ISACA Unveils New Risk Mgt. FrameworkCOBIT 5 for Risk Features 20 Scenarios
ISACA has issued a new information risk management framework - COBIT 5 for Risk - that provides 20 risk scenario categories to help organizations to better mitigate risk.
"Those risk scenarios can be used by risk practitioners to help guide and direct risk management activity that they need to take," says Steven Babb, chair of the COBIT 5 for Risk Task Force.
ISACA is an independent, not-for-profit association that develops industry practices and guidance to manage, secure and govern information systems.
COBIT 5 for Risk replaces ISACA's Risk IT Framework, published in 2009. It includes guidance on how COBIT 5 supports risk management and governance and how to establish and maintain an effective risk function based on COBIT's seven enablers:
- Principles, policies and frameworks;
- Organizational structures;
- Culture, ethics and behavior;
- Services, infrastructure and applications;
- People, skills and competencies.
Useful Risk Scenarios
The 20 risk scenarios that help users gain a better handle on managing risk are a defining feature of COBIT 5 for Risk. The scenarios include more than 100 risk types, such as employee sabotage and theft, data breaches, disclosure of sensitive information through social media, industrial espionage and support for innovation.
Each scenario identifies positive and negative situations surrounding a risk type. Take, for instance, the risk scenario that deals with regulatory compliance. Among the negative situations the ISACA guide identifies is the impact on an operational IT environment caused by an unawareness of potential regulatory changes. A positive scenario describes an enterprise that establishes a legal and compliance department to track regulatory changes to generate business value.
Another risk scenario, on malware, identifies negative risk types as a disgruntled employee who implements a time bomb that leads to data loss or the pilfering of company data through a phishing attack. A positive example outlines an IT infrastructure appropriately protected behind firewalls and that continuously monitors its IT systems for vulnerabilities.
It's up to each organization to decide how to use these scenarios to build its own information risk management processes. "It provides a very good starting point for implementing risk management," says Babb, who is head of governance, risk and assurance at Betfair Group, a British Internet betting exchange.
ISACA says the guide is intended to help risk professionals incorporate IT risk into enterprise risk management; help IT and business managers understand how to communicate IT risk to business decision makers; and help boards of directors and senior executives to understand the implications of IT risk on the enterprise's strategic goals.
The new framework is designed for organizations at any level of risk management maturity, Babb says. "It's making sure that you right-size it for the size of organization you're working within," he says.
Dwayne Melancon, chief technology officer at Tripwire, a provider of risk management software, says COBIT 5 for Risk should prove more useful than the document it replaces by providing more prescriptive guidance on how to implement an information risk framework. Still, he says, the new guide remains a bit abstract for those "not baked in" to the risk management world.
"Big organizations - insurance companies, banks, companies like that, which have risk managers - will probably be fine with it," Melancon says. "But when you get down into small- and medium-size businesses, they don't have a risk practitioner [on staff]. It will still be hard for them to adopt [the framework]. They'll end up hiring a consultant to help guide them through the process. At least the needle is moving in the right direction with the work that ISACA is doing."
COBIT, an acronym for Control Objectives for Information Related Technology, is a framework created by ISACA for information technology management and IT governance. Version 5 is the latest rendition of COBIT that allows managers to bridge the gap between control requirements, technical issues and business risks (see COBIT 5 for Security: What You Need to Know). COBIT 5 for Risk is the latest add-on document. ISACA published COBIT 5 for Information Security last December and COBIT 5 for Assurance in June (see 3 Cybersecurity Game Changers).