SlideShare a Scribd company logo

CELOE MRKI Lecture Notes 02 v0.1_old.pptx

Download as PPTX, PDF
D
DandzaPraditya

Lecture notes risk management

Education
1 of 28
Aspek People, Process, dan Technology Pada Seven Enablers ISH4U3 Manajemen Risiko dan Keamanan Informasi By: Rokhman Fauzi & Team Teaching IS Management Information Systems | School of Industrial Engineering | Telkom University
Agenda 1. Prinsip, kebijakan, dan kerangka kerja 2. Proses 3. Struktur organisasi 4. Etika, perilaku, dan kultur 5. Informasi 6. Layanan, aplikasi, dan infrastruktur 7. SDM, skill, dan kompetensi 2
Drivers for Risk The main drivers for risk management include providing:  Stakeholders with substantiated and consistent opinions over the current state of risk throughout the enterprise  Guidance on how to manage risk to levels within the enterprise’s risk appetite  Guidance on how to set up the appropriate risk culture for the enterprise  Wherever possible, quantitative risk assessments enabling stakeholders to consider the cost of mitigation and the required resources against the loss exposure 3
Risk Perspectives 4
Risk Function Perspectives 5 COBIT 5 for Risk provides guidance and describes how each enabler contributes to the overall governance and management of the risk function. For example:  Which Processes are required to define and sustain the risk function, govern and manage risk  What Information flows are required to govern and manage risk—e.g., risk universe, risk profile  The Organisational Structures that are required to govern and manage risk effectively—e.g., enterprise risk committee, risk function  What People and Skills should be put in place to establish and operate an effective risk function
Seven Enablers & IT Risk The seven categories of enablers also apply to managing risk. The enablers support the provisioning of risk governance and management over enterprise IT, as shown in the following examples: 1. Principles, Policies and Frameworks—Risk principles, risk policies and compliance approaches 2. Processes—The core risk processes in the evaluate, direct and monitor (EDM) and align, plan and organise (APO) domains, as well as the application of many other processes to the risk function 3. Organisational Structures—ERM committee, chief risk officer (CRO) 4. Culture, Ethics and Behaviour—Enterprisewide behaviour, management behaviour and risk professionals’ behavior supporting risk management 5. Information—Risk profile, risk scenarios, risk map 6. Services, Infrastructure and Applications—Emerging risk advisory services 7. People, Skills and Competencies—CRISC certification, risk management and technical skills 6
The Principles, Policies and Frameworks (1) 7 The Principles, Policies and Frameworks model (figure 14) shows: • Stakeholders—Stakeholders for principles and policies can be internal or external to the enterprise. They include the board and executive management, compliance officers, risk managers, internal and external auditors, service providers and customers, and regulatory agencies. The stakes are twofold: Some stakeholders define and set policies, others have to align to, and comply with, the policies. • Goals and metrics—Principles, policies and frameworks are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values, as defined by the board and executive management.
The Principles, Policies and Frameworks (2) ▪ Principles need to: – Be limited in number – Use simple language, expressing as clearly as possible the core values of the enterprise ▪ Policies provide more detailed guidance on how to put principles into practice and they influence how decision making aligns with the principles. Good policies are: ▫ Effective—They achieve the stated purpose. ▫ Efficient—They ensure that principles are implemented in the most efficient way. ▫ Non-intrusive—They appear logical for those who have to comply with them, i.e., they do not create unnecessary resistance. ▫ Aligned—They are in alignment with the overall enterprise strategy. 8
The Principles, Policies and Frameworks (3) 9 Life cycle—Policies have a life cycle that has to support the achievement of the defined goals. Frameworks are key because they provide a structure to define consistent guidance. For example, a policy framework provides the structure in which a consistent set of policies can be created and maintained, and it also provides an easy point of navigation within and amongst individual policies.
The Principles, Policies and Frameworks (4) 10 • Good practices: Good practice requires that policies be part of an overall governance and management framework, providing a (hierarchical) structure into which all policies should fit and clearly make the link to the underlying principles. As part of the policy framework, the following items need to be described: • Scope and validity • Roles and responsibilities of the stakeholders • The consequences of failing to comply with the policy • The means for handling exceptions • The manner in which compliance with the policy will be checked and measured Policies should be aligned with the enterprise’s risk appetite. Policies are a key component of an enterprise’s system of internal control, whose purpose it is to manage and contain risk. As part of risk governance activities, the enterprise’s risk appetite is defined, and this risk appetite should be reflected in the policies. A risk-averse enterprise has stricter policies than a risk-aggressive enterprise. Policies need to be revalidated and/or updated at regular intervals to ensure relevance to business requirements and practices.
