Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca.org/journal), find the article, and choose the Comments tab to share your thoughts. Go directly to the article:
Internal audit work plans tend to focus on priorities based on the risk with the highest operational impact. For many organizations this results in IT audits focused on financial applications, human resources (HR) applications, enterprise resource planning (ERP) systems and the like. Many other systems remain out of audit scope due to limited audit resources and medium or low priorities in the annual audit plan. Other assurance functions, such as information security, struggle with the same resource constraints. Performing detailed technical information security risk assessments that involve manual tasks, specific skills and tools is costly and, therefore, done only on those systems exposed to the risk with the highest business impact. However, a detailed information security risk assessment in the form of ethical hacking is the most accurate method of estimating risk likelihood, because it demonstrates whether a vulnerability can actually be exploited rather than inferring it from version information.

Information security vendors have recognized the need to optimize the process of managing ethical hacking projects with the goal of reducing their costs. They have started offering ethical hacking services in the form of Security as a Service (SecaaS) solutions. The ability to acquire ethical hacking security assessments for information systems with medium or even low business impact would allow organizations to build more complete and accurate risk treatment plans and optimize resources for information security management.
MEASURING IT RISK
COBIT® 5 [1] recommends the following practices for effective IT risk management:
1. Make sure the IT risk management framework fits the risk management objectives of the enterprise. Use similar risk classification principles and, wherever possible, classify and manage IT risk in a business-driven hierarchy, for example:
• Strategic
• Program
• Project
• Operational
2. Define standard scales for IT risk assessment, covering impact and probability, aligned with the organization's enterprise risk management (ERM) framework. [2]
3. Align the IT risk appetite and tolerance levels with the ERM framework.
Risk indicators are metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite. If carefully selected and measured with due diligence, these metrics are a powerful management tool for making strategic decisions in governing the IT function within an enterprise. The following criteria should be taken into account when selecting information-security-related risk indicators: potential impact on vital information assets, effort required to exploit an information systems (IS) vulnerability, reliability of critical IT assets and sensitivity of information.
The likelihood of successfully exploiting a vulnerability is determined by the difficulty of performing the exploit, the skill of the attacker, and the popularity or availability of the vulnerability. A vulnerability that is known to be popular among malicious hackers carries a higher probability of success.

Industry-standard tools for vulnerability assessment are software-based vulnerability scanners. These automated tools compare the applications, operating systems and other components detected on audited hosts against proprietary or public databases of known vulnerabilities. They report the detected gaps and recommend installing security patches, if available, or vendor-suggested workarounds. Because many of their checks infer a vulnerability from a version banner rather than by attempting the exploit, their output also contains false positives that an ethical hacker would rule out. More importantly, they do not put vulnerabilities in a business context, so their impact estimates can be misleading: a determined attacker is more likely to exploit even a low-rated vulnerability if it sits on a high-value business asset.
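The risk-indicator and likelihood passages above can be made concrete with a small re-ranking script. The following is an added example, not code from the article, from COBIT or from any scanner vendor: it parses a constructed scanner export (host names, finding IDs and scores are placeholders), derives a 1-5 likelihood from exploit difficulty and exploit availability, takes a 1-5 impact from an assumed asset register, and flags findings whose likelihood × impact exceeds an assumed risk appetite of 10. The function names, the mapping from CVSS base score to the 1-5 scale and the threshold are the example's own choices.

```python
import csv
import io

# Constructed scanner export for this example (not real scanner output;
# host names and finding IDs are placeholders).
SCANNER_EXPORT = """\
host,finding_id,cvss_base,exploit_public,patch_available
erp-db01,VULN-0001,4.3,yes,yes
kiosk-17,VULN-0002,9.8,no,yes
hr-app,VULN-0003,7.5,yes,no
"""

# Assumed asset register: business value and data sensitivity on a 1-5
# scale, the kind of standard scale COBIT 5 asks the enterprise to define.
ASSET_REGISTER = {
    "erp-db01": {"business_value": 5, "sensitivity": 5},  # ERP database server
    "kiosk-17": {"business_value": 1, "sensitivity": 1},  # lobby kiosk
    "hr-app":   {"business_value": 4, "sensitivity": 5},  # HR application
}

# Assumed risk appetite on the 1-25 (likelihood x impact) scale.
RISK_APPETITE = 10


def parse_findings(export_text):
    """Parse the CSV export into dicts with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        findings.append({
            "host": row["host"],
            "id": row["finding_id"],
            "cvss": float(row["cvss_base"]),
            "exploit_public": row["exploit_public"].strip().lower() == "yes",
            "patch_available": row["patch_available"].strip().lower() == "yes",
        })
    return findings


def likelihood(finding):
    """1-5 likelihood of successful exploitation.

    The CVSS base score stands in for exploit difficulty; the score is
    raised when a public exploit exists (the vulnerability is popular and
    needs less attacker skill) and when no patch is available to close it.
    """
    score = 1 + int(finding["cvss"] // 2.5)  # 0.0-10.0 -> 1..5
    if finding["exploit_public"]:
        score += 1
    if not finding["patch_available"]:
        score += 1
    return min(score, 5)


def impact(asset):
    """1-5 impact: the higher of business value and data sensitivity."""
    return max(asset["business_value"], asset["sensitivity"])


def rank_by_scanner(findings):
    """Ordering a scanner report gives you: severity only, no business context."""
    ordered = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [f["id"] for f in ordered]


def business_risk(findings, assets):
    """Attach likelihood, impact and their product; highest risk first."""
    scored = []
    for f in findings:
        asset = assets.get(f["host"])
        # A host missing from the register has unknown impact: assume medium
        # and mark it, rather than silently treating it as unimportant.
        imp = impact(asset) if asset else 3
        lik = likelihood(f)
        scored.append({
            **f,
            "likelihood": lik,
            "impact": imp,
            "risk": lik * imp,
            "unregistered_host": asset is None,
            "exceeds_appetite": lik * imp > RISK_APPETITE,
        })
    return sorted(scored, key=lambda r: r["risk"], reverse=True)


def rank_by_business_risk(findings, assets):
    """Finding IDs ordered by business risk rather than scanner severity."""
    return [r["id"] for r in business_risk(findings, assets)]


if __name__ == "__main__":
    findings = parse_findings(SCANNER_EXPORT)
    print("scanner order :", rank_by_scanner(findings))
    print("business order:", rank_by_business_risk(findings, ASSET_REGISTER))
    for r in business_risk(findings, ASSET_REGISTER):
        flag = " (risk indicator: exceeds appetite)" if r["exceeds_appetite"] else ""
        print(f"{r['id']} on {r['host']}: likelihood={r['likelihood']} "
              f"impact={r['impact']} risk={r['risk']}{flag}")
```

Run as a script, it prints both orderings. The scanner alone ranks the kiosk's 9.8 finding first; the business-context ranking puts the HR application (25) and the ERP database (15) ahead of it and flags both as exceeding the appetite, while the kiosk finding (4) drops to the bottom. That reordering of a low-rated finding on a high-value asset above a critical finding on a throwaway host is the point the paragraph above makes, and the appetite flag is the risk indicator the earlier passage describes.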
Moreover, automated vulnerability scanners
do not provide information on interrelated
Viktor Polic, Ph.D., CISA, CRISC, CISSP, has been an information and communication technology professional with the United Nations and several specialized agencies since 1993. His current position is chief of the information security office at the International Labour Organization. Polic is also an adjunct faculty member at Webster University (Geneva, Switzerland), teaching courses on information security and telecommunications within the Computer Science Department of the School of Business and Technology, and serves as a member of the Scientific Committee for Advanced Studies in Information Security at the Department of Management Studies of the Faculty of Economic and Social Sciences at the University of Geneva (Switzerland).
Ethical Hacking: The Next Level or the Game Is Not Over?