
WEEK 7

IT RISK MANAGEMENT
COMPREHEND FRAMEWORKS IN RISK MANAGEMENT

Lecturer:
Hanim Maria Astuti, M.Sc.
Eko Wahyu Tyas, MBA.
Information Systems Department
Institut Teknologi Sepuluh Nopember
• Identify and assess risks related to the use of IT in an organization

Page 2
Independent Learning:
• ISO 31000
• ERM COSO
• ISO 27001

Page 3
Framework vs.
Standards

Page 4
Framework: What is it?

• "a structural plan or basis of a project".

• "a structure or frame supporting or containing something".

Page 5
Standard: What is it?

• "a rule or principle that is used as a basis for judgment".

• "something considered by an authority or by general consent as a basis of comparison; an approved model".

Page 6
Their position

• Frameworks and standards complement each other.

Page 7
In groups (Group Work), study the concept of ISO 31000. To understand the concept, answer in terms of the aspects what, why, when, how.

At the end of this task, you should be able to understand the concept of ISO 31000 together with its stages.

Duration: 30 minutes.
Submit your work as a PDF at
\\10.126.10.21\Kuliah Share\MRTI GENAP 2016\KELAS C
Username/password: kuliahshare/kuliahshare4321
Page 8
In groups (Group Work), study the concept of ERM COSO. To understand the concept, answer in terms of the aspects what, why, when, how.

At the end of this task, you should be able to understand the concept of ERM COSO together with its stages.

Duration: 30 minutes.
Submit your work as a PDF at
\\10.126.10.21\Kuliah Share\MRTI GENAP 2016\KELAS C
Username/password: kuliahshare/kuliahshare4321
Page 9
In groups (Group Work), study the concept of ISO 27001. To understand the concept, answer in terms of the aspects what, why, when, how.

At the end of this task, you should be able to understand the concept of ISO 27001 together with its stages.

Duration: 30 minutes.
Submit your work as a PDF at
\\10.126.10.21\Kuliah Share\MRTI GENAP 2016\KELAS C
Username/password: kuliahshare/kuliahshare4321
Page 10
Common Risk
Management Frameworks

Page 11
At a glance

• Risk management practices are very important in today's society.
• In the past, financial institutions were the only institutions that put risk management practices high on their agenda.
• Today, almost all types of companies recognize the importance of managing risk.

Page 12
• There are several frameworks commonly used in the practice of managing risks.
• The common frameworks:
  • ISO 31000
  • ERM COSO
  • ISO 27001

Page 13
• Consists of the principles, framework and process for managing risks.

• The idea is that the risk management process must be incorporated within the managerial and operational practice of the company. Risk management is seen as an important agenda for the company and should be part of the company culture.

Page 14
• Stage one: Establishing the context
  • The most important deliverable from this stage is establishing the objectives and scope of the risk assessment.
• Stage two: Risk assessment
  • The risk assessment phase has three goals: risk identification, risk analysis and risk evaluation.
• Stage three: Risk treatment
  • More commonly referred to as the risk management stage, the organization implements controls designed to reduce risk, assesses the effectiveness of those controls and implements additional controls on an as-needed basis.
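The three stages above map naturally onto a small risk register. The following Python is an added illustration, not part of the lecture material: the 5x5 likelihood x impact scale, the risk-appetite threshold, the effect each control has on the score, and the sample risks are all constructed assumptions. It fixes the evaluation criteria in the context first, scores and ranks the register in the assessment stage, then applies controls one at a time and re-checks the residual score, adding further controls only while a risk still sits above appetite.

```python
"""Added illustration of the three-stage risk management process above (not
lecture material). The 5x5 likelihood x impact scale, the risk-appetite
threshold, the control effects and the sample register are all constructed
assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


# Stage one: establishing the context. Scope, objectives and the evaluation
# criteria are fixed before any risk is scored, so later decisions are judged
# against something agreed up front rather than improvised per risk.
@dataclass(frozen=True)
class Context:
    scope: str
    objectives: Tuple[str, ...]
    risk_appetite: int  # highest residual score accepted without treatment (assumed)


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # how many scale steps the control removes
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe
    applied: List[Control] = field(default_factory=list)
    candidates: List[Control] = field(default_factory=list)  # not yet applied

    def inherent_score(self) -> int:
        """Risk analysis: score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> Tuple[int, int]:
        """Likelihood and impact after the applied controls, never below 1."""
        lik, imp = self.likelihood, self.impact
        for c in self.applied:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik, imp

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp


def assess(ctx: Context, register: List[Risk]) -> List[Tuple[str, int, bool]]:
    """Stage two: identification (the register), analysis (scoring) and
    evaluation (comparison against the context's appetite). Returns
    (name, inherent score, needs treatment) ordered from highest score down."""
    ranked = sorted(register, key=Risk.inherent_score, reverse=True)
    return [(r.name, r.inherent_score(), r.inherent_score() > ctx.risk_appetite)
            for r in ranked]


def treat(ctx: Context, register: List[Risk]) -> List[str]:
    """Stage three: apply controls to each out-of-appetite risk, re-check the
    residual score (assessing control effectiveness) and add further controls
    as needed. Returns risks still above appetite once every candidate control
    is exhausted; those need a management decision (accept, transfer, avoid)."""
    unresolved = []
    for r in register:
        while r.residual_score() > ctx.risk_appetite and r.candidates:
            r.applied.append(r.candidates.pop(0))
        if r.residual_score() > ctx.risk_appetite:
            unresolved.append(r.name)
    return unresolved


def summary(register: List[Risk]) -> Dict[str, Tuple[int, int]]:
    """name -> (inherent score, residual score) for reporting."""
    return {r.name: (r.inherent_score(), r.residual_score()) for r in register}


# Constructed sample context and register (assumptions, not real data).
CTX = Context(scope="Customer-facing web application",
              objectives=("Protect customer data", "Keep the service available"),
              risk_appetite=6)


def sample_register() -> List[Risk]:
    return [
        Risk("Unpatched server compromised", likelihood=4, impact=5, candidates=[
            Control("Monthly patch cycle", likelihood_reduction=2),
            Control("Network segmentation", impact_reduction=2)]),
        Risk("Backup media lost in transit", likelihood=2, impact=4, candidates=[
            Control("Encrypt backups", impact_reduction=3)]),
        Risk("Laptop theft", likelihood=3, impact=2),
        Risk("Insider data export", likelihood=3, impact=5, candidates=[
            Control("DLP monitoring", likelihood_reduction=1)]),
    ]


if __name__ == "__main__":
    register = sample_register()
    for name, score, flagged in assess(CTX, register):
        print(f"{name:32} inherent={score:2} treat={flagged}")
    leftover = treat(CTX, register)
    print("residual:", summary(register))
    print("still above appetite:", leftover)
```

The point of returning the unresolved list from `treat` is the edge case the third stage implies: when every available control has been applied and the residual score is still above appetite, the process has not failed, it has produced a finding that must go back to management for an explicit decision rather than being silently left in the register.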
Page 15
Page 16
• The COSO Enterprise Risk Management-Integrated Framework was initiated in 2004.
• This framework is quite well-known and used globally by many institutions.
• As with ISO 31000, this framework also considers the blend of the company's day-to-day activities (strategic, operations, reporting and compliance) with the practice of managing risks.
• It consists of 8 main components.

Page 17
Page 18
• Entity objectives can be viewed in the context of four categories:
  • Strategic
  • Operations
  • Reporting
  • Compliance

Page 19
• ERM considers activities at all levels of the organization:
  • Enterprise-level
  • Division or subsidiary
  • Business unit processes

Page 20
Page 21
• The ISO 27000 family of standards helps organizations keep information assets secure.
• ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
• An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
• It can help small, medium and large businesses in any sector keep information assets secure.
Page 22
ISO/IEC 27001:2013 has the following sections:
• 0 Introduction - the standard uses a process approach.
• 1 Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
• 2 Normative references - only ISO/IEC 27000 is considered absolutely essential to users of '27001: the remaining ISO27k standards are optional.
• 3 Terms and definitions - a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.
• 4 Context of the organization - understanding the organizational context, the needs and expectations of 'interested parties', and defining the scope of the ISMS. Section 4.4 states very plainly that "The organization shall establish, implement, maintain and continually improve" a compliant ISMS.
• 5 Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
• 6 Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.
• 7 Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.

Page 23
• 8 Operation - a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
• 9 Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
• 10 Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.
• Annex A Reference control objectives and controls - little more in fact than a list of titles of the control sections in ISO/IEC 27002. The annex is 'normative', implying that certified organizations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information security risks.
• Bibliography - points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO 31000 on risk management.

Page 24
Page 25