Processes 11 Goals—Process goals are defined as ‘a statement describing the desired outcome of a process. An outcome can be an artefact, a significant change of a state or a significant capability improvement of other processes’. They are part of the goals cascade, i.e., process goals support IT-related goals, which, in turn, support enterprise goals. Process goals can be categorised as: • Intrinsic goals—Does the process have intrinsic quality? Is it accurate and in line with good practice? Is it compliant with internal and external rules? • Contextual goals—Is the process customised and adapted to the enterprise’s specific situation? Is the process relevant, understandable and easy to apply? • Accessibility and security goals—The process remains confidential, when required, and is known and accessible to those who need it. Stakeholders—Processes have internal and external stakeholders, with their own roles; stakeholders and their responsibility levels are documented in RACI (responsible, accountable, consulted, informed) charts. External stakeholders include customers, business partners, shareholders and regulators. Internal stakeholders include the board, management, staff and volunteers.
Processes (2) 12 • Life cycle—Each process has a life cycle. It is defined, created, operated, monitored and adjusted/updated or retired. Generic process practices such as those defined in the COBIT process assessment model (PAM), based on International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15504, can assist with defining, running, monitoring and optimising processes. • Good practices—COBIT 5: Enabling Processes contains a process reference model, in which process internal good practices are described in increasing levels of detail: practices, activities and detailed activities. In this publication, this good practice is not repeated; only risk-specific guidance is developed when relevant.
13
Key Supporting Processes for the Risk Function (1) 14
Key Supporting Processes for the Risk Function (2) 15
Organisational Structures (1) 16 Stakeholders—Organisational structures stakeholders can be internal or external to the enterprise. These stakeholders include the individual members of the structure, other structures, organisational entities, clients, suppliers and regulators. Their roles vary and include decision making, influencing and advising. The stakes of each of the stakeholders also vary, i.e., what interest do they have in the decisions made by the structure? Goals—The goals for the Organisational Structures enabler include have a proper mandate, have well-defined operating principles and the application of other good practices. The outcome of the organizational structures enabler should include numerous good activities and decisions.
Organisational Structures (2) 17 Life cycle—An organisational structure has a life cycle. The organisational structure is created, exists and is adjusted, and, finally, it can be disbanded. During its inception, a mandate—a reason and purpose for its existence—has to be defined. Good practices—A number of good practices for organisational structures can be distinguished, such as: • Operating principles—The practical arrangements regarding how the structure operates, such as frequency of meetings, documentation and housekeeping rules • Decisions—Risk-based direction considering the processing of relevant inputs and required or expected outputs • Span of control—The decision-rights boundaries of the organisational structure • Level of authority/decision rights—The decisions that the structure is authorised to make • Delegation of authority—The structure’s authority to delegate a subset of its decision rights to other structures that report to it. • Escalation procedures—The escalation path for a structure, which describes the required actions in case of problems in making decisions.
Lines of Defense Against Risk 18 • As the first line of defence, operational managers own and manage risk. They also are responsible for implementing corrective actions to address process and control deficiencies. • In practice, a single line of defence often can prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line of defence controls. • Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the enterprise. This high level of independence is not available in the second line of defence. Internal audit also provides assurance on the manner in which the first and second lines of defence achieve risk management.
Culture, Ethics and Behaviour 19 Stakeholders—Culture, ethics and behaviour stakeholders can be internal or external to the enterprise. Internal stakeholders include the entire enterprise, external stakeholders include regulators, e.g., external auditors or supervisory bodies. Stakes are twofold: Some stakeholders, e.g., legal officers, risk managers, HR managers, remuneration boards and officers, deal with defining, implementing and enforcing desired behaviours; others have to align with the defined rules and norms.
Culture, Ethics and Behaviour (2) 20 Goals—Goals for the Culture, Ethics and Behaviour enabler relate to: • Organisational ethics, determined by the values by which the enterprise wants to live • Individual ethics, determined by the personal values of each individual in the enterprise and depending, to an important extent, on external factors such as religion, ethnicity, socioeconomic background, geography and personal experiences • Individual behaviours, which collectively determine the culture of an enterprise. Many factors, such as the external factors mentioned above, interpersonal relationships in enterprises, personal objectives and ambitions also drive behaviours. Some types of behaviours that can be relevant in this context include: • Behaviour towards taking risk—How much risk does the enterprise feel it can absorb and which risk is it willing to take? • Behaviour towards following policy—To what extent will people embrace and/or comply with policy? • Behaviour towards negative outcomes—How does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause?
