Join Michael Lester for an in-depth discussion in this video Risk management process, part of CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors.
- [Instructor] All right, let's talk about the risk management process. So why is risk management so challenging? Well, essentially it's trying to predict the future. You're trying to figure out all the bad things that might happen to you and then where best to deploy your resources. There's an incredible number of variables to identify and take into consideration. You're also trying to surmise all of the possible threats and then come up with solutions for them, every possible threat, whether it's a hurricane, it's a fire, it's a burglar, it's a hacker, et cetera, et cetera.
There's a lot of things to consider there. You may not be able to consider them all depending on your scope and how much resources you have to put into this risk management effort. It involves gathering data from many, many resources. That means from the grunt work like taking a clipboard and walking around and actually interviewing people or surveying people to processing complex log files, looking at scan results from say some vulnerability scanner, taking a look at the results from the last penetration test, all sorts of things that you need to collect and process, and gather information, et cetera.
You're dealing with many unknowns, like how often is a hurricane going to hit your facility? Well, you just don't know. You're going to have to spitball, you're going to have to guess in a lot of cases, and that can add a lot of uncertainty into your calculations. And then finally, you're trying to quantify qualitative things. That means putting a dollar sign or a number on something that isn't really easy to put a number on, like how much money the organization's reputation is worth, for example. That's a hard thing to nail down, but you're going to have to take some kind of stab at that at some point.
So, these are some of the challenges that are involved in risk management. Now, if you're going to succeed in this risk management effort, there are things that you're going to need. Well, you have to have some kind of commitment from senior management. If you don't have buy-in from management, this is never going to go anywhere. You need to have their involvement, and you need to have their support. You should have some kind of documented process. First of all, you should have a process that you're going to follow, but it must be documented in some way so that everyone's on the same page that this is the process we're going to go through, and we'll take a look at what that process should look like in a minute. There should be some kind of risk management policy that's signed off on by management and maybe even the board of directors, saying here at company X we're going to follow this process, here are the roles and responsibilities, here's what you as a worker bee should be doing, here's what management is expected to do, here's what the board is expected to do.
All of that's lined out. Here are the rules, here's the process defined in some policy that everyone's been made aware of. And then finally, who's going to be on the team? Now, when it comes to risk management, just about every department is going to have some voice at the table when it comes to performing risk management. You've got to have everyone involved. And a process should look something like what we see on the screen. There should be several different phases: the planning phase, where you figure out what we're going to do and how it's going to be done; the collection phase, where the grunt work is done, where we pull in the information and we absorb it; then we make some decisions; and then we make those recommendations to management.
Management makes the call as to how we're going to actually handle the risk, but there are four different things they can do. They can mitigate or reduce the risk by putting some kind of control in place. They can transfer the risk and make it somebody else's problem. They can accept the risk, which means as long as it's within their acceptable risk levels they can just accept it and move on, or they can avoid it entirely by just stopping whatever it is that's risky, and we'll talk about each of those when we get into those sections. And that's risk management.
Instructor Michael Lester starts out with a description of IT governance and the role of IT policies, processes, and standards, providing examples of many of the most common types. He reviews three key areas for auditing: risk management, business continuity, and disaster recovery planning. He also explains how an IT department and its auditing team should be organized. At each stage, he explains how the auditor would address these topics in a typical audit environment.
- IT governance
- Policies, processes, and standards
- Risk management
- IT organization
- Business continuity
- Disaster recovery