Lecture notes
Digital risk & security summary
Notes from the lectures. You may bring the summary to the exam!
Published on: 8 March 2024
Number of pages: 149
Written in: 2022/2023
Type: Lecture notes
Professor(s): Dirk Steuperaert
Contains: All classes
Digital risk and security
Contents
1. Introduction................................................................................................................................................. 4
1.1 Risk a short introduction ....................................................................................................................... 4
1.2 Risk management – context .................................................................................................................. 6
Risk- the big picture................................................................................................................................. 6
IT governance definitions ........................................................................................................................ 7
2. Risk & security Standards and Frameworks ................................................................................................ 8
2.1 Risk & security references: Terminology and definitions .................................................................... 17
2.2 Risk & security issues are real .............................................................................................................. 20
2.4 Risk & security references: A risk ontology: FAIR (Factor Analysis of Information Risk) ...................... 22
3. COBIT 2019 refresher ............................................................................................................................ 27
3.1 COBIT as an I&T framework .................................................................................................................. 28
3.2 COBIT 2019 product architecture........................................................................................................ 30
3.2 Designing a tailored governance system: impact of design factors ................................................ 46
3.3 Designing a tailored governance system: Governance System Design Workflow ......................... 47
3.4 Performance management overview .................................................................................................. 53
Process performance: capability level................................................................................................... 54
Organisational structure performance management ........................................................................... 55
3.5 Information quality management ....................................................................................................... 57
4. The risk function and the security function .......................................................................................... 59
Practical COBIT Guidance for Risk & Security Management ................................................................. 59
4.1. The risk function ................................................................................................................................. 60
4.1.1. COBIT 2019 Governance Component Organisational structures ................................................ 60
4.1.2. COBIT 2019 Governance Component: Supporting Processes ..................................................... 61
4.1.3. COBIT 2019 Governance Component: Culture, Ethics & Behaviour ........................................... 62
4.1.5. COBIT 2019 Governance Component: Information .................................................................... 67
4.1.6. COBIT 2019 Governance Component: Services, Infrastructure, Applications ........................... 68
4.1.6. COBIT 2019 Governance Component: People, Skills & Competences ...................................... 69
4.2. The security function .......................................................................................................................... 71
4.2.1. COBIT 2019 Information Security FA – Information Security Organisational Structures ........... 71
4.2.2. COBIT 2019 Information Security FA – Information Security Specific Organisational Structures - CISO ....................................................................................................................................................... 72
4.2.3. COBIT 2019 Information Security FA – Information Security Specific Organisational Structures ............................................................................................................................................................... 73
4.2.4. COBIT 2019 Information Security FA – Information Security: Processes .................................... 74
4.2.5. COBIT 2019 Information Security FA: Culture, Ethics & Behaviour............................................. 76
4.2.6. COBIT 2019 Information Security FA: Information...................................................................... 79
4.2.7. COBIT 2019 Information Security FA: Services ............................................................................ 80
5. Risk Governance .................................................................................................................................... 82
COBIT 2019 – EDM03: Ensure Risk Optimisation ...................................................................................... 82
SFIA V7 – responsibility levels ............................................................................................................... 86
COBIT 2019 – EDM03: Ensure Risk Optimisation SFIA V7 – BURM (Business Risk Management) ....... 86
COBIT 2019 – EDM03 – Ensure Risk Optimisation ................................................................................. 87
5.1. Risk taxonomy .............................................................................................................................. 87
5.1.1. Risk taxonomy: expressing and describing risk .................................................................... 87
5.1.2. Quantitative vs qualitative ................................................................................................... 87
5.1.3. Frequentist vs Bayesian views ............................................................................................. 88
5.1.4. A simple view?...................................................................................................................... 89
5.1.5. Example sets of business impact criteria ............................................................................. 89
5.2. Risk taxonomy, risk appetite, risk capacity................................................................................... 93
5.2.1. Definitions risk appetite – tolerance- capacity..................................................................... 93
5.2.2. Risk map & risk appetite....................................................................................................... 94
6. Risk management .................................................................................................................................. 95
6.1. Risk management process ............................................................................................................ 95
6.1.1. APO12: Managed risk ............................................................................................................ 95
6.1.2. SFIA V7 – responsibility levels .............................................................................................. 99
6.1.3. COBIT 2019 – APO12: Managed Risk SFIA V7 – INAS (Information Assurance) .................. 99
7. Risk identification ................................................................................................................................ 102
