service agreements.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are all assets and resources, e.g., people and skills, infrastructure (facilities), IT
infrastructure, information and applications that enable services to be provided to clients.
Asset/Resource (Effect)
The assets/resources that are affected are the services (processes) that are provided to clients.
Time
The duration of the event is extended because a long period of time is required to review and rewrite all of the company’s SLA contracts. Because the
company encounters charge-back costs to the company revenue stream, the timing of occurrence is critical. The event was detected as soon as clients
complained and, therefore, is classified as instant. The time lag between event and consequence is immediate because the penalties (charge-back
costs) are due immediately after nonfulfillment of the service levels.
Risk Type
IT Benefit/Value Enablement | P | Company revenue stream is affected by charge-back costs.
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | IT service interruptions and security problems for clients and compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: To reduce customer escalations and to drive process improvements and governance, the company needs accountability for the missed SLAs, improved metrics and a dashboard, and automated prevention and alerts. Renegotiate contracts.
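The metrics, dashboard and automated alerts called for in the mitigation above, and the APO09 KRIs this scenario lists (percentage of service targets being met, number and severity of service breaches, percentage of services monitored to service levels), can be computed from per-client SLA measurements. The following is an added example, not code from the ISACA publication; the services, clients, targets, warning margins, severity bands and charge-back amounts are constructed assumptions:

```python
"""Added example (not from the ISACA publication): APO09 service-level KRIs
computed from constructed monthly SLA measurements, with charge-back exposure
and early-warning alerts. All names, targets, bands and penalties are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass(frozen=True)
class SlaTarget:
    service: str
    client: str
    metric: str                   # e.g. "availability_pct", "p1_resolution_hours"
    target: float
    higher_is_better: bool        # availability: True; resolution time: False
    warn_margin: float            # headroom below which an early-warning alert fires
    chargeback_per_breach: float  # constructed penalty per breached target per period

@dataclass(frozen=True)
class Measurement:
    service: str
    client: str
    metric: str
    period: str                   # reporting month, e.g. "2014-03"
    value: float

@dataclass
class SlaReport:
    period: str
    targets_total: int = 0
    targets_measured: int = 0
    targets_met: int = 0
    breaches: List[dict] = field(default_factory=list)
    warnings: List[dict] = field(default_factory=list)
    unmeasured: List[str] = field(default_factory=list)   # monitoring gaps
    chargeback_total: float = 0.0

    @property
    def pct_targets_met(self) -> float:
        # KRI (APO09): percentage of service targets being met
        return round(100.0 * self.targets_met / self.targets_measured, 1) if self.targets_measured else 0.0

    @property
    def pct_monitored(self) -> float:
        # KRI (APO09): percentage of services being monitored to service levels
        return round(100.0 * self.targets_measured / self.targets_total, 1) if self.targets_total else 0.0

    def breaches_by_severity(self) -> Dict[str, int]:
        # KRI (APO09): number and severity of service breaches
        counts = {"minor": 0, "major": 0, "critical": 0}
        for breach in self.breaches:
            counts[breach["severity"]] += 1
        return counts

def shortfall_ratio(t: SlaTarget, value: float) -> float:
    """Relative distance past the target; 0.0 when the target is met."""
    gap = (t.target - value) if t.higher_is_better else (value - t.target)
    return max(0.0, gap / t.target)

def severity(ratio: float) -> str:
    """Constructed severity bands on the relative shortfall."""
    return "minor" if ratio < 0.02 else "major" if ratio < 0.10 else "critical"

def evaluate_period(targets: List[SlaTarget], measurements: List[Measurement], period: str) -> SlaReport:
    by_key = {(m.service, m.client, m.metric): m for m in measurements if m.period == period}
    report = SlaReport(period=period, targets_total=len(targets))
    for t in targets:
        m = by_key.get((t.service, t.client, t.metric))
        if m is None:
            # A target nobody measured is itself a monitoring gap worth reporting.
            report.unmeasured.append(f"{t.service}/{t.client}/{t.metric}")
            continue
        report.targets_measured += 1
        ratio = shortfall_ratio(t, m.value)
        row = {"service": t.service, "client": t.client, "metric": t.metric, "target": t.target, "actual": m.value}
        if ratio > 0.0:
            report.breaches.append({**row, "severity": severity(ratio)})
            report.chargeback_total += t.chargeback_per_breach
            continue
        report.targets_met += 1
        headroom = (m.value - t.target) if t.higher_is_better else (t.target - m.value)
        if headroom < t.warn_margin:
            # Met, but close enough to the line to alert before a penalty is incurred.
            report.warnings.append(row)
    return report

# Constructed sample data for one reporting month.
TARGETS = [
    SlaTarget("Payments API", "ClientA", "availability_pct", 99.9, True, 0.05, 5000.0),
    SlaTarget("Payments API", "ClientA", "p1_resolution_hours", 4.0, False, 1.0, 2500.0),
    SlaTarget("Reporting portal", "ClientB", "availability_pct", 99.5, True, 0.05, 1000.0),
    SlaTarget("Reporting portal", "ClientB", "p1_resolution_hours", 8.0, False, 1.0, 1000.0),
    SlaTarget("Reporting portal", "ClientB", "backup_success_pct", 100.0, True, 0.0, 500.0),
]
MEASUREMENTS = [
    Measurement("Payments API", "ClientA", "availability_pct", "2014-03", 99.93),
    Measurement("Payments API", "ClientA", "p1_resolution_hours", "2014-03", 4.5),
    Measurement("Reporting portal", "ClientB", "availability_pct", "2014-03", 99.2),
    Measurement("Reporting portal", "ClientB", "p1_resolution_hours", "2014-03", 6.0),
]
```

For the constructed month, `evaluate_period(TARGETS, MEASUREMENTS, "2014-03")` reports 50% of targets met, one critical and one minor breach, 3500.0 in charge-back exposure, an early warning on the Payments API availability and one target that was never measured.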
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Enterprise governance guiding principles | Involve business and IT. | High | High | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | Low | High | YES
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | Low | High | YES
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities based on the agreed-on and current business case. | High | High | YES
APO09.03 | Define and prepare service agreements. | Define and prepare service agreements (SLAs) based on the options in the service catalogues. Include internal operational level agreements (OLAs). | High | High | YES
APO09.04 | Monitor and report service levels. | Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance. | High | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Finance | Provide a common methodology used by business and IT to assess opportunities in terms of value for the enterprise. | High | High | YES
Strategy (IT executive) committee | Key structure that should take accountability over IT and business cooperation | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business and IT work together as partners. | The business takes into account the difficulties that IT faces, IT learns the business issues. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Align IT plans with business objectives and this will lead to a more efficient accountability of the business over IT. | High | High | YES
Authority levels | Clarify the decision-making responsibilities. | High | High | YES
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A


People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Relationship management skills | IT should have the proper skills to build relations with relevant business stakeholders. | Medium | Medium | NO
IT-related skills/affinity | Business representatives should be trained/selected based on a minimal required affinity with IT. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Percentage of IT value drivers mapped to business value drivers
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of capability assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Cost of application maintenance vs. overall IT cost
Key Risk Indicators (KRIs) Related to Process Goals
• (APO02) Percentage of objectives in the IT strategy that support the enterprise strategy
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Percentage of initiatives in the IT strategy that are self-funding (financial benefits in excess of costs)
• (APO02) Trends in ROI of initiatives included in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Achievement of measurable IT strategy outcomes part of staff performance goals
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (APO09) Number of business processes with undefined service agreements
• (APO09) Percentage of live IT services covered by service agreements
• (APO09) Percentage of customers satisfied that service delivery meets agreed-on levels
• (APO09) Number and severity of service breaches
• (APO09) Percentage of services being monitored to service levels
• (APO09) Percentage of service targets being met
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Number of resource issues (e.g., skills, capacity)
• (BAI01) Percentage of expected benefits achieved
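The APO09 indicators listed above (live services covered by service agreements, services monitored to service levels, number and severity of breaches, targets met) are the metrics that the mitigation for this scenario wants on a dashboard with automated alerts. The Python block below is an added illustration of computing them from monitoring data; it is not from ISACA or COBIT, and every service name, SLA target, measurement and severity band in it is constructed.

```python
"""APO09 service-agreement KRIs computed from constructed SLA monitoring data.

Added illustration, not ISACA's or COBIT's own tooling: every service name,
SLA target, measurement and severity band below is made up.
"""
from collections import namedtuple

# target: the SLA threshold; higher_is_better: True for availability,
# False for response time.
ServiceTarget = namedtuple("ServiceTarget", "service metric target higher_is_better")
Measurement = namedtuple("Measurement", "service metric value")

# Constructed live service catalogue. "reporting" has no SLA at all;
# "branch-platform" has an SLA but nothing was measured against it.
LIVE_SERVICES = {"online-banking", "payments-api", "branch-platform", "reporting"}

TARGETS = [
    ServiceTarget("online-banking", "availability_pct", 99.9, True),
    ServiceTarget("online-banking", "p95_response_ms", 800, False),
    ServiceTarget("payments-api", "availability_pct", 99.95, True),
    ServiceTarget("payments-api", "p95_response_ms", 500, False),
    ServiceTarget("branch-platform", "availability_pct", 99.5, True),
]

# One reporting period of constructed measurements.
MEASUREMENTS = [
    Measurement("online-banking", "availability_pct", 99.95),
    Measurement("online-banking", "p95_response_ms", 1250),
    Measurement("payments-api", "availability_pct", 99.80),
    Measurement("payments-api", "p95_response_ms", 450),
]

# Assumed severity bands on the relative shortfall from target:
# under 10% minor, under 50% major, otherwise critical.
SEVERITY_BANDS = [(0.10, "minor"), (0.50, "major")]


def _pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def breach_severity(target, value):
    """None when the target is met, else a severity label from the shortfall ratio."""
    direction = 1 if target.higher_is_better else -1
    shortfall = direction * (target.target - value) / target.target
    if shortfall <= 0:
        return None
    for upper, label in SEVERITY_BANDS:
        if shortfall < upper:
            return label
    return "critical"


def pct_services_covered(live_services, targets):
    """KRI: percentage of live services covered by at least one SLA target."""
    covered = {t.service for t in targets} & set(live_services)
    return _pct(len(covered), len(live_services))


def evaluate_targets(targets, measurements):
    """Split targets into met, breached (with severity) and unmonitored."""
    observed = {(m.service, m.metric): m.value for m in measurements}
    met, breaches, unmonitored = [], [], []
    for t in targets:
        key = (t.service, t.metric)
        if key not in observed:
            unmonitored.append(t)  # SLA defined but not monitored
            continue
        severity = breach_severity(t, observed[key])
        if severity is None:
            met.append(t)
        else:
            breaches.append((t.service, t.metric, severity))
    return met, breaches, unmonitored


def pct_services_monitored(targets, measurements):
    """KRI: percentage of services with an SLA that are actually measured."""
    with_sla = {t.service for t in targets}
    measured = {m.service for m in measurements} & with_sla
    return _pct(len(measured), len(with_sla))


def pct_targets_met(targets, measurements):
    """KRI: percentage of monitored service targets being met."""
    met, breaches, _ = evaluate_targets(targets, measurements)
    return _pct(len(met), len(met) + len(breaches))


def alerts(breaches, min_severity="major"):
    """Automated alert lines for breaches at or above min_severity."""
    order = ["minor", "major", "critical"]
    floor = order.index(min_severity)
    return [f"ALERT {svc}/{metric}: {sev} SLA breach"
            for svc, metric, sev in breaches if order.index(sev) >= floor]
```

On the constructed data the unmonitored branch platform drags the monitoring-coverage KRI to 66.7% while the targets-met KRI reads 50%, which is why both are reported: a target that is never measured cannot be breached.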


11 Suppliers
1101 Outsourcing of implementation services

Risk Scenario Title: Outsourcing of implementation services
Risk Scenario Category: 11 Suppliers
Risk Scenario Reference: 1101
Risk Scenario
A bank needs to start an implementation process for a new software bundle that is part of its branch platform. The software provider has business
partners in the region, but not locally, because this is the first implementation of its kind. The vendor offers state-of-the-art, best-of-breed
software and is the right solution for the need.

The requirements for this business partner are local representation and knowledge of the local regulations that apply to the specific industry. Lack of
supplier due diligence regarding delivery capability and sustainability of the supplier’s service is the main issue with the decision that was made.

After the bank detects the inability of the business partner to comply with service level agreements (SLAs), the implementation process is interrupted
with a substantial loss in time and resources, due to excessive reliance upon the vendor and a lack of training of its own personnel.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the procurement process because too much weight was put on sustainability of the provider instead of equal
weight on sustainability and the capability to comply with SLAs.
Actor
The actors that generate the threat that exploits a vulnerability are internal (function accountable for the procurement process), and external (provider
of the implementation services).
Event
The event is interruption of the implementation process.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process APO10 Manage suppliers.
Asset/Resource (Effect)
The resources that are affected by the interruption of the implementation are mainly the IT infrastructure and applications. The business processes
that are supported by the affected IT infrastructure and applications are secondary resources.
Time
The duration of the event is extended because there is a substantial loss in time. The timing of occurrence is critical because the bank needs this new
bundle of software for its branches. The detection is slow because it was not recognized until the implementation already started. The time lag between
event and consequence is delayed because, in the worst case, a new provider must be evaluated.
Risk Type
IT Benefit/Value Enablement | S | Missed opportunity to use technology to improve efficiency and effectiveness
IT Programme and Project Delivery | N/A |
IT Operations and Service Delivery | P | Service interruption
Possible Risk Responses
• Risk Avoidance: Bank will abstain from outsourcing. Bank should train own personnel in the service application implementation to counter reliance
on the business partner.
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Bank will review its governance process and enhance requirements when building the request for information (RFI) and request for
proposal (RFP) for qualifying business partners. Bank will perform proper review and selection of third parties.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement policy | Provide a set approach to selecting suppliers, including the acceptance criteria for terms of business. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | Low | High | YES
APO10.03 | Manage supplier relationships and contracts. | Formalize and manage relationships for each strategic supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. | High | High | YES
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | High | High | YES
APO10.05 | Monitor supplier performance and compliance. | Periodically review the overall performance of suppliers, compliance to contract requirements, and value, and address identified issues promptly. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business process owner | Set requirements and performance indicators and ensure that proper expectations are incorporated in the contracts. | High | High | YES
Procurement department | Provide the support and approach to efficiently engage with suppliers. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect procurement procedures | Additional effort is required to ensure minimal protection regarding suppliers. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service requirements | Knowing business goals allows for a reasonable position for negotiation. | High | High | YES
IT strategy | Define boundaries and enterprise objectives to take into account when negotiating contracts. | High | High | YES
Supplier catalogue | A structured presentation of known suppliers, including previous performance | High | High | YES
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | Medium | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Vendor management system | Sets up a system to keep track of the evolution of exposure to risk during the entire process from selection until termination of service. | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Negotiation skills | Ensure that minimal requirements are supported | Medium | Medium | NO


Key Risk Indicators (KRIs) Related to IT Goals


• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
Key Risk Indicators (KRIs) Related to Process Goals
• (APO10) Percentage of suppliers meeting agreed-on requirements
• (APO10) Number of service breaches to IT-related services caused by suppliers
• (APO10) Number of risk-related events leading to service incidents
• (APO10) Frequency of risk management sessions with supplier
• (APO10) Percentage of risk-related incidents resolved acceptably (time and cost)
• (APO10) Number of supplier review meetings
• (APO10) Number of formal disputes with suppliers
• (APO10) Percentage of disputes resolved amicably in a reasonable time frame


1103 Infrastructure expansion services

Risk Scenario Title: Infrastructure expansion services
Risk Scenario Category: 11 Suppliers
Risk Scenario Reference: 1103
Risk Scenario
After a cost review regarding the expansion of a company’s volume of operations, the company IT department decides to move to cloud services for
infrastructure support (infrastructure as a service [IaaS]). The company makes this decision without doing appropriate due diligence concerning third
parties. A process for reviewing the third-party compliance requirements does not exist.

After the service is in place, the company detects that the service provider cannot meet contract service level agreements (SLAs) for the increase
in company operations volume that is planned for the next two years. Due to this severe issue, future business growth and sustainability are in jeopardy,
which threatens the planned business expansion.

The main issues that have become evident are related to security, compliance, business continuity planning and cloud supplier capacity, as follows:
• Insufficient network throughput/capacity
• Slow transaction response time
• No review of cloud provider policies and procedures
• Need to update the business continuity plan (BCP) and the disaster recovery plan (DRP) processes to include the vendor/provider BCP/DRP
Risk Scenario Components
Threat Type
The nature of the event is a failure in decision making because the decision was made without adequate information, as a result of inadequate due diligence.
Actor
The actors that generate the threat that exploits a vulnerability are internal and external. The internal actor is the function that is accountable for the
due diligence within the process APO10 Manage suppliers. The external actor is the service provider.
Event
The event is interruption of services and ineffective design of IT infrastructure.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process APO10 Manage suppliers.
Asset/Resource (Effect)
The resources that are affected are mainly the IT infrastructure and applications. The secondary affected resources are the business processes that
are supported by the affected IT infrastructure and applications.
Time
The duration of the event is extended because the provider must upgrade its infrastructure and systems or the company has to switch to another
provider. The timing of occurrence is critical due to the severe issue that future business growth and sustainability are in jeopardy, which threatens
the planned business expansion. The detection is slow because it was not recognized until the service was in place. The time lag between event and
consequence is delayed because, in the worst case, the new provider needs to be evaluated.
Risk Type
IT Benefit/Value Enablement | S | Missed opportunity to use technology to improve efficiency and effectiveness—future business growth and sustainability are in jeopardy and the planned business expansion is threatened
IT Programme and Project Delivery | N/A |
IT Operations and Service Delivery | P | Insufficient network throughput/capacity, slow transaction response time, security problems and compliance issues.
Possible Risk Responses
• Risk Avoidance: Abstinence from outsourcing
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The process for selection of third parties will be reviewed and then the company will adjust all technical and
non-technical requirements.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement policy | Provide a set approach to selecting suppliers including the acceptance criteria for terms of business. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | Low | High | YES
APO10.03 | Manage supplier relationships and contracts. | Formalize and manage relationships for each strategic supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. | High | High | YES
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | High | High | YES
APO10.05 | Monitor supplier performance and compliance. | Periodically review the overall performance of suppliers, compliance to contract requirements, and value, and address identified issues promptly. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement department | Provide the support and approach to efficiently engage with suppliers. | Medium | Medium | NO
Chief information officer (CIO) | Accountable for managing suppliers | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect procurement procedures. | Additional effort is required to ensure minimal protection regarding suppliers. | High | High | YES
A transparent and participative culture is an important focus point. | To optimize the outcome of the vendor relationship | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service requirements | Knowing business goals allows for a reasonable position for negotiation. | High | High | YES
IT strategy | Define boundaries and enterprise objectives to take into account when negotiating contracts. | Medium | Medium | NO
Supplier catalogue | A structured presentation of known suppliers, including previous performance | High | High | YES
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | Medium | Medium | NO

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Vendor management system | Sets up a system to keep track of the evolution of exposure to risk during the entire process from selection until termination of service. | High | High | YES


People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Negotiation skills | Ensure that minimal requirements are supported. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
Key Risk Indicators (KRIs) Related to Process Goals
• (APO10) Percentage of suppliers meeting agreed-on requirements
• (APO10) Number of service breaches to IT-related services caused by suppliers
• (APO10) Number of risk-related events leading to service incidents
• (APO10) Frequency of risk management sessions with supplier
• (APO10) Percentage of risk-related incidents resolved acceptably (time and cost)
• (APO10) Number of supplier review meetings
• (APO10) Number of formal disputes with suppliers
• (APO10) Percentage of disputes resolved amicably in a reasonable time frame


1107 Cloud providers selected directly by the business

Risk Scenario Title: Cloud providers selected directly by the business
Risk Scenario Category: 11 Suppliers
Risk Scenario Reference: 1107
Risk Scenario
The IT department, which has responsibility for development and enterprise architecture (EA) for the enterprise, identified that the business engaged directly
with, and purchased capability directly from, a number of cloud service providers for capability that is being developed internally. The IT department
discovered the relationship following a request from the cloud provider for access to integrate with internal systems of record.

Following discussions with the business, it is agreed to terminate the development of the external solution and to transition the relationship with the
cloud provider to IT.

IT is now encumbered with a service level agreement that has minimal performance metrics reporting (most of the service level agreement [SLA]
reporting is meaningless). Without integration with in-house systems (especially dashboards for ticketing events), it will be difficult to derive value for
the enterprise.
Risk Scenario Components
Threat Type
The nature of the event is a failure in decision making because the decision was made by the business without consulting IT.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the business executive that made the decision without consulting IT.
Event
The event is inappropriate use of resources and ineffective design of the SLAs.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process APO10 Manage suppliers.
Asset/Resource (Effect)
The main resources that are affected are the applications. The secondary resources that are affected are the business processes that are supported by
the affected applications.
Time
The duration of the event is extended because the IT department now has the responsibility for the relationship and must integrate the provided
services with the in-house systems. The timing of occurrence is noncritical. The detection is moderate because the relationship was detected
accidentally, following a request from the cloud provider. The time lag between event and consequence is immediate because the responsibility of the
relationship is transferred immediately to IT.
Risk Type
IT Benefit/Value Enablement | S | Missed opportunity to use technology to improve efficiency and effectiveness—future business growth and sustainability in jeopardy and the planned business expansion is threatened
IT Programme and Project Delivery | P | Run redundant projects.
IT Operations and Service Delivery | N/A |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The IT department enters into a relationship with the business to understand the business expectations and attempts to renegotiate
effective monitoring and service delivery with the cloud provider.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement policy | Provide a set approach to selecting suppliers, including the acceptance criteria for the terms of business. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO09.02 | Catalog IT-enabled services. | Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live IT-enabled services in the service catalogs. | Medium | High | YES
APO09.03 | Define and prepare service agreements. | Define and prepare service agreements (SLAs) based on the options in the service catalogs. Include internal operational level agreements (OLAs). | Medium | High | YES
APO09.04 | Monitor and report service levels. | Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance. | Medium | High | YES
APO09.05 | Review service agreements and contracts. | Conduct periodic reviews of the service agreements and revise when needed. | Medium | High | YES
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | Low | High | YES
APO10.03 | Manage supplier relationships and contracts. | Formalize and manage relationships for each strategic supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. | High | High | YES
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | Low | High | YES
APO10.05 | Monitor supplier performance and compliance. | Periodically review the overall performance of suppliers, compliance to contract requirements, and value, and address identified issues promptly. | Medium | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement department | Provide the support and approach to efficiently engage with suppliers | High | High | YES
Chief information officer (CIO) | Accountable for managing suppliers | Low | Low | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect procurement procedures. | Additional effort is required to ensure minimal protection regarding suppliers. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service requirements | Knowing business goals allows for a reasonable position for negotiation | Medium | High | YES
IT strategy | Defining boundaries and enterprise objectives to take into account when negotiating contracts | Low | Low | NO
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | Medium | High | YES


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
Key Risk Indicators (KRIs) Related to Process Goals
• (APO10) Percentage of suppliers meeting agreed-on requirements
• (APO10) Number of service breaches to IT-related services caused by suppliers
• (APO10) Number of risk-related events leading to service incidents
• (APO10) Frequency of risk management sessions with supplier
• (APO10) Percentage of risk-related incidents resolved acceptably (time and cost)
• (APO10) Number of supplier review meetings
• (APO10) Number of formal disputes with suppliers
• (APO10) Percentage of disputes resolved amicably in a reasonable time frame


12 Regulatory Compliance
1201 PCI DSS Compliance

Risk Scenario Title: PCI DSS Compliance
Risk Scenario Category: 12 Regulatory compliance
Risk Scenario Reference: 1201
Risk Scenario
PCI DSS is the payment card industry (PCI) data security standard (DSS). It is a proprietary information security standard for enterprises that handle
cardholder information for the major debit, credit, prepaid, e-purse, automated teller (ATM) and point of service (POS) cards. The standard was created to
increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually, by an external qualified
security assessor (QSA) that creates a report on compliance (ROC) for enterprises that handle large volumes of transactions, or by a self-assessment
questionnaire (SAQ) for companies that handle smaller volumes.

A company makes a major change in its business strategy and introduces an e-commerce web site to sell its products. The company is taking credit
card payments through this web site, which generates a large proportion of company total sales. Senior management was either unaware or decided
to go to market before the company was fully PCI DSS compliant. The noncompliance with the PCI DSS regulation is detected by the enterprise’s
sponsoring bank, which takes action. This action results in a fine to the company and has a negative impact on the enterprise’s reputation.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process MEA03 Monitor, evaluate and assess compliance with external requirements and, at a more detailed
level, a failure of the management practice Identify external compliance requirements. The threat type can also be classified as a breach of external
requirements.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actor is the senior management that was either
unaware or decided to go to market before the company was fully PCI DSS compliant. The external actors are the enterprise’s bank and the regulators
that fine the company.
Event
The event is ineffective design and/or ineffective execution of the management practice Identify external compliance requirements, within the process
MEA03 Monitor, evaluate and assess compliance with external requirements. The event can also be classified as a breach of rules and regulations.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process MEA03 Monitor, evaluate and assess compliance with external requirements.
Asset/Resource (Effect)
The assets/resources that are affected are the business processes of the company’s e-commerce activities.
Time
The duration is extended because the company must implement additional security measures to be compliant, and then these security measures must
be assessed. Timing is noncritical because noncompliance will not have an immediate impact on the business. Detection is through the enterprise’s
bank and is slow because it took some time before noncompliance was discovered. The time lag between event and consequence is delayed because
the regulator will first need to assess the extent of the breach of rules and regulations and then impose the fine.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | Compliance issues
Possible Risk Responses
• Risk Avoidance: The enterprise decides to have no online sales presence.
• Risk Acceptance: Senior management accepts the risk and is prepared to pay any fines and have the company’s reputation damaged.
• Risk Sharing/Transfer: The enterprise outsources the processing of the e-commerce web site.
• Risk Mitigation: Implement required data security practices to be compliant with PCI DSS.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance policy | Guide the identification of external compliance requirements. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
MEA03.01 | Identify external compliance requirements. | On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise. | High | Low | YES
MEA03.02 | Optimize response to external requirements. | Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans. | High | High | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | Low | YES
MEA03.04 | Obtain assurance of external compliance. | Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance department | Provide guidance on legal, regulatory and contractual compliance. Track new and changing regulations. | High | High | YES
Legal group | Legal support during analysis and litigation. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance is embedded in daily operations. | All members of the enterprise are empowered to facilitate regulatory compliance. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Analysis of new legal and regulatory compliance requirements | Regulations imposed by government need to be analyzed. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Regulatory databases | Facilitate the follow-up of compliance requirements. | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Litigation skills | Once prosecution is initiated, the proper skills are required to minimize legal impact. | Low | Medium | YES
Legal analysis skills | Understand expectations of local regulator. | High | High | YES

Chapter 7
Risk Scenario Analysis Examples

Key Risk Indicators (KRIs) Related to IT Goals


• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
Key Risk Indicators (KRIs) Related to Process Goals
• (MEA03) Average time lag between identification of external compliance issues and resolution
• (MEA03) Frequency of compliance reviews
• (MEA03) Number of critical non-compliance issues identified per year
• (MEA03) Percentage of process owners signing off, confirming compliance


1202 Regulations for the financial industry

Risk Scenario Title | Regulations for the financial industry
Risk Scenario Category | 12 Regulatory compliance
Risk Scenario Reference | 1202
Risk Scenario
A financial services enterprise is unaware of and/or does not keep up to date with the local and international regulations for conducting business in this
market. This results in a fine, and the company is threatened by the external regulators with the removal of its trading license in case of recurrence.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process MEA03 Monitor, evaluate and assess compliance with external requirements or, at a more detailed
level, a failure of the management practices Identify external compliance requirements and Confirm external compliance. The threat type can also
be classified as a breach of external requirements.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actor is senior management, which is unaware
of and/or does not keep up to date with the local and international regulations. The external actors are the regulators that fine the company.
Event
The event is ineffective design and/or ineffective execution of the management practices Identify external compliance requirements and Confirm
external compliance, within the process MEA03 Monitor, evaluate and assess compliance with external requirements. The event can also be classified
as a breach of rules and regulations.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process MEA03 Monitor, evaluate and assess compliance with external requirements.
Asset/Resource (Effect)
The assets/resources that are affected are the business processes.
Time
The duration is extended because the company must implement additional controls to be compliant. Timing is noncritical because noncompliance will
not have an immediate impact on the business. Detection is slow because it usually takes some time before noncompliance is discovered. The time lag
between event and consequence is delayed because the regulator will first have to assess the extent of the breach of rules and regulations and then
impose the fine.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Senior management accepts the risk and is prepared to pay any fines and have the company’s reputation damaged.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Implement required control practices to be compliant with local and international financial industry rules and regulations.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance policy | Guide the identification of external compliance requirements. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
MEA03.01 | Identify external compliance requirements. | On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise. | High | Low | YES
MEA03.02 | Optimize response to external requirements. | Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans. | High | Low | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | Low | YES
MEA03.04 | Obtain assurance of external compliance. | Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance department | Provide guidance on legal, regulatory and contractual compliance. Track new and changing regulations. | High | High | YES
Legal group | Legal support during analysis and litigation. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Risk-aware and compliance-aware culture is present throughout the enterprise, including the proactive identification and escalation of risk. | All members of the enterprise are empowered to facilitate regulatory compliance. | Medium | Medium | NO
Compliance is embedded in daily operations. | All members of the enterprise are empowered to facilitate regulatory compliance. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Analysis of new legal and regulatory compliance requirements | Regulations imposed by the government need to be analyzed. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Regulatory databases | Facilitate the follow-up of compliance requirements. | High | High | YES


People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Litigation skills | Once prosecution is initiated, the proper skills are required to minimize legal impact on the enterprise. | Low | High | YES
Legal analysis skills | Understand expectations of local regulator. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
Key Risk Indicators (KRIs) Related to Process Goals
• (MEA03) Average time lag between identification of external compliance issues and resolution
• (MEA03) Frequency of compliance reviews
• (MEA03) Number of critical non-compliance issues identified per year
• (MEA03) Percentage of process owners signing off, confirming compliance


1203 Data transfer across country borders

Risk Scenario Title | Data transfer across country borders
Risk Scenario Category | 12 Regulatory compliance
Risk Scenario Reference | 1203
Risk Scenario
An enterprise’s IT service provider hosts servers that run the enterprise’s human resources (HR) system in another country. This IT service provider is
transferring personal information to a country that is not covered by appropriate data privacy regulations, contrary to local data privacy regulations,
which results in a fine from the enterprise’s regulator and publicity with the potential to cause reputational damage.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process MEA03 Monitor, evaluate and assess compliance with external requirements or, at a more detailed
level, a failure of the management practices Identify external compliance requirements and Confirm external compliance. The threat type can also
be classified as a breach of external requirements.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actor is the compliance office that did
not ensure that the company’s IT service provider complies with required rules and regulations. The external actors are the regulators who fined
the company.
Event
The event is ineffective design and/or ineffective execution of the management practices Identify external compliance requirements and Confirm
external compliance, within the process MEA03 Monitor, evaluate and assess compliance with external requirements. The event can also be classified as
a breach of rules and regulations.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process MEA03 Monitor, evaluate and assess compliance with external requirements.
Asset/Resource (Effect)
The assets/resources that are affected are the business processes and people, who could be affected through the disclosure of personal information.
Time
The duration is extended because the company must implement additional controls to be compliant. Timing is noncritical because noncompliance will
not have an immediate impact on the business. Detection is slow because it usually takes some time before noncompliance is discovered. The time lag
between event and consequence is delayed because the regulator will first have to assess the extent of the breach of rules and regulations and then
impose the fine.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | Compliance issues
Possible Risk Responses
• Risk Avoidance: Abstain from outsourcing.
• Risk Acceptance: Senior management accepts the risk and is prepared to pay any fines and have the company’s reputation damaged.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Implement required control practices to be compliant with data privacy rules and regulations. Ensure that servers are not located
across country borders.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Industry/market specific policies | Define the rules and guidelines to identify specific compliance requirements and the procedures to meet applicable requirements. | High | High | YES
Compliance policy | Guide the identification of external compliance requirements and procedures to meet applicable requirements. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
MEA03.01 | Identify external compliance requirements. | On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise. | High | Low | YES
MEA03.02 | Optimize response to external requirements. | Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans. | High | Low | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | Low | YES
MEA03.04 | Obtain assurance of external compliance. | Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Privacy officer | Monitor impact of laws and make sure privacy directives are met. | High | High | YES
Compliance department | Provide guidance on legal, regulatory and contractual compliance. Track new and changing regulations. | High | High | YES
Legal group | Legal support during analysis and litigation. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Risk-aware and compliance-aware culture is present throughout the enterprise, including the proactive identification and escalation of risk. | All members of the enterprise are empowered to facilitate regulatory compliance. | Medium | Medium | NO
Compliance is embedded in daily operations. | All members of the enterprise are empowered to facilitate regulatory compliance. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Analysis of new legal and regulatory compliance requirements | Regulations imposed by the government need to be analyzed. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Regulatory databases | Facilitate the follow-up of compliance requirements. | High | High | YES


People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Litigation skills | Once prosecution is initiated, the proper skills are required to minimize legal impact on the enterprise. | Low | High | YES
Legal analysis skills | Understand expectations of local regulator. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
Key Risk Indicators (KRIs) Related to Process Goals
• (MEA03) Average time lag between identification of external compliance issues and resolution
• (MEA03) Frequency of compliance reviews
• (MEA03) Number of critical non-compliance issues identified per year
• (MEA03) Percentage of process owners signing off, confirming compliance


13 Geopolitical
1301 Fire caused by political activists

Risk Scenario Title | Fire caused by political activists
Risk Scenario Category | 13 Geopolitical
Risk Scenario Reference | 1301
Risk Scenario
The board of directors of an enterprise assesses the likelihood of political actions in the region where the company has its business and IT premises as
low and, therefore, has no prevention process to respond to political activities such as riots, agitations and civil disturbances. Following the outbreak of
a serious fire, which was caused by a political activist at a neighboring oil refinery, the enterprise is required by the authorities to evacuate its offices
because of the danger of the fire spreading. The enterprise’s personnel are not allowed back into their offices for several days. While there is no damage
to the enterprise’s business and IT facilities, access is denied by the authorities until the surrounding area is made safe. Therefore, the enterprise has no
access to business and IT facilities for a long period of time, which has a major negative impact on the enterprise’s ongoing business operations.
Risk Scenario Components
Threat Type
The nature of the event is the malicious act of setting fire to the neighboring oil refinery and also the external requirement by the authorities to
evacuate the building.
Actor
The actors were the external political activists that started the fire and the external authorities that demanded the evacuation of the building and denied
access until the surrounding area was made safe again.
Event
The event is an interruption of the business processes caused by the fact that the business and IT facilities are unavailable or cannot be accessed.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people, the political activists.
Asset/Resource (Effect)
The assets/resources that are affected are all business and IT processes that cannot be performed because access to the physical and IT
infrastructure, facilities, equipment, information and applications is prevented.
Time
The timing is critical because it has an immediate impact on business operations. Detection is instant. Time lag between event and consequence is
immediate. The duration is extended because a long period of time may pass before the authorities allow access to the offices again.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | IT (and business) service interruptions
IT Operations and Service Delivery | S | Physical security problems

Possible Risk Responses


• Risk Avoidance: Do not place business or IT premises in the critical area.
• Risk Acceptance: The board assesses the likelihood of political actions in the region as low and accepts the risk.
• Risk Sharing/Transfer: Take out insurance against business disruption.
• Risk Mitigation: Implement a secondary backup data center and access to alternative business premises and have an effective business continuity
plan (BCP).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM03.01 | Evaluate risk management. | Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed. | Low | High | YES
EDM03.02 | Direct risk management. | Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. | Low | Medium | NO
APO12.01 | Collect data. | Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting. | Medium | High | YES
APO12.02 | Analyze risk. | Develop useful information to support risk decisions that take into account the business relevance of risk factors. | Low | High | YES
APO12.03 | Maintain a risk profile. | Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities. | Low | High | YES
APO12.04 | Articulate risk. | Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response. | Low | High | YES
APO12.05 | Define a risk management action portfolio. | Manage opportunities to reduce risk to an acceptable level as a portfolio. | Medium | Medium | NO
APO12.06 | Respond to risk. | Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events. | Low | High | YES
DSS04.01 | Define the business continuity policy, objectives and scope. | Define business continuity policy and scope aligned with enterprise and stakeholder objectives. | Low | Medium | NO
DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. | Low | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
DSS04.05 | Review, maintain and improve the continuity plan. | Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business continuity and disaster recovery | Maintain options for continuous service. | Low | High | YES
Culture, Ethics and Behaviour Enabler
N/A | N/A


Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Contingency planning skills | Maintain options for continuous service. | Low | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Frequency of security assessment against latest standards and guidelines
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM03) Level of alignment between IT risk and enterprise risk
• (EDM03) Number of potential IT risks identified and managed
• (EDM03) Refreshment rate of risk factor evaluation
• (EDM03) Percentage of IT risk action plans executed on time
• (EDM03) Percentage of critical risk that has been effectively mitigated
• (EDM03) Level of unexpected enterprise impact
• (EDM03) Percentage of IT risk that exceeds enterprise risk tolerance
• (APO12) Degree of visibility and recognition in the current environment
• (APO12) Number of loss events with key characteristics captured in repositories
• (APO12) Percentage of audits, events and trends captured in repositories
• (APO12) Percentage of key business processes included in the risk profile
• (APO12) Completeness of attributes and values in the risk profile
• (APO12) Percentage of risk management proposals rejected due to lack of consideration of other related risk
• (APO12) Number of significant incidents not identified and included in the risk management portfolio
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan


1302 Access to key business markets

Risk Scenario Title | Access to key business markets
Risk Scenario Category | 13 Geopolitical
Risk Scenario Reference | 1302
Risk Scenario
An enterprise made a major investment in a business-to-business e-commerce solution to sell its products on a global basis. The emerging markets
are the key markets for the enterprise to achieve its planned return on investment (ROI) on this e-commerce solution. One of the governments of these
emerging markets disrupts its connection to the Internet; therefore, the enterprise is denied access to one of its key business markets, resulting in a
substantial drop in sales.
Risk Scenario Components
Threat Type
The nature of the event is the external requirements caused by political instability, or the direct act of the foreign government in the country where the
company generates a large proportion of its product sales and income.
Actor
The actor that generates the threat is an external foreign government acting deliberately.
Event
The event is interruption of communications, impacting business sales and resulting in a loss of income.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the external people of the foreign government.
Asset/Resource (Effect)
The assets/resources that are affected are the physical and IT infrastructure; their loss cuts the communications route to a key foreign market and
impacts the ability to process sales transactions.
Time
The timing of the event is critical. The duration is extended because it is not known when the government will allow access to the Internet again,
and access to this important market could be denied for a long period of time. The detection is immediate by the denial of connection. The time lag
between event and consequence is immediate because the processing of sales transactions is not possible from the moment the connection to the
Internet is disrupted.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | IT service interruptions
Possible Risk Responses
• Risk Avoidance: Do not invest in the capability of doing business in politically unstable countries.
• Risk Acceptance: The board accepts that this is a risk of doing business in politically unstable countries.
• Risk Sharing/Transfer: Take out insurance against business disruption.
• Risk Mitigation: The enterprise engages a professional lobby company and maintains a good business relationship with the foreign government.
Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Safe harbor policies | Provide guidance about provisions of a law or regulation that specify that certain conduct will be deemed not to violate a given rule. | Medium | Low | NO |

Chapter 7
Risk Scenario Analysis Examples

Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| EDM03.01 | Evaluate risk management. | Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed. | Low | Medium | NO |
| APO12.01 | Collect data. | Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting. | Low | High | YES |
| APO12.02 | Analyze risk. | Develop useful information to support risk decisions that take into account the business relevance of risk factors. | Low | High | YES |
| APO12.03 | Maintain a risk profile. | Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities. | Low | High | YES |
| APO12.04 | Articulate risk. | Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response. | Low | High | YES |
| APO12.05 | Define a risk management action portfolio. | Manage opportunities to reduce risk to an acceptable level as a portfolio. | Low | High | YES |
| APO12.06 | Respond to risk. | Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events. | Low | High | YES |
| DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. | Low | Medium | NO |
Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Business continuity and disaster recovery | Maintain options for continuous service. | Low | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |


People, Skills and Competencies Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Contingency planning skills | Maintain options for continuous service. | Low | High | YES |
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM03) Level of alignment between IT risk and enterprise risk
• (EDM03) Number of potential IT risks identified and managed
• (EDM03) Refreshment rate of risk factor evaluation
• (EDM03) Percentage of critical risk that has been effectively mitigated
• (EDM03) Level of unexpected enterprise impact
• (EDM03) Percentage of IT risk that exceeds enterprise risk tolerance
• (APO12) Number of loss events with key characteristics captured in repositories
• (APO12) Percentage of audits, events and trends captured in repositories
• (APO12) Percentage of key business processes included in the risk profile
• (APO12) Completeness of attributes and values in the risk profile
• (APO12) Percentage of risk management proposals rejected due to lack of consideration of other related risk
• (APO12) Number of significant incidents not identified and included in the risk management portfolio
• (DSS04) Percentage of IT services meeting uptime requirements
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan


1303 Bomb taking out a data center

Risk Scenario Title: Bomb taking out a data center
Risk Scenario Category: 13 Geopolitical
Risk Scenario Reference: 1303
Risk Scenario
Political tensions continue to develop around the world and often result in terrorist attacks. Over the past few years, large banks have also been targeted
because they are being blamed for much of the world’s economic problems. A multinational bank that is located in London, England, has a data center
that controls its automated teller machine (ATM) network. The bank also has a backup data center in another city in the United Kingdom. A deliberate
action by a terrorist group results in a bomb attack that takes out the main data center in London. In a coordinated attack, the backup data center is also
destroyed by a bomb. This event takes out the bank’s entire ATM network.
Risk Scenario Components
Threat Type
The nature of the event is the malicious deliberate action by the terrorist group.
Actor
The actor that generates the threat that exploits the vulnerability is the external terrorist group.
Event
The event is destruction of the two data centers and the service interruption of the bank’s ATM network.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are people of the terrorist group.
Asset/Resource (Effect)
The assets/resources that are affected are the business process providing cash to clients through ATM, the physical infrastructure, facilities,
equipment, etc., and the IT infrastructure, including computing hardware, network infrastructure and middleware.
Time
The duration of the event is extended; it will take many days to restore the ATM services. The timing of the occurrence is critical to providing a service
to the bank’s customers. The event detection is immediate because it is the instant loss of ATM service. For the same reason, the time lag between the
event and the consequence is immediate.
Risk Type

| Risk Type | P/S | Description |
|---|---|---|
| IT Benefit/Value Enablement | N/A | |
| IT Programme and Project Delivery | N/A | |
| IT Operations and Service Delivery | P | IT service interruptions |
| IT Operations and Service Delivery | S | Security problems |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Outsource server hosting. Take out business disruption insurance.
• Risk Mitigation: Implement and/or improve business continuity planning and disaster recovery planning. Ensure that IT sites are built and designed
to minimize the impact of environmental risk (e.g., theft, air, fire, smoke, water, vibration, terror, vandalism, chemicals and explosives). Take out a
contract with a disaster recovery planning service provider.
Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |


Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| EDM03.01 | Evaluate risk management. | Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed. | Low | High | YES |
| DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | High | High | YES |
| DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | Low | Medium | NO |
| DSS04.01 | Define the business continuity policy, objectives and scope. | Define business continuity policy and scope aligned with enterprise and stakeholder objectives. | Low | High | YES |
| DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. | Low | High | YES |
| DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES |
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | Medium | YES |
Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Business continuity and disaster recovery | Maintain options for continuous service. | Low | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |


People, Skills and Competencies Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Contingency planning skills | Maintain options for continuous service. | Low | High | YES |
Key Risk Indicators (KRIs) Related to IT Goals
• (07) Number of business disruptions due to IT service incidents
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (14) Number of business process incidents caused by non-availability of information
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM03) Level of alignment between IT risk and enterprise risk
• (EDM03) Number of potential IT risks identified and managed
• (EDM03) Refreshment rate of risk factor evaluation
• (EDM03) Percentage of critical risk that has been effectively mitigated
• (EDM03) Level of unexpected enterprise impact
• (EDM03) Percentage of IT risk that exceeds enterprise risk tolerance
• (APO12) Degree of visibility and recognition in the current environment
• (APO12) Number of loss events with key characteristics captured in repositories
• (APO12) Percentage of audits, events and trends captured in repositories
• (APO12) Percentage of key business processes included in the risk profile
• (APO12) Completeness of attributes and values in the risk profile
• (APO12) Percentage of risk management proposals rejected due to lack of consideration of other related risk
• (APO12) Number of significant incidents not identified and included in the risk management portfolio
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents


14 Infrastructure Theft or Destruction


1401 Tailgating

Risk Scenario Title: Tailgating
Risk Scenario Category: 14 Infrastructure theft or destruction
Risk Scenario Reference: 1401
Risk Scenario
A small company that has policies and systems to control authorized personnel entry to restricted service areas fails to update a new team that was
recently added to the company for a special project.

New employees are often encouraged to enter facilities along with other employees who have been granted access to the facilities. A clear
differentiation does not exist between the badges assigned to visitors and employees. Regularly, the security personnel fail to escort visitors.

The company has not upgraded its security monitoring to a digital format.

After a recent physical site audit (using camera and monitor recordings), it was observed that an unknown person gained access to the building, which
resulted in industrial espionage through the theft of a device with information about the latest company product that was scheduled to be launched to
the market in the next quarter.
Risk Scenario Components
Threat Type
The nature of the event is malicious.
Actor
The actor that generates the threat that exploits a vulnerability is an external person (a thief).
Event
The event is theft and disclosure of sensitive information about the latest company product.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are an ineffective design and/or ineffective execution of the process DSS05 Manage security
services and its management practices DSS05.05 Manage physical access to IT assets and DSS05.06 Manage sensitive documents and output devices.
Asset/Resource (Effect)
The asset/resource that was affected is the sensitive information about the latest company product.
Time
The duration of the event is extended because the advantage against the competitors is lost. The timing of occurrence is critical because the
company’s product was just about to hit the market within the next quarter. Detection is moderate because the intrusion was only discovered by reviewing the
videotapes. The time lag between event and consequence is delayed because the revenue the company expects from the new product is only affected once
the product reaches the market.
Risk Type

| Risk Type | P/S | Description |
|---|---|---|
| IT Benefit/Value Enablement | N/A | |
| IT Programme and Project Delivery | N/A | |
| IT Operations and Service Delivery | P | Physical security problems |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Physical site security policies will be enforced. Visitor badges will be changed to a flashing color and physical barriers and visitor
logs will be installed.
Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Physical and environmental information security policy | Restrict physical access to infrastructure in order to prevent destruction. | High | High | YES |


Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES |
| DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens. | High | High | YES |
Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security manager | Implementation of security measures | High | High | YES |
| Head of IT operations | Respond to infrastructure theft and destruction. | Low | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security is practiced in daily operations. | To prevent unauthorized physical access | High | Medium | YES |
| People respect the importance of information security policies and principles. | To prevent unauthorized physical access | High | Medium | YES |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of infrastructure theft and destruction | High | High | YES |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Access requests | Audit access requests and approvals. | High | Medium | YES |
| Access logs | Monitor access to facilities. | Medium | High | YES |
| Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Access control | To prevent unauthorized logical access | High | Medium | YES |
| Alarm and monitoring security system | To prevent unauthorized physical access | High | High | YES |


People, Skills and Competencies Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security skills | To implement controls to prevent or reduce the impact of infrastructure theft and destruction. | High | High | YES |
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Time to grant, change and remove access privileges, compared to agreed-on service levels
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Average time between change and update of accounts
• (DSS05) Number of accounts (vs. number of unauthorised users/staff)
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents
• (DSS05) Number of incidents relating to unauthorised access to information


1402 Theft of development servers

Risk Scenario Title: Theft of development servers
Risk Scenario Category: 14 Infrastructure theft or destruction
Risk Scenario Reference: 1402
Risk Scenario
A company has understandable policies and systems to control authorized personnel entry to its main offices and buildings. Because the company grew
quite fast and needed more office space, the company decided to transfer the development team to a building that was rented for this purpose. The
rented building had careless and inefficient entry and environmental controls.

There was a break-in at the building that hosted the development team, and most of the development servers were stolen. Because the servers could
not be replaced quickly, the theft of the servers led to big delays in most of the development projects.
Risk Scenario Components
Threat Type
The nature of the event is malicious.
Actor
The actor that generates the threat that exploits the vulnerability is an external thief.
Event
The event is theft of a substantial number of development servers.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is ineffective design and/or ineffective execution of environmental controls for the physical
infrastructure, facilities and equipment.
Asset/Resource (Effect)
The asset/resource that was affected is the IT infrastructure, specifically, the development servers.
Time
The duration of the event is extended because replacement cannot be organized immediately. The timing of occurrence is critical because the company
is working on some strategically important development projects. Detection is immediate because it was detected the morning after the servers were
stolen. The time lag between event and consequence is delayed because the company must acquire, configure and implement the new servers, which
can take a long period of time.
Risk Type

| Risk Type | P/S | Description |
|---|---|---|
| IT Benefit/Value Enablement | S | Delayed projects lead to missed opportunities as an enabler for new business initiatives. |
| IT Programme and Project Delivery | S | Delayed project delivery |
| IT Operations and Service Delivery | P | Destruction of value to the enterprise |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Insurance for equipment
• Risk Mitigation: Physical site security policies will be enforced for all sites. Environmental controls will be implemented for all sites. Contract to a
disaster recovery service.
Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Physical and environmental information security policy | Restrict physical access to infrastructure in order to prevent destruction. | High | Low | YES |
| Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES |


Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | High | Medium | YES |
| DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES |
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | Low | YES |
Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security manager | Responsible for implementing security measures. | High | Low | YES |
| Head of IT operations | Respond to infrastructure theft and destruction. | Low | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security is practiced in daily operations. | To prevent unauthorized physical access | High | Low | YES |
| People respect the importance of information security policies and principles. | To prevent unauthorized physical access | High | Low | YES |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of infrastructure theft and destruction | Medium | High | YES |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Access requests | Audit access requests and approvals. | High | Low | YES |
| Access logs | Monitor access to facilities. | Medium | Low | NO |
| Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Access control | To prevent unauthorized logical access | High | Low | YES |
| Alarm and monitoring security system | To prevent unauthorized physical access | High | Medium | YES |


People, Skills and Competencies Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security skills | To implement controls to prevent or reduce the impact of infrastructure theft and destruction. | High | High | YES |
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents


1404 Accidental destruction of individual servers

Risk Scenario Title: Accidental destruction of individual servers
Risk Scenario Category: 14 Infrastructure theft or destruction
Risk Scenario Reference: 1404
Risk Scenario
A key account manager uses a tablet computer for all of his customer relationship management (CRM) activities (client administration, orders, etc.).
During a visit and a presentation at a customer site, a teapot is knocked over and the hot tea pours over the tablet, destroying it. The data from the tablet
cannot be recovered because the internal memory is badly damaged. Because the tablet was not included in the backup procedures of the company
and the key account manager has never backed up his data, all the data are lost.
Risk Scenario Components
Threat Type
The nature of the event is accidental: hot tea is spilled over the device, destroying it.
Actor
The actor that generates the threat that exploits the vulnerability is internal: the key account manager who knocks over the teapot.
Event
The event is destruction of a device and the data on this device.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is ineffective design and/or ineffective execution of backup procedures for mobile devices.
Asset/Resource (Effect)
The asset/resource that was affected is the information on the device.
Time
The duration of the event is extended because the data are lost definitively and have to be reworked from memory and papers from the key account
manager. The timing of occurrence is critical because the key account manager needs the information daily and the company will lose revenue.
Detection is immediate because it was detected immediately, when the data were lost. The time lag between event and consequence is delayed
because the key account manager must recover the information from his memory and documentation.
Risk Type

| Risk Type | P/S | Description |
|---|---|---|
| IT Benefit/Value Enablement | N/A | |
| IT Programme and Project Delivery | N/A | |
| IT Operations and Service Delivery | P | Destruction of value to the enterprise (the device) and security problems |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Insurance for equipment
• Risk Mitigation: Include mobile devices in backup policy and procedures and implement automated online backups.
Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES |


Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| DSS04.07 | Manage backup arrangements. | Maintain availability of business-critical information. | Low | High | YES |
| DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | High | High | YES |
| DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | High | High | YES |

Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Head of IT operations | Respond to infrastructure theft and destruction. | Low | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of infrastructure theft and destruction | Low | High | YES |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |

People, Skills and Competencies Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security skills | To implement controls to prevent or reduce the impact of infrastructure theft and destruction. | High | High | YES |


Key Risk Indicators (KRIs) Related to IT Goals


• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment

Risk Scenarios Using COBIT® 5 for Risk


15 Malware
1502 Virus Infection

Risk Scenario Title Virus Infection


Risk Scenario Category 15 Malware
Risk Scenario Reference 1502
Risk Scenario
External hackers with the motivation to cause business disruption use viruses to attack a company’s IT systems. A virus penetrates the enterprise’s IT
infrastructure, infecting servers, desktops and laptops and destroying information. The enterprise is infected with a virus that has a malicious payload
that causes certain types of files to be deleted. In some cases, the virus was designed to delete the entire drive contents. Through the attack of the
enterprise’s IT infrastructure, information is destroyed, preventing timely business decisions.
Risk Scenario Components
Threat Type
The nature of the event is a malicious infection with a virus.
Actor
The actors that generate the threat that exploits the vulnerability are external hackers with the motivation to cause business disruption.
Event
The event results in destruction of information and interruption of business processes.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people, specifically the hackers who attack the systems with the virus.
Asset/Resource (Effect)
The assets/resources that are affected by the event are different business processes that are interrupted and information that is destroyed.
Time
The duration of the event is extended because the attack of the enterprise’s IT infrastructure destroys information. The timing of occurrence is critical
because it prevents timely business decisions. The detection of the event is immediate because the information is lost at the time of the virus infection.
For the same reason, the time lag between event and consequence is immediate.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P IT service interruption; P Security problems; S Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board makes the decision that no one would be interested in attacking the enterprise—“it won’t happen to us.”
• Risk Sharing/Transfer: Take out business disruption insurance.
• Risk Mitigation: Install an antivirus solution on all relevant IT infrastructure assets and keep definitions up to date. Implement an awareness program.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Outline information security arrangements within the enterprise. | High | High | YES
Malicious software prevention policy | Detail the preventive, detective and corrective measures in place across the enterprise to protect information systems and technology from malware. | High | Medium | YES
Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. | Medium | Medium | NO
Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.08 | Maintain compliance with policies and procedures. | Implement procedures to maintain compliance, performance measurement of policies and other enablers of the control framework, and enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework. | Medium | Low | NO
APO13.02 | Define and manage an information security risk treatment plan. | Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation. | High | Medium | YES
DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Medium | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | High | Low | YES
DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Implement security measures. | High | High | YES
Head of IT operations | Lead the incident response team to restore service in a timely fashion. | Low | High |
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | To prevent the unintentional installation of malware | Medium | Low | NO
People respect the importance of information security policies and principles. | To prevent the unintentional installation of malware | High | Low | YES
Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of the installation of malware | Medium | High | YES
Awareness and training regarding malware, email and Internet usage. | To prevent the unintentional installation of malware | High | Low | YES


Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Threat information reports | Intelligence regarding types of attacks | High | Low | NO
Monitoring reports | Identification of attack attempts, threat events, etc. | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. | High | High | YES
Anti-malware tools | Protection against viruses | High | Low | YES
Monitoring and alert services | Timely notification of potential threats | Medium | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security skills | Prevent and reduce the impact of malware. | High | High | YES
IT technical skills | Appropriate configuration of IT infrastructure such as intrusion detection systems (IDS) to detect infections and prevent spreading. | High | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (14) Number of business process incidents caused by non-availability of information
• (15) Number of incidents related to non-compliance with policy
• (15) Percentage of stakeholders who understand policies
• (15) Percentage of policies supported by effective standards and working practices
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Number of learning/training hours per staff member
Key Risk Indicators (KRIs) Related to Process Goals
• (APO01) Percentage of active policies, standards and other enablers documented and up to date
• (APO01) Number of risk exposures due to inadequacies in the design of the control environment
• (APO01) Number of staff who attended training or awareness sessions
• (APO13) Number of security related incidents
• (APO13) Level of stakeholder satisfaction with the security plan throughout the enterprise
• (APO13) Number of security solutions deviating from the plan
• (APO13) Number of security incidents caused by non-adherence to the security plan
• (APO13) Number of services with confirmed alignment to the security plan
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Number of incidents relating to unauthorised access to information
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls


1503 Employee termination and theft

Risk Scenario Title Employee termination and theft


Risk Scenario Category 15 Malware
Risk Scenario Reference 1503
Risk Scenario
An employee has been notified that, due to company budget restrictions, he is going to be laid off in the next 30 days. This person considers himself to
be a critical asset to the company, and after he is notified, as revenge, he starts to copy enterprise core data and email them to competitors.

After securing these data on his own media device, he designs a time bomb and plants it in production systems. Ninety days after he has left the company, it changes the system logic that supports critical business functions, resulting in great losses to the company.

Because this employee is very close to the company’s chief information security officer (CISO), who is going to retire from the company, the CISO agrees
to help this employee alter the company’s security controls.
Risk Scenario Components
Threat Type
The nature of the event is malicious.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the employee who was laid off.
Event
The event is disclosure of company data and unauthorized modification of the systems logic by the time bomb.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people (the employee who was laid off). The ineffective design and ineffective execution of
the processes DSS05 Manage security services and APO07 Manage human resources are also resources.
Asset/Resource (Effect)
The resources that are affected are the business processes that are supported by the system logic that was changed by the time bomb, and
information, such as the core enterprise data that were copied and sent to competitors.
Time
The duration of the event is extended because it takes a long time to correct the affected system logic and to repair the damage to reputation and to the
business caused by the disclosed core enterprise data. Timing is critical because the CISO is going to retire. Detection is slow because the time bomb is
not detected before it destroys the system logic. For the same reason, the time lag between the event and the consequence is delayed.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P Security problems
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise needs to update the human resources (HR) policy for employee termination, especially for critical employees,
defining processes, including notification to the IT department. The IT department, after notification, should:
– Verify and actively monitor the employee’s activity log after the employee is notified.
– Build special reports to management on this activity log.
– Limit the employee’s data access to critical resources.
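The three IT steps above (monitor the notified employee's activity log, report on it to management, limit access to critical resources) as an added worked example; this code is not part of the ISACA publication, and the user names, log format, shares, mail domains and thresholds in it are constructed assumptions.

```python
"""Added example, not from the ISACA publication: review of the activity log
of employees on an HR termination watchlist, following the mitigation steps
of scenario 1503. User names, log format, shares, domains and thresholds
are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed watchlist: user -> date on which HR notified the employee.
WATCHLIST = {"jdoe": date(2014, 3, 1)}
# Constructed: mail domains owned by the enterprise; anything else is external.
INTERNAL_DOMAINS = {"example.com"}
# Constructed policy thresholds used by the report.
BULK_COPY_BYTES = 500 * 1024 * 1024          # one copy event of 500 MB or more
CRITICAL_SHARES = {"/shares/finance", "/shares/r_and_d"}
CRITICAL_REASONS = {"bulk-copy", "critical-share-access", "unapproved-prod-change"}

# Constructed activity log: "<iso-ts> key=value ..." (one event per line).
SAMPLE_LOG = """\
2014-02-27T17:40:00 user=jdoe action=copy src=/shares/public bytes=1048576
2014-03-02T09:15:00 user=jdoe action=copy src=/shares/finance bytes=734003200
2014-03-02T09:40:00 user=jdoe action=mail to=rival@competitor.example
2014-03-03T10:00:00 user=asmith action=mail to=partner@other.example
2014-03-03T22:05:00 user=jdoe action=deploy target=billing-prod approved_by=jdoe
""".splitlines()


@dataclass
class Finding:
    user: str
    when: datetime
    reason: str
    detail: str


def parse_event(line):
    """Split one log line into a dict of fields plus a parsed 'when' timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["when"] = datetime.fromisoformat(ts)
    return fields


def review(log_lines, watchlist=WATCHLIST):
    """Return the findings for watchlisted users. Only activity on or after the
    notification date is in scope: that is when the scenario's risk starts."""
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        user = ev.get("user")
        notified = watchlist.get(user)
        if notified is None or ev["when"].date() < notified:
            continue
        action = ev.get("action")
        if action == "copy":
            src, size = ev.get("src", ""), int(ev.get("bytes", "0"))
            if src in CRITICAL_SHARES:
                findings.append(Finding(user, ev["when"], "critical-share-access", src))
            if size >= BULK_COPY_BYTES:
                findings.append(Finding(user, ev["when"], "bulk-copy", f"{size} bytes from {src}"))
        elif action == "mail":
            domain = ev.get("to", "").rpartition("@")[2].lower()
            if domain and domain not in INTERNAL_DOMAINS:
                findings.append(Finding(user, ev["when"], "external-mail", ev["to"]))
        elif action == "deploy":
            # A production change by a departing employee must be approved by
            # someone else; this is where the scenario's time bomb would go in.
            if ev.get("approved_by", "") in ("", user):
                findings.append(Finding(user, ev["when"], "unapproved-prod-change", ev.get("target", "")))
    return findings


def build_report(findings):
    """Management report: per user, the findings and whether access to critical
    resources should be limited now (any critical reason is enough)."""
    report = defaultdict(lambda: {"findings": [], "limit_access": False})
    for f in findings:
        entry = report[f.user]
        entry["findings"].append(f"{f.when.isoformat()} {f.reason}: {f.detail}")
        if f.reason in CRITICAL_REASONS:
            entry["limit_access"] = True
    return dict(report)


if __name__ == "__main__":
    for user, entry in build_report(review(SAMPLE_LOG)).items():
        print(user, "limit access:", entry["limit_access"])
        for line in entry["findings"]:
            print("  ", line)
```

The copy before the notification date is deliberately ignored and the colleague who is not on the watchlist produces nothing, so the report stays focused on the population HR has actually flagged.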
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Outline information security arrangements within the enterprise. | High | High | YES
Malicious software prevention policy | Detail the preventive, detective and corrective measures in place across the enterprise to protect information systems and technology from malware. | High | High | YES
Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. | High | Low | YES
Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | Medium | Low | NO
DSS05.04 | Manage user identity and logical access. | Ensure that all users have information access rights in accordance with their business requirements and coordinate with business units that manage their own access rights within business processes. | High | Medium | YES
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | Low | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Implement security measures. | High | High | YES
Head of IT operations | Lead the incident response team to restore service in a timely fashion. | Low | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | To prevent the unintended installation of malware | High | Low | YES
People respect the importance of information security policies and principles. | To prevent the unintended installation of malware | Medium | Medium | NO
Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of the installation of malware | Low | High | YES
Awareness and training regarding malware, email and internet usage. | To prevent the unintended installation of malware | High | Low | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Threat information reports | Intelligence regarding types of attacks | Medium | Medium | NO
Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. | High | High | YES
Malicious software protection tools | Protection against malware | High | Low | YES
Monitoring and alert services | Timely notification of potential threats | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security skills | Prevent and reduce the impact of malware. | High | High | YES
IT technical skills | Appropriate configuration of IT infrastructure such as intrusion detection systems (IDS) to detect infections and prevent spreading. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Time to grant, change and remove access privileges, compared to agreed-on service levels
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Average time between change and update of accounts
• (DSS05) Number of accounts (vs. number of unauthorised users/staff)
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents
• (DSS05) Number of incidents relating to unauthorised access to information


1504 Phishing

Risk Scenario Title Phishing


Risk Scenario Category 15 Malware
Risk Scenario Reference 1504
Risk Scenario
A group of hackers sends spam emails to a large number of users in an enterprise, purporting to be from the company, informing them that there has
been a security issue with their company user account and requesting that they verify their logon credentials. The credentials are captured by the
malware and used at a later date to gain unauthorized access to company business systems. The information obtained is then sold to a competitor.
Risk Scenario Components
Threat Type
The nature of the event is malicious action by the hackers, combined with the spam email that employees receive and open accidentally. Users are
tricked into providing their logon credentials, and the hackers then use these credentials to gain access to the enterprise’s business systems
and information.
Actor
The actors that generate the threat that exploits the vulnerability are the external hackers who are distributing the malware in the email. The internal
employees are also actors by opening the email and acting on the request, providing their log-on credentials.
Event
The event is theft and disclosure of data because credentials are used to gain access to the enterprise’s business systems and information, and
sensitive commercial information is then sold to a competitor.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are people: the hackers, and also the employees who were tricked.
Asset/Resource (Effect)
The asset/resource that is affected is the stolen and sensitive commercial information, which is then sold to a competitor.
Time
When the credentials are used by the hackers to gain unauthorized access to the enterprise’s business systems, it is critical that the event be detected
quickly because the company is planning a marketing action and competitors could get to market sooner. However, the duration may be extended
because the stolen information can be used by the competitors over a longer period to gain clients from the attacked company. Detection is probably
moderate and the time lag between event and consequence is delayed because there may be a delay from the time that the hackers gain log-on
credentials, to the time they use them to gain unauthorized access.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P Security problems; S IT service interruptions; S Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Use a hosted email service, which includes a spam filtering service.
• Risk Mitigation: Implement spam filters to identify and quarantine spam emails, and educate end-users. Implement intrusion detection systems (IDSs)
to identify logon attempts coming from outside the enterprise.
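The logon-monitoring part of the mitigation above (flag logon attempts from outside the enterprise) as an added worked example; this is not code from the ISACA publication, and the address ranges, log format and time window are constructed assumptions. It goes one step beyond the text by also flagging an account that logs on from inside and from outside within a short window, a common sign that phished credentials are being replayed by someone else.

```python
"""Added example, not from the ISACA publication: the logon-monitoring part
of the mitigation for scenario 1504. Address ranges, log format and the
replay window are constructed assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: networks the enterprise owns (office LANs plus its VPN pool).
ENTERPRISE_NETWORKS = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]
# Constructed: an internal and an external successful logon for the same
# account closer together than this is reported as a replay suspect.
REPLAY_WINDOW = timedelta(hours=1)

# Constructed logon records: "<iso-ts> <user> <source-ip> <SUCCESS|FAILURE>".
SAMPLE_LOGONS = """\
2014-04-01T08:02:10 jdoe 10.1.4.22 SUCCESS
2014-04-01T08:30:45 jdoe 198.51.100.7 SUCCESS
2014-04-01T09:10:00 asmith 192.168.3.9 SUCCESS
2014-04-01T11:45:00 bkim 198.51.100.7 FAILURE
2014-04-01T11:46:30 bkim 198.51.100.7 FAILURE
2014-04-01T20:00:00 asmith 203.0.113.55 SUCCESS
""".splitlines()


def is_enterprise_address(ip):
    """True if the source address falls inside any enterprise-owned network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENTERPRISE_NETWORKS)


def parse_logon(line):
    """Parse one constructed logon record into a dict."""
    ts, user, ip, result = line.split()
    return {"when": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "ok": result == "SUCCESS", "external": not is_enterprise_address(ip)}


def analyse_logons(lines):
    """Return (external_attempts, replay_suspects).

    external_attempts: every attempt, successful or not, from outside the
    enterprise; these are what the scenario's IDS rule should raise.
    replay_suspects: users whose consecutive successful logons switch between
    inside and outside within REPLAY_WINDOW."""
    events = sorted((parse_logon(l) for l in lines if l.strip()), key=lambda e: e["when"])
    external = [e for e in events if e["external"]]
    successes = defaultdict(list)
    for e in events:
        if e["ok"]:
            successes[e["user"]].append(e)
    suspects = set()
    for user, evs in successes.items():
        for earlier, later in zip(evs, evs[1:]):
            if earlier["external"] != later["external"] and later["when"] - earlier["when"] <= REPLAY_WINDOW:
                suspects.add(user)
    return external, sorted(suspects)


if __name__ == "__main__":
    ext, sus = analyse_logons(SAMPLE_LOGONS)
    for e in ext:
        print("external logon attempt:", e["when"], e["user"], e["ip"], "ok" if e["ok"] else "failed")
    print("replay suspects:", sus)
```

Legitimate remote users are expected to arrive through the VPN pool, which is why the evening logon from 203.0.113.55 is not reported; the ranges have to be maintained with the network team or the rule will drown the responders in false positives.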
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Outline information security arrangements within the enterprise. | High | High | YES
Malicious software prevention policy | Detail the preventive, detective and corrective measures in place across the enterprise to protect information systems and technology from malware. | High | High | YES
Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. | Medium | Low | NO
Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.03 | Maintain the enablers of the management system. | Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are integrated and aligned with the enterprise’s governance and management philosophy and operating style. These enablers include the clear communication of expectations/requirements. The management system should encourage cross-divisional co-operation and teamwork, promote compliance and continuous improvement, and handle process deviations (including failure). | Medium | Low | NO
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | Medium | Low | NO
APO01.08 | Maintain compliance with policies and procedures. | Implement procedures to maintain compliance, performance measurement of policies and other enablers of the control framework, and enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework. | Medium | Low | NO
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programmes where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | Medium | Low | NO
APO13.02 | Define and manage an information security risk treatment plan. | Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation. | High | Medium | YES
DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Medium | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | High | Low | YES
DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | High | High | YES


Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Implement security measures. | High | High | YES
Head of IT operations | Lead the incident response team to restore service in a timely fashion. | Low | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | To prevent the unintended installation of malware | High | Medium | YES
People respect the importance of information security policies and principles. | To prevent the unintended installation of malware | High | High | YES
Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of the installation of malware | Medium | High | YES
Awareness and training regarding malware, email and internet usage. | To prevent the unintended installation of malware | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Threat information reports | Intelligence regarding types of attacks | High | Medium | YES
Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. | High | High | YES
Malicious software protection tools | Protection against malware | High | Low | YES
Monitoring and alert services | Timely notification of potential threats | Medium | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security skills | Prevent and reduce the impact of malware. | High | High | YES
IT technical skills | Appropriate configuration of IT infrastructure such as intrusion detection systems (IDS) to detect infections and prevent spreading. | High | Medium | YES


Key Risk Indicators (KRIs) Related to IT Goals


• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (14) Number of business process incidents caused by non-availability of information
• (15) Number of incidents related to non-compliance with policy
• (15) Percentage of stakeholders who understand policies
• (15) Percentage of policies supported by effective standards and working practices
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Number of learning/training hours per staff member
Key Risk Indicators (KRIs) Related to Process Goals
• (APO01) Percentage of active policies, standards and other enablers documented and up to date
• (APO01) Number of risk exposures due to inadequacies in the design of the control environment
• (APO01) Number of staff who attended training or awareness sessions
• (APO13) Number of security related incidents
• (APO13) Level of stakeholder satisfaction with the security plan throughout the enterprise
• (APO13) Number of security solutions deviating from the plan
• (APO13) Number of security incidents caused by non-adherence to the security plan
• (APO13) Number of services with confirmed alignment to the security plan
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Number of incidents relating to unauthorised access to information
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls


16 Logical Attacks
1602 Network penetration

Risk Scenario Title: Network penetration
Risk Scenario Category: 16 Logical attacks
Risk Scenario Reference: 1602
Risk Scenario
An enterprise has a public web site, through which a group of hackers takes down the enterprise’s business systems. This is done by breaching the
enterprise’s network perimeter and penetrating the network, and then introducing malware that takes down the servers and results in a successful
denial-of-service (DOS) attack, which denies users access to applications. Normal business operations are disrupted. Sales cannot be processed over
the company’s web site, causing loss of revenue and reputational damage.
Risk Scenario Components
Threat Type
The nature of the event is a malicious DOS attack by hackers, which takes down the servers, denying users access to applications and information.
Actor
The actors that generate the threat that exploits the vulnerability are the external hackers.
Event
The event is interruption of IT services so that users cannot access the applications and information and, therefore, normal business processes/
operations are interrupted and sales cannot be processed over the company’s web site, causing loss of revenue and reputational damage.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people—the hackers.
Asset/Resource (Effect)
The assets/resources that are affected are mainly the interrupted business operations. However, because access to the enterprise’s
IT infrastructure is denied, information and applications are also affected.
Time
Response to the DOS attack is critical in order to restore access to business systems quickly so that sales can be processed again. The duration is
extended because it may take quite some time to restore the official web site. Detection of the event is immediate, and the time lag between the event and the
consequence is also immediate.
Risk Type
IT Benefit/Value Enablement N/A
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P IT service (and business) interruption
P Security problems
S Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board makes the decision that no one would be interested in attacking the enterprise, “it won’t happen to us.”
• Risk Sharing/Transfer: Take out business disruption insurance.
• Risk Mitigation: Install and configure a firewall, server hardening and security patches that are kept up to date. Deploy and actively monitor an IDS.
Have disaster recovery procedures in place to restore the web site, if required.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Outline information security arrangements within the enterprise. | High | High | YES
Technical security policies and procedure | Detail the technical consequences of the information security policy. | High | High | YES
Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. | High | High | YES
Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Medium | YES
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Medium | Low | NO
DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | High | Low | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Low | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Implement security measures. | High | High | YES
Head of IT operations | Lead the management response team to restore service in a timely fashion. | Low | High | YES
Service manager | In case attacks are successful, communicate with end-user and help to manage the response. | Low | High | YES
Chief security architect | Design security measures. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | To prevent logical attacks | High | Medium | YES
People respect the importance of information security policies and principles. | To prevent logical attacks | Medium | Low | NO
Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of logical attacks | Low | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service level agreements (SLAs) | Detail the action to be undertaken in case of attack. | Low | Medium | NO
Threat information reports | Intelligence regarding types of attacks | High | Medium | YES
Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES


Services, Infrastructure and Applications Enabler


Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Firewall | Prevent successful logical attacks. | High | Low | YES
Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. | High | High | YES
Network management tools/vulnerability scanners | Identify weaknesses. | High | Medium | YES
Monitoring and alert services | Timely notification of potential threats. | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security skills | Prevent and reduce the impact of logical attacks. | High | High | YES
IT technical skills | Configure the IT infrastructure, such as firewalls and critical network components, etc. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (14) Number of business process incidents caused by non-availability of information
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS04) Percentage of IT services meeting uptime requirements
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of recovery tests
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Number of incidents relating to unauthorised access to information
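As an added example, not taken from the ISACA publication, the following Python shows how several of the indicators listed above can be produced from an incident register and compared with tolerance thresholds, which is the step that turns a KRI list into a trigger for updating the risk profile. The incident records, the service uptime figures, the threshold values and all function and field names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data for a hypothetical enterprise (not from the
# ISACA publication): one quarter's incident register.
@dataclass(frozen=True)
class Incident:
    ident: str
    category: str              # "security", "availability" or "change"
    business_disruption: bool
    financial_loss: bool
    public_embarrassment: bool
    unauthorised_access: bool  # information was accessed without authorisation
    endpoint_involved: bool    # a laptop, desktop or mobile device was involved

INCIDENTS: List[Incident] = [
    Incident("INC-001", "security", True, True, True, False, False),        # DoS took the web shop down
    Incident("INC-002", "security", False, False, False, True, True),       # lost laptop, data read by a third party
    Incident("INC-003", "availability", True, False, False, False, False),  # storage failure
    Incident("INC-004", "security", False, False, False, False, True),      # malware on a desktop, contained
    Incident("INC-005", "change", True, False, False, False, False),        # failed deployment
]

# Constructed measured uptime per IT service against its agreed target:
# service name -> (measured %, target %).
SERVICE_UPTIME: Dict[str, Tuple[float, float]] = {
    "web-shop": (99.50, 99.90),
    "erp": (99.95, 99.90),
    "email": (99.99, 99.50),
    "vpn": (98.00, 99.00),
}

def compute_kris(incidents: List[Incident],
                 uptime: Dict[str, Tuple[float, float]]) -> Dict[str, float]:
    """Derive KRI values from the register; keys name the COBIT 5 goal each indicator belongs to."""
    security = [i for i in incidents if i.category == "security"]
    return {
        # IT goal 07: number of business disruptions due to IT service incidents
        "IT07_disruptions": sum(1 for i in incidents if i.business_disruption),
        # IT goal 10: security incidents causing financial loss, business disruption or public embarrassment
        "IT10_security_incidents": sum(
            1 for i in security
            if i.financial_loss or i.business_disruption or i.public_embarrassment),
        # DSS05: incidents relating to unauthorised access to information
        "DSS05_unauth_access": sum(1 for i in incidents if i.unauthorised_access),
        # DSS05: incidents involving endpoint devices
        "DSS05_endpoint_incidents": sum(1 for i in incidents if i.endpoint_involved),
        # DSS04: percentage of IT services meeting uptime requirements
        "DSS04_pct_uptime_met": 100.0 * sum(1 for m, t in uptime.values() if m >= t) / len(uptime),
    }

# Constructed tolerance per KRI: ("max", limit) means the value may not exceed
# the limit; ("min", limit) means it may not fall below it. In practice the
# risk function sets these from the enterprise's risk appetite.
THRESHOLDS: Dict[str, Tuple[str, float]] = {
    "IT07_disruptions": ("max", 2),
    "IT10_security_incidents": ("max", 0),
    "DSS05_unauth_access": ("max", 0),
    "DSS05_endpoint_incidents": ("max", 3),
    "DSS04_pct_uptime_met": ("min", 90.0),
}

def breached_kris(kris: Dict[str, float],
                  thresholds: Dict[str, Tuple[str, float]]) -> List[str]:
    """Return the KRIs outside tolerance, i.e. those to escalate when the risk profile is updated."""
    breached = []
    for name, (kind, limit) in thresholds.items():
        value = kris[name]
        if (kind == "max" and value > limit) or (kind == "min" and value < limit):
            breached.append(name)
    return breached

if __name__ == "__main__":
    values = compute_kris(INCIDENTS, SERVICE_UPTIME)
    for name, value in values.items():
        print(f"{name:26s} {value}")
    print("outside tolerance:", breached_kris(values, THRESHOLDS))
```

With the constructed register, four of the five indicators are outside tolerance; only the endpoint-incident count stays within its limit. The point of the threshold table is that each KRI is paired with a limit agreed in advance, so that the frequency of risk profile updates (IT goal 04 above) is driven by measured breaches rather than by calendar alone.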


1604 Industrial espionage

Risk Scenario Title: Industrial espionage
Risk Scenario Category: 16 Logical attacks
Risk Scenario Reference: 1604
Risk Scenario
A successful worldwide pharmaceutical company is subject to industrial espionage from advanced persistent threats (APTs) by external hackers. A
foreign government sponsored the hackers to gain research and development secrets to help advance the pharmaceutical industry within its country.
The IT infrastructure was penetrated by the use of APT techniques, and sensitive product research and development information stolen and leaked out,
allowing cheaper competing products to be brought to market.
Risk Scenario Components
Threat Type
The nature of the event is malicious penetration of the IT infrastructure by the use of APT techniques.
Actor
The actors that generate the threat that exploits the vulnerability are external hackers sponsored by a foreign government.
Event
The event is theft and disclosure because the IT infrastructure was penetrated and sensitive product research and development information was stolen,
allowing cheaper competing products to be brought to market.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people—the hackers.
Asset/Resource (Effect)
The assets/resources that are affected are the penetrated IT infrastructure and the stolen sensitive product research and development information.
Time
The duration of the event is extended because APTs usually remain undetected for quite some time. The timing of occurrence is critical because the
company has a short period of time before issuing a new pharmaceutical product based on the sensitive research results. Because it may be a long
period of time before this information leakage is detected, the classification for the detection is slow, and, for the same reason, the time lag between
event and consequence is delayed.
Risk Type
IT Benefit/Value Enablement N/A
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P Security problems
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board makes the decision that no one would be interested in attacking the enterprise, “it won’t happen to us.”
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Install and appropriately configure firewalls, server hardening and ensure that security patches are installed in a timely manner.
Deploy and actively monitor an intrusion detection system (IDS) solution.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Outline information security arrangements within the enterprise. | High | High | YES
Technical security policies and procedure | Detail the technical consequences of the information security policy. | High | High | YES
Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Medium | YES
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Medium | Low | NO
DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | High | Low | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Low | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Implement security measures. | High | High | YES
Service manager | In case attacks are successful, communicate with end-user and help to manage the response. | Low | Medium | NO
Chief security architect | Design security measures. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | To prevent logical attacks | High | Low | YES
People respect the importance of information security policies and principles. | To prevent logical attacks | High | Low | YES
Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of logical attacks | Low | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service level agreements (SLAs) | Detail the action to be undertaken in case of attack. | Low | High | YES
Threat information reports | Intelligence regarding types of attacks | High | Medium | YES
Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES


Services, Infrastructure and Applications Enabler


Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Firewall | Prevent successful logical attacks. | High | Low | YES
Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. | High | High | YES
Network management tools/vulnerability scanners | Identify weaknesses. | High | Low | YES
Monitoring and alert services | Timely notification of potential threats | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security skills | Prevent and reduce the impact of logical attacks. | High | High | YES
IT technical skills | Configure IT infrastructure, such as firewalls and critical network components, etc. | High | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Number of incidents relating to unauthorised access to information


1606 Hacktivism

Risk Scenario Title: Hacktivism
Risk Scenario Category: 16 Logical attacks
Risk Scenario Reference: 1606
Risk Scenario
Hacktivism (the combination of hacking and activism) involves inserting or modifying code to promote political ideology—promoting political expression,
freedom of speech, human rights, etc. An activist group hacks into a government’s web site and changes the information on a web page to publicize the
group’s political messages and cause public embarrassment to the government.
Risk Scenario Components
Threat Type
The nature of the event is a malicious act by an activist group that exploits vulnerabilities in the government’s IT infrastructure and posts information on
the government’s official web site that provides a view that is contrary to government policy, or to promote the group’s ideology.
Actor
The actor that generates the threat that exploits the vulnerability is an external activist.
Event
The event is an interruption as the government’s infrastructure is attacked and information is modified on the web site.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people—the political activists.
Asset/Resource (Effect)
The assets/resources that are affected are the government’s IT infrastructure that is attacked and the information changed on the web site.
Time
The duration of the event is likely to be moderate because such changes to web sites are usually noticed shortly after the event and can be corrected
by uploading the backup of the web site. The timing of occurrence is critical because visitors to the government web site usually need the provided
information immediately. The time taken to detect the change is also moderate because such changes to web sites are usually reported quickly by the
visitors of the web site. The time lag between the event and consequence is immediate because the web site is changed at the same time that the hack
happens.
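The paragraph above rates detection as only moderate because changes to the web site are usually reported by visitors. As an added example, not taken from the ISACA publication, the following Python shows the kind of content-integrity check a web team can run against its own published pages so that an unauthorised modification or a missing page is found by the site owner rather than by the public, and so that each check leaves the chronological log entry that DSS01.03 (monitor IT infrastructure) calls for. The page paths and contents, the timestamp and all function names are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed page contents for a hypothetical site (not a real site): what was
# published at the last authorised release, and what is being served now.
BASELINE_PAGES: Dict[str, bytes] = {
    "/index.html": b"<html><body><h1>Department of Example</h1><p>Opening hours 9-17.</p></body></html>",
    "/news.html": b"<html><body><h1>News</h1><p>Annual report published.</p></body></html>",
    "/contact.html": b"<html><body><h1>Contact</h1><p>info@example.invalid</p></body></html>",
}
LIVE_PAGES: Dict[str, bytes] = {
    "/index.html": BASELINE_PAGES["/index.html"],                                          # unchanged
    "/news.html": b"<html><body><h1>News</h1><p>[text not from the site owner]</p></body></html>",  # altered
    # "/contact.html" is no longer served at all
}

def page_digest(content: bytes) -> str:
    """SHA-256 of the raw page bytes; the baseline stores digests, not copies of the pages."""
    return hashlib.sha256(content).hexdigest()

def build_baseline(pages: Dict[str, bytes]) -> Dict[str, str]:
    """Record a digest for every published page. Rebuild this after each
    authorised release so that legitimate updates are not reported as modifications."""
    return {path: page_digest(body) for path, body in pages.items()}

def check_site(baseline: Dict[str, str],
               fetch: Callable[[str], Optional[bytes]],
               log: List[str],
               now: Optional[str] = None) -> List[Tuple[str, str]]:
    """Fetch every page in the baseline and compare it with the recorded digest.

    Returns the pages that are MODIFIED or MISSING and appends one timestamped
    line per page to `log`, including the OK lines, so that the sequence of
    checks can be reconstructed afterwards."""
    now = now or datetime.now(timezone.utc).isoformat()
    findings: List[Tuple[str, str]] = []
    for path, expected in baseline.items():
        body = fetch(path)
        if body is None:
            status = "MISSING"
        elif page_digest(body) == expected:
            status = "OK"
        else:
            status = "MODIFIED"
        log.append(f"{now} {path} {status}")
        if status != "OK":
            findings.append((path, status))
    return findings

def run_check() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Run one check of the constructed live site against the constructed baseline."""
    baseline = build_baseline(BASELINE_PAGES)
    log: List[str] = []
    # In production `fetch` would retrieve the page over HTTPS; here it reads the
    # constructed dictionary so the example runs offline.
    findings = check_site(baseline, lambda p: LIVE_PAGES.get(p), log,
                          now="2014-01-01T00:00:00+00:00")  # constructed timestamp
    return findings, log

if __name__ == "__main__":
    found, entries = run_check()
    for line in entries:
        print(line)
    print("findings:", found)
```

Running the check on a schedule (every few minutes) moves detection from "moderate" to near-immediate and produces a record that can be fed to the monitoring reports and SIEM listed under the Information and Services enablers below. The baseline must be regenerated as part of the authorised release process, otherwise every legitimate content update is reported as a modification.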
Risk Type
IT Benefit/Value Enablement N/A
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P IT service interruptions
P Security problems
S Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board makes the decision that no one would be interested in attacking the enterprise, “it won’t happen to us.”
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Install and appropriately configure firewalls, server hardening and ensure that security patches are installed in a timely manner.
Deploy and actively monitor an intrusion detection system (IDS) solution.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Outline information security arrangements within the enterprise. | High | High | YES
Technical security policies and procedure | Detail the technical consequences of the information security policy. | High | High | YES
Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. | High | High | YES
Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.03 | Monitor IT infrastructure. | Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations. | Low | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Medium | Low | NO
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Low | Low | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Implement security measures. | High | High | YES
Head of IT operations | Lead the response team to restore service in a timely fashion. | Low | High | YES
Service manager | In case attacks are successful, communicate with end-user and help to manage the response. | Low | High | YES
Chief security architect | Design security measures. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | To prevent logical attacks | High | Low | YES
People respect the importance of information security policies and principles. | To prevent logical attacks | High | Low | YES
Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of logical attacks | Medium | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service level agreements (SLAs) | Detail the action to be undertaken in case of attack. | Low | High | YES
Threat information reports | Intelligence regarding types of attacks | High | Medium | YES
Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES


Services, Infrastructure and Applications Enabler


Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Firewall | Prevent successful logical attacks. | High | Low | YES
Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. | High | High | YES
Network management tools/vulnerability scanners | Identify weaknesses. | High | Low | YES
Monitoring and alert services | Timely notification of potential threats | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security skills | Prevent and reduce the impact of logical attacks. | High | High | YES
IT technical skills | Configure IT infrastructure, such as firewalls and critical network components, etc. | High | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS04) Percentage of IT services meeting uptime requirements
• (DSS04) Percentage of successful and timely restoration from backup or alternate media copies
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of recovery tests
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Number of incidents relating to unauthorised access to information



17 Industrial Action
1701 Staff is on strike

Risk Scenario Title: Staff is on strike
Risk Scenario Category: 17 Industrial action
Risk Scenario Reference: 1701
Risk Scenario
All members of the IT department of a hospital in a large city are on a labor union strike, and projects and development initiatives are making no progress.

Business users also are on strike, so the impact on service delivery is significant; all systems have stopped.
Risk Scenario Components
Threat Type
Because the strike by the members of the IT department was provoked by the labor union, the nature of the event is based on an external requirement.
Actor
The actors that generate the threat that exploits a vulnerability are internal (IT staff that is on strike) and external (labor union that provoked the strike).
Event
The event is an interruption of the overall IT services.
Asset/Resource (Cause)
The resource/asset that leads to the business impact is people: the staff of the IT department, who are on strike.
Asset/Resource (Effect)
The resources affected are business processes that are not being performed. IT processes such as development are also affected by the standstill of
the IT department. Because the IT developers are not working, the applications are not being updated and operated.
Time
Because it appears that the strike will not end soon and development of new applications is delayed, the duration of the event is
classified as extended. Because programmes and projects for urgently needed new applications are stopped and will be delayed, the timing of occurrence
is critical. Detection is clearly immediate because the work stopped at the same time as the strike started. For the same reason, the time lag
between the event and the consequence is immediate.
Risk Type
IT Benefit/Value Enablement N/A
IT Programme and Project Delivery P No progress in projects
IT Operations and Service Delivery P No services are provided to internal users.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Acceptance of the risk by the board
• Risk Sharing/Transfer: Outsource service delivery.
• Risk Mitigation: Negotiate with staff members and/or the union to keep essential services (e.g., in a hospital or in an EPU).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Human resources (HR) policy | Define rights and obligations of all staff, detailing acceptable and unacceptable behavior by the employees, and in so doing, manage the risk that is linked to human behavior. | High | Medium | YES
Vendor management policy | Define backup or emergency service delivery options. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. | Low | High | YES
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | Low | High | YES
BAI01.10 | Manage program and project risk. | Eliminate or minimize specific risk associated with programs and projects through a systematic process of planning, identifying, analyzing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program and project management should be established and centrally recorded. | Low | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of HR | Responsible for establishing expectations from and for staff | High | Medium | YES
Legal group | Support initial contracting and prosecution in case of breach of contract. | Medium | Medium | NO
Board of directors | Accountable for the well-functioning of the enterprise; top-level organizational structure for stakeholder communication | High | High | YES
Business executive | Facilitates two-way communication. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Transparent and participative culture is an important focus point. | To prevent industrial action from occurring | High | Low | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Contract agreements with staff | Clear definition of responsibilities, rights and obligations for all individual staff | High | Medium | YES
Supplier contracts | Clear definition of responsibilities, rights and obligations for specific arrangements with vendors | Medium | Medium | NO
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | High | YES
Resource gap analysis | Clear analysis of critical level of resources | Medium | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Third-party backup services | Temporary support in case of industrial action | Low | High | YES


People, Skills and Competencies Enabler


Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR skills | Management of skills and competencies | Medium | Medium | NO
Negotiation skills | Facilitate the maximal two-way communication and ensure that minimal operational requirements are met. | Medium | Medium | NO
Litigation skills | Once prosecution is initiated, the proper skills are required to defend the interests of the enterprise. | Low | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (13) Number of programme/projects on time and within budget
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
Key Risk Indicators (KRIs) Related to Process Goals
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant
• (BAI01) Number of resource issues (e.g., skills, capacity)


1703 Third-party unable to provide services

Risk Scenario Title: Third-party unable to provide services
Risk Scenario Category: 17 Industrial action
Risk Scenario Reference: 1703
Risk Scenario
A chemical manufacturing enterprise has outsourced IT services to a third-party service provider. Because the third party’s labor is on strike, the provider
cannot deliver its services to the manufacturer and refuses to give access to the data. These data are urgently needed to finish a research project for
a new pharmaceutical product. Because it is already known in the market that the direct competitor is moving ahead with a similar project, it is critical
to finish the project before the competitor. Because there is no settlement between the third-party provider and its labor, the strike can go on for a long
period of time.
Risk Scenario Components
Threat Type
Because the strike is caused by the third party's labor, the nature of the event is an external requirement.
Actor
The actor that generates the threat that exploits a vulnerability is external, the labor of the third party.
Event
The event is an interruption of the IT services from the third party.
Asset/Resource (Cause)
The resource/asset that leads to the business impact is organizational structure because it is the external people of the third-party provider who are
on strike.
Asset/Resource (Effect)
The resources affected are business processes that are not being performed, IT processes that are at a standstill, information that is not accessible
and applications that are not available.
Time
Because it appears that the strike will not be finished soon, the duration of the event is extended. Because the data are urgently needed for research,
the timing of occurrence is critical. The detection is clearly immediate because the services provided stopped at the same time that the strike started.
For the same reason, the time gap between the event and the consequence is immediate.
Risk Type
IT Benefit/Value Enablement P Business services are disrupted.
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P No IT services are provided to users.
P Data are not available.
Possible Risk Responses
• Risk Avoidance: Do not outsource.
• Risk Acceptance: Acceptance of the risk by the board
• Risk Sharing/Transfer: Escrow agreements
• Risk Mitigation: Backups of data and systems are maintained at an independent third party.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Human resources (HR) policy | Define rights and obligations of all staff, detailing acceptable and unacceptable behavior by the employees, and in so doing, manage the risk that is linked to human behavior. | High | Medium | YES
Vendor management policy | Define backup or emergency service delivery options. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.02 | Assess the current environment, capabilities and performance. | Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services. | Medium | Medium | NO
APO10.01 | Identify and evaluate supplier relationships and contracts. | Identify suppliers and associated contracts and categorize them into type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts. | Low | High | YES
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | Medium | High | YES
APO10.03 | Manage supplier relationships and contracts. | Formalize and manage relationships for each strategic supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. | Low | High | YES
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Legal group | Support initial contracting and prosecution in case of breach of contract. | High | High | YES
Board of directors | Accountable for the well-functioning of the enterprise; top-level organizational structure for stakeholder communication | Medium | Medium | NO
Business executive | Facilitate two-way communication. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Supplier contracts | Clear definition of responsibilities, rights and obligations for specific arrangements with vendors | High | High | YES
Knowledge repositories | Minimize the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | Medium | NO
Resource gap analysis | Clear analysis of critical level of resources | Low | High | YES


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Third-party backup services | Temporary support in case of industrial action | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Negotiation skills | Facilitate maximal two-way communication and ensure that minimal operational requirements are met. | High | High | YES
Litigation skills | Once prosecution is initiated, the proper skills are required to defend the interests of the enterprise. | Low | High | YES

Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
Key Risk Indicators (KRIs) Related to Process Goals
• (APO10) Percentage of suppliers meeting agreed-on requirements
• (APO10) Number of service breaches to IT-related services caused by suppliers
• (APO10) Number of risk-related events leading to service incidents
• (APO10) Frequency of risk management sessions with supplier
• (APO10) Percentage of risk-related incidents resolved acceptably (time and cost)
• (APO10) Number of supplier review meetings
• (APO10) Number of formal disputes with suppliers
• (APO10) Percentage of disputes resolved amicably in a reasonable time frame


1704 Bank has been affected by strike

Risk Scenario Title: Bank has been affected by strike
Risk Scenario Category: 17 Industrial action
Risk Scenario Reference: 1704
Risk Scenario
An enterprise's bank has been on strike for longer than a week, and some of the company's critical operations are being affected.

The company's customers and suppliers cannot cash checks using automated teller machines (ATMs) or perform other operations. Although the bank has electronic channels, the strike is also affecting the related services that require manual procedures in the background. As a result of the strike, the company's finances are being affected and no cash is flowing.

It does not look like the strike will be resolved soon. The company needs to adjust its standard and automated procedures (e.g., credit allowance, payment period, customer limits), and therefore several changes to systems and information are needed on short notice. Although there is a service level agreement (SLA) with an emergency response team at the bank that is not taking part in the strike, the bank does not have the capacity to apply those changes in the time frame needed.
Risk Scenario Components
Threat Type
Because the bank is affected by the strike rather than the company, the nature of the event can be classified as an external requirement.
Actor
The actor that generates the threat that exploits a vulnerability is external: the bank or, specifically, its labor.
Event
The event is an interruption of external banking services.
Asset/Resource (Cause)
The resource/asset that leads to the business impact is the organizational structure because it is the external bank that cannot provide the services.
Asset/Resource (Effect)
The resources/assets affected are customer-facing and other finance processes that need to be amended. Information in applications, such as credit allowance and payment period, is also affected and needs to be changed.
Time
Because it appears that the strike will not be over soon, the duration of the event can be classified as extended. Because payments have to be made and
data such as credit allowance is urgently needed, the timing of occurrence is critical. The detection is clearly immediate because the services provided
by the bank stopped at the same time that the strike started. For the same reason, the time gap between the event and the consequence is immediate.
Risk Type
IT Benefit/Value Enablement N/A
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P IT service interruptions due to emergency changes
S IT service operations disrupted because service providers refuse to provide the service
S Changes to information as controls are loosened (e.g., staff who are allowed to change credit allowance can also change other information)

Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Acceptance of the risk by the board
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Define emergency and alternate procedures on short notice.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Human resources (HR) policy | Define rights and obligations of all staff, detailing acceptable and unacceptable behavior by the employees, and in so doing, manage the risk that is linked to human behavior. | High | Medium | YES
Vendor management policy | Define backup or emergency service delivery options. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | Low | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of HR | Responsible for establishing expectations from and towards staff. | High | Medium | YES
Legal group | Support initial contracting and prosecution in case of breach of contract. | Medium | Medium | NO
Board of directors | Accountable for the well-functioning of the enterprise; top-level organizational structure for stakeholder communication | High | High | YES
Business executive | Facilitate two-way communication. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Transparent and participative culture is an important focus point. | To prevent industrial action from occurring | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Contract agreements with staff | Clear definition of responsibilities, rights and obligations for all individual staff | High | Medium | YES
Supplier contracts | Clear definition of responsibilities, rights and obligations for specific arrangements with vendors | Medium | Medium | NO
Knowledge repositories | Minimize the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | High | YES
Resource shortfall analysis | Temporary support in case of industrial action | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Third-party backup services | Temporary support in case of industrial action | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR skills | Management of skills and competencies | High | Medium | YES
Negotiation skills | Facilitate maximal two-way communication and ensure that minimal operational requirements are met. | Medium | Medium | YES
Litigation skills | Once prosecution is initiated, the proper skills are required to defend the interests of the enterprise. | Low | High | YES


Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (APO10) Percentage of suppliers meeting agreed-on requirements
• (APO10) Number of service breaches to IT-related services caused by suppliers
• (APO10) Number of risk-related events leading to service incidents
• (APO10) Frequency of risk management sessions with supplier
• (APO10) Percentage of risk-related incidents resolved acceptably (time and cost)
• (APO10) Number of supplier review meetings
• (APO10) Number of formal disputes with suppliers
• (APO10) Percentage of disputes resolved amicably in a reasonable time frame
• (DSS04) Percentage of IT services meeting uptime requirements
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Frequency of continuity tests
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the BCP
• (DSS04) Percentage of internal and external stakeholders that have received continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the continuity training materials


18 Environmental
1801 Emergency generator fuel containment

Risk Scenario Title Emergency generator fuel containment


Risk Scenario Category 18 Environmental
Risk Scenario Reference 1801
Risk Scenario
A large company's main data center has a backup emergency generator with a fuel supply tank sized for three days of operation, if needed. The fuel tank is badly rusted, has no fuel-leak containment reservoir and is not physically secured. Local electric power fails at 1:45 pm on a Friday afternoon during the warm-weather season. The generator starts up but runs for only 15 minutes. The local physical security officer determines that an environmental emergency has occurred and declares an event, notifying the local police and safety officials. Investigation finds that 95 percent of the generator's fuel had leaked into the local river without anyone noticing. The last business continuity plan/disaster recovery plan (BCP/DRP) live exercise, run during the previous quarter and scheduled for only five minutes, was reported as successful and detected nothing; the physical backup emergency generator area had not been reviewed in the previous six months, and the BCP/DRP does not mention it at all. Further investigation finds that the security cameras had been disabled at an unknown time: the security department was using an analogue camera system, which had been sabotaged with a loop showing the emergency generator in winter. Because both the fuel tank and the camera systems were sabotaged, the security officer had to alert the federal, state and local investigation agencies.
Risk Scenario Components
Threat Type
The nature of the event was malicious, but it also reflects a failure of the management process DSS01 Manage operations, specifically the management practice DSS01.04 Manage the environment.
Actor
The actors that generate the threat that exploits a vulnerability are internal (chief security officer who is accountable for the management of the
environment) and also external (saboteur).
Event
The event is destruction (contamination of the environment—the river).
Asset/Resource (Cause)
The main asset/resource that leads to the impact is the physical infrastructure, specifically, the rusting and leaking fuel tank, and not having a fuel
containment facility to catch any potential leak.
Asset/Resource (Effect)
The assets/resources that are affected are the physical infrastructure that was sabotaged and the environment.
Time
The duration of the event is extended because the contamination cannot be corrected in due time. The timing of occurrence is critical because the power failure hit after the fuel tank had been sabotaged. Detection is immediate because the generator stops working as soon as the fuel tank is empty. The time lag between the event and the consequence is also immediate because the river was contaminated as the fuel ran out of the tank.
Risk Type
IT Benefit/Value Enablement N/A
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P Physical security problems
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise updates the BCP/DRP. The security department replaces the analogue camera system with a digital one, verifies that the backup cameras are working properly, adds a daily review of the generator area to policy, and installs area activity/motion alarms for security alerting. The company protects the emergency generator area with a physical fence and builds a fuel-leak containment reservoir of sufficient capacity. The company will have to pay penalties and fines for the fuel leakage, for not having sufficient policies and procedures in the BCP/DRP, and for not meeting federal, state and local health and safety regulations. For environmental and health safety, the federal, state and OSHA (US Occupational Safety and Health Administration) health departments require that all fuel tanks be maintained, secured and monitored, and that they have a containment reservoir with a capacity larger than that of the fuel supply tank.
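The two failure modes this scenario says went unnoticed (fuel leaving the tank while nothing was burning it, and a camera feed replaying a recorded loop) are both detectable from routine telemetry. The following is an added example, not code from the ISACA text or from any product: a Python check that flags tank-level drops that the generator's own consumption cannot explain, and a check that flags a frame stream which repeats itself. The telemetry fields (timestamp, level in litres, generator running flag), the burn-rate and idle-drop thresholds, and the representation of camera frames as content hashes are assumptions; all sample data is constructed.

```python
"""Added example for risk scenario 1801 (not from the ISACA text).

Assumptions (not in the source): fuel telemetry is a list of samples with a
timestamp, a tank level in litres and a flag for whether the generator was
running during the interval that starts at that sample; camera frames are
represented by a content hash per frame. Thresholds are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class FuelSample:
    ts: datetime
    level_litres: float      # tank level reported by the level sensor
    generator_running: bool  # True while the generator is drawing fuel


def detect_fuel_leak(samples: List[FuelSample],
                     max_idle_drop: float = 5.0,
                     max_burn_per_hour: float = 60.0) -> List[str]:
    """Flag intervals where fuel leaves the tank faster than the generator
    can account for. With the generator idle, any drop beyond sensor noise
    (max_idle_drop) means fuel is leaking or being drained; with it running,
    a drop above the nameplate burn rate means the same thing."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        drop = prev.level_litres - cur.level_litres
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        if not prev.generator_running and drop > max_idle_drop:
            alerts.append(f"{cur.ts.isoformat()}: {drop:.0f} L lost while generator idle")
        elif prev.generator_running and drop > max_burn_per_hour * hours:
            alerts.append(f"{cur.ts.isoformat()}: {drop:.0f} L lost in {hours:.1f} h, above max burn rate")
    return alerts


def detect_camera_loop(frame_hashes: List[str], min_repeats: int = 3) -> int:
    """Return the loop period in frames if the tail of the stream is one
    sequence repeated at least min_repeats times, else 0. A live scene
    (lighting, foliage, sensor noise) never yields identical hashes; a
    replayed recording does. A period of 1 is a frozen frame."""
    n = len(frame_hashes)
    for period in range(1, n // min_repeats + 1):
        tail = frame_hashes[n - period * min_repeats:]
        pattern = tail[:period]
        if all(tail[i:i + period] == pattern for i in range(0, len(tail), period)):
            return period
    return 0


# Constructed sample data: hourly readings from a 3000 L tank. The tank loses
# fuel with the generator idle from the third interval on, then loses far more
# than the generator can burn once it is running.
T0 = datetime(2014, 6, 13, 8, 0)
_LEVELS = [(3000.0, False), (2999.0, False), (2998.0, False), (2700.0, False),
           (2200.0, False), (1500.0, True), (1450.0, True), (1000.0, False)]
SAMPLE_FUEL = [FuelSample(T0 + timedelta(hours=h), lvl, run)
               for h, (lvl, run) in enumerate(_LEVELS)]

# Constructed frame streams: a live feed with unique hashes, and a four-frame
# recording looped three times.
LIVE_FEED = [f"h{i:03d}" for i in range(12)]
LOOPED_FEED = ["h0a1", "h0b2", "h0c3", "h0d4"] * 3


if __name__ == "__main__":
    for line in detect_fuel_leak(SAMPLE_FUEL):
        print("FUEL ALERT", line)
    print("live feed loop period:", detect_camera_loop(LIVE_FEED))
    print("looped feed loop period:", detect_camera_loop(LOOPED_FEED))
```

Both checks are cheap enough to run on every sample, which is the point: the scenario's five-minute BCP/DRP exercise and quarterly review could not have caught a slow leak or a looped feed, while an hourly level comparison and a per-frame hash comparison would have raised the alert on the first bad interval.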
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Social and environmental responsibility policy | Environmental awareness should be part of the overall enterprise policy on corporate responsibility. | Medium | Medium | NO
Rules of behavior (acceptable use) | Users should be made aware of their individual impact on the environment. | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | Low | YES
DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Medium | High | YES
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Responsible for managing the IT environment and facilities | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
A clearly defined structure for ethical responsibility and a culture that promotes specific accountability is developed and supported. | People are involved, are aware of the consequences of environmental issues and are empowered to act according to ethical guidelines. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Environmental awareness should be part of the IT strategy. | Medium | Medium | NO
Asset register | To assess the environmental impact of the technology in use | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Systems development | Streamline and optimize the technology. | Low | Low | NO


Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of capability assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents


19 Acts of Nature
1903 Data center design

Risk Scenario Title: Data center design
Risk Scenario Category: 19 Acts of nature
Risk Scenario Reference: 1903
Risk Scenario
An enterprise has its main data center on the top floor of a 16-story building, without an enclosure for its critical infrastructure. The external auditors noted this in the last two annual audit reports. Because of budget constraints and the considerable cost of building special enclosures or modifying the roof design, the board of directors, reasoning from probability, disregarded these recommendations, believing that the auditors had assigned an unnecessarily high risk level to the issue.

Due to climate change, a severe rain and hail storm compromised the integrity of the existing roof, and water leaked onto the critical servers. The hail stones were so large that the main communication lines to the backup data center were also destroyed.

The service was interrupted and service level agreements (SLAs) were missed for critical, long-standing clients, who terminated their contracts immediately. This was a significant loss of revenue for the company offering the service.
Risk Scenario Components
Threat Type
The main threat type is a natural event.
Actor
Not every type of threat requires an actor, e.g., failures or natural causes. This event has a natural cause and there is no actor.
Event
The event is an interruption of the services caused by the destruction of the roof resulting in a water leakage and the destruction of the main
communications lines to the backup data center.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the facilities (the roof of the data center and the missing enclosure of the critical infrastructure).
Asset/Resource (Effect)
The assets/resources that are affected are different business processes (especially the ones from the clients) and the infrastructure and facilities that
were destroyed by the severe rain and hail storm.
Time
At the time of the severe rain and hail storm there was no enclosure for the critical infrastructure and no backup communication line, so the time of occurrence is critical. The duration of the event is extended because the clients who terminated their contracts will not come back, and it takes quite some time to rebuild the lost reputation and attract new clients. Because the water poured into the data center and interrupted the services at once, detection is immediate. The consequences are also immediate because the infrastructure can no longer be used; the clients terminated their contracts immediately and the revenue was lost immediately.
Risk Type
IT Benefit/Value Enablement N/A
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P IT service interruption and compliance issues (unfulfilled SLAs)
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Acceptance that the situation remains as it was once the facilities are repaired and the infrastructure is replaced
• Risk Sharing/Transfer: Insurance against the financial loss for the infrastructure and facilities
• Risk Mitigation: The board needs to take into consideration audit reports. Communication lines and resources need to be redundant and secondary
routes need to be put in place. A special enclosure and enhanced roof capability must be built for the data center.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup policy | Backups are available. | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Medium | High | YES
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business continuity manager | Responsible for BCP plans | Low | High | YES
Head of IT operations | Responsible for managing the IT environment and facilities | High | Medium | YES
Chief information officer (CIO) | Responsible for developing and implementing a business continuity response | Low | High | YES
Business process owners | Accountable for developing and implementing a business continuity response | Low | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Stakeholders are aware of how to identify and respond to threats. | People are involved and aware of how to react when an incident occurs. | High | High | YES
Business management engages in continuous cross-functional collaboration to allow for efficient and effective business continuity programs. | The business is committed and proactively contributes to risk mitigation. | Low | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Insurance policy | Insurance in case of acts of nature is available. | Low | Medium | NO
Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES
Incident response actions and communications | People are aware of how to react when an incident occurs. | Low | High | YES


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Monitoring and alert services | Timely notification of potential threats | Medium | Low | NO
People, Skills and Competencies Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Information risk management | Identify and formulate a response to information risk related to acts of nature. | High | High | YES
Technical understanding | Technical expertise regarding specific and relevant acts of nature | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of availability incidents
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS04) Percentage of successful and timely restoration from backup or alternate media copies
• (DSS04) Percentage of backup media transferred and stored securely
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of recovery tests
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials

1905 Data center on the river

Risk Scenario Title: Data center on the river
Risk Scenario Category: 19 Acts of nature
Risk Scenario Reference: 1905
Risk Scenario
A large manufacturing enterprise completed the acquisition of a manufacturing company whose primary data center is in a plant located along a major river. The acquisition had only recently been completed when a major flood occurred due to heavy rain storms. Even with pumps in place as a mitigation measure, the plant, including the data center, was quickly flooded.

This resulted in severe damage to the data center. Furthermore, due to the loss of critical staff, the acquired company's backup files access list not having been updated and the contract for the acquired manufacturer's backup capability not having been renewed, there was no capability to easily recover IT facilities in the time frame required by the business. Not only is the plant impacted, but the ability to manage debtors, creditors and staff has been lost until IT facilities can be restored.

The disaster recovery plan (DRP) covers the manufacturing equipment and the systems related to its recovery, but it does not cover the IT facilities.
Risk Scenario Components
Threat Type
The main threat type is a natural event. A secondary nature of the event is failure of the process DSS04 Manage continuity, especially not updating the
backup files access list and not renewing the contract with the acquired manufacturer’s backup capability.
Actor
Not every type of threat requires an actor, e.g., failures of equipment or natural causes. This event has a natural cause, for which there is no actor. For the failure of the process DSS04 Manage continuity, the actor is internal: the person accountable for updating the business continuity plan (BCP) and the DRP capabilities.
Event
The event is destruction of facilities (the plant) and an interruption because there was no capability to easily recover in a reasonable time frame. Also,
the ability to manage creditors and staff has been lost (interruption) until operations can be restored.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the facilities in the destroyed plant and the process DSS04 Manage continuity, which was
ineffectively executed.
Asset/Resource (Effect)
The assets/resources that are affected are different business processes, and also the facilities that were destroyed.
Time
Because the heavy rain happened when the backup files access list had not yet been updated and when the contract with the acquired manufacturer’s
backup capability had not yet been renewed, the time of occurrence of the event is critical. Because there is no capability to easily recover in a
reasonable time frame, the duration of the event is extended. As the flooding (snow melting and heavy rain) suddenly destroyed the plant and
interrupted the services at the same time, the detection is immediate. The consequences are also immediate because the destroyed plant cannot be
used any longer and has to be replaced, rebuilt or repaired.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P (Destruction of facilities and service interruption)
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Insurance of facilities
• Risk Mitigation: The company needs to undertake an immediate review of its BCP to incorporate all critical systems, and to test the plan following a review of the recovery process and method.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Backup policy | Backups are available. | Low | High | YES
Business continuity and disaster recovery policy | Validate recoverability of data. | Low | High | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | --- | ---
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Medium | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | Medium | High | YES
DSS04.01 | Define the business continuity policy, objectives and scope. | Define business continuity policy and scope aligned with enterprise and stakeholder objectives. | Medium | High | YES
DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. | Medium | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Medium | High | YES
DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Medium | High | YES
DSS04.05 | Review, maintain and improve the BCP. | Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. | Medium | High | YES
DSS04.06 | Conduct BCP training. | Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption. | Medium | High | YES
DSS04.07 | Manage backup arrangements. | Maintain availability of business-critical information. | Medium | High | YES
DSS04.08 | Conduct a post-resumption review. | Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption. | Medium | High | YES
Organisational Structures Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Business continuity manager | Responsible for BCP | Low | High | YES
Head of IT operations | Responsible for managing the IT environment and facilities | High | Medium | YES
Chief information officer (CIO) | Responsible for developing and implementing a business continuity response | Low | High | YES
Business process owners | Accountable for developing and implementing a business continuity response | Low | High | YES

Culture, Ethics and Behaviour Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Stakeholders are aware of how to identify and respond to threats. | People are involved and aware of how to react when an incident occurs. | Low | High | YES
Business management engages in continuous cross-functional collaboration to allow for efficient and effective business continuity programs. | The business is committed and proactively contributes to risk mitigation. | Low | High | YES
Information Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Insurance policy | Insurance in case of acts of nature is available. | Low | High | YES
Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES
Incident response actions and communications | People are aware of how to react when an incident occurs. | Low | High | YES
Services, Infrastructure and Applications Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Monitoring and alert services | Timely notification of potential threats | Low | High | YES
People, Skills and Competencies Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Information risk management | Identify and formulate a response to information risk related to acts of nature. | High | High | YES
Technical understanding | Technical expertise regarding specific and relevant acts of nature | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (11) Trend of capability assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (14) Level of business user satisfaction with quality and timeliness (or availability) of management information
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS04) Percentage of IT services meeting uptime requirements
• (DSS04) Percentage of successful and timely restoration from backup or alternate media copies
• (DSS04) Percentage of backup media transferred and stored securely
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of recovery tests
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials

1906 Impact of rising water table

Risk Scenario Title: Impact of rising water table
Risk Scenario Category: 19 Acts of nature
Risk Scenario Reference: 1906
Risk Scenario
A global financial enterprise has several data centers worldwide, including one in a mid-European location that was built 15 years ago. The entire computing facility is underground and bombproof, has multi-layered physical security, and regularly tests business continuity plan (BCP) processes together with the other data centers. Growing use of technology in banking, acquisitions and business means that capacity is a constant challenge for the enterprise.

From time to time, moisture has appeared in the data center, and the amount of moisture has increased over time, with dehumidifiers installed to compensate. Eventually a dehumidifier failure led to a complete failure of the data center, requiring the replacement of a large amount of equipment due to water damage.

A subsequent review identified a slowly rising water table. Although not critical, the dependence on the data center mandates that action is required.
Risk Scenario Components
Threat Type
The main threat type is a natural event. A secondary nature of the event is failure of physical infrastructure/equipment—the dehumidifiers.
Actor
Not every type of threat requires an actor, e.g., failures of equipment or natural causes. This event has a natural cause, the secondary type is failure of the dehumidifiers, and there is no actor.
Event
The event is an interruption caused by the complete failure of the data center and the destruction of the roof, resulting in water leakage and water damage to much of the equipment.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the facilities/equipment—failure of the dehumidifier.
Asset/Resource (Effect)
The assets/resources that are affected are different business processes and the infrastructure itself that was destroyed and has to be replaced.
Time
At the time of the dehumidifier failure, the moisture had already been increasing over time; therefore, the time of occurrence of the event (failure of the dehumidifier) is critical.

Because a subsequent review identified a slowly rising water table which, although noncritical, mandates action given the dependence on the data center, and because such action can take some time, the duration of the event is classified as extended. Because the moisture in the data center suddenly damaged some of the equipment and interrupted the services at the same time, the detection is immediate. The consequences are also immediate because the destroyed equipment cannot be used any longer and has to be replaced immediately.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P (IT service interruption, damage of equipment)
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Top management must determine whether the risk can be accepted and/or which actions to take to mitigate the risk, including reconfiguration or replacement of the data center. Accepting the risk would mean that only the dehumidifier that failed is replaced and the data center is left as is.
• Risk Sharing/Transfer: Insurance for the destroyed equipment
• Risk Mitigation: The enterprise must consider the implications of the environmental change on the data center and the ability of the data center to function within the changing environmental circumstances. The enterprise will need to consider the future viability of the data center, or change the infrastructure and/or rebalance the load across the enterprise.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Backup policy | Backups are available. | Low | Medium | NO
Business continuity and disaster recovery policy | Validate recoverability of data. | Low | Medium | NO

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | --- | ---
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Medium | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Low | High | YES
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES
Organisational Structures Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Business continuity manager | Responsible for BCP plans | Low | High | YES
Head of IT operations | Responsible for managing the IT environment and facilities | High | Medium | YES
Chief information officer (CIO) | Responsible for developing and implementing a business continuity response | Low | High | YES
Business process owners | Accountable for developing and implementing a business continuity response | Low | High | YES
Culture, Ethics and Behaviour Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Stakeholders are aware of how to identify and respond to threats. | People are involved and aware of how to react when an incident occurs. | High | High | YES
Business management engages in continuous cross-functional collaboration to allow for efficient and effective business continuity programs. | The business is committed and proactively contributes to risk mitigation. | Low | High | YES
Information Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Insurance policy | Insurance in case of acts of nature is available. | Low | Medium | NO
Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES
Incident response actions and communications | People are aware of how to react when an incident occurs. | Low | High | YES

Services, Infrastructure and Applications Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Monitoring and alert services | Timely notification of potential threats | High | Low | NO
People, Skills and Competencies Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Information risk management | Identify and formulate a response to information risk related to acts of nature. | High | High | YES
Technical understanding | Technical expertise regarding specific and relevant acts of nature | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (14) Number of business process incidents caused by non-availability of information
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS04) Percentage of IT services meeting uptime requirements
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of recovery tests
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents
• (DSS05) Number of incidents relating to unauthorised access to information

20 Innovation
2001 Systems upgrades interoperability

Risk Scenario Title: Systems upgrades interoperability
Risk Scenario Category: 20 Innovation
Risk Scenario Reference: 2001
Risk Scenario
A large enterprise that is upgrading its channels business platform solution for external customers did not take into account the software prerequisites
needed for the upgrade. The versions of the company’s currently approved browsers are not compatible with the new solution due to security concerns
(new policies not developed, installation masters not modified, etc.) and the browser cannot be upgraded to the necessary version for the solution in an
adequate period of time.

Due to this situation and the existing contract penalties that are defined in the service provider’s service level agreement (SLA), a high-priority
workaround project utilizing virtual machines must be put in place until the security and technology departments review the situation and take the
necessary remedial steps.

Because the additional processor and communication line requirements were not considered as part of the original design’s capacity planning
requirements for the branches, the entire upgrade is compromised.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO04 Manage innovation and BAI02 Manage requirements definition.

Actor
The actor that generates the threat that exploits the vulnerability is internal—the Steering (Programs/Projects) Committee.
Event
The event is an ineffective design and/or ineffective execution of the processes APO04 Manage innovation and BAI02 Manage requirements definition, which leads to interruption of the project to upgrade the channels business platform solution.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the processes APO04 Manage innovation and BAI02 Manage requirements definition and the
people and skills of the Steering (Programs/Projects) Committee.
Asset/Resource (Effect)
The assets/resources that are affected are mainly the business processes that are supported by the channels business platform solution.
Time
The duration of the event is extended because the entire upgrade is delayed for quite some time. The timing of the occurrence is critical because the
branches need this update to improve their sales. The event detection is slow; it was not detected that the browser versions were not compatible until
the security concerns surfaced. The time lag between the event and the consequence is delayed because the overrun in time is quite material.
Risk Type
IT Benefit/Value Enablement: P (Missed opportunity to use technology to improve efficiency)
IT Programme and Project Delivery: S (Overrun of time for the project)
IT Operations and Service Delivery: S (The workarounds affect operational stability.)
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Provide infrastructure that can be an enabler for innovation, such as collaboration tools for enhancing work between geographic
locations and divisions. Analyze stakeholder (IT security) interests and requirements. Monitor individual project performance related to delivery of the
expected capabilities, schedule, benefits realization, costs, risk or other metrics to identify potential impacts on program performance. Take timely
remedial action when required. Define and implement a requirements definition and maintenance procedure and a requirements repository that are
appropriate for the size, complexity, objectives and risk of the initiative.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | --- | ---
APO04.01 | Create an environment conducive to innovation. | Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas. | Medium | Low | NO
APO04.02 | Maintain an understanding of the enterprise environment. | Work with stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified. | Medium | Medium | NO
APO04.04 | Assess the potential of emerging technologies and innovation ideas. | Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation. | Medium | Medium | NO
APO04.05 | Recommend appropriate further initiatives. | Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support. | High | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | High | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | Low | YES
BAI02.04 | Obtain approval of requirements and solutions. | Coordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions. | High | High | YES
Organisational Structures Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Chief executive officer (CEO) | Accountable for creating the environment conducive for innovation | Medium | Low | NO
Strategy committee | Accountable for taking forward and monitoring favorable innovation initiatives | Medium | Medium | NO
Chief information officer (CIO) | Accountable for identifying technology-based innovations and for assessing their potential | High | High | YES
Innovation group | Responsible for identifying innovation opportunities and for developing business cases for innovation initiatives | High | High | YES
Culture, Ethics and Behaviour Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Willingness to take risk | Innovation by definition is about new technologies and new ways of working, both bringing potential resistance and unsure benefits. However, not having this risk willingness attitude will exclude upfront any potential for innovation. | High | High | YES
Support of senior management for innovation initiatives | Senior management support is required to fund the innovation initiatives and to support them to overcome initial resistance. | High | High | YES
"Failure is allowed" attitude | Not every innovation project or initiative will be successful, and a certain amount of failure should be accepted as the price to pay for successful initiatives. | High | Medium | YES

Information Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Innovation plan | Innovations are clearly laid out so they can be monitored and incorporated into the enterprise's strategic plans. | High | High | YES
Recognition program | Innovation needs to be adequately rewarded, according to a formalized plan. | Low | Low | NO
Evaluation of innovation initiatives | Formal evaluation of innovation initiatives facilitates executive decision making. | High | High | YES
Services, Infrastructure and Applications Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
N/A | N/A | | |
People, Skills and Competencies Enabler

Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
--- | --- | --- | --- | ---
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO04) Enterprise stakeholder perceptions and feedback on IT innovation
• (APO04) Percentage of implemented initiatives that realise the envisioned benefits
• (APO04) Percentage of implemented initiatives with a clear linkage to an enterprise objective
• (APO04) Stakeholder feedback and surveys
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Frequency of project status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution


2002 Programming flaw

Risk Scenario Title: Programming flaw
Risk Scenario Category: 20 Innovation
Risk Scenario Reference: 2002
Risk Scenario
A programmer makes a coding error that allows individual(s) to gain increased access beyond their responsibilities. The programming error is not
detected by quality assurance (QA) procedures and the code is made live. The programming flaw in this application, managing medical records, allows
all system users open access to sensitive patient identifiable medical information. This access can lead to unauthorized and inappropriate disclosure
(accidental or malicious) of sensitive information, which usually results in a fine by the local regulators for a breach of data privacy and a loss of public
confidence in the ability of the enterprise to keep sensitive medical information safe and secure.
Risk Scenario Components
Threat Type
The nature of the event is an unauthorized and inappropriate accidental disclosure of sensitive information.
Actor
The internal programmer making the coding error and the internal individual(s) gaining increased access beyond their responsibilities.
Event
The event is disclosure of sensitive information.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are people, the programmer and the QA team, and also the process APO11 Manage quality, which
did not detect the programming flaw.
Asset/Resource (Effect)
The asset/resource is information because the programming flaw provides access to sensitive patient data to which the user is not entitled.
Time
The timing is critical because the potential exposure to medical records is immediate. The duration is extended, detection is slow and time lag is
delayed. The programming error may go undetected for a long period of time because users discovering that they have access to records that they are
not normally able to access may not inform the relevant person responsible for information security.
Risk Type
Risk Type | P/S | Risk Description
IT Benefit/Value Enablement | P | Effectiveness of business processes
IT Programme and Project Delivery | | N/A
IT Operations and Service Delivery | S | Security and compliance problems
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Implement change management and QA.
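As an added worked example (not part of the ISACA text): a toy medical-records lookup carrying the kind of coding error scenario 2002 describes, the hardened deny-by-default version beside it, and the negative-path acceptance test of the sort BAI07.03/BAI07.05 call for before promotion to production. Roles, users and patient records are constructed for illustration.

```python
"""
Added example for scenario 2002 (not ISACA's own code). Shows the 'before'
lookup whose authorisation check is wrong, the 'after' lookup that denies by
default and audits every decision, and an acceptance test that would have
caught the flaw before the code went live. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                 # constructed roles: "clinician", "billing", ...
    patients: FrozenSet[str]  # patient ids this user is assigned to


# Constructed sample records; a real system holds far more than this.
RECORDS: Dict[str, dict] = {
    "P-001": {"name": "Patient One", "diagnosis": "constructed"},
    "P-002": {"name": "Patient Two", "diagnosis": "constructed"},
}

# (user_id, patient_id, outcome) for every decision the hardened path makes,
# so misuse is detectable even when no user reports it.
AUDIT_LOG: List[Tuple[str, str, str]] = []


def lookup_flawed(user: User, patient_id: str) -> Optional[dict]:
    """The 'before' version. The developer meant to test membership in the
    user's assignment list but tested membership in the records table, so
    every existing patient is readable by every authenticated user."""
    if patient_id in RECORDS:             # BUG: should be user.patients
        return RECORDS[patient_id]
    return None


def is_authorised(user: User, patient_id: str) -> bool:
    """Deny by default: only a clinician assigned to the patient may read."""
    return user.role == "clinician" and patient_id in user.patients


def lookup_hardened(user: User, patient_id: str) -> Optional[dict]:
    """The 'after' version: one explicit authorisation function decides,
    and every decision is written to the audit log."""
    if not is_authorised(user, patient_id):
        AUDIT_LOG.append((user.user_id, patient_id, "DENIED"))
        return None
    AUDIT_LOG.append((user.user_id, patient_id, "ALLOWED"))
    return RECORDS.get(patient_id)


Lookup = Callable[[User, str], Optional[dict]]


def acceptance_test(lookup: Lookup) -> List[str]:
    """Negative-path acceptance test: the expected outcome of each
    (user, patient) pair is fixed up front and any deviation is a defect.
    Returns the defects found, which is exactly the 'defects uncovered
    prior to production' figure a KRI would count."""
    dr_a = User("u-dr-a", "clinician", frozenset({"P-001"}))
    billing = User("u-bill", "billing", frozenset())
    cases = [
        (dr_a, "P-001", True),      # assigned clinician may read
        (dr_a, "P-002", False),     # clinician not assigned to P-002
        (billing, "P-001", False),  # billing role has no clinical access
        (billing, "P-999", False),  # non-existent patient
    ]
    defects: List[str] = []
    for user, pid, should_allow in cases:
        got = lookup(user, pid) is not None
        if got != should_allow:
            defects.append(
                f"{user.user_id} -> {pid}: expected "
                f"{'allow' if should_allow else 'deny'}, got "
                f"{'allow' if got else 'deny'}"
            )
    return defects


if __name__ == "__main__":
    print("flawed build:  ", acceptance_test(lookup_flawed))
    print("hardened build:", acceptance_test(lookup_hardened))
```

Run against the flawed build the test reports the two unauthorised reads; against the hardened build it reports none, which is the exit criterion BAI07.05 requires before migration.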
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO11.05 | Integrate quality management into solutions for development and service delivery. | Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings. | Medium | Low | NO
BAI07.01 | Establish an implementation plan. | Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/backout plan, and a post-implementation review. Obtain approval from relevant parties. | High | Medium | YES


BAI07.03 | Plan acceptance tests. | Establish a test plan based on enterprise-wide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties. | High | High | YES
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. | High | High | YES
BAI07.06 | Promote to production and manage releases. | Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and results. If significant problems occur, revert back to the original environment based on the fallback/backout plan. Manage releases of solution components. | High | Medium | YES
BAI03.06 | Perform QA. | Develop, resource and execute a quality assurance (QA) plan aligned with the quality management system (QMS) to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures. | High | Medium | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief executive officer (CEO) | Accountable for creating the environment conducive for innovation | Medium | Medium | NO
Strategy committee | Accountable for taking forward and monitoring favorable innovation initiatives | Low | Low | NO
Chief information officer (CIO) | Accountable for identifying technology based innovations and for assessing their potential. | Medium | Medium | NO
Innovation group | Responsible for identifying innovation opportunities and for developing business cases for innovation initiatives | Low | Low | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Willingness to take risk | Innovation by definition is about new technologies and new ways of working, both bringing potential resistance and unsure benefits. However, not having this risk willingness attitude will exclude upfront any potential for innovation. | Medium | Low | NO
Support of senior management for innovation initiatives | Senior management support is required to fund the innovation initiatives and to support them to overcome initial resistance. | Low | Low | NO
Failure is allowed attitude | Not every innovation project or initiative will be successful, and a certain amount of failure should be accepted as the price to pay for successful initiatives. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Innovation plan | Innovations are clearly laid out so they can be monitored and incorporated into the enterprise’s strategic plans. | Medium | Medium | NO
Recognition program | Innovation needs to be adequately rewarded according to an agreed-on and formalized plan. | Low | Low | NO
Evaluation of innovation initiatives | Formal evaluation of innovation initiatives facilitates executive decision making. | Medium | Medium | NO


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | Medium | Medium | NO
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | Medium | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (13) Number of programmes needing significant rework due to quality defects
Key Risk Indicators (KRIs) Related to Process Goals
• (APO11) Average stakeholder satisfaction rating with solutions and services
• (APO11) Percentage of stakeholders satisfied with IT quality
• (APO11) Percentage of projects reviewed that meet target quality goals and objectives
• (APO11) Percentage of solutions and services delivered with formal certification
• (APO11) Number of defects uncovered prior to production
• (APO11) Number of processes with a defined quality requirement
• (APO11) Number of processes with a formal quality assessment report
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing


2003 Stopping acquisition

Risk Scenario Title: Stopping acquisition
Risk Scenario Category: 20 Innovation
Risk Scenario Reference: 2003
Risk Scenario
For its administrative processes, an insurance company is using self-developed IT platforms from the 1980s or 1990s. Usually, these solutions work
quite well and are reliable. However, they are also inflexible. Therefore, it is very time consuming, complex and costly to bring new insurance products to
the market.

The company plans to acquire a solution from a relatively small software company. Plans are to replace its old self-developed solution with this new
standard software, which will become the new core insurance solution for claims administration. The implementation and customization is done together
with the software company. At about halfway through the project, it is recognized that the project will not deliver the expected benefits and not fulfil the
requirements. The project is stopped and the contract with the software company is cancelled.

Because the old legacy system still has to be replaced, there are different options for the insurance company to consider. These vary from a new
standard solution to a full in-house development. However, the stoppage leads to a delay of at least one to two years, and most of the developments to
date are lost.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO04 Manage innovation and BAI03 Manage solutions identification and build.
Actor
The actor that generates the threat that exploits the vulnerability is internal—the Steering Program/Project Committee.
Event
The event is an ineffective design and/or ineffective execution of the process BAI03 Manage solutions identification and build.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the people that chose this standard solution and decided to go with the small software
company—this could be the Strategy Executive Committee or the Steering (Program/Project) Committee.
Asset/Resource (Effect)
The assets/resources that are affected are the business processes and business innovation and the people who have to work with the inflexible systems.
Time
The duration of the event is extended, as the stopped project has to be relaunched or even started again from scratch. The timing of occurrence is critical, as other insurance companies already have new and more flexible solutions in place and are therefore more competitive. Detection takes a moderate time: the project was stopped partway, once it became clear that the solution would not meet the requirements, rather than being carried through to the end. The time lag between the event and the consequence is delayed, as the project overrun will be one to two years.
Risk Type
Risk Type | P/S | Risk Description
IT Benefit/Value Enablement | P | Missed opportunity to use technology to improve efficiency, effectiveness and flexibility
IT Programme and Project Delivery | P | Stranded costs for investments
IT Programme and Project Delivery | P | Significant delay in project delivery
IT Operations and Service Delivery | S | The old and inflexible systems can bring reduction of value to the enterprise.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Use a business process provider for the administration of claims.
• Risk Mitigation: Proof of concept. Clear requirements management.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO04.02 | Maintain an understanding of the enterprise environment. | Work with stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified. | High | High | YES
APO04.03 | Monitor and scan the technology environment. | Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context. | Medium | Low | NO
APO04.04 | Assess the potential of emerging technologies and innovation ideas. | Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation. | Medium | Low | NO
APO04.05 | Recommend appropriate further initiatives. | Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support. | Low | Medium | NO
APO04.06 | Monitor the implementation and use of innovation. | Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned. | Low | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | Medium | YES
BAI02.02 | Perform a feasibility study and formulate alternative solutions. | Perform a feasibility study of potential alternative solutions, assess their viability and select the preferred option. If appropriate, implement the selected option as a pilot to determine possible improvements. | High | High | YES
BAI02.03 | Manage requirements risk. | Identify, document, prioritize and mitigate functional, technical and information processing-related risk associated with the enterprise requirements and proposed solution. | Medium | Medium | NO
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | Medium | Medium | NO


Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief executive officer (CEO) | Accountable for creating the environment conducive for innovation | Medium | High | YES
Strategy committee | Accountable for taking forward and monitoring favorable innovation initiatives | High | High | YES
Chief information officer (CIO) | Accountable for identifying technology based innovations and for assessing their potential | High | High | YES
Innovation group | Responsible for identifying innovation opportunities and for developing business cases for innovation initiatives | Medium | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Willingness to take risk | Innovation by definition is about new technologies and new ways of working, both bringing potential resistance and unsure benefits. However, not having this risk willingness attitude will exclude upfront any potential for innovation. | Medium | Medium | NO
Support of senior management for innovation initiatives | Senior management support is required to fund the innovation initiatives and to support them to overcome initial resistance. | Medium | Medium | NO
Failure is allowed attitude | Not every innovation project or initiative will be successful, and a certain amount of failure should be accepted as the price to pay for successful initiatives. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Innovation plan | Innovations are clearly laid out so they can be monitored and incorporated into the enterprise’s strategic plans. | High | High | YES
Recognition program | Innovation needs to be adequately rewarded, according to a formalized plan. | Low | Low | NO
Evaluation of innovation initiatives | Formal evaluation of innovation initiatives facilitates executive decision making. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES


Key Risk Indicators (KRIs) Related to IT Goals


• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO04) Increase in market share or competitiveness due to innovations
• (APO04) Enterprise stakeholder perceptions and feedback on IT innovation
• (APO04) Percentage of implemented initiatives that realise the envisioned benefits
• (APO04) Percentage of implemented initiatives with a clear linkage to an enterprise objective
• (APO04) Inclusion of innovation or emerging technology-related objectives in performance goals for relevant staff
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements


Appendix 1
Risk Scenario Analysis Template[10]
This appendix contains a comprehensive template for the treatment of a risk scenario—from conception through response
and monitoring—in support of the core risk management processes (APO12) of an enterprise.

Risk Scenario Template

Risk Scenario Title:
Risk Scenario Category (high-level description of the scenario category):
  ☐ 01-Portfolio establishment and maintenance
  ☐ 02-Programme/project life cycle management
  ☐ 03-IT investment decision making
  ☐ 04-IT expertise and skills
  ☐ 05-Staff operations
  ☐ 06-Information
  ☐ 07-Architecture
  ☐ 08-Infrastructure
  ☐ 09-Software
  ☐ 10-Business ownership of IT
  ☐ 11-Suppliers
  ☐ 12-Regulatory compliance
  ☐ 13-Geopolitical
  ☐ 14-Infrastructure theft or destruction
  ☐ 15-Malware
  ☐ 16-Logical attacks
  ☐ 17-Industrial action
  ☐ 18-Environmental
  ☐ 19-Acts of nature
  ☐ 20-Innovation
Risk Scenario
Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/vulnerability type and includes the actors, events, assets and time issues.
Risk Scenario Components
Threat Type (the nature of the event):
  ☐ Malicious ☐ Accidental ☐ Error ☐ Failure ☐ Natural ☐ External requirement
Actor (who or what triggers the threat that exploits a vulnerability):
  ☐ Internal ☐ External ☐ Human ☐ Nonhuman
Event (something that happens that was not supposed to happen, something does not happen that was supposed to happen, or a change in circumstances; events always have causes and usually have consequences, and a consequence is the outcome of an event and has an impact on objectives):
  ☐ Disclosure ☐ Interruption ☐ Modification ☐ Theft ☐ Destruction ☐ Ineffective design ☐ Ineffective execution ☐ Rules and regulations ☐ Inappropriate use
Asset (something of either tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation):
  ☐ Process ☐ People and skills ☐ Organizational structure ☐ Physical Infrastructure ☐ IT Infrastructure ☐ Information ☐ Applications
Resource (anything that helps to achieve a goal):
  ☐ Process ☐ People and skills ☐ Organizational structure ☐ Physical Infrastructure ☐ IT Infrastructure ☐ Information ☐ Applications

[10] Adapted from ISACA, COBIT® 5 for Risk, USA, 2013, www.isaca.org/cobit, pp. 243-244.



Time:
  Timing: ☐ Noncritical ☐ Critical
  Duration: ☐ Short ☐ Moderate ☐ Extended
  Detection: ☐ Slow ☐ Moderate ☐ Instant
  Time lag: ☐ Immediate ☐ Delayed
Risk Type
Describe the consequences resulting from the event. Include whether the risk type is primary or secondary.
Risk Type | P/S | Risk Description
IT Benefit/Value Enablement | |
IT Programme and Project Delivery | |
IT Operations and Service Delivery | |
Possible Risk Responses
Risk Avoidance:
Risk Acceptance:
Risk Sharing/Transfer:
Risk Mitigation:
Risk Mitigation Using COBIT 5 Enablers (see appendix D in COBIT 5 for Risk)
Principles, Policies and Frameworks Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control

Process Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control


Key Risk Indicators (KRIs) Related to IT Goals




Key Risk Indicators (KRIs) Related to Process Goals


Appendix 2
Glossary
Term | Explanation
Asset | Something of either tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation
Business goal | The translation of the enterprise’s mission from a statement of intention into performance targets and results
Business impact | The net effect, positive or negative, on the achievement of business objectives
Business impact analysis (BIA) | Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.
Business objective | A further development of the business goals into tactical targets and desired results and outcomes
Enterprise risk management (ERM) | The discipline by which an enterprise in any industry assesses, controls, exploits, finances, and monitors risk from all sources for the purpose of increasing the enterprise’s short- and long-term value to its stakeholders
Event | Something that happens at a specific place and/or time
Event type | For the purpose of IT risk management,[11] one of three possible sorts of events: threat event, loss event and vulnerability event
Frequency | A measure of the rate by which events occur over a certain period of time
IT risk | The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
IT risk profile | A description of the overall (identified) IT risk to which the enterprise is exposed
IT risk register | A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact and disposition.
IT risk scenario | The description of an IT-related event that can lead to a business impact
IT-related incident | An IT-related event that causes an operational, developmental and/or strategic business impact
Key risk indicator (KRI) | A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk
Lag indicator | Metrics for achievement of goals—An indicator relating to the outcome or result of an enabler, i.e., this indicator is only available after the facts or events
Lead indicator | Metrics for application of good practice—An indicator relating to the functioning of an enabler, i.e., this indicator will provide an indication on possible outcome of the enabler
Loss event | Any event during which a threat event results in loss
Magnitude | A measure of the potential severity of loss or the potential gain from realized events/scenarios
Residual risk | The remaining risk after management has implemented a risk response
Risk (business) | A probable situation with uncertain frequency and magnitude of loss (or gain)
Risk aggregation | The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise
Risk analysis | 1. A process by which frequency and magnitude of IT risk scenarios are estimated. 2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats
Risk appetite | The amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission
Risk assessment | A process used to identify and evaluate risk and its potential effects
Risk culture | The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed
Risk factor | A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios
Risk indicator | A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite
(IT) Risk issue | 1. An instance of an IT risk. 2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk
Risk map | A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude

[11] Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.

Risk response: Risk avoidance, risk acceptance, risk sharing/transfer, risk mitigation, leading to a situation that as much future residual risk (current risk with the risk response defined and implemented) as possible (usually depending on budgets available) falls within risk appetite limits
Risk statement: A description of the current conditions that may lead to the loss; and a description of the loss. Source: Software Engineering Institute (SEI). For a risk to be understandable, it must be expressed clearly. Such a statement must include a description of the current conditions that may lead to the loss; and a description of the loss.
Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Threat: Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm
Threat event: Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
Vulnerability event: Any event during which a material increase in vulnerability results. Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force.

Appendix 3
Processes for Governance and Management of Enterprise IT
Figure 18—COBIT 5 Process Reference Model

Processes for Governance of Enterprise IT
Evaluate, Direct and Monitor: EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT
Align, Plan and Organise: APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security
Build, Acquire and Implement: BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration
Deliver, Service and Support: DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess: MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Source: COBIT® 5, ISACA, USA, 2012, figure 16

Process COBIT 5 Governance or Management Practice


EDM01 Ensure Governance Framework Setting and Maintenance
EDM01.01—Evaluate the governance system.
Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.
EDM01.02—Direct the governance system.
Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision making.
EDM01.03—Monitor the governance system.
Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.



EDM02 Ensure Benefits Delivery
EDM02.01—Evaluate value optimisation.
Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgement on any changes in direction that need to be given to management to optimise value creation.
EDM02.02—Direct value optimisation.
Direct value management principles and practices to enable optimal value realisation from IT-enabled investments throughout their full economic life cycle.
EDM02.03—Monitor value optimisation.
Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions.

EDM03 Ensure Risk Optimisation
EDM03.01—Evaluate risk management.
Continually examine and make judgement on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.
EDM03.02—Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
EDM03.03—Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

EDM04 Ensure Resource Optimisation
EDM04.01—Evaluate resource management.
Continually examine and make judgement on the current and future need for IT-related resources, options for resourcing (including sourcing strategies), and allocation and management principles to meet the needs of the enterprise in the optimal manner.
EDM04.02—Direct resource management.
Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.
EDM04.03—Monitor resource management.
Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

EDM05 Ensure Stakeholder Transparency
EDM05.01—Evaluate stakeholder reporting requirements.
Continually examine and make judgement on the current and future requirements for stakeholder communication and reporting, including both mandatory reporting requirements (e.g. regulatory) and communication to other stakeholders. Establish the principles for communication.
EDM05.02—Direct stakeholder communication and reporting.
Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.
EDM05.03—Monitor stakeholder communication.
Monitor the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met.



APO01 Manage the IT Management Framework
APO01.01—Define the organisational structure.
Establish an internal and extended organisational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g. committees) that enable management decision making to take place in the most effective and efficient manner.
APO01.02—Establish roles and responsibilities.
Establish, agree on and communicate roles and responsibilities of IT personnel, as well as other stakeholders with responsibilities for enterprise IT, that clearly reflect overall business needs and IT objectives and relevant personnel’s authority, responsibilities and accountability.
APO01.03—Maintain the enablers of the management system.
Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are integrated and aligned with the enterprise’s governance and management philosophy and operating style. These enablers include the clear communication of expectations/requirements. The management system should encourage cross-divisional co-operation and teamwork, promote compliance and continuous improvement, and handle process deviations (including failure).
APO01.04—Communicate management objectives and direction.
Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
APO01.05—Optimise the placement of the IT function.
Position the IT capability in the overall organisational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.
APO01.06—Define information (data) and system ownership.
Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification.
APO01.07—Manage continual improvement of processes.
Assess, plan and execute the continual improvement of processes and their maturity to ensure that they are capable of delivering against enterprise, governance, management and control objectives. Consider COBIT process implementation guidance, emerging standards, compliance requirements, automation opportunities, and the feedback of process users, the process team and other stakeholders. Update the process and consider impacts on process enablers.
APO01.08—Maintain compliance with policies and procedures.
Put in place procedures to maintain compliance with and performance measurement of policies and other enablers of the control framework, and enforce the consequences of non-compliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework.

APO02 Manage Strategy
APO02.01—Understand enterprise direction.
Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
APO02.02—Assess the current environment, capabilities and performance.
Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services.
APO02.03—Define the target IT capabilities.
Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.
APO02.04—Conduct a gap analysis.
Identify the gaps between the current and target environments and consider the alignment of assets (the capabilities that support services) with business outcomes to optimise investment in and utilisation of the internal and external asset base. Consider the critical success factors to support strategy execution.
APO02.05—Define the strategic plan and road map.
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise’s strategic goals. Include how IT will support IT-enabled investment programmes, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritise the initiatives and combine them in a high-level road map.
APO02.06—Communicate the IT strategy and direction.
Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.



APO03 Manage Enterprise Architecture
APO03.01—Develop the enterprise architecture vision.
The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data and application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
APO03.02—Define reference architecture.
The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.
APO03.03—Select opportunities and solutions.
Rationalise the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programmes to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints.
APO03.04—Define architecture implementation.
Create a viable implementation and migration plan in alignment with the programme and project portfolios. Ensure that the plan is closely co-ordinated to ensure that value is delivered and the required resources are available to complete the necessary work.
APO03.05—Provide enterprise architecture services.
The provision of enterprise architecture services within the enterprise includes guidance to and monitoring of implementation projects, formalising ways of working through architecture contracts, and measuring and communicating architecture’s value-add and compliance monitoring.

APO04 Manage Innovation
APO04.01—Create an environment conducive to innovation.
Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.
APO04.02—Maintain an understanding of the enterprise environment.
Work with relevant stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified.
APO04.03—Monitor and scan the technology environment.
Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g. by realising the enterprise strategy, optimising costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyse emerging technologies or innovation ideas in the enterprise context.
APO04.04—Assess the potential of emerging technologies and innovation ideas.
Analyse identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.
APO04.05—Recommend appropriate further initiatives.
Evaluate and monitor the results of proof-of-concept initiatives and, if favourable, generate recommendations for further initiatives and gain stakeholder support.
APO04.06—Monitor the implementation and use of innovation.
Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realised and to identify lessons learned.



APO05 Manage Portfolio
APO05.01—Establish the target investment mix.
Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected ROI over the full economic life cycle, degree of risk, and type of benefit, for the programmes in the portfolio. Adjust the enterprise and IT strategies where necessary.
APO05.02—Determine the availability and sources of funds.
Determine potential sources of funds, different funding options and the implications of the funding source on the investment return expectations.
APO05.03—Evaluate and select programmes to fund.
Based on the overall investment portfolio mix requirements, evaluate and prioritise programme business cases, and decide on investment proposals. Allocate funds and initiate programmes.
APO05.04—Monitor, optimise and report on investment portfolio performance.
On a regular basis, monitor and optimise the performance of the investment portfolio and individual programmes throughout the entire investment life cycle.
APO05.05—Maintain portfolios.
Maintain portfolios of investment programmes and projects, IT services and IT assets.
APO05.06—Manage benefits achievement.
Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case.

APO06 Manage Budget and Costs
APO06.01—Manage finance and accounting.
Establish and maintain a method to account for all IT-related costs, investments and depreciation as an integral part of the enterprise financial systems and chart of accounts to manage the investments and costs of IT. Capture and allocate actual costs, analyse variances between forecasts and actual costs, and report using the enterprise’s financial measurement systems.
APO06.02—Prioritise resource allocation.
Implement a decision-making process to prioritise the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options.
APO06.03—Create and maintain budgets.
Prepare a budget reflecting the investment priorities supporting strategic objectives based on the portfolio of IT-enabled programmes and IT services.
APO06.04—Model and allocate costs.
Establish and use an IT costing model based on the service definition, ensuring that allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities.
APO06.05—Manage costs.
Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed.

APO07 Manage Human Resources
APO07.01—Maintain adequate and appropriate staffing.
Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
APO07.02—Identify key IT personnel.
Identify key IT personnel while minimising reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
APO07.03—Maintain the skills and competencies of personnel.
Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programmes where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.



APO07 Manage Human Resources (cont.)
APO07.04—Evaluate employee job performance.
Perform timely performance evaluations on a regular basis against individual objectives derived from the enterprise’s goals, established standards, specific job responsibilities, and the skills and competency framework. Employees should receive coaching on performance and conduct whenever appropriate.
APO07.05—Plan and track the usage of IT and business human resources.
Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes sourcing plans, and business and IT recruitment processes.
APO07.06—Manage contract staff.
Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the organisation’s policies and meet agreed-on contractual requirements.

APO08 Manage Relationships
APO08.01—Understand business expectations.
Understand current business issues and objectives and business expectations for IT. Ensure that requirements are understood, managed and communicated, and their status agreed on and approved.
APO08.02—Identify opportunities, risk and constraints for IT to enhance the business.
Identify potential opportunities for IT to be an enabler of enhanced enterprise performance.
APO08.03—Manage the business relationship.
Manage the relationship with customers (business representatives). Ensure that relationship roles and responsibilities are defined and assigned, and communication is facilitated.
APO08.04—Co-ordinate and communicate.
Work with stakeholders and co-ordinate the end-to-end delivery of IT services and solutions provided to the business.
APO08.05—Provide input to the continual improvement of services.
Continually improve and evolve IT-enabled services and service delivery to the enterprise to align with changing enterprise and technology requirements.

APO09 Manage Service Agreements
APO09.01—Identify IT services.
Analyse business requirements and the way in which IT-enabled services and service levels support business processes. Discuss and agree on potential services and service levels with the business, and compare them with the current service portfolio to identify new or changed services or service level options.
APO09.02—Catalogue IT-enabled services.
Define and maintain one or more service catalogues for relevant target groups. Publish and maintain live IT-enabled services in the service catalogues.
APO09.03—Define and prepare service agreements.
Define and prepare service agreements based on the options in the service catalogues. Include internal operational agreements.
APO09.04—Monitor and report service levels.
Monitor service levels, report on achievements and identify trends. Provide the appropriate management information to aid performance management.
APO09.05—Review service agreements and contracts.
Conduct periodic reviews of the service agreements and revise when needed.

APO10 Manage Suppliers
APO10.01—Identify and evaluate supplier relationships and contracts.
Identify suppliers and associated contracts and categorise them into type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts.
APO10.02—Select suppliers.
Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimised with input from potential suppliers.
APO10.03—Manage supplier relationships and contracts.
Formalise and manage the supplier relationship for each supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. Deal with contractual disputes.
APO10.04—Manage supplier risk.
Identify and manage risk relating to suppliers’ ability to continually provide secure, efficient and effective service delivery.
APO10.05—Monitor supplier performance and compliance.
Periodically review the overall performance of suppliers, compliance to contract requirements, and value for money, and address identified issues.



APO11 Manage Quality
APO11.01—Establish a quality management system (QMS).
Establish and maintain a QMS that provides a standard, formal and continuous approach to quality management for information, enabling technology and business processes that are aligned with business requirements and enterprise quality management.
APO11.02—Define and manage quality standards, practices and procedures.
Identify and maintain requirements, standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed-on QMS. This should be in line with the IT control framework requirements. Consider certification for key processes, organisational units, products or services.
APO11.03—Focus quality management on customers.
Focus quality management on customers by determining their requirements and ensuring alignment with the quality management practices.
APO11.04—Perform quality monitoring, control and reviews.
Monitor the quality of processes and services on an ongoing basis as defined by the QMS. Define, plan and implement measurements to monitor customer satisfaction with quality as well as the value the QMS provides. The information gathered should be used by the process owners to improve quality.
APO11.05—Integrate quality management into solutions for development and service delivery.
Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings.
APO11.06—Maintain continuous improvement.
Maintain and regularly communicate an overall quality plan that promotes continuous improvement. This should include the need for, and benefits of, continuous improvement. Collect and analyse data about the QMS, and improve its effectiveness. Correct non-conformities to prevent recurrence. Promote a culture of quality and continual improvement.

APO12 Manage Risk
APO12.01—Collect data.
Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
APO12.02—Analyse risk.
Develop useful information to support risk decisions that take into account the business relevance of risk factors.
APO12.03—Maintain a risk profile.
Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.
APO12.04—Articulate risk.
Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
APO12.05—Define a risk management action portfolio.
Manage opportunities to reduce risk to an acceptable level as a portfolio.
APO12.06—Respond to risk.
Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

APO13 Manage Security
APO13.01—Establish and maintain an information security management system (ISMS).
Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.
APO13.02—Define and manage an information security risk treatment plan.
Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.
APO13.03—Monitor and review the ISMS.
Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyse data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.



BAI01 Manage Programmes and Projects
BAI01.01—Maintain a standard approach for programme and project management.
Maintain a standard approach for programme and project management that enables governance and management review and decision making and delivery management activities focussed on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner.
BAI01.02—Initiate a programme.
Initiate a programme to confirm the expected benefits and obtain authorisation to proceed. This includes agreeing on programme sponsorship, confirming the programme mandate through approval of the conceptual business case, appointing programme board or committee members, producing the programme brief, reviewing and updating the business case, developing a benefits realisation plan, and obtaining approval from sponsors to proceed.
BAI01.03—Manage stakeholder engagement.
Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.
BAI01.04—Develop and maintain the programme plan.
Formulate a programme to lay the initial groundwork and to position it for successful execution by formalising the scope of the work to be accomplished and identifying the deliverables that will satisfy its goals and deliver value. Maintain and update the programme plan and business case throughout the full economic life cycle of the programme, ensuring alignment with strategic objectives and reflecting the current status and updated insights gained to date.
BAI01.05—Launch and execute the programme.
Launch and execute the programme to acquire and direct the resources needed to accomplish the goals and benefits of the programme as defined in the programme plan. In accordance with stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report on the progress of the programme and to be able to make the case for funding up to the following stage-gate or release review.
BAI01.06—Monitor, control and report on the programme outcomes.
Monitor and control programme (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the programme steering committee and the sponsors.
BAI01.07—Start up and initiate projects within a programme.
Define and document the nature and scope of the project to confirm and develop amongst stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment programme. The definition should be formally approved by the programme and project sponsors.
BAI01.08—Plan projects.
Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability.
BAI01.09—Manage programme and project quality.
Prepare and execute a quality management plan, processes and practices, aligned with the QMS that describes the programme and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated programme and project plans.
BAI01.10—Manage programme and project risk.
Eliminate or minimise specific risk associated with programmes and projects through a systematic process of planning, identifying, analysing, responding to and monitoring and controlling the areas or events that have the potential to cause
unwanted change. Risk faced by programme and project management should be established and centrally recorded.
BAI01.11—Monitor and control projects.
Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any
deviations from the expected. Assess the impact of deviations on the project and overall programme, and report results to
key stakeholders.
BAI01.12—Manage project resources and work packages.
Manage project work packages by placing formal requirements on authorising and accepting work packages, and
assigning and co-ordinating appropriate business and IT resources.
BAI01.13—Close a project or iteration.
At the end of each project, release or iteration, require the project stakeholders to ascertain whether the project, release or
iteration delivered the planned results and value. Identify and communicate any outstanding activities required to achieve
the planned results of the project and the benefits of the programme, and identify and document lessons learned for use
on future projects, releases, iterations and programmes.
BAI01.14—Close a programme.
Remove the programme from the active investment portfolio when there is agreement that the desired value has been
achieved or when it is clear it will not be achieved within the value criteria set for the programme.

Appendix 3
Processes for Governance and Management of Enterprise IT

BAI02 Manage Requirements Definition
BAI02.01—Define and maintain business functional and technical requirements.
Based on the business case, identify, prioritise, specify and agree on business information, functional, technical and
control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the
proposed IT-enabled business solution.
BAI02.02—Perform a feasibility study and formulate alternative solutions.
Perform a feasibility study of potential alternative solutions, assess their viability and select the preferred option. If
appropriate, implement the selected option as a pilot to determine possible improvements.
BAI02.03—Manage requirements risk.
Identify, document, prioritise and mitigate functional, technical and information processing-related risk associated with the
enterprise requirements and proposed solution.
BAI02.04—Obtain approval of requirements and solutions.
Co-ordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or
product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and
recommended solutions.

BAI03 Manage Solutions Identification and Build
BAI03.01—Design high-level solutions.
Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development
techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when
significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders
actively participate in the design and approve each version.
BAI03.02—Design detailed solution components.
Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile
development techniques, addressing all components (business processes and related automated and manual controls,
supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the
detailed design includes internal and external SLAs and OLAs.
BAI03.03—Develop solution components.
Develop solution components progressively in accordance with detailed designs following development methods
and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control
requirements in the business processes, supporting IT applications and infrastructure services, services and technology
products, and partners/suppliers are addressed.
BAI03.04—Procure solution components.
Procure solution components based on the acquisition plan in accordance with requirements and detailed designs,
architecture principles and standards, and the enterprise’s overall procurement and contract procedures, QA requirements,
and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.
BAI03.05—Build solutions.
Install and configure solutions and integrate with business process activities. Implement control, security and auditability
measures during configuration, and during integration of hardware and infrastructural software, to protect resources and
ensure availability and data integrity. Update the services catalogue to reflect the new solutions.
BAI03.06—Perform quality assurance (QA).
Develop, resource and execute a QA plan aligned with the QMS to obtain the quality specified in the requirements
definition and the enterprise’s quality policies and procedures.
BAI03.07—Prepare for solution testing.
Establish a test plan and required environments to test the individual and integrated solution components, including the
business processes and supporting services, applications and infrastructure.
BAI03.08—Execute solution testing.
Execute testing continually during development, including control testing, in accordance with the defined test plan and
development practices in the appropriate environment. Engage business process owners and end users in the test team.
Identify, log and prioritise errors and issues identified during testing.
BAI03.09—Manage changes to requirements.
Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and
manage the approval of changes to requirements.
BAI03.10—Maintain solutions.
Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews
against business needs and operational requirements.
BAI03.11—Define IT services and maintain the service portfolio.
Define and agree on new or changed IT services and service level options. Document new or changed service definitions
and service level options to be updated in the services portfolio.
BAI04 Manage Availability and Capacity
BAI04.01—Assess current availability, performance and capacity and create a baseline.
Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and
performance are available to support business needs and deliver against SLAs. Create availability, performance and
capacity baselines for future comparison.
BAI04.02—Assess business impact.
Identify important services to the enterprise, map services and resources to business processes, and identify business
dependencies. Ensure that the impact of unavailable resources is fully agreed-on and accepted by the customer. Ensure
that, for vital business functions, the SLA availability requirements can be satisfied.
BAI04.03—Plan for new or changed service requirements.
Plan and prioritise availability, performance and capacity implications of changing business needs and service
requirements.
BAI04.04—Monitor and review availability and capacity.
Monitor, measure, analyse, report and review availability, performance and capacity. Identify deviations from established
baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where
necessary, and ensuring that all outstanding issues are followed up.
BAI04.05—Investigate and address availability, performance and capacity issues.
Address deviations by investigating and resolving identified availability, performance and capacity issues.

BAI05 Manage Organisational Change Enablement
BAI05.01—Establish the desire to change.
Understand the scope and impact of the envisioned change and stakeholder readiness/willingness to change. Identify
actions to motivate stakeholders to accept and want to make the change work successfully.
BAI05.02—Form an effective implementation team.
Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common
goals and effectiveness measures.
BAI05.03—Communicate desired vision.
Communicate the desired vision for the change in the language of those affected by it. The communication should be
made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the
change; and the vision, the road map and the involvement required of the various stakeholders.
BAI05.04—Empower role players and identify short-term wins.
Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning
organisational structures and HR processes. Identify and communicate short-term wins that can be realised and are
important from a change enablement perspective.
BAI05.05—Enable operation and use.
Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state
environment can exercise their responsibility.
BAI05.06—Embed new approaches.
Embed the new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan,
and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate, which may
include enforcing compliance.
BAI05.07—Sustain changes.
Sustain changes through effective training of new staff, ongoing communication campaigns, continued top management
commitment, adoption monitoring and sharing of lessons learned across the enterprise.

BAI06 Manage Changes
BAI06.01—Evaluate, prioritise and authorise change requests.
Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether
change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged,
prioritised, categorised, assessed, authorised, planned and scheduled.
BAI06.02—Manage emergency changes.
Carefully manage emergency changes to minimise further incidents and make sure the change is controlled and takes
place securely. Verify that emergency changes are appropriately assessed and authorised after the change.
BAI06.03—Track and report change status.
Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and
in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
BAI06.04—Close and document the changes.
Whenever changes are implemented, update accordingly the solution and user documentation and the procedures
affected by the change.
BAI07 Manage Change Acceptance and Transitioning
BAI07.01—Establish an implementation plan.
Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication,
training, release preparation, promotion to production, early production support, a fallback/backout plan, and a
post-implementation review. Obtain approval from relevant parties.
BAI07.02—Plan business process, system and data conversion.
Prepare for business process, IT service data and infrastructure migration as part of the enterprise’s development
methods, including audit trails and a recovery plan should the migration fail.
BAI07.03—Plan acceptance tests.
Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria.
Ensure that the plan is approved by relevant parties.
BAI07.04—Establish a test environment.
Define and establish a secure test environment representative of the planned business process and IT operations
environment, performance and capacity, security, internal controls, operational practices, data quality and privacy
requirements, and workloads.
BAI07.05—Perform acceptance tests.
Test changes independently in accordance with the defined test plan prior to migration to the live operational environment.
BAI07.06—Promote to production and manage releases.
Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot
implementation or in parallel with the old solution for a defined period and compare behaviour and results. If significant
problems occur, revert back to the original environment based on the fallback/backout plan. Manage releases of solution
components.
BAI07.07—Provide early production support.
Provide early support to the users and IT operations for an agreed-on period of time to deal with issues and help stabilise
the new solution.
BAI07.08—Perform a post-implementation review.
Conduct a post-implementation review to confirm outcome and results, identify lessons learned, and develop an action
plan. Evaluate and check the actual performance and outcomes of the new or changed service against the predicted
performance and outcomes (i.e., the service expected by the user or customer).

BAI08 Manage Knowledge
BAI08.01—Nurture and facilitate a knowledge-sharing culture.
Devise and implement a scheme to nurture and facilitate a knowledge-sharing culture.
BAI08.02—Identify and classify sources of information.
Identify, validate and classify diverse sources of internal and external information required to enable effective use and
operation of business processes and IT services.
BAI08.03—Organise and contextualise information into knowledge.
Organise information based upon classification criteria. Identify and create meaningful relationships between information
elements and enable use of information. Identify owners and define and implement levels of access to knowledge
resources.
BAI08.04—Use and share knowledge.
Propagate available knowledge resources to relevant stakeholders and communicate how these resources can be used to
address different needs (e.g. problem solving, learning, strategic planning and decision making).
BAI08.05—Evaluate and retire information.
Measure the use and evaluate the currency and relevance of information. Retire obsolete information.

BAI09 Manage Assets
BAI09.01—Identify and record current assets.
Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with
configuration management and financial management.
BAI09.02—Manage critical assets.
Identify assets that are critical in providing service capability and take steps to maximise their reliability and availability to
support business needs.
BAI09.03—Manage the asset life cycle.
Manage assets from procurement to disposal to ensure that assets are utilised as effectively and efficiently as possible
and are accounted for and physically protected.
BAI09.04—Optimise asset costs.
Regularly review the overall asset base to identify ways to optimise costs and maintain alignment with business needs.
BAI09.05—Manage licences.
Manage software licences so that the optimal number of licences is maintained to support business requirements and the
number of licences owned is sufficient to cover the installed software in use.
BAI10 Manage Configuration
BAI10.01—Establish and maintain a configuration model.
Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items
(CIs) and the relationships amongst them. Include the CIs considered necessary to manage services effectively and to
provide a single reliable description of the assets in a service.
BAI10.02—Establish and maintain a configuration repository and baseline.
Establish and maintain a configuration management repository and create controlled configuration baselines.
BAI10.03—Maintain and control configuration items.
Maintain an up-to-date repository of configuration items by populating with changes.
BAI10.04—Produce status and configuration reports.
Define and produce configuration reports on status changes of configuration items.
BAI10.05—Verify and review integrity of the configuration repository.
Periodically review the configuration repository and verify completeness and correctness against the desired target.

DSS01 Manage Operations
DSS01.01—Perform operational procedures.
Maintain and perform operational procedures and operational tasks reliably and consistently.
DSS01.02—Manage outsourced IT services.
Manage the operation of outsourced IT services to maintain the protection of enterprise information and reliability of
service delivery.
DSS01.03—Monitor IT infrastructure.
Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable
the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or
supporting operations.
DSS01.04—Manage the environment.
Maintain measures for protection against environmental factors. Install specialised equipment and devices to monitor and
control the environment.
DSS01.05—Manage facilities.
Manage facilities, including power and communications equipment, in line with laws and regulations, technical and
business requirements, vendor specifications, and health and safety guidelines.

DSS02 Manage Service Requests and Incidents
DSS02.01—Define incident and service request classification schemes.
Define incident and service request classification schemes and models.
DSS02.02—Record, classify and prioritise requests and incidents.
Identify, record and classify service requests and incidents, and assign a priority according to business criticality and
service agreements.
DSS02.03—Verify, approve and fulfil service requests.
Select the appropriate request procedures and verify that the service requests fulfil defined request criteria. Obtain
approval, if required, and fulfil the requests.
DSS02.04—Investigate, diagnose and allocate incidents.
Identify and record incident symptoms, determine possible causes and allocate for resolution.
DSS02.05—Resolve and recover from incidents.
Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
DSS02.06—Close service requests and incidents.
Verify satisfactory incident resolution and/or request fulfilment, and close.
DSS02.07—Track status and produce reports.
Regularly track, analyse and report incident and request fulfilment trends to provide information for continual improvement.

DSS03 Manage Problems
DSS03.01—Identify and classify problems.
Define and implement criteria and procedures to report problems identified, including problem classification,
categorisation and prioritisation.
DSS03.02—Investigate and diagnose problems.
Investigate and diagnose problems using relevant subject matter experts to assess and analyse root causes.
DSS03.03—Raise known errors.
As soon as the root causes of problems are identified, create known-error records and an appropriate workaround, and
identify potential solutions.
DSS03.04—Resolve and close problems.
Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change
management process if required to resolve errors. Ensure that the personnel affected are aware of the actions taken and
the plans developed to prevent future incidents from occurring.
DSS03.05—Perform proactive problem management.
Collect and analyse operational data (especially incident and change records) to identify emerging trends that may indicate
problems. Log problem records to enable assessment.
DSS04 Manage Continuity
DSS04.01—Define the business continuity policy, objectives and scope.
Define business continuity policy and scope aligned with enterprise and stakeholder objectives.
DSS04.02—Maintain a continuity strategy.
Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will
ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.
DSS04.03—Develop and implement a business continuity response.
Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in
readiness for use in an incident to enable the enterprise to continue its critical activities.
DSS04.04—Exercise, test and review the BCP.
Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to
allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
DSS04.05—Review, maintain and improve the continuity plan.
Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy
and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the
continuity plan is kept up to date and continually reflects actual business requirements.
DSS04.06—Conduct continuity plan training.
Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles
and responsibilities in case of disruption.
DSS04.07—Manage backup arrangements.
Maintain availability of business-critical information.
DSS04.08—Conduct post-resumption review.
Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.

DSS05 Manage Security Services
DSS05.01—Protect against malware.
Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches
and virus control) across the enterprise to protect information systems and technology from malware (e.g. viruses, worms,
spyware, spam).
DSS05.02—Manage network and connectivity security.
Use security measures and related management procedures to protect information over all methods of connectivity.
DSS05.03—Manage endpoint security.
Ensure that endpoints (e.g. laptop, desktop, server, and other mobile and network devices or software) are secured at a
level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
DSS05.04—Manage user identity and logical access.
Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with
business units that manage their own access rights within business processes.
DSS05.05—Manage physical access to IT assets.
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to
business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged
and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors,
visitors or any other third party.
DSS05.06—Manage sensitive documents and output devices.
Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such
as special forms, negotiable instruments, special-purpose printers or security tokens.
DSS05.07—Monitor the infrastructure for security-related events.
Using intrusion detection tools, monitor the infrastructure for unauthorised access and ensure any events are integrated
with general event monitoring and incident management.
DSS06 Manage Business Process Controls
DSS06.01—Align control activities embedded in business processes with enterprise objectives.
Continually assess and monitor the execution of the business process activities and related controls, based on enterprise
risk, to ensure that the processing controls are aligned with business needs.
DSS06.02—Control the processing of information.
Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that
information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorised business use).
DSS06.03—Manage roles, responsibilities, access privileges and levels of authority.
Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business
process objectives. Authorise access to any information assets related to business information processes, including those
under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who
is handling data on its behalf.
DSS06.04—Manage errors and exceptions.
Manage business process exceptions and errors and facilitate their correction. Include escalation of business process
errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and
integrity of the business information process.
DSS06.05—Ensure traceability of information events and accountabilities.
Ensure that business information can be traced to the originating business event and accountable parties. This enables
traceability of the information through its life cycle and related processes. This provides assurance that information that
drives the business is reliable and has been processed in accordance with defined objectives.
DSS06.06—Secure information assets.
Secure information assets accessible by the business through approved methods, including information in electronic form
(such as methods that create new assets in any form, portable media devices, user applications and storage devices),
information in physical form (such as source documents or output reports) and information during transit. This benefits the
business by providing end-to-end safeguarding of information.

MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA01.01—Establish a monitoring approach.
Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for
measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with
the corporate performance management system.
MEA01.02—Set performance and conformance targets.
Work with the stakeholders to define, periodically review, update and approve performance and conformance targets
within the performance measurement system.
MEA01.03—Collect and process performance and conformance data.
Collect and process timely and accurate data aligned with enterprise approaches.
MEA01.04—Analyse and report performance.
Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT
performance and fits within the enterprise monitoring system.
MEA01.05—Ensure the implementation of corrective actions.
Assist stakeholders in identifying, initiating and tracking corrective actions in order to address anomalies.
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA02.01—Monitor internal controls.
Continuously monitor, benchmark and improve the IT control environment and control framework to meet
organisational objectives.
MEA02.02—Review business process controls effectiveness.
Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within
business processes operate effectively. Include activities to maintain evidence of the effective operation of controls
through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments,
command and control centres, and network operations centres. This provides the business with the assurance of control
effectiveness to meet requirements related to business, regulatory and social responsibilities.
MEA02.03—Perform control self-assessments.
Encourage management and process owners to take positive ownership of control improvement through a continuing
programme of self-assessment to evaluate the completeness and effectiveness of management’s control over processes,
policies and contracts.
MEA02.04—Identify and report control deficiencies.
Identify control deficiencies and analyse and identify their underlying root causes. Escalate control deficiencies and report
to stakeholders.
MEA02.05—Ensure that assurance providers are independent and qualified.
Ensure that the entities performing assurance are independent from the function, groups or organisations in scope. The
entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and
knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.
MEA02.06—Plan assurance initiatives.
Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and
sufficient knowledge of the enterprise.
MEA02.07—Scope assurance initiatives.
Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.
MEA02.08—Execute assurance initiatives.
Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where
appropriate, and recommendations for improvement relating to identified operational performance, external compliance
and internal control system residual risk.

MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
MEA03.01—Identify external compliance requirements.
On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external
requirements that must be complied with from an IT perspective.
MEA03.02—Optimise response to external requirements.
Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and
contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and
best practice guidance for adoption and adaptation.
MEA03.03—Confirm external compliance.
Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and
contractual requirements.
MEA03.04—Obtain assurance of external compliance.
Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and
methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.