Culture, Ethics and Behaviour (3) 21 Life cycle—An organisational culture, ethical stance and individual behaviours, etc., all have their life cycles. Starting from an existing culture, an enterprise can identify required changes and work towards their implementation. Several tools, described in the good practices, can be used. Good practices—Good practices for creating, encouraging and maintaining desired behaviour throughout the enterprise include: • Communication throughout the enterprise of desired behaviours and the underlying corporate values • Awareness of desired behaviour, strengthened by the example behaviour exercised by senior management and other champions • Incentives encourage desired behaviour, and deterrents discourage undesirable behaviour, often as part of the HR reward and recognition programme • Re-evaluation of expectations, influences and changes in behaviour and practices reports on existing behaviour versus the behaviour that management perceives • Rules and norms, which provide more guidance on desired organisational behaviour. These link very clearly to the principles and policies that an enterprise puts in place.
Information 22 Different categories of roles in dealing with information are possible, ranging from detailed proposals (e.g., suggesting specific data or information roles such as architect, owner, steward, trustee, supplier, beneficiary, modeller, quality manager, security manager) to more general proposals—for instance, distinguishing amongst information producers, information custodians and information consumers, as follows: • Information producer is responsible for creating the information • Information custodian is responsible for storing and maintaining the information • Information consumer is responsible for using the information Stakeholders—Can be internal or external to the enterprise. The generic model also suggests that, apart from identifying the stakeholders, their stakes (i.e., why they care or are interested in the information) need to be identified.
Three Subdimensions of Quality (1) 23 [1] Intrinsic quality The extent to which data values are in conformance with the actual or true values. It includes: • Accuracy—The extent to which information is correct and reliable • Objectivity—The extent to which information is unbiased, unprejudiced and impartial • Believability—The extent to which information is regarded as true and credible • Reputation—The extent to which information is highly regarded in terms of its source or content
Three Subdimensions of Quality (1) 24 [2] Contextual and representational quality The extent to which information is applicable to the task of the information user and is presented in an intelligible and clear manner, recognising that information quality depends on the context of use. It includes: • Relevancy—The extent to which information is applicable and helpful for the task at hand • Completeness—The extent to which information is not missing and is of sufficient depth and breadth for the task at hand • Currency—The extent to which information is sufficiently up to date for the task at hand • Appropriate amount of information—The extent to which the volume of information is appropriate for the task at hand • Concise representation—The extent to which information is compactly represented • Consistent representation—The extent to which information is presented in the same format • Interpretability—The extent to which information is in appropriate languages, symbols and units, with clear definitions • Understandability—The extent to which information is easily comprehended • Ease of manipulation—The extent to which information is easy to manipulate and apply to different tasks
Three Subdimensions of Quality (3) 25 [3] Security/accessibility quality The extent to which information is available or obtainable. It includes: • Availability/timeliness—The extent to which information is available when required, or easily and quickly retrievable • Restricted access—The extent to which access to information is restricted appropriately to authorised parties
Information Life Cycle 26 Life cycle—The full life cycle of information needs to be considered, and different approaches may be required for information in different phases of the life cycle. The COBIT 5 Information enabler distinguishes the following phases: 1. Plan—The phase in which the creation and use of the information resource is prepared. Activities in this phase may refer to the identification of objectives, the planning of the information architecture, and the development of standards and definitions, e.g., data definitions, data collection procedures. 2. Design—Defining the risk management information requirements 3. Build/acquire/create/implement—The phase in which the information resource is acquired. Activities in this phase may refer to the creation of data records, the purchase of data and the loading of external files. 4. Use/operate
Information Life Cycle – Use/Operate Use/operate, which includes: • Store—The phase in which information is held electronically or in hard copy (or even just in human memory). Activities in this phase may refer to the storage of information in electronic form, e.g., electronic files, databases, data warehouses, or as hard copy, e.g., paper documents. • Share—The phase in which information is made available for use through a distribution method. Activities in this phase may refer to the processes involved in getting the information to places where it can be accessed and used, e.g., distributing documents by email. For electronically held information, this life cycle phase may largely overlap with the store phase, e.g., sharing information through database access, file/document servers. • Use—The phase in which information is used to accomplish goals. Activities in this phase may refer to all kinds of information usage (e.g., managerial decision making, running automated processes), and may also include activities such as information retrieval and converting information from one form to another. 27
Discussion 28

