Luigi Sbriz, CISM, CRISC, ISO/IEC 27001:2013 LA, ITIL v3, UNI 11697:2017 DPO
Has been the risk monitoring manager at Magneti Marelli for more than four years. Previously, he was responsible for information and communications technology operations and resources in the APAC region (China, Japan, Malaysia) and, before that, was the worldwide information security officer for more than seven years. For internal risk monitoring, he developed the described methodology, merging an operative risk analysis with a consequent risk assessment driven by the maturity level of the processes. Also, he designed the cybermonitoring tool. Sbriz was also a consultant for business intelligence systems for several years. He can be contacted directly at https://it.linkedin.com/in/luigisbriz or his current contact information can be found at http://sbriz.tel.

The Concept

The concept behind this methodology is that the operating rules in an organization are issued to achieve the business objectives and to highlight any issue in opposition to objectives. So, indirectly, evaluating the rules’ enforcement provides a basis for calculating exposure to the risk. In other words, it is similar to an evaluation of vulnerability.

The idea of building an appropriate set of rules is to split the organization into its basic constituent rules—a few hundred rules taken from policies, procedures, contractual constraints, regulations, laws, standards and so on. For each rule selected, it is necessary to assess its current level of implementation, and the assessment is provided by an accountable party or “expert” for that rule. Reassembling the rules, singularly evaluated,
The evaluation of the expected loss makes sense only when the probability of its occurrence is clear. As with other measures, the evaluation of the worst-case scenario is made with a qualitative indicator of likelihood matching a hidden analytics probability (figure 4).

The reason the maturity, loss and likelihood measures are qualitative assessments, not quantitative, is to ensure easier management of the data entry by the end user. The consideration for this decision depends on the events being managed; the events are in the future, so determining a number is tougher than choosing from a small set of qualitative items. How many elements will be adopted (i.e., ternary scale, five-value scale) is not so significant, because a precise estimate is not expected: it is an estimate made by a person for a potential event in the future. It is random enough to not require great precision.

Remediation and Explanation

The assessment of the level of application of the rule cannot miss two further information areas. They are optional when the unit is compliant and mandatory if noncompliance is determined. The first area is a remediation plan, but reduced to the essential. The remediation plan is synthetically summarized according to only two pieces of information: the organizational position having accountability to solve the problem and the period

The second information area is an explanation, and it is always recommended when it is necessary to understand the severity of the issue. Typically, the explanation is addressed to a person (risk analyst, auditor) who does not know the process under evaluation and, for this reason, the explanation must be clear and essential.

Risk Calculation

Several methods can be adopted for the calculation of the risk, but the recommendation is to use the easiest. The method used here avoids complex calculations by enumerating all the possible combinations (Cartesian product)1 of three input parameters (maturity, loss expectancy, likelihood) and assigning a risk level to each. Risk level is the output (figure 5).

The risk function is implemented by a small table: three columns dedicated to the input parameters maturity, loss expectancy and likelihood, while the last column provides the output (risk level). With a SQL SELECT on this table, the risk matrix transforms the maturity assessment into a risk level; this means great flexibility and minimal complexity. The management of the Cartesian product is simple because the logical relationship between maturity/loss/likelihood and the risk level is kept in natural language, and an easy script truncates and repopulates the risk matrix whenever anyone wants to update some risk level.
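The Cartesian-product risk matrix described above, as an added example that is not the article's own tool: master tables hold each qualitative scale with a numeric value (the qualitative/quantitative relationship the article keeps in its risk master file), the maturity/loss/likelihood relationship is written as plain-language rules, a small script truncates and repopulates the matrix over the full product, and a SQL SELECT turns one assessment into a risk level. The scale labels, the rules and the numeric values are constructed assumptions; the article fixes only the structure (three input columns, one output column).

```python
"""Risk matrix as the Cartesian product of three qualitative scales (sqlite3).

Added example, not the article's code. Labels, rules and numeric values are
constructed assumptions; only the four-column matrix shape comes from the article.
"""
import itertools
import sqlite3

# Master tables: qualitative label -> numeric value used for consolidation
# or numerical display (the article's "risk master file" relationship).
MATURITY = [("non compliant", 0), ("partially compliant", 1), ("compliant", 2)]
LOSS = [("low", 1), ("medium", 2), ("high", 3)]
LIKELIHOOD = [("rare", 1), ("possible", 2), ("likely", 3)]
RISK = [("low", 1), ("medium", 2), ("high", 3)]

# The maturity/loss/likelihood -> risk relationship kept in natural language.
# Each line is "<condition>: <risk level>"; the last matching line wins, so the
# list reads from the general case down to the exceptions. Editing this text
# and re-running refresh_matrix() is the whole change procedure.
RULES = """
default: medium
likelihood is rare and loss is low: low
maturity is compliant: low
maturity is non compliant and loss is high: high
maturity is non compliant and likelihood is likely: high
"""


def _matches(condition, maturity, loss, likelihood):
    """True when every 'param is label' clause of the condition holds."""
    if condition == "default":
        return True
    values = {"maturity": maturity, "loss": loss, "likelihood": likelihood}
    for clause in condition.split(" and "):
        param, _, label = clause.partition(" is ")
        if values[param.strip()] != label.strip():
            return False
    return True


def risk_for(maturity, loss, likelihood):
    """Apply the natural-language rules to one combination of inputs."""
    level = None
    for line in RULES.strip().splitlines():
        condition, _, out = line.partition(":")
        if _matches(condition.strip(), maturity, loss, likelihood):
            level = out.strip()
    return level


def refresh_matrix(con):
    """The 'easy script': truncate the matrix and repopulate it from the rules
    over the full Cartesian product. Returns the number of rows written."""
    con.execute("DELETE FROM risk_matrix")
    rows = [(m, l, k, risk_for(m, l, k))
            for (m, _), (l, _), (k, _) in itertools.product(MATURITY, LOSS, LIKELIHOOD)]
    con.executemany("INSERT INTO risk_matrix VALUES (?, ?, ?, ?)", rows)
    con.commit()
    return len(rows)


def build_database():
    """Create the master tables and the risk matrix in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE maturity_master   (label TEXT PRIMARY KEY, value INTEGER);
        CREATE TABLE loss_master       (label TEXT PRIMARY KEY, value INTEGER);
        CREATE TABLE likelihood_master (label TEXT PRIMARY KEY, value INTEGER);
        CREATE TABLE risk_master       (label TEXT PRIMARY KEY, value INTEGER);
        CREATE TABLE risk_matrix (
            maturity TEXT, loss TEXT, likelihood TEXT, risk TEXT,
            PRIMARY KEY (maturity, loss, likelihood));
    """)
    con.executemany("INSERT INTO maturity_master VALUES (?, ?)", MATURITY)
    con.executemany("INSERT INTO loss_master VALUES (?, ?)", LOSS)
    con.executemany("INSERT INTO likelihood_master VALUES (?, ?)", LIKELIHOOD)
    con.executemany("INSERT INTO risk_master VALUES (?, ?)", RISK)
    refresh_matrix(con)
    return con


def lookup_risk(con, maturity, loss, likelihood):
    """The SQL SELECT that turns one assessment into a risk level, returned as
    (qualitative label, numeric value) via a join with the risk master table."""
    row = con.execute("""
        SELECT x.risk, r.value
        FROM risk_matrix x JOIN risk_master r ON r.label = x.risk
        WHERE x.maturity = ? AND x.loss = ? AND x.likelihood = ?
    """, (maturity, loss, likelihood)).fetchone()
    if row is None:  # a label that is not in the master tables
        raise ValueError("unknown combination of inputs")
    return row


if __name__ == "__main__":
    db = build_database()
    for combo in [("compliant", "high", "likely"), ("non compliant", "high", "rare")]:
        print(combo, "->", lookup_risk(db, *combo))
```

Because the lookup is a plain SELECT on a 27-row table, the application never evaluates the rules at query time; a change of policy is a change to RULES followed by one call to refresh_matrix(), which is the flexibility the article credits to this design.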
At any moment, the level of the risk can be viewed either as qualitative data or as numerical data with minimal effort, by use of the risk master file that stores the qualitative/quantitative relationship, the display styles, the labels and the weights for the consolidation. In the same way, the three input parameters are stored in master tables holding all the relationships needed in the calculation or in the presentation of the data, switching between analytical and textual form or vice versa. This enables one on-the-fly inquiry to extract the risk outcomes in terms of value (qualitative/quantitative) and presentation features (i.e., fonts, icons, colors).

Self-Assessment Certification

Basically, the enterprise risk assessment process described here is intended as a self-assessment process. It is organized to gather information at the entity level, involving all the local departments or processes, based on the experience of the managers involved in completing the checklist. Of course, it is necessary to ensure harmonization and control of the answers provided. Recalling the Responsible, Accountable, Supported, Consulted, Informed (RASCI) matrix, there are two additional roles to perform the verification of the self-assessment statements: the certifiers and the auditors.

The certifier is identified in the same working process with respect to the rule considered, but with a role/position at an upper business level, such as the headquarters level, department-head level or similar. The type of check envisaged is an offsite interview (i.e., by email, telephone call, video conferencing) with the local risk assessor, possibly supported by documented information sent by the interviewed person. Any answer provided by the risk assessor can be changed by the certifier. In this case, a suitable flag indicates this change and the answer becomes unchangeable for the risk assessor for a certain period.

The auditor is independent relative to the entity or the working process considered and acts on the complete set of rules directly onsite. Three different kinds of checks can be performed: interview of involved people, analysis of documented information and observation. Like the certifier, the auditor can change any evaluation, which will block data entry for a certain period (a parameter defined in the system) for the local risk assessor and for the risk certifier. See figure 6 for a matrix reflecting the different levels of assessment and certification of the statements.

The assessment provided is kept valid for a fixed period and then automatically placed in the expired status. A good choice for the value of the period is the time interval between one revaluation and the following. The auditing can be split according to whether it has been certified through an interview (trust in the answer) or through an audit, i.e., an independent test (without data prepared by the interviewed person) has taken place.

Integration Between RTP and ERA

Now, it is time to again consider the risk treatment plan (RTP) tool. The work carried out for the issuance of the RTP will not be lost if the information needs to be shared. The framework of both is basically the same but with different levels of detail management; so, it is possible to correlate the risk analysis of one with the other. A logical sequence consists of executing the RTP first and, consequently, all the involved controls in the
enterprise risk assessment (ERA) are fed automatically. Data entry in ERA will be blocked for all its impacted controls.

The conversion relationships RTP/ERA are elevated to the actions list and the risk list; both are one way (figure 7). In the actions list, there is the relationship between the domain of the progress of the actions (PROGRESS) in RTP and the domain of the rating of the maturity level (MATURITY) in ERA. The delayed actions in RTP are evaluated anyway as a single “in progress” value, without distinctions, in ERA.

The actions list also illustrates the relationship between the impact of missing the implementation objectives (IMPACT) in RTP and the expected loss (LOSS) in ERA (figure 8). The granularity of the impact on performance in RTP is less than that of the monetary impact in ERA.

In the risk list in RTP, the probabilities are coded in the same way as in ERA. In contrast, the rating for risk assessment (RISK) in RTP relates to the rating of the maturity level (MATURITY) in ERA (figure 9). The concept of acceptable risk in RTP is equivalent to compliance in ERA, but the impact of a confidentiality, integrity, availability (CIA) objective above the baseline will need further attention.

Even if the concepts are the same, the calculation functions of the risk in RTP and ERA must remain distinct, because the algorithms use logic and weights differently.
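The certification workflow from the Self-Assessment Certification section (assessor answers, certifier or auditor overrides with a flag, a lock period for the lower roles, and automatic expiry after the validity period), as an added example that is not the article's tool. Role names follow the article; the status names, the 90-day lock, the 365-day validity and the scenario dates are constructed assumptions.

```python
"""Self-assessment statement with certifier/auditor overrides, lock and expiry.

Added example, not the article's tool. LOCK_DAYS and VALIDITY_DAYS stand in for
the system parameters the article mentions; their values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ASSESSOR, CERTIFIER, AUDITOR = "assessor", "certifier", "auditor"
RANK = {ASSESSOR: 0, CERTIFIER: 1, AUDITOR: 2}   # who may overrule whom
STATUS = {ASSESSOR: "self-assessed", CERTIFIER: "certified", AUDITOR: "audited"}

LOCK_DAYS = 90        # assumed: how long an overruled answer stays locked
VALIDITY_DAYS = 365   # assumed: interval between one revaluation and the next


class LockedError(Exception):
    """Raised when a role tries to edit a statement a higher role has locked."""


@dataclass
class Statement:
    rule_id: str
    answer: str                          # e.g. "compliant", "partially compliant"
    assessed_on: date
    level: str = ASSESSOR                # highest role that confirmed or set the answer
    changed_by_superior: bool = False    # the "suitable flag" of the article
    locked_until: Optional[date] = None
    history: list = field(default_factory=list)

    def status(self, today):
        """Certification level, or 'expired' once the validity period has elapsed."""
        if today >= self.assessed_on + timedelta(days=VALIDITY_DAYS):
            return "expired"
        return STATUS[self.level]

    def can_edit(self, role, today):
        """A lock blocks every role below the one that last confirmed the answer;
        an expired statement reopens to everyone."""
        if self.status(today) == "expired":
            return True
        if self.locked_until and today < self.locked_until and RANK[role] < RANK[self.level]:
            return False
        return True

    def record(self, role, answer, today):
        """Record an answer from the given role, enforcing the lock rules."""
        if not self.can_edit(role, today):
            raise LockedError(f"{role} may not change {self.rule_id} before {self.locked_until}")
        if self.status(today) == "expired":
            # a new evaluation cycle starts: flag, lock and level are cleared
            self.changed_by_superior, self.locked_until, self.level = False, None, ASSESSOR
        self.history.append((today, role, self.answer, answer))
        if role == ASSESSOR:
            self.answer, self.assessed_on, self.level = answer, today, ASSESSOR
            return
        # certifier or auditor: confirming keeps the answer; overruling sets the
        # flag and locks the statement for the lower roles for LOCK_DAYS
        if answer != self.answer:
            self.answer = answer
            self.changed_by_superior = True
            self.locked_until = today + timedelta(days=LOCK_DAYS)
        if RANK[role] > RANK[self.level]:
            self.level = role
        self.assessed_on = today


def try_record(stmt, role, answer, today):
    """Attempt a change; True if accepted, False if the lock rejected it."""
    try:
        stmt.record(role, answer, today)
        return True
    except LockedError:
        return False


def run_scenario():
    """Walk one statement through self-assessment, certification, audit, lock and expiry."""
    s = Statement("R-017", "compliant", date(2024, 1, 10))   # constructed rule id
    out = {"initial": s.status(date(2024, 1, 10))}
    # offsite interview: the certifier overrules the local risk assessor
    s.record(CERTIFIER, "partially compliant", date(2024, 1, 15))
    out["after_certifier"] = s.status(date(2024, 1, 15))
    out["flag_set"] = s.changed_by_superior
    out["assessor_blocked"] = not try_record(s, ASSESSOR, "compliant", date(2024, 2, 1))
    # onsite audit: the auditor changes the evaluation, blocking the certifier too
    s.record(AUDITOR, "non compliant", date(2024, 2, 20))
    out["after_auditor"] = s.status(date(2024, 2, 20))
    out["certifier_blocked"] = not s.can_edit(CERTIFIER, date(2024, 3, 1))
    out["assessor_free_after_lock"] = s.can_edit(ASSESSOR, date(2024, 6, 1))
    # the validity period elapses: the statement expires and reopens
    out["before_expiry"] = s.status(date(2025, 2, 1))
    out["after_expiry"] = s.status(date(2025, 3, 1))
    s.record(ASSESSOR, "compliant", date(2025, 3, 1))
    out["new_cycle"] = s.status(date(2025, 3, 1))
    out["flag_cleared"] = not s.changed_by_superior
    out["changes"] = len(s.history)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The lock is keyed on the rank of the role that last confirmed the answer, so a certifier's override blocks only the assessor while an auditor's override blocks both lower roles, matching the article's description; the history list keeps every change with its author and date, which is what a reviewer needs to reconcile self-assessed and verified answers later.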
Risk Monitoring Used for the Internal Audit Plan

Periodically, the internal audit process needs to issue a new plan to audit the entities. Prioritization of the entities to be visited is answered by using the

Each a_i is a component of the auditability and w_i its weight. Evaluating the auditability index (figure 14) for each entity and sorting it from highest to lowest will provide the list of eligible candidates, with those to audit on top. The decision of how many and which indicators to use depends on the type of business and the risk analyses. A good heuristic is to choose an indicator for each critical factor identified in the achievement of the business objectives. The following example shows the 12 critical factors evaluated using, partially or totally, specific groups of ERA controls.

Two indicators show the impact of the relationship with ERA. The first indicator (called untrusted ERA) is fully based on the ERA outcomes but with a different perspective on the maturity level. An indicator of confidence in risk assessments has to treat in the same way the case where all is declared perfect (but without evidence) and the case where all is declared wrong (but without a remediation plan). These answers are more worrying than situations of declared issues with a remediation plan (a negative situation, but supposedly under control). In other words, there is more confidence in situations where problems are faced than in situations without declaration of problems or with unaddressed problems.

This concept is represented by higher scores for distrust situations and lower for others. The answers are, consequently, also weighted according to whether they are certified or audited compared to those that are only self-assessed. So, the outcome is an indicator of distrust obtained by applying a formula with a different logic than the maturity level. This is easily possible by changing only the weights used for each rating in the calculation algorithm and nothing else.

As a second example of an indicator impacted by the ERA process, consider the measure of the level of insecurity of the data (figure 15). It is similar to the indicator of the information security level, but is obtained with a different logic.

Both are obtained by mixing information from ERA to build the evaluation of a few ISO 27001 controls, plus information gathered by the mapping of the
entity (e.g., operative information from RTP). The outcome could look strange if both turn out quite high, but there are two different types of logic. Information security is a formal evaluation of compliance of the controls applied to data protection. Data insecurity is the lack of confidence in the consistency of the answers used in the information security KPI evaluation. In the example, an inconsistency is a declaration that the business impact analysis (BIA) is compliant when the parameter Maximum Tolerable Downtime (MTD) is missing. It is a clear indication of distrust in the answers; there is no trust in an analysis when the main parameter addressed by the analysis itself is missing.

repeatedly required same data (for different frameworks), and only the right people are involved (i.e., those who deal with the topic operationally in their working position).

Other significant benefits include the ease of managing the structure without a post-process to realign the database, and the absence of massive training of risk assessors (self-explanatory forms tailored to daily work). The people involved have to evaluate only their own job, and this contributes quality to the answers gathered. Of course, many people are involved, but only for a very small activity consistent with their own work.
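The two indicators built on ERA data (the untrusted-ERA distrust score obtained from the maturity algorithm by swapping only the weights, and the data-insecurity check that flags a BIA declared compliant while MTD is missing), together with the auditability index that ranks entities for the audit plan, as an added example that is not the article's tool. The answer categories, every weight, the consistency rule list, the three sample entities and the use of three components instead of the article's 12 critical factors are constructed assumptions; only the logic (higher scores for distrust situations, less weight for certified or audited answers, a weighted sum of components) comes from the article.

```python
"""Untrusted-ERA indicator, data-insecurity check and auditability ranking.

Added example, not the article's tool. Categories, weights, the consistency
rule and the sample entities are constructed assumptions.
"""

# An ERA answer is reduced to a category that merges the rating with the
# presence of evidence or of a remediation plan, plus its verification level.
COMPLIANT_WITH_EVIDENCE = "compliant, evidence"
COMPLIANT_NO_EVIDENCE = "compliant, no evidence"
ISSUE_WITH_PLAN = "issue, remediation plan"
ISSUE_NO_PLAN = "issue, no remediation plan"

# Same algorithm, two weight sets. Maturity rewards compliance; distrust scores
# "all perfect without evidence" and "all wrong without a plan" highest and
# "issue with a plan" (negative but under control) low.
MATURITY_WEIGHTS = {COMPLIANT_WITH_EVIDENCE: 1.0, COMPLIANT_NO_EVIDENCE: 1.0,
                    ISSUE_WITH_PLAN: 0.0, ISSUE_NO_PLAN: 0.0}
DISTRUST_WEIGHTS = {COMPLIANT_WITH_EVIDENCE: 0.0, COMPLIANT_NO_EVIDENCE: 1.0,
                    ISSUE_WITH_PLAN: 0.25, ISSUE_NO_PLAN: 1.0}
# Verified answers count fully for maturity but carry less distrust.
MATURITY_LEVEL_WEIGHTS = {"self": 1.0, "certified": 1.0, "audited": 1.0}
DISTRUST_LEVEL_WEIGHTS = {"self": 1.0, "certified": 0.5, "audited": 0.25}


def indicator(answers, category_weights, level_weights):
    """Generic weighted score in [0, 1]; only the weight tables differ."""
    if not answers:
        return 0.0
    total = sum(category_weights[a["category"]] * level_weights[a["level"]] for a in answers)
    return total / len(answers)


# Rule declared compliant -> parameter that must exist for the claim to be credible.
CONSISTENCY_RULES = [("BIA", "MTD")]   # business impact analysis needs an MTD


def data_insecurity(answers, parameters):
    """Share of applicable consistency checks that fail."""
    declared = {a["rule"] for a in answers
                if a["category"] in (COMPLIANT_WITH_EVIDENCE, COMPLIANT_NO_EVIDENCE)}
    checks = [(rule, param) for rule, param in CONSISTENCY_RULES if rule in declared]
    if not checks:
        return 0.0
    failed = [rule for rule, param in checks if parameters.get(param) is None]
    return len(failed) / len(checks)


# a_i components of the auditability index and their w_i weights (constructed).
AUDITABILITY_WEIGHTS = {"untrusted_era": 0.5, "data_insecurity": 0.3, "immaturity": 0.2}


def entity_indicators(entity):
    answers = entity["answers"]
    return {
        "untrusted_era": indicator(answers, DISTRUST_WEIGHTS, DISTRUST_LEVEL_WEIGHTS),
        "data_insecurity": data_insecurity(answers, entity["parameters"]),
        "immaturity": 1.0 - indicator(answers, MATURITY_WEIGHTS, MATURITY_LEVEL_WEIGHTS),
    }


def auditability_index(entity):
    """Weighted sum of the components: sum over i of w_i * a_i."""
    comps = entity_indicators(entity)
    return sum(AUDITABILITY_WEIGHTS[k] * comps[k] for k in comps)


def audit_plan(entities):
    """Entities sorted from highest to lowest auditability index."""
    return sorted(((auditability_index(e), e["name"]) for e in entities), reverse=True)


def _a(rule, category, level):
    return {"rule": rule, "category": category, "level": level}


# Constructed sample entities (names, answers and parameters are invented).
PLANT_A = {"name": "Plant A", "parameters": {},           # everything perfect, no evidence
           "answers": [_a(r, COMPLIANT_NO_EVIDENCE, "self") for r in ("BIA", "ACCESS", "BACKUP", "DR")]}
PLANT_B = {"name": "Plant B", "parameters": {"MTD": "4h"},  # issues declared and planned
           "answers": [_a("BIA", COMPLIANT_WITH_EVIDENCE, "audited"),
                       _a("ACCESS", ISSUE_WITH_PLAN, "certified"),
                       _a("BACKUP", COMPLIANT_WITH_EVIDENCE, "self"),
                       _a("DR", ISSUE_WITH_PLAN, "self")]}
PLANT_C = {"name": "Plant C", "parameters": {},            # issues without plans, BIA inconsistent
           "answers": [_a("BIA", COMPLIANT_NO_EVIDENCE, "certified"),
                       _a("ACCESS", ISSUE_NO_PLAN, "self"),
                       _a("BACKUP", ISSUE_NO_PLAN, "self")]}
SAMPLE_ENTITIES = [PLANT_A, PLANT_B, PLANT_C]


if __name__ == "__main__":
    for score, name in audit_plan(SAMPLE_ENTITIES):
        print(f"{name}: auditability {score:.3f} {entity_indicators(next(e for e in SAMPLE_ENTITIES if e['name'] == name))}")
```

Plant A reports full compliance and would top a maturity ranking, yet its distrust score is maximal because nothing is evidenced and its BIA claim is contradicted by the missing MTD; Plant B, which declares problems with plans, ranks last. That inversion is the point of the article's untrusted-ERA indicator, and it is obtained here by the same indicator() function with a different weight table.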