ISACA Journal - 2014 Volume 4

Do you have something to say about this article?

Visit the Journal pages of the ISACA web site ( www.isaca. org/journal), find the article, and choose the Comments tab to share your thoughts.

Go directly to the article:

Internal audit work plans tend to focus on priorities based on risk with the highest operational impact. For many organizations this results in IT audits focused on financial applications, human resources (HR) applications, enterprise resource planning (ERP) systems and the like. Many other systems remain out of audit scope due to limited audit resources and medium or low priorities in the annual audit plan. Other assurance functions, such as information security, struggle with the same resource constraints. Performing detailed technical information security risk assessments that involve manual tasks, specific skills and tools are costly and, therefore, performed only on those systems exposed to risk with the highest business impact. However, a detailed information security risk assessment in the form of ethical hacking is the most accurate method to estimate risk likelihood.

Information security vendors have recognized the need to optimize the process of managing ethical hacking projects with the goal to reduce their costs. They start offering ethical hacking services in the form of Security as a Service (SecaaS) solutions. The ability to acquire ethical hacking security assessment for information systems with medium or even low business impact would allow organizations to build more complete and accurate risk treatment plans and optimize resources for information security management.

MEASURING IT RISK

COBIT® 51 recommends following best practices for effective IT risk management:

1. Make sure the IT risk management framework fits with the risk management objectives of the enterprise. Use similar risk classification principles and, wherever possible, classify and manage IT risk in a business-driven hierarchy, for example: • Strategic • Program • Project • Operational

2. Define standard scales for IT risk assessment, covering impact and probability aligned with the organization’s enterprise risk management (ERM) framework. 2

3. Align the IT risk management appetite and tolerance levels with the ERM framework.

Risk indicators are defined as metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite. If carefully selected and measured with due diligence, these metrics represent a powerful management tool for making strategic decisions in governing the IT function within an enterprise. The following criteria should be taken into account for selection of information-security-related risk indicators: potential impact on vital information assets, efforts required to exploit information systems (IS) vulnerability, reliability of critical IT assets and sensitivity of information.

The likelihood of successfully exploiting a vulnerability is determined by the degree of difficulty in performing the exploit, the skill of the attacker, and the popularity or availability of the vulnerability. A vulnerability that is known to be popular among malicious hackers carries a higher probability of success. Industry-standard tools for assessment of vulnerabilities are software-based vulnerability scanners. These automated tools compare detected applications, operating systems and other components on audited hosts against proprietary or public databases of known vulnerabilities. They provide reports on detected gaps and recommend implementation of security patches, if available, or vendor-suggested work-around solutions. However, they do not put vulnerabilities in a business context and, thus, impact estimates could be misleading. A determined hacker is more likely to exploit even the low-scaled vulnerability if it is on a high-value business asset.

Moreover, automated vulnerability scanners do not provide information on interrelated

Viktor Polic, Ph.D.,

CISA, CRISC, CISSP, has been an information and communication technology professional with the United Nations and several specialized agencies since 1993. His current position is chief of the information security office at the International Labour Organization. Polic is also an adjunct faculty member at Webster University (Geneva, Switzerland), teaching courses on information security and telecommunications within the Computer Science Department of the School of Business and Technology, and serves as a member of the Scientific Committee for Advanced Studies in Information Security at the Department of Management Studies of the Faculty of Economic and Social Sciences at the University of Geneva (Switzerland).