
ISRM Short notes

Viraj Dissanayake

Enterprise risk management

- Financial risk
- Information management risk
- Other

Risk management process (5-step process)

- Identification
- Qualitative analysis
- Quantitative assessment
- Response planning
- Monitoring & controlling

Risk = impact × probability

Proximity – the imminence of the risk (how soon it could occur); to be taken into consideration alongside impact and probability

Standard levels of response

- Avoid
- Mitigate
- Transfer
- Defer
- Accept

GRC
Governance – management level
Risk management – mitigating risk
Compliance – rules and regulations

IT governance
Requirements
o Appropriate structure
o Placing processes in a planned manner
o Proper communication
o Accountability
IT risk management
Requirements
o Operational approach
o Technology
o Partnering
IT compliance
Objectives

o Corporate compliance
o Best practice
o Legal

COBIT – A framework, developed by ISACA, that guides the fulfilment of IT governance responsibilities

COBIT 5 principles

- Meeting stakeholder needs
- Covering the enterprise end to end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management

FISMA (Federal Information Security Management Act) – An act implemented to protect federal information systems; its purpose is to protect critical information infrastructure

NIST (National Institute of Standards & Technology)

NIST SP 800-39 – Managing information security risk

Objectives
o Establishing an appropriate governance structure
o Conducting the risk management process across three tiers
o Fostering an organizational climate (risk-aware culture)
o Targeting individuals with risk-related responsibilities

Target audience
- Oversight responsibility for risk management – CEO
- Responsibility for conducting organizational missions/business functions – manager
- Information security oversight, management and operational responsibilities – CIO, CISO
- Information security assessment and monitoring responsibilities – evaluators, auditors
- Responsibility for acquiring information technology products, services or information systems – procurement officer
- Information system/security design, development and implementation responsibilities – architect, program manager

Security life cycle of NIST SP 800-39

- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor

Three tiers

- Organization (governance)
- Business process
- Information system

Components (tasks) of NIST SP 800-39

- Frame
- Assess
- Respond
- Monitor

ISO COSO

ISO 27005 – Information security risk management

The standard does not specify, recommend or even name any particular risk management method

Steps in ISO 27005

1 – Context establishment (defines scope, risk tolerance level, policies)
2 – Risk assessment (identify, analyze and evaluate risks; determine likelihood)
- Risk analysis
  o Risk identification
  o Risk estimation
- Risk evaluation
3 – Risk treatment & acceptance (apply security controls, share risk, accept or avoid risk)
4 – Risk monitoring & review

Risk treatment (proceed only once the risk assessment is judged satisfactory)

- Reduction
- Retention
- Avoidance
- Transfer

Residual risk – the risk remaining after a risk treatment option has been applied

ISO 31000 – Enterprise risk management; applicable to many areas of business

Uses the same risk management process as ISO 27005

COSO risk management framework (Committee of Sponsoring Organizations)

The COSO ERM cube consists of business objectives, ERM components and business structure

Management develops a portfolio view of risk from two perspectives

- Business unit level
- Entity level

Entity objectives of the ERM framework

- Strategic
- Operations
- Reporting
- Compliance

There are 8 components in the COSO ERM framework

1) Internal environment – establishes the entity's philosophy regarding risk management
2) Objective setting – forms the risk appetite of the entity
3) Event identification – differentiates risks from opportunities
4) Risk assessment – assesses risk from the perspective of impact and likelihood
5) Risk response – identifies and evaluates possible responses to risk
6) Control activities – policies and procedures
7) Information & communication
8) Monitoring – ongoing monitoring, separate evaluations

Quantitative risk analysis – assigns monetary values to individual components

Advantages of quantitative analysis

- Objectivity
- Easy to present the results
- Direct cost projection

Quantitative analysis mathematical techniques - Bayesian, fuzzy logic, fault tree
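The following is an added worked example, not part of the original notes: a small fault-tree calculator that combines basic-event probabilities through AND/OR gates into a top-event probability, applies Risk = impact × probability to get a monetary risk value, and then re-runs the tree after a "mitigate" treatment to show the residual risk. The event names, probabilities and the 1,000,000 impact figure are constructed for illustration, and the arithmetic assumes the basic events are statistically independent.

```python
# Added example (not from the original notes): fault-tree quantification of
# Risk = impact x probability, including the residual risk after a treatment.
# All event names and probabilities are constructed and assume independence.
import copy
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class BasicEvent:
    """A leaf of the fault tree with an estimated annual probability."""
    name: str
    probability: float


@dataclass
class Gate:
    """AND gates need every input to occur; OR gates fire if any input occurs."""
    name: str
    kind: str  # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Probability of the event at `node`, under the independence assumption."""
    if isinstance(node, BasicEvent):
        if not 0.0 <= node.probability <= 1.0:
            raise ValueError(f"{node.name}: probability must be in [0, 1]")
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        # P(at least one input occurs) = 1 - P(none of them occur)
        none = 1.0
        for p in ps:
            none *= 1.0 - p
        return 1.0 - none
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")


def expected_loss(top: Node, impact: float) -> float:
    """Quantitative risk value: monetary impact x top-event probability."""
    return impact * probability(top)


def with_probability(top: Node, event_name: str, new_p: float) -> Node:
    """Copy of the tree with one basic event re-estimated (models a treatment)."""
    tree = copy.deepcopy(top)

    def update(node: Node) -> None:
        if isinstance(node, BasicEvent):
            if node.name == event_name:
                node.probability = new_p
        else:
            for child in node.inputs:
                update(child)

    update(tree)
    return tree


def build_sample_tree() -> Gate:
    """Constructed example: two independent paths leading to a data breach."""
    return Gate("Customer data breach", "OR", [
        Gate("Credential path", "AND", [
            BasicEvent("Staff member falls for phishing", 0.30),
            BasicEvent("Account has no MFA", 0.50),
        ]),
        Gate("Unpatched service path", "AND", [
            BasicEvent("Internet-facing service left unpatched", 0.20),
            BasicEvent("Working exploit becomes public", 0.25),
        ]),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    impact = 1_000_000.0  # constructed monetary impact of the top event
    print(f"inherent probability:  {probability(tree):.4f}")
    print(f"inherent expected loss: {expected_loss(tree, impact):,.0f}")
    # Treatment "mitigate": enforce MFA, so the no-MFA event drops to 5%
    treated = with_probability(tree, "Account has no MFA", 0.05)
    print(f"residual probability:  {probability(treated):.4f}")
    print(f"residual expected loss: {expected_loss(treated, impact):,.0f}")
```

With the constructed figures the inherent top-event probability is 0.1925 (expected loss 192,500) and, after the MFA treatment, the residual probability falls to 0.06425 (expected loss 64,250). The OR gate uses 1 − ∏(1 − p) rather than a plain sum so that the result stays a valid probability even when several inputs are likely; if the basic events were correlated (for example, the same attacker driving both paths) the independence assumption would understate the risk and a joint estimate would be needed.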

Root cause analysis (RCA) – a method for identifying the root cause of a problem

RCA techniques
- Five whys
- Fishbone diagram

Disaster recovery planning – the process of rebuilding after a disaster

Business continuity planning – the activities required to keep the organization running when normal operations are unavailable

Business continuity can proceed only if the disruption or disaster is a mild one, not a severe one