7.1. Risk scenarios.............................................................................................................................. 102
7.1.1. COBIT 2019 – Components of risk scenarios...................................................................... 102
7.1.2. COBIT (and FAIR) risk scenarios .......................................................................................... 104
7.1.3. COBIT 2019 Risk scenario categories ................................................................................. 104
7.1.4. FAIR risk scenarios .............................................................................................................. 106
7.2. Generic guidance on working with risk scenarios ...................................................................... 107
Risk scenario guidance (1) ................................................................................................................... 107
Risk scenario guidance (2) ................................................................................................................... 107
Risk scenario guidance (3) ................................................................................................................... 107
Risk scenario guidance (4) ................................................................................................................... 108
Risk scenario guidance (5) ................................................................................................................... 108
Risk scenario guidance (6) ................................................................................................................... 109
Risk scenario guidance (7) ................................................................................................................... 109
Risk scenario guidance (8) ................................................................................................................... 110
Risk scenario guidance (9) ................................................................................................................... 110
8. Risk analysis ......................................................................................................................................... 112
8.1. Qualitative risk analysis ................................................................................................................... 113
8.1.1. Risk analysis flow ........................................................................................................................ 113
8.2.2. Some examples .................................................................................................................. 114
8.2. Quantitative risk analysis ............................................................................................................ 120
8.2.1. Measuring risk .................................................................................................................... 120
8.2.2. Calibration .......................................................................................................................... 121
8.2.3. The risk analysis process in FAIR ........................................................................................ 123
Tools .................................................................................................................................................... 128
8.3. Risk aggregation ......................................................................................................................... 129
9. Risk response ....................................................................................................................................... 133
9.1. Risk response options ....................................................................................................................... 134
9.1.1. Risk response parameters .......................................................................................................... 136
9.1.2. Risk response: mitigation (COBIT 2019) ................................................................................... 136
9.2. Business case for risk response .................................................................................................. 139
9.3. Risk reporting/communication ................................................................................................... 141
9.3.1. Components of I&T risk communication............................................................................ 142
9.3.2. Quality requirements for I&T risk reporting ...................................................................... 143
9.4. Examples of risk related information items ............................................................................... 145
9.4.1. Risk profile .......................................................................................................................... 145
9.4.2. Risk factors ......................................................................................................................... 145
9.4.3. Inputs/outputs APO12 ........................................................................................................ 146
9.5. Key risk indicators ....................................................................................................................... 146
9.5.1. Key risk indicators – definition ........................................................................................... 146
9.5.2. Leading and lagging indicators ........................................................................................... 147
9.5.3. Selection criteria ................................................................................................................ 147
9.5.4. Key risk indicators benefits ................................................................................................ 148
9.5.5. Challenges for key risk indicators ....................................................................................... 148
9.5.6. Sources of KRIs .................................................................................................................... 149
1. Introduction
1.1 Risk: a short introduction
Risk is one of those things that many people define in different ways. Things will happen (you don't know
what, when, or with what impact), but you can't just stay home because bad things might happen: even though
there are risks, the enterprise still has to complete its mission.
Risk is about uncertainty:
➢ Uncertainty over
o What is going to happen?
o When is it going to happen?
o How big the impact will be?
➢ Yet, organisations need to manage this uncertainty, because:
o NOT travelling the road is not an option
o Risk should not distract us from our goals…
Highly publicised risks are not always the most important ones; there is a need for a consistent and systematic
overview of all risks.
The real cause of the problem is quite important.
➢ Need for a method for consistently analysing risk down to root cause
➢ Need for a mechanism to distinguish small from big risk
➢ If we quantify risk, we need solid methods and reliable data to do so
Risk relates to objectives
➢ Example: if your objective is to cross a bridge safely and stay dry, there is a lot of risk;
but if the objective is to have fun, there probably won't be a lot of risk
Detectability
➢ You know what to look for, i.e. what constitutes risk for you and what not…
o In other words: what are the relevant risk scenarios for your organisation?
➢ Once known, risk can be analysed, controls can be implemented, and monitoring can be applied to
recognise when a risk materialises and to respond as appropriate
You have to be able to detect risk: you have to know what can happen and what to look for. Only
then can you see how bad the risks are and take countermeasures.