Fundamentals of Information Security Risk Management Auditing
eBook - ePub

An introduction for managers and auditors

  1. 161 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

For any modern business to thrive, it must assess, control and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterprise's risk management strategy, not in isolation. They must be identified, documented, assessed and managed, and assigned to risk owners so that they can be mitigated and audited.

Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists.

Product overview

Fundamentals of Information Risk Management Auditing – An Introduction for Managers and Auditors has four main parts:

  • What is risk and why is it important?

    An introduction to general risk management and information risk.

  • Introduction to general IS and management risks

    An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity and availability of information.

  • Introduction to application controls

    An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely.

  • Life as an information risk management specialist/auditor

    A guide for those considering, or undergoing, a career in information risk management.

Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls.

Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses.

The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to.

Topics covered

Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defence; change management; service management; disaster planning; frameworks and approaches, including Agile, COBIT®5, CRAMM, PRINCE2®, ITIL® and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301 and ISO 38500; the UK Government's Cyber Essentials scheme; IT security controls; and application controls.

Contents

Part I: What is risk and why is it important?

Chapter 1: Risks and controls
Chapter 2: Enterprise risk management (ERM) frameworks
Chapter 3: Risk management assurance and audit
Chapter 4: Information risks and frameworks

Part II: Introduction to general IT and management risks

Chapter 5: Overview of general IT and management risks
Chapter 6: Security and data privacy
Chapter 7: System development and change control
Chapter 8: Service management and disaster planning

Part III: Introduction to Application controls

Chapter 9: Overview of application controls (Integrity)

Part IV: Life as an Information Risk Management specialist

Chapter 10: Planning, running and reviewing information risk management assignments
Chapter 11: Personal development and qualifications

About the author

Christopher Wright is a qualified accountant, Certified Information Systems Auditor and Certified ScrumMaster™ with over 30 years' experience providing financial and IT advisory and risk management services. For 16 years, he worked at KPMG, where he was head of information risk training in the UK and also ran training courses overseas, including in India and throughout mainland Europe. He managed a number of major IS audit and risk assignments, including project risk and business control reviews. He has worked in a wide range of industry sectors including oil and gas, the public sector, aviation, and travel. For the past eight years, he has been an independent consultant specialising in financial, SOX and operational controls for major ERP implementations, mainly at oil and gas/utilities enterprises.

He is an international speaker and trainer on Agile audit and governance, and is the author of two other titles, also published by ITGP: Agile Governance and Audit and Reviewing IT in Due Diligence.

Fundamentals series

Fundamentals of Information Risk Management Auditing is part of the Fundamentals Series, co-published by IT Governance Publishing and Information Security Buzz.



