
Class notes

Digital risk & security summary


Lesson notes. You can bring the summary to the exam!

Preview 4 out of 149  pages

  • March 8, 2024
  • 149
  • 2022/2023
  • Class notes
  • Dirk Steuperaert
  • All classes
Digital risk and security
Contents
1. Introduction
1.1 Risk: a short introduction
1.2 Risk management – context
Risk – the big picture
IT governance definitions
2. Risk & security standards and frameworks
2.1 Risk & security references: terminology and definitions
2.2 Risk & security issues are real
2.4 Risk & security references: a risk ontology: FAIR (Factor Analysis of Information Risk)
3. COBIT 2019 refresher
3.1 COBIT as an I&T framework
3.2 COBIT 2019 product architecture
3.2 Designing a tailored governance system: impact of design factors
3.3 Designing a tailored governance system: Governance System Design Workflow
3.4 Performance management overview
Process performance: capability level
Organisational structure performance management
3.5 Information quality management
4. The risk function and the security function
Practical COBIT Guidance for Risk & Security Management
4.1. The risk function
4.1.1. COBIT 2019 Governance Component: Organisational structures
4.1.2. COBIT 2019 Governance Component: Supporting Processes
4.1.3. COBIT 2019 Governance Component: Culture, Ethics & Behaviour
4.1.5. COBIT 2019 Governance Component: Information
4.1.6. COBIT 2019 Governance Component: Services, Infrastructure, Applications
4.1.6. COBIT 2019 Governance Component: People, Skills & Competences
4.2. The security function
4.2.1. COBIT 2019 Information Security FA – Information Security Organisational Structures
4.2.2. COBIT 2019 Information Security FA – Information Security Specific Organisational Structures - CISO
4.2.3. COBIT 2019 Information Security FA – Information Security Specific Organisational Structures
4.2.4. COBIT 2019 Information Security FA – Information Security: Processes
4.2.5. COBIT 2019 Information Security FA: Culture, Ethics & Behaviour
4.2.6. COBIT 2019 Information Security FA: Information
4.2.7. COBIT 2019 Information Security FA: Services
5. Risk Governance
COBIT 2019 – EDM03: Ensure Risk Optimisation
SFIA V7 – responsibility levels
COBIT 2019 – EDM03: Ensure Risk Optimisation SFIA V7 – BURM (Business Risk Management)
COBIT 2019 – EDM03 – Ensure Risk Optimisation
5.1. Risk taxonomy
5.1.1. Risk taxonomy: expressing and describing risk
5.1.2. Quantitative vs qualitative
5.1.3. Frequent vs Bayesian views
5.1.4. A simple view?
5.1.5. Example sets of business impact criteria
5.2. Risk taxonomy, risk appetite, risk capacity
5.2.1. Definitions: risk appetite – tolerance – capacity
5.2.2. Risk map & risk appetite
6. Risk management
6.1. Risk management process
6.1.1. APO12: Managed Risk
6.1.2. SFIA V7 – responsibility levels
6.1.3. COBIT 2019 – APO12: Managed Risk SFIA V7 – INAS (Information Assurance)
7. Risk identification
7.1. Risk scenarios
7.1.1. COBIT 2019 – Components of risk scenarios
7.1.2. COBIT (and FAIR) risk scenarios
7.1.3. COBIT 2019 Risk scenario categories
7.1.4. FAIR risk scenarios
7.2. Generic guidance on working with risk scenarios
Risk scenario guidance (1)
Risk scenario guidance (2)
Risk scenario guidance (3)
Risk scenario guidance (4)
Risk scenario guidance (5)
Risk scenario guidance (6)
Risk scenario guidance (7)
Risk scenario guidance (8)
Risk scenario guidance (9)
8. Risk analysis
8.1. Qualitative risk analysis
8.1.1. Risk analysis flow
8.2.2. Some examples
8.2. Quantitative risk analysis
8.2.1. Measuring risk
8.2.2. Calibration
8.2.3. The risk analysis process in FAIR
Tools
8.3. Risk aggregation
9. Risk response
9.1. Risk response options
9.1.1. Risk response parameters
9.1.2. Risk response: mitigation (COBIT 2019)
9.2. Business case for risk response
9.3. Risk reporting/communication
9.3.1. Components of I&T risk communication
9.3.2. Quality requirements for I&T risk reporting
9.4. Examples of risk related information items
9.4.1. Risk profile
9.4.2. Risk factors
9.4.3. Inputs/outputs APO12
9.5. Key risk indicators
9.5.1. Key risk indicators – definition
9.5.2. Leading and lagging indicators
9.5.3. Selection criteria
9.5.4. Key risk indicators benefits
9.5.5. Challenges for key risk indicators
9.5.6. Source of KRIs




1. Introduction
1.1 Risk: a short introduction

Risk is one of those things that many people define in different ways. Things will happen (you don't know
what, when, or with which impact), but you can't just stay home because bad things will happen (even though
there are risks, the enterprise still has to complete its missions).

Risk is about uncertainty:

➢ Uncertainty over
o What is going to happen?
o When it is going to happen?
o How big the impact will be?
➢ Yet, organisations need to manage this uncertainty, because:
o NOT travelling the road is not an option
o Risk should not distract us from our goals…

Highly publicised risk is not always the most important risk; there is a need for a consistent and systematic
overview of all risks.

The real cause of the problem is quite important.

➢ Need for a method for consistently analysing risk down to root cause
➢ Need for a mechanism to distinguish small from big risk
➢ If we quantify risk we need solid methods and reliable data to do so

Risk relates to objectives

➢ Example: if you want to cross a bridge safely and dry, there is much risk.
But if the objective is to have fun, there probably won't be a lot of risk.

Detectability

➢ You know what to look for, i.e. what constitutes risk for you and what not…
o In other words: what are the relevant risk scenarios for your organisation?
➢ Once known, risk can be analysed, controls can be implemented, monitoring is applied to
recognise risk occurrence and to respond as appropriate

You have to be able to detect risk: you have to know what can happen and what to look for. Only
then can you see how bad the risks are and take countermeasures.


Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller merelpeeraer. Stuvia facilitates payment to the seller.
