2. Leonard Ong
CPP, CFE, PMP, CISA, CISM, CRISC, CISSP, CSSLP, CIPM, GSNA, GCIH, GCFA, GCIA
• More than 14 years' experience in security management, information security and corporate security
• Honorary Chairman, ASIS International (Singapore Chapter)
• Immediate Past President and Director-Research, ISACA Singapore Chapter
• Crisis Management and Business Continuity Management Council, ASIS International
• IT Security Council, ASIS International
• Professional Influence / Advocacy Committee, ISACA
13. APT in Action
• Operation Aurora, 2010
• Stuxnet, 2010
• RSA / Lockheed Martin, 2011
• Duqu, Flame, 2011-12
• New York Times, 2013
• Adobe, 2013
• Korean banks, 2013
Against the unknown: reputation risk, customer confidence, remediation cost and effort
14. A Troubling Lack of Initiative
There aren't enough precautions being taken against the threat of an APT. Up to 81.8% of survey takers have not updated their agreements with vendors who provide protection against APT, and 67.3% reported that they haven't held any APT awareness training programs for their employees.
[Chart: "Has your enterprise increased security training as a result of APTs?" Bar chart on a 0% to 80% scale; response categories shown are Very Likely, Likely, Not Very Likely, Not at All Likely, and Yes / No.]
ISACA, 2014
16. CoBIT 5
management of enterprise information technology (IT). Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
COBIT 5 for Risk, highlighted in figure 1, builds on the COBIT 5 framework by focusing on risk and providing more detailed and practical guidance for risk professionals and other interested parties at all levels of the enterprise.
Figure 1—COBIT 5 Product Family
• COBIT® 5 (the framework)
• COBIT 5 Enabler Guides: COBIT® 5: Enabling Processes; COBIT® 5: Enabling Information; Other Enabler Guides
• COBIT 5 Professional Guides: COBIT® 5 Implementation; COBIT® 5 for Assurance; COBIT® 5 for Information Security; COBIT® 5 for Risk; Other Professional Guides
• COBIT 5 Online Collaborative Environment
ISACA, 2014
Terminology
COBIT 5 for Risk discusses IT-related risk. Section 1, chapter 2 defines what is meant by IT-related risk; however, for ease of reading, the term 'risk' is used throughout the publication and refers to IT-related risk. The guidance and principles that are explained throughout this publication are applicable to any type of enterprise, whether it operates in a commercial
17. CoBIT 5 Product Family
• Framework: COBIT 5 is the overarching business and management framework for governance and management of enterprise IT.
• Enabling Processes: a detailed reference guide to the processes defined in the COBIT 5 process reference model.
• Implementation: provides a good-practice approach for implementing GEIT based on a continual improvement life cycle.
• Information Security: specific focus on information security.
• Assurance: practical guidance for assurance professionals on how to use COBIT 5 to support a variety of IT assurance activities.
• Risk: specific focus on risk.
ISACA, 2014
18. Risk Duality
Figure 6—Risk Duality
Positive outcomes (value creation or preservation): well-governed and managed information and technology delivers business benefits and/or preserves value.
• New IT-enabled business opportunities
• Enhanced business opportunities
• Sustainable competitive advantage
Negative outcomes (value destruction or failure to gain): poorly governed and managed information and technology will destroy value or fail to deliver benefits.
• Unrealised or reduced business value
• Missed IT-enabled business opportunities
• Adverse IT-related events destroying value
ISACA, 2014
Risk is not always to be avoided. Doing business is about taking risk that is consistent with the risk appetite: many business propositions require IT risk to be taken to achieve the value proposition and realise enterprise goals and objectives, and this risk should be managed but not necessarily avoided.
19. Figure 18—Supporting Processes for the Risk Function
Processes for Governance of Enterprise IT
• Evaluate, Direct and Monitor (EDM): EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency
Processes for Management of Enterprise IT
• Align, Plan and Organise (APO): APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security
• Build, Acquire and Implement (BAI): BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration
• Deliver, Service and Support (DSS): DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls
• Monitor, Evaluate and Assess (MEA): MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
The processes listed in figure 19 are key supporting processes for the risk function in the enterprise.
ISACA, 2014
20. Risk Scenario
Figure 36—Risk Scenario Structure
Threat type
• Malicious
• Accidental
• Error
• Failure
• Nature
• External requirement
Actor
• Internal (staff, contractor)
• External (competitor, outsider, business partner, regulator, market)
Event
• Disclosure
• Interruption
• Modification
• Theft
• Destruction
• Ineffective design
• Ineffective execution
• Rules and regulations
• Inappropriate use
Asset/Resource
• People and skills
• Organisational structures
• Process
• Infrastructure (facilities)
• IT infrastructure
• Information
• Applications
Time
• Duration
• Timing of occurrence (critical or non-critical)
• Detection
• Time lag
ISACA, 2014
It is important to stay aware of the differences between loss events, threat events and vulnerability events. When a risk scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (threat type plus event), as shown in figure 36. The frequency of the threat event leading to a loss event is influenced by the risk factors, i.e., the vulnerability. Vulnerability is usually a state and can be increased or decreased by vulnerability events, e.g., the weakening of controls, or by the threat strength. One should not mix these three types of events into one big 'risk list'.
Chapter 3 contains a set of generic IT risk scenarios that are built in line with the model described in the previous paragraphs. The set of generic scenarios contains examples of negative outcomes, but also examples where a risk, when managed well, can lead to a positive outcome.
21. Risk Heat Map and Aggregation
Figure 40—Aggregation of Risk Maps—Shared Risk
[Figure: risk heat maps with magnitude on the vertical axis and frequency on the horizontal axis. Scenarios A, B, C and D are plotted on each map; scenario B appears on every map and is the shared risk that the aggregation combines.]
ISACA, 2014
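The scenario structure of figure 36 and the shared-risk aggregation of figure 40, as an added worked example (this is not code from the slides or from ISACA): scenarios are validated against the figure 36 vocabularies, each business unit rates a scenario by frequency and magnitude, and the ratings are folded into one enterprise heat map. The aggregation rule is an assumption, not something the page states: a scenario shared by several units is triggered by a single threat event that hits all of them at once, so its enterprise frequency is the highest unit frequency while its magnitude is the sum of the unit magnitudes. The unit names, ratings and band thresholds are constructed sample data.

```python
"""Added example, not code from the slides or from ISACA.

Models the COBIT 5 for Risk scenario structure (threat type, actor, event,
asset/resource) and aggregates shared risk across business units into an
enterprise heat map.  Aggregation rule (assumption): max frequency, summed
magnitude.  All names, ratings and thresholds below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass

# Vocabularies taken from the figure 36 scenario structure on the page.
THREAT_TYPES = {"malicious", "accidental", "error", "failure", "nature",
                "external requirement"}
ACTORS = {"internal", "external"}
EVENTS = {"disclosure", "interruption", "modification", "theft", "destruction",
          "ineffective design", "ineffective execution", "rules and regulations",
          "inappropriate use"}
ASSETS = {"people and skills", "organisational structures", "process",
          "infrastructure (facilities)", "it infrastructure", "information",
          "applications"}


def scenario_problems(threat_type, actor, event, asset):
    """Return the fields that fall outside the figure 36 vocabularies (empty if valid)."""
    checks = (("threat type", threat_type, THREAT_TYPES), ("actor", actor, ACTORS),
              ("event", event, EVENTS), ("asset", asset, ASSETS))
    return [f"{label}: {value!r}" for label, value, allowed in checks
            if value not in allowed]


@dataclass(frozen=True)
class RiskScenario:
    """One scenario; rejects values that are not in the scenario structure."""
    name: str
    threat_type: str
    actor: str
    event: str
    asset: str

    def __post_init__(self):
        problems = scenario_problems(self.threat_type, self.actor, self.event, self.asset)
        if problems:
            raise ValueError("; ".join(problems))


@dataclass(frozen=True)
class UnitRating:
    """A business unit's estimate for one scenario."""
    unit: str
    scenario: str
    frequency: float  # expected loss events per year
    magnitude: float  # expected loss per event, in currency units


# Assumed heat map bands: value < t0 is low, t0 <= value < t1 is medium, else high.
FREQ_THRESHOLDS = (0.1, 1.0)
MAG_THRESHOLDS = (1e6, 5e6)
BANDS = ("low", "medium", "high")


def band(value, thresholds):
    """Map a numeric value onto low/medium/high."""
    return BANDS[sum(value >= t for t in thresholds)]


def heat_cell(frequency, magnitude):
    """Heat map coordinates as (frequency band, magnitude band)."""
    return band(frequency, FREQ_THRESHOLDS), band(magnitude, MAG_THRESHOLDS)


def aggregate_shared(ratings):
    """Collapse per-unit ratings to one (frequency, magnitude) per scenario.

    Assumed shared-risk rule: one threat event hits every unit, so frequency is
    the maximum across units and magnitude is the sum across units.
    """
    freq, mag = {}, defaultdict(float)
    for r in ratings:
        freq[r.scenario] = max(freq.get(r.scenario, 0.0), r.frequency)
        mag[r.scenario] += r.magnitude
    return {name: (freq[name], mag[name]) for name in freq}


def enterprise_heat_map(ratings):
    """Group the aggregated scenarios by heat map cell."""
    cells = defaultdict(list)
    for name, (f, m) in sorted(aggregate_shared(ratings).items()):
        cells[heat_cell(f, m)].append(name)
    return dict(cells)


# Constructed sample data: B (a core platform outage) is shared by three units, A is local.
SCENARIOS = {
    "A": RiskScenario("A", "malicious", "external", "theft", "information"),
    "B": RiskScenario("B", "failure", "internal", "interruption", "it infrastructure"),
}
SAMPLE_RATINGS = [
    UnitRating("Retail", "A", 2.0, 3e5),
    UnitRating("Retail", "B", 0.5, 2e6),
    UnitRating("Wholesale", "B", 0.5, 2e6),
    UnitRating("Treasury", "B", 0.3, 2e6),
]

if __name__ == "__main__":
    for r in SAMPLE_RATINGS:
        print(f"{r.unit:10} {r.scenario}: {heat_cell(r.frequency, r.magnitude)}")
    print("enterprise:", enterprise_heat_map(SAMPLE_RATINGS))
```

Run stand-alone, each unit's own map places B in the medium/medium cell, which is why a unit-level view understates it; the enterprise map moves B to medium frequency and high magnitude once the three 2,000,000 exposures are summed. Keep the aggregation rule explicit in the risk register so reviewers can challenge it: summing magnitudes is only right when the units really do lose independently from the same event.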
22. Key takeaways
1. Be aware of current and future trends in cyber threats
2. Prepare for the unknown
3. Adopt an enterprise governance approach
4. Develop a risk profile before selecting a solution