Recommended

COSO_2013_Framework_on_Internal_Control.pdf
COSO_2013_Framework_on_Internal_Control.pdfCOSO_2013_Framework_on_Internal_Control.pdf
COSO_2013_Framework_on_Internal_Control.pdfAliehaDhea
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxjojo82637
 
standards1.pdf
standards1.pdfstandards1.pdf
standards1.pdfKarthick Panneerselvam
 
FINAL IMS PPT - Read-Only - Compatibility Mode.pdf
FINAL IMS PPT - Read-Only - Compatibility Mode.pdfFINAL IMS PPT - Read-Only - Compatibility Mode.pdf
FINAL IMS PPT - Read-Only - Compatibility Mode.pdfKShah24
 
What do the changes to ISO14001 mean for business?
What do the changes to ISO14001 mean for business? What do the changes to ISO14001 mean for business?
What do the changes to ISO14001 mean for business? Ardea International
 
19600 Compliance Management System Guidelines
19600 Compliance Management System Guidelines19600 Compliance Management System Guidelines
19600 Compliance Management System GuidelinesNimonik
 
19600 compliance management system guidelines
19600 compliance management system guidelines19600 compliance management system guidelines
19600 compliance management system guidelinesNimonik
 
Coso erm
Coso ermCoso erm
Coso ermluisrobles_cl
 

Recommended

COSO_2013_Framework_on_Internal_Control.pdf
COSO_2013_Framework_on_Internal_Control.pdfCOSO_2013_Framework_on_Internal_Control.pdf
COSO_2013_Framework_on_Internal_Control.pdfAliehaDhea
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxjojo82637
 
standards1.pdf
standards1.pdfstandards1.pdf
standards1.pdfKarthick Panneerselvam
 
FINAL IMS PPT - Read-Only - Compatibility Mode.pdf
FINAL IMS PPT - Read-Only - Compatibility Mode.pdfFINAL IMS PPT - Read-Only - Compatibility Mode.pdf
FINAL IMS PPT - Read-Only - Compatibility Mode.pdfKShah24
 
What do the changes to ISO14001 mean for business?
What do the changes to ISO14001 mean for business? What do the changes to ISO14001 mean for business?
What do the changes to ISO14001 mean for business? Ardea International
 
19600 Compliance Management System Guidelines
19600 Compliance Management System Guidelines19600 Compliance Management System Guidelines
19600 Compliance Management System GuidelinesNimonik
 
19600 compliance management system guidelines
19600 compliance management system guidelines19600 compliance management system guidelines
19600 compliance management system guidelinesNimonik
 
Coso erm
Coso ermCoso erm
Coso ermluisrobles_cl
 
Coso erm
Coso ermCoso erm
Coso ermHumberto Omar Valverde Taborga
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSODina Pramudianti
 
Erm tm 10
Erm tm 10Erm tm 10
Erm tm 10Mulyadi Yusuf
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORENaresh Parandhaman
 
