Risk Scenarios Using COBIT® 5 for Risk
About ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust
in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge,
standards, networking, and career development for information systems audit, assurance, security, risk, privacy and
governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity
professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology.
ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified
Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of
Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association
has more than 200 chapters worldwide.
Disclaimer
ISACA has designed and created Risk Scenarios Using COBIT® 5 for Risk (“the Work”) primarily as an educational resource
for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a
successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive
of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should
apply their own professional judgment to the specific circumstances presented by the particular systems or information
technology environment.
Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed,
displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying,
recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this
publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and
must include full attribution of the material’s source. No other right or permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Acknowledgments
ISACA wishes to recognize:
Lead Developer
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Fischer IT GRC Beratung & Schulung, Switzerland
Development Team
Evelyn Anton, CISA, CISM, CGEIT, CRISC, UTE, Uruguay
Robert E Stroud, CGEIT, CRISC, CA, USA
Mike Hughes, CISA, CGEIT, CRISC, 123 Consultants GRC Ltd., United Kingdom
Elza Adams, CISA, CISSP, PMP, HP, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Eduardo Ritegno, CISA, CRISC, QAR (IIA), Banco de la Nacion Argentina, Argentina
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Expert Reviewers
Mohamed Tawfik Abul Farag, KPMG, Egypt
Mark Adler, CISA, CISM, CGEIT, CRISC, CCSA, CFE, CFSA, CIA, CISSP, CRMA, CRP, Wal-Mart Stores, Inc., USA
Gerardo H. Arancibia Vidal, CISM, CRISC, Ernst & Young, Chile
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Vilius Benetis, CISA, CRISC, PhD, NRD CS, Lithuania
Jean-Louis Bleicher, CRISC, France
Graham Carter, CISA, CGEIT, ABB Limited, Switzerland
Richard Cartwright, CGEIT, ISP/ITCP, ITIL, PMP, MZP Solutions, Canada
Katalina Coronel Hoyos, CISA, SASCURE Cia. Ltda., Ecuador
Gabriel Croci, CISA, CRISC, SOMOS Consultancy Services, Uruguay
Diego Patricio del Hoyo, CISM, CRISC, CISSP, Westpac Banking Corporation, Australia
Leela Ravi Shankar Dhulipalla, CGEIT, COBIT Certified Assessor, COBIT 5 Accredited Trainer, PMP,
Venlee IT Consultancy LLP, India
Joseph Fodor, CISA, CPA, Ernst & Young, LLP, USA
Giovanni Guzman De Leon, CISM, ITIL, CFC, ISO 9001, PhD Candidate, Independent Consultant, Guatemala
Jason Hageman, CISA, ITIL V3, MGM Resorts International, USA
Tomas Hellum, LinkGRC, Denmark
Sharon Jones, CISA, MGM Resorts International, USA
Masatoshi Kajimoto, CISA, CRISC, Independent Consultant, Japan
Satish Kini, CRISC, CISSP, COBIT 5 Certified Assessor, Firstbest Consultants Pvt Ltd., India
Vaman Amarjeet Gokuldas Kini, CISA, CISM, CEH, CISSP, LPT, 27KLA, The World Bank Group, India
Shruti Shrikant Kulkarni, CISA, CRISC, CISSP, CPISI, CCSK, ITIL V3 Expert, Infosys Technologies Limited, India
John W. Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/U, IBM Global Business Services, USA
Michel Lambert, CISA, CISM, CGEIT, CRISC, Ministere de l’Agriculture, des Pecheries et de l’Alimentation du
Quebec, Canada
Romualdas Lecickis, CISA, CISM, CGEIT, CRISC, NRD CS, Lithuania
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA
Sebastian Marondo, CISA, CISM, NRD-EA, National Audit Office, Tanzania
John Simiyu Masika, CISA, CISM, Kenya Airways Ltd., Kenya
Radmila Mihajlovic, CISA, Consultant, Canada
Lucio Augusto Molina Focazzio, CISA, CISM, CRISC, ITIL, GovernaTI, Colombia
Oscar Moreno Mulas, CISA, OKY Consulting/Zelaya Rivas Asociados, El Salvador
Raphael Otieno Onyango, CISA, BCOM, CPA (K), Ecumenical Church Loan Fund – Kenya, Kenya
Abdul Rafeq, Wincer Infotech Limited, India
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India
Franco Rigante, CISA, CRISC, PMP, Grant Thornton Argentina, Argentina
Salomon Rico, CISA, CISM, CGEIT, Deloitte Mexico, Mexico
Eddy J. Schuermans, CGEIT, ESRAS bvba, Belgium
Paras K. Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
David Sheidlower, CISM, Health Quest, USA
Emil David Skrdla, CISA, CISM, CGEIT, CRISC, ITIL V3, PCI ISA, PCIP, The University of Oklahoma, USA
Gustavo A. Solís, Grupo Cynthus, S.A. de C.V., Mexico
Mark Stacey, CISA, FCA, BG Group, USA
Donald T. Steane, CIA, CMA, CPA, CRMA, DTS Consulting Services, Canada
Dirk Steuperaert, CISA, CGEIT, CRISC, ITIL, IT In Balance BVBA, Belgium
Louis C. Tinto, CISA, CRISC, CFE, CIA, Omnicom Media Group, USA
Alok Tuteja, CGEIT, CRISC, CIA, CISSP, Mazrui Holdings LLC, UAE
Orlando Tuzzolo, CISM, CGEIT, CRISC, World Pass IT Solutions, Brazil
Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany
Table of Contents
List of Figures ..... 7
Chapter 1. Introduction ..... 9
  Background ..... 9
  Purpose of This Publication ..... 10
  Who Should Use This Guide? ..... 10
  Scope and Approach ..... 11
  Prerequisite Knowledge ..... 11
Appendix 2. Glossary ..... 277
List of Figures
Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits ..... 10
Chapter 1
Introduction
Background
Risk scenario analysis is an important component of enterprise risk management (ERM) (figure 1). This technique is
a powerful tool because it helps describe risk in terms that are easier for business leaders to understand. ISACA has
issued Risk Scenarios Using COBIT 5 for Risk to provide guidance to professionals who are responsible for helping their
enterprises manage their risk portfolios.