PART I: WHAT IS RISK AND WHY IS IT IMPORTANT?
CHAPTER 1: RISKS AND CONTROLS
Overview
Before considering information risk, we need to understand the basic concepts of risks and how they can be managed. This will put the management of specific IT risks into context and also improve our communication with other risk management professionals. Following financial and other business scandals and crises, there has been an increased focus on risk – a whole industry has been created around the Sarbanes-Oxley Act, impacting US based companies. It has also become an area for academics and standard setters.
In this chapter we will consider:
• What is risk?
• Management of risk
• Risk awareness and identification
• Assessing and monitoring risk
• Responding to risk.
At the end of the chapter there is a summary of the key points.
What is risk?
Risks are all around us. They are part of everyday life – whether we are walking to the shops or climbing Mount Everest. When the first caveman left the shelter of the cave there was a risk of accident, or wild animals, or even other cavemen. We deal with risks all of the time, often without even thinking about them. Some are small – some are huge. There is a saying where I come from that roughly translates as “He who makes no mistakes makes nothing”. In other words, without risk there can be no endeavour. Columbus could just have said – “But I might fall off the edge of the world, or die of starvation, or get attacked by wild animals or natives – I think I will stay at home”. But instead he weighed the risks, took reasonable steps to reduce them and went anyway. The same could be said of the early IT pioneers. They could have simply decided the risks were too great and just not bothered to invent computers, the Internet, etc. Apple, Facebook and Google are all examples of global IT-based organisations founded by a few people willing to take managed risks.
Risks are not certainties. They may not happen. But if they do, they will have consequences. Take space flight for example, if the early pioneers had sat down and listed all of the things that could go wrong, no one would have left Earth’s orbit. Instead, they took a more pragmatic approach, reducing risk where they could, based on their existing knowledge, and then adapting as they learnt lessons and became aware of the major risks.
We could say all new exploration stops (event) because of a fear of risk (trigger) and therefore we do not achieve new inventions or developments (consequence).
Management of risk
Risk management is big business. Consider, for example, the number and size of security companies, health and safety, police, fire, insurance, military, audit and of course information risk specialists. When you look at each of these there are a number of common themes in how they deal with risk:
• Identify threats thereby raising awareness of risk and its consequences.
• Have frameworks for assessing risk.
• Have response mechanisms for reducing risk to an acceptable level.
• Establish monitoring arrangements to see if the risk impacts, or if new risks arise.
Risk identification and awareness
Risk awareness comes from experience and learning. Whenever there is a major disaster we have an opportunity to learn and take different future actions. For example, the sinking of the Titanic led to an awareness of the need for more lifeboats on ships. The discovery that the wrongly shaped windows on the Comet aircraft caused metal fatigue when the airframe was under stress led to fewer air crash incidents.
We all have a different appetite for the risks we are willing to take. If this were not the case, there would be no gambling – as this depends on odds being set based on each of our perceptions of risk and reward. If we all felt the same, we may all want to back the same horse or dog. Or conversely, we could live in a world where everyone gambles recklessly, undertakes dangerous activities without any safety devices, or disappears up the Amazon basin!
In practice, we all have our own level of risk appetite. This will be based on personal experience, our life/financial situation, etc. Unlike risk likelihood/probability and impact it is difficult, if not impossible, to place a metric onto risk appetite. It is a very subjective matter and is not fixed, as it can change as a person or an organisation matures. The risk appetite for an entity will largely be defined from the Board and communicated down. If it is not, the organisation may be taking too little or too much risk to achieve the objectives set by management. Management need to set strategic, financial and operational parameters which provide the decision makers within the organisation with a good steer as to how much risk is acceptable. In addition to experience and situation, external factors will also influence appetite, for example the fiscal and regulatory/compliance framework the entity operates in, and economic and political factors, will all have an influence. Audit has an important role in challenging management’s risk appetite – acting as a check and balance. Similarly, IT audit holds IT management (and the business) to account, in its use of IT.
Documenting risks
There are a number of ways we can state risks. The one I prefer and will use throughout this book, is that something could happen due to an incident that has implications, or:
<Event><trigger><consequence>
For example, there is a risk:
• I may get an electric shock (‘event’) if I put a metal screwdriver into a power socket (‘trigger’) and so I will die (‘consequence’); or
• a hacker could gain access to my bank account (‘event’) because I am not careful with my passwords (‘trigger’) and so I will lose most of my savings (‘consequence’); or
• I may have a virus on my computer (‘event’), if I switch off my antivirus software (‘trigger’), and so I could lose my important data and files (‘consequence’).
Whilst being simple, this approach provides consistency and clarity – the reader can immediately see why the risk is important. I often see risks written as statements, such as:
• Lose customers
• Get prosecuted for health and safety
• Get fined for breaking data protection.
In each of the above examples, the definition is too general; it does not say why this event may occur, the specific nature of the event, or what will happen as a result. The risk definition should answer the questions ‘How?’, ‘Why?’ and ‘So what?’. It should be brief, no more than a couple of sentences. It should, however, provide enough information to enable analysis and evaluation of the risk.
Some methodologies consider risk as positive as well as negative – i.e. a risk can be an opportunity as well as a threat. When we look at this format <event><trigger><consequence> we could apply it to opportunities as well as risks. For example, “If I bet on the 3.30 pm race, the horse I back may win, therefore I will be able to buy myself a treat”. Just like risks, there is uncertainty of outcome, but we are expressing what could happen.
Within IT projects, risks can be positive as well as negative. For example, if we launch a new website there is a risk that it may be more popular than we expected, leading to a quick return on investment/achievement of business benefits. This may lead to a need to move to the next phase of the website faster than originally intended.
Assessing and monitoring risk
The first consideration is what risks are relevant to the situation being considered. This sounds obvious but I have reviewed many risk frameworks that have simply looked at the wrong risks. The risk may be real but might not have any consequence or specific impact on what we are trying to achieve. For example – the end of the world as we know it could be a real risk. But I don’t really need to consider this if I am trying to perform a risk assessment for going to the shops, or launching a new product, or embarking on a new software project.
Risk assessments may be performed at a number of different levels. The Board, or top management of the organisation, for example, may be interested in strategic risks...