ISO 45001 Key Implementation Steps
ISO 45001 Key Implementation StepsISO 45001 Key Implementation Steps
ISO 45001 Key Implementation StepsPECB
 
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...Bryson. chapter 2. the strategy change cycle. an effective strategic planning...
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...Beulah Heights University
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self AssessmentManoj Agarwal
 
strategic management process ppt.pdf
strategic management process ppt.pdfstrategic management process ppt.pdf
strategic management process ppt.pdfMohammed Kandeel
 
Strategic managemnet process ppt
Strategic managemnet process pptStrategic managemnet process ppt
Strategic managemnet process pptMUHAMMAD HASRATH
 
Ethics module2 kerala univer
Ethics module2 kerala univerEthics module2 kerala univer
Ethics module2 kerala univerPOOJA UDAYAN
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.pptSashaKing4
 
Principal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic ApproachPrincipal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic ApproachMohammad Reda Katby
 
GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014Paul Simidi
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 
Strategic Management
Strategic ManagementStrategic Management
Strategic ManagementManishNathSrivastava
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
ISO 55000 for Leaders: Developing an Asset Management Policy
ISO 55000 for Leaders: Developing an Asset Management PolicyISO 55000 for Leaders: Developing an Asset Management Policy
ISO 55000 for Leaders: Developing an Asset Management PolicyLife Cycle Engineering
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated frameworkIrfan Ahmed - ACA, CICA
 
Asset management
Asset managementAsset management
Asset managementrob coulson
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aMaximaSheffield592
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 

More Related Content

Similar to CELOE MRKI Lecture Notes 02 v0.1_old.pptx

Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSODina Pramudianti
 
ISO 45001 Key Implementation Steps
ISO 45001 Key Implementation StepsISO 45001 Key Implementation Steps
ISO 45001 Key Implementation StepsPECB
 
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...Bryson. chapter 2. the strategy change cycle. an effective strategic planning...
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...Beulah Heights University
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self AssessmentManoj Agarwal
 
strategic management process ppt.pdf
strategic management process ppt.pdfstrategic management process ppt.pdf
strategic management process ppt.pdfMohammed Kandeel
 
Strategic managemnet process ppt
Strategic managemnet process pptStrategic managemnet process ppt
Strategic managemnet process pptMUHAMMAD HASRATH
 
Ethics module2 kerala univer
Ethics module2 kerala univerEthics module2 kerala univer
Ethics module2 kerala univerPOOJA UDAYAN
 
Principal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic ApproachPrincipal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic ApproachMohammad Reda Katby
 
GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014Paul Simidi
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
ISO 55000 for Leaders: Developing an Asset Management Policy
ISO 55000 for Leaders: Developing an Asset Management PolicyISO 55000 for Leaders: Developing an Asset Management Policy
ISO 55000 for Leaders: Developing an Asset Management PolicyLife Cycle Engineering
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated frameworkIrfan Ahmed - ACA, CICA
 
Asset management
Asset managementAsset management
Asset managementrob coulson
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aMaximaSheffield592
 

Similar to CELOE MRKI Lecture Notes 02 v0.1_old.pptx (20)

Coso erm
Coso ermCoso erm
Coso erm
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSO
 
Erm tm 10
Erm tm 10Erm tm 10
Erm tm 10
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
 
ISO 45001 Key Implementation Steps
ISO 45001 Key Implementation StepsISO 45001 Key Implementation Steps
ISO 45001 Key Implementation Steps
 
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...Bryson. chapter 2. the strategy change cycle. an effective strategic planning...
Bryson. chapter 2. the strategy change cycle. an effective strategic planning...
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self Assessment
 
strategic management process ppt.pdf
strategic management process ppt.pdfstrategic management process ppt.pdf
strategic management process ppt.pdf
 
Strategic managemnet process ppt
Strategic managemnet process pptStrategic managemnet process ppt
Strategic managemnet process ppt
 
Ethics module2 kerala univer
Ethics module2 kerala univerEthics module2 kerala univer
Ethics module2 kerala univer
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
Principal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic ApproachPrincipal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic Approach
 
GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014GRC - Isaca Training 16.9.2014
GRC - Isaca Training 16.9.2014
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
 
Strategic Management
Strategic ManagementStrategic Management
Strategic Management
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
ISO 55000 for Leaders: Developing an Asset Management Policy
ISO 55000 for Leaders: Developing an Asset Management PolicyISO 55000 for Leaders: Developing an Asset Management Policy
ISO 55000 for Leaders: Developing an Asset Management Policy
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated framework
 
Asset management
Asset managementAsset management
Asset management
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
 

Recently uploaded

MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 

Recently uploaded (20)

MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 

CELOE MRKI Lecture Notes 02 v0.1_old.pptx

  • 1. Aspek People, Process, dan Technology Pada Seven Enablers ISH4U3 Manajemen Risiko dan Keamanan Informasi By: Rokhman Fauzi & Team Teaching IS Management Information Systems | School of Industrial Engineering | Telkom University
  • 2. Agenda 1. Prinsip, kebijakan, dan kerangka kerja 2. Proses 3. Struktur organisasi 4. Etika, perilaku, dan kultur 5. Informasi 6. Layanan, aplikasi, dan infrastruktur 7. SDM, skill, dan kompetensi 2
  • 3. Drivers for Risk The main drivers for risk management include providing:  Stakeholders with substantiated and consistent opinions over the current state of risk throughout the enterprise  Guidance on how to manage risk to levels within the enterprise’s risk appetite  Guidance on how to set up the appropriate risk culture for the enterprise  Wherever possible, quantitative risk assessments enabling stakeholders to consider the cost of mitigation and the required resources against the loss exposure 3
  • 5. Risk Function Perspectives 5 COBIT 5 for Risk provides guidance and describes how each enabler contributes to the overall governance and management of the risk function. For example:  Which Processes are required to define and sustain the risk function, govern and manage risk  What Information flows are required to govern and manage risk—e.g., risk universe, risk profile  The Organisational Structures that are required to govern and manage risk effectively—e.g., enterprise risk committee, risk function  What People and Skills should be put in place to establish and operate an effective risk function
  • 6. Seven Enablers & IT Risk The seven categories of enablers also apply to managing risk. The enablers support the provisioning of risk governance and management over enterprise IT, as shown in the following examples: 1. Principles, Policies and Frameworks—Risk principles, risk policies and compliance approaches 2. Processes—The core risk processes in the evaluate, direct and monitor (EDM) and align, plan and organise (APO) domains, as well as the application of many other processes to the risk function 3. Organisational Structures—ERM committee, chief risk officer (CRO) 4. Culture, Ethics and Behaviour—Enterprisewide behaviour, management behaviour and risk professionals’ behavior supporting risk management 5. Information—Risk profile, risk scenarios, risk map 6. Services, Infrastructure and Applications—Emerging risk advisory services 7. People, Skills and Competencies—CRISC certification, risk management and technical skills 6
  • 7. The Principles, Policies and Frameworks (1) 7 The Principles, Policies and Frameworks model (figure 14) shows: • Stakeholders—Stakeholders for principles and policies can be internal or external to the enterprise. They include the board and executive management, compliance officers, risk managers, internal and external auditors, service providers and customers, and regulatory agencies. The stakes are twofold: Some stakeholders define and set policies, others have to align to, and comply with, the policies. • Goals and metrics—Principles, policies and frameworks are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values, as defined by the board and executive management.
  • 8. The Principles, Policies and Frameworks (2) ▪ Principles need to: – Be limited in number – Use simple language, expressing as clearly as possible the core values of the enterprise ▪ Policies provide more detailed guidance on how to put principles into practice and they influence how decision making aligns with the principles. Good policies are: ▫ Effective—They achieve the stated purpose. ▫ Efficient—They ensure that principles are implemented in the most efficient way. ▫ Non-intrusive—They appear logical for those who have to comply with them, i.e., they do not create unnecessary resistance. ▫ Aligned—They are in alignment with the overall enterprise strategy. 8
  • 9. The Principles, Policies and Frameworks (3) 9 Life cycle—Policies have a life cycle that has to support the achievement of the defined goals. Frameworks are key because they provide a structure to define consistent guidance. For example, a policy framework provides the structure in which a consistent set of policies can be created and maintained, and it also provides an easy point of navigation within and amongst individual policies.