Risk Scenarios Using COBIT 5 for Risk is a practical guide on how to use COBIT 5 for Risk to prepare IT-related risk scenarios
that can be used for risk analysis and assessment. It provides readers with potential scenarios to consider in their own
organizations. The scenarios are intended to be tailored: scenarios will need to be added, removed and amended to arrive at a
focused set of relevant scenarios that fit the organization's specific risk, risk appetite and business needs.
Risk analysis is the process used to estimate the frequency and magnitude of IT-related risk scenarios. Risk assessment is the
process used to identify and evaluate risk, its potential effects and the probability of a particular event. Risk assessment is
slightly broader than risk analysis and includes its preliminary and ancillary activities, i.e., the identification of detailed
risk scenarios, the definition of responses such as mitigation plans and the description of existing controls.
Risk analysis and assessment together form a core approach to bringing realism, insight, organizational engagement, improved
analysis and structure to the complex matter of IT risk. Risk scenarios are the tangible and assessable representation of risk,
and are one of the key information items needed to identify, analyze and respond to risk (COBIT 5 Process APO12).
The main purpose of Risk Scenarios Using COBIT 5 for Risk is to give guidance on the development of IT-related risk
scenarios. These scenarios are based on the determination of the value of an asset or a business process. The potential threats
and vulnerabilities that can lead to a loss event should be considered, as well as the potential benefits of more effective and
efficient achievement of business objectives and of protecting or increasing business value. The secondary purpose of this
publication is to provide guidance on how to respond to risk that exceeds the enterprise's tolerance level. Special guidance is
given on how the COBIT 5 enablers can help in risk management activities.
The adoption of risk scenario analysis can help satisfy requirements from multiple stakeholders. Figure 2 describes the
potential stakeholder benefits that risk scenario analysis can provide.
Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits
Role/Function: Benefits of Adopting Risk Scenarios Using COBIT 5 for Risk
Board and executive management: Better understanding of the implications of IT risk to enterprise strategic objectives and how to better use IT for successful strategy execution
Chief risk officer (CRO) and corporate risk managers for enterprise risk management (ERM): Assistance with managing IT risk, in line with generally accepted ERM principles, and incorporating IT risk into enterprise risk
Operational risk managers: Linking their ERM framework to COBIT 5 for Risk; identification of operational losses or development of key risk indicators (KRIs)
IT management: Better understanding of how to identify and manage IT risk and how to communicate IT risk to business decision makers
IT service managers: Enhancement of their view of operational risk
IT security: Positioning of security risk among other categories of IT risk
Information security/chief information security officer (CISO): Positioning IT risk within the enterprise information risk management structure
Chief financial officer (CFO): Gaining a better view of IT risk and its financial implications
Business: Better understanding and management of IT risk in line with business objectives
Internal auditors: Better analysis of risk in support of audit plans and reports
Compliance: Advise the risk function with regards to compliance requirements and their potential impact on the enterprise
General counsel: Advise the risk function on regulation-related risk and potential impact or legal implications on the enterprise
Regulators: Support assessment of regulated enterprises' IT risk management approach and the impact of risk on regulatory requirements
External auditors: Additional guidance on exposure levels when establishing an opinion over the quality of internal control
Insurers: Help establish adequate IT insurance coverage and obtain agreement on exposure levels
IT contractors and subcontractors: Better alignment of utility and warranty of IT services provided; understanding of responsibilities arising from risk assessment
Prerequisite Knowledge
Risk Scenarios Using COBIT 5 for Risk builds on COBIT 5 for Risk. The key concepts about the use of scenarios from
COBIT 5 for Risk are repeated in this guide, making it a largely stand-alone guide that, in essence, requires no prerequisite
knowledge. However, an understanding of COBIT 5 for Risk will accelerate comprehension of the contents of this
guide. In addition, some risk-relevant items that are described in detail in COBIT 5 for Risk are not repeated in Risk
Scenarios Using COBIT 5 for Risk and may require the use of other guides in the COBIT 5 product family.
For risk mitigation, Risk Scenarios Using COBIT 5 for Risk refers mainly to the COBIT 5 enablers and also to the process
reference model and COBIT 5 processes described therein. If readers wish to know more about COBIT 5 enablers, e.g.,
to implement or improve some of them as part of a risk response (mitigation), they are referred to the following COBIT 5
product family guides: the COBIT 5 framework, COBIT 5: Enabling Processes and COBIT 5: Enabling Information.