Driving Accountability Through An Effective Risk Register

Transcription

1 Version Driving Accountability Through An Effective Risk Register ISACA Birmingham Chapter March 20, Lunch & Learn Chris Womack, CIA, CISA, GCCC Director Information Security Governance BBVA Compass

2 Current State Risks continue to grow in the IT and Cybersecurity Environments IT Auditor are charged to do more with less resources Unfortunately it is difficult to get past the low-hanging fruit findings into something more meaningful.

3 Pain Points 1 Repeat audit findings 5 Known policy / procedure gaps 2 Technical debt 6 Lack of traction to resolve issues 3 Excessive vulnerabilities 7 Legacy mindsets 4 Permanent exceptions

4 Target State Focus on more meaningful issues: Deliver valuable issues / reports Propel process maturity Drive individual accountability

5 Create a Risk Register

6 Path Forward Create a Risk Register: Design: Identify Components Build: Create Register / Process Run: Drive Accountability

7 Identify Components RACI Criteria: Types of Risks Analysts PMO: Project Risks Subject Matter Experts (SMEs) InfoSec: CIA of Information Assets Decision Making Authority (DMAs) IT: Governance of Enterprise IT Risk Treatment Owners (RTOs) Working Group Workflow Stages Identification Analysis Steering Committee Technology Decision Making GRC Tools Treatment Automation Monitoring Workflows Validation Notification Closure Reporting

8 Path Forward Create a Risk Register: Design: Identify Components Build: Create Register / Process Run: Drive Accountability

9 Process

10 Identification 01 Risks can be identified from multiple sources in the environment. Key Points for Success: Clear, Consistent Criteria Defined Sources Decision Required

11 Analysis 02 Risks of all sizes can affect an organization. This stage is essential for determining the potential impact. Key Points for Success: Know Your Audience Factually State the Risk (WCGW) No Control Reversal Qualify & Quantify the Risk Simplify Ranking

12 Decision Making 03 The Decision Making Authority (DMA) should be provided the appropriate amount of information to make a well-informed decision. Key Points for Success: Thorough Analysis Appropriate DMA Understand DMA Decision / Rationale Avoid Surprises

13 Risk Treatment 04 The Risk Treatment Owner (RTO) should be held accountable for providing a plan that appropriately addresses the risk. Key Points for Success: Plan with Dates & Milestones Short & Long-Term Treatment Routine Updates Accurate Target Dates

14 Validation 05 Risk validation should reflect that the treatment was successful in fulfilling the treatment decision. Key Points for Success: Validation Preparation SME Communication Demonstrable Evidence

15 Closure 06 Once the risk has been appropriately addressed, it can be closed. This stage can be used to reflect on the efficiency and effectiveness of the process. Key Points for Success: Perform Quality Control Calculate Measurements & Metrics Prepare Reporting Continual Process Improvement

16 Monitoring 07 Monitoring is a time bound stage for a risk. The timing can be set by risk, but should not exceed one year. Key Points for Success: Routine Interim and Periodic Updates Ensuring Progress Reporting Changes in Constraints

17 Path Forward Create a Risk Register: Design: Identify Components Build: Create Register / Process Run: Drive Accountability

18 Visibility Accountability Effectiveness In order to be effective, the products of the process must be seen by appropriate levels of management: Risks accepted; Target dates changed; and Validation failed. Quarterly Leadership Meetings - Executive Management Monthly Working Groups - Management Weekly Register Reviews - Analysts

19 Recap: Driving Accountability Through An Effective Risk Register Pain Points Risk Register: Components Risk Register: Process Risk Register: Effectiveness Target State: Achieved

20 Thank you. Chris Womack, CIA, CISA, GCCC Director Information Security Governance BBVA Compass