  • 10. The Principles, Policies and Frameworks (4) 10 • Good practices: Good practice requires that policies be part of an overall governance and management framework, providing a (hierarchical) structure into which all policies should fit and clearly make the link to the underlying principles. As part of the policy framework, the following items need to be described: • Scope and validity • Roles and responsibilities of the stakeholders • The consequences of failing to comply with the policy • The means for handling exceptions • The manner in which compliance with the policy will be checked and measured Policies should be aligned with the enterprise’s risk appetite. Policies are a key component of an enterprise’s system of internal control, whose purpose it is to manage and contain risk. As part of risk governance activities, the enterprise’s risk appetite is defined, and this risk appetite should be reflected in the policies. A risk-averse enterprise has stricter policies than a risk-aggressive enterprise. Policies need to be revalidated and/or updated at regular intervals to ensure relevance to business requirements and practices.
  • 11. Processes 11 Goals—Process goals are defined as ‘a statement describing the desired outcome of a process. An outcome can be an artefact, a significant change of a state or a significant capability improvement of other processes’. They are part of the goals cascade, i.e., process goals support IT-related goals, which, in turn, support enterprise goals. Process goals can be categorised as: • Intrinsic goals—Does the process have intrinsic quality? Is it accurate and in line with good practice? Is it compliant with internal and external rules? • Contextual goals—Is the process customised and adapted to the enterprise’s specific situation? Is the process relevant, understandable and easy to apply? • Accessibility and security goals—The process remains confidential, when required, and is known and accessible to those who need it. Stakeholders—Processes have internal and external stakeholders, with their own roles; stakeholders and their responsibility levels are documented in RACI (responsible, accountable, consulted, informed) charts. External stakeholders include customers, business partners, shareholders and regulators. Internal stakeholders include the board, management, staff and volunteers.
  • 12. Processes (2) 12 • Life cycle—Each process has a life cycle. It is defined, created, operated, monitored and adjusted/updated or retired. Generic process practices such as those defined in the COBIT process assessment model (PAM), based on International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15504, can assist with defining, running, monitoring and optimising processes. • Good practices—COBIT 5: Enabling Processes contains a process reference model, in which process internal good practices are described in increasing levels of detail: practices, activities and detailed activities. In this publication, this good practice is not repeated; only risk-specific guidance is developed when relevant.
  • 13. 13
  • 14. Key Supporting Processes for the Risk Function (1) 14
  • 15. Key Supporting Processes for the Risk Function (2) 15
  • 16. Organisational Structures (1) 16 Stakeholders—Organisational structures stakeholders can be internal or external to the enterprise. These stakeholders include the individual members of the structure, other structures, organisational entities, clients, suppliers and regulators. Their roles vary and include decision making, influencing and advising. The stakes of each of the stakeholders also vary, i.e., what interest do they have in the decisions made by the structure? Goals—The goals for the Organisational Structures enabler include have a proper mandate, have well-defined operating principles and the application of other good practices. The outcome of the organizational structures enabler should include numerous good activities and decisions.
  • 17. Organisational Structures (2) 17 Life cycle—An organisational structure has a life cycle. The organisational structure is created, exists and is adjusted, and, finally, it can be disbanded. During its inception, a mandate—a reason and purpose for its existence—has to be defined. Good practices—A number of good practices for organisational structures can be distinguished, such as: • Operating principles—The practical arrangements regarding how the structure operates, such as frequency of meetings, documentation and housekeeping rules • Decisions—Risk-based direction considering the processing of relevant inputs and required or expected outputs • Span of control—The decision-rights boundaries of the organisational structure • Level of authority/decision rights—The decisions that the structure is authorised to make • Delegation of authority—The structure’s authority to delegate a subset of its decision rights to other structures that report to it. • Escalation procedures—The escalation path for a structure, which describes the required actions in case of problems in making decisions.
