Five essential aspects of control are identified in the standard:
- Corporate control environment
- Risk assessment
- Control activities
- Information and communications
- Monitoring
Chapter 4: Application of risk management—The risk management review processes must identify areas of opportunity, in which, for example, effective risk management can be turned into a competitive advantage for the company. Risk management in this context goes beyond the control of financial risks. Reputation and a company's future survival are also taken into consideration. Companies under King II must ensure that the governance surrounding risk management is transparent and disclosed to its stakeholders. In King II, risk management is viewed as a continuous process of identifying, evaluating, and managing risk.
Risk assessment in this context addresses the company's exposure:
- Physical and operational risks
- Human resource risks
- Technical risks
- Business continuity and disaster recovery
- Credit and market risks
- Compliance risks
Here are a few sections of the act, which preserve the integrity of the risk management process:
- Section 275A: Prohibits the provision of nonaudit services; requires the auditor to subject the nonaudit service to his or her own external audit procedures.
- Section 275A(3)(b): Prohibits an auditor from having a financial interest in a company.
- Section 287: States that directors will be guilty of an offense when incomplete or noncompliant financial reports are issued. Directors are guilty of an offense in cases where the auditor expressed either a qualified opinion or an adverse opinion.
- Section 287 and section 440FF: State that it will be an offense for any director to issue incomplete or noncompliant financial reports.
- Section 287A: False or misleading statements—directors of a company are accountable to their stakeholders, and the major exposure to liability should rest with the directors or executives responsible for making the decisions or preparing the financial statements that mislead stakeholders.
Figure 1.4 illustrates how vulnerabilities and hazards are managed in the King Report.
Figure 1.4: Risk analysis and assessment process flow.
Finally, the risk analysis process must maintain independence. As cited from the Executive Summary of the King Report, 2002, ISBN 0-620-28852-3, March 2002:
- Independence of mind—The state of mind that permits the provision of an opinion without being affected by influences that compromise professional judgment, allowing an individual to act with integrity, and exercise objectivity and professional skepticism.
- Independence in appearance—The avoidance of facts and circumstances that are so significant that a reasonable and informed third party, having knowledge of all relevant information, including safeguards applied, would reasonably conclude that a firm's, or a member of the assurance team's, integrity, objectivity, or professional skepticism had been compromised.
United States NIST SP 800-30
NIST SP 800-30 consists of three sections: risk assessment, risk mitigation, and control evaluation. It is a questionnaire-, interview-, and tool-based risk methodology. Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. Section 1 describes the risk assessment process, which includes identification, evaluation of risks and risk impacts, and recommendation of risk-reducing measures. Section 2 describes risk mitigation, which refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Section 3 provides an evaluation and assessment of the processes. Nine steps of risk assessment:
- Step 1: System characterization—The first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the accreditation boundaries, and provides information essential to defining the risk.
- Step 2: Threat identification—The goal of this step is to identify the potential threat sources and compile a threat statement listing potential threats and threat sources that are applicable to the system being evaluated.
- Step 3: Vulnerability identification—The goal of this step is to develop a list of system vulnerabilities, flaws, or weaknesses that could be exploited by the potential threat sources. Methods for identifying system vulnerabilities are the identification of vulnerability sources, the performance of system security testing, and the development of a security requirements checklist.
- Step 4: Control analysis and methods—The goal of this step is to analyze the controls implemented, or planned for implementation, by the organization to minimize or eliminate the likelihood or probability of a threat's exercising a system vulnerability.
- Step 5: Likelihood determination—The likelihood rating indicates the probability that a potential vulnerability may be exercised within a threat environment. The factors that must be considered are threat-source motivation and capability, the nature of the vulnerability, and the existence and effectiveness of current controls. The likelihood that a potential vulnerability could be exercised by a given threat source is then rated as high, medium, or low.
- Step 6: Impact analysis—The next step in measuring the level of risk is to determine the impact resulting from a successful threat exercise of a vulnerability.
- Step 7: Risk determination—The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a particular threat and vulnerability pair can be expressed as a function of the likelihood of a given threat source attempting to exercise a given vulnerability, the magnitude of the impact should a threat source successfully exercise the vulnerability, and the adequacy of planned or existing security controls for reducing or eliminating the risk.
- Step 8: Control recommendations—During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The factors that should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks are effectiveness of recommended options, legislation and regulation, organizational policy, operational impact, and safety and reliability.
- Step 9: Results documentation—Once the risk assessment has been completed (threat sources and vulnerabilities identified, risks numerically assessed, and recommended controls provided), the results should be documented in an official report or briefing. A risk assessment report is a management document that helps senior management, the mission owners, make decisions on changes needed in policy, procedures, budgets, and the operation and management of the system.
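As an added example (not from this text or from NIST's own publication), the following Python carries Steps 5 through 7 through to a ranked list of threat/vulnerability pairs, the input that mitigation prioritization needs. The numeric likelihood and impact weights and the risk scale are the ones NIST SP 800-30 uses in its sample risk-level matrix; the threat statement entries are constructed for illustration.

```python
# Added example: NIST SP 800-30 risk determination (Step 7) over a constructed
# threat statement. Weights follow SP 800-30's sample risk-level matrix:
# likelihood high/medium/low = 1.0/0.5/0.1, impact high/medium/low = 100/50/10,
# risk scale: >50 high, >10 to 50 medium, 1 to 10 low. The pairs are invented.
from dataclasses import dataclass

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


@dataclass
class ThreatVulnPair:
    """One entry of the threat statement (Steps 2-3) with its Step 5/6 ratings."""
    threat_source: str
    vulnerability: str
    likelihood: str  # Step 5 rating: high / medium / low
    impact: str      # Step 6 rating: high / medium / low


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: numeric risk = likelihood weight x impact weight."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """Map a numeric score onto the SP 800-30 high/medium/low risk scale."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def prioritize(pairs):
    """Rank pairs highest risk first, so mitigation addresses the worst ones first."""
    scored = [(risk_score(p.likelihood, p.impact), p) for p in pairs]
    return sorted(scored, key=lambda item: item[0], reverse=True)


# Constructed sample threat statement; not taken from SP 800-30 or the text.
SAMPLE_PAIRS = [
    ThreatVulnPair("external attacker", "unpatched internet-facing web server", "high", "high"),
    ThreatVulnPair("insider", "shared admin account without audit logging", "medium", "high"),
    ThreatVulnPair("flood", "server room below grade, no drainage", "low", "medium"),
    ThreatVulnPair("terminated employee", "accounts not removed promptly", "medium", "low"),
]

if __name__ == "__main__":
    for score, pair in prioritize(SAMPLE_PAIRS):
        print(f"{risk_level(score):6} {score:6.1f}  {pair.threat_source} / {pair.vulnerability}")
```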
Risk mitigation is the second process of risk management. It involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment. Because elimination of all risk is usually impractical or close to impossible, it is the responsibility of senior functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level.
Phase 1. Options—The goals and mission of an organization should be considered in selecting any of these risk mitigation options. It is not practical to address all identified risks, so priority should be given to the threat and vulnerability pairs that have the highest potential to cause significant impact or harm. NIST SP800-30 defines the following options when addressing risk:
- Risk assumption: Accept the potential risk and continue operating.
- Risk avoidance: Avoid the risk by eliminating the risk cause or consequence or both.
- Risk limitation: Limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability.
- Risk planning: Manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.
- Research and acknowledgment of risk: Lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct it.
- Risk transference: Transfer the risk by using other options to compensate for the loss.
Phase 2. Risk mitigation strategy—Figure 1.5 outlines the risk mitigation strategy set out in NIST SP800-30.
- When a vulnerability or flaw exists, implement assurance techniques to reduce the likelihood of the vulnerability being exploited.
- When a vulnerability can be exercised, apply layered protections and administrative controls to minimize the risk of an exploit or prevent it.
- When the attacker's cost is less than the potential gain, apply protection to decrease an attacker's motivation by increasing the attacker's effort.
- When loss is too great, apply technical and nontechnical protections to limit the potential
Phase 3. Control implementation—When control actions must be taken, address the greatest risks and strive for sufficient risk mitigation at the lowest cost with minimum impact on other mission capabilities by the following:
- Prioritizing actions
- Evaluating recommended control options
- Conducting cost-benefit analysis
- Selecting controls based on the results of the cost-benefit analysis
- Assigning responsibility to appropriate persons who have the expertise and skill sets to implement the selected controls
- Developing a safeguard implementation plan
Phase 4. Control categories:
- Technical security controls: These controls may range from simple to complex measures and usually involve system architectures, engineering disciplines, and security packages with a mix of hardware, software, and firmware.
- Management security controls: Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization's goals and missions.
- Operational security controls: Operational controls, implemented in accordance with a base set of requirements, technical controls, and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat sources.
Phase 5. Cost-benefit analysis—The cost-benefit analysis can be qualitative or quantitative. Its purpose is to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk.
Figure 1.5: Risk and threat mitigation process flow.
International Standards Organization/UN: ISO/IEC 13335-2