  • 18. Lines of Defense Against Risk 18 • As the first line of defence, operational managers own and manage risk. They also are responsible for implementing corrective actions to address process and control deficiencies. • In practice, a single line of defence often can prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line of defence controls. • Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the enterprise. This high level of independence is not available in the second line of defence. Internal audit also provides assurance on the manner in which the first and second lines of defence achieve risk management.
  • 19. Culture, Ethics and Behaviour 19 Stakeholders—Culture, ethics and behaviour stakeholders can be internal or external to the enterprise. Internal stakeholders include the entire enterprise, external stakeholders include regulators, e.g., external auditors or supervisory bodies. Stakes are twofold: Some stakeholders, e.g., legal officers, risk managers, HR managers, remuneration boards and officers, deal with defining, implementing and enforcing desired behaviours; others have to align with the defined rules and norms.
  • 20. Culture, Ethics and Behaviour (2) 20 Goals—Goals for the Culture, Ethics and Behaviour enabler relate to: • Organisational ethics, determined by the values by which the enterprise wants to live • Individual ethics, determined by the personal values of each individual in the enterprise and depending, to an important extent, on external factors such as religion, ethnicity, socioeconomic background, geography and personal experiences • Individual behaviours, which collectively determine the culture of an enterprise. Many factors, such as the external factors mentioned above, interpersonal relationships in enterprises, personal objectives and ambitions also drive behaviours. Some types of behaviours that can be relevant in this context include: • Behaviour towards taking risk—How much risk does the enterprise feel it can absorb and which risk is it willing to take? • Behaviour towards following policy—To what extent will people embrace and/or comply with policy? • Behaviour towards negative outcomes—How does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause?
  • 21. Culture, Ethics and Behaviour (3) 21 Life cycle—An organisational culture, ethical stance and individual behaviours, etc., all have their life cycles. Starting from an existing culture, an enterprise can identify required changes and work towards their implementation. Several tools, described in the good practices, can be used. Good practices—Good practices for creating, encouraging and maintaining desired behaviour throughout the enterprise include: • Communication throughout the enterprise of desired behaviours and the underlying corporate values • Awareness of desired behaviour, strengthened by the example behaviour exercised by senior management and other champions • Incentives encourage desired behaviour, and deterrents discourage undesirable behaviour, often as part of the HR reward and recognition programme • Re-evaluation of expectations, influences and changes in behaviour and practices reports on existing behaviour versus the behaviour that management perceives • Rules and norms, which provide more guidance on desired organisational behaviour. These link very clearly to the principles and policies that an enterprise puts in place.
  • 22. Information 22 Different categories of roles in dealing with information are possible, ranging from detailed proposals (e.g., suggesting specific data or information roles such as architect, owner, steward, trustee, supplier, beneficiary, modeller, quality manager, security manager) to more general proposals—for instance, distinguishing amongst information producers, information custodians and information consumers, as follows: • Information producer is responsible for creating the information • Information custodian is responsible for storing and maintaining the information • Information consumer is responsible for using the information Stakeholders—Can be internal or external to the enterprise. The generic model also suggests that, apart from identifying the stakeholders, their stakes (i.e., why they care or are interested in the information) need to be identified.
  • 23. Three Subdimensions of Quality (1) 23 [1] Intrinsic quality The extent to which data values are in conformance with the actual or true values. It includes: • Accuracy—The extent to which information is correct and reliable • Objectivity—The extent to which information is unbiased, unprejudiced and impartial • Believability—The extent to which information is regarded as true and credible • Reputation—The extent to which information is highly regarded in terms of its source or content
  • 24. Three Subdimensions of Quality (1) 24 [2] Contextual and representational quality The extent to which information is applicable to the task of the information user and is presented in an intelligible and clear manner, recognising that information quality depends on the context of use. It includes: • Relevancy—The extent to which information is applicable and helpful for the task at hand • Completeness—The extent to which information is not missing and is of sufficient depth and breadth for the task at hand • Currency—The extent to which information is sufficiently up to date for the task at hand • Appropriate amount of information—The extent to which the volume of information is appropriate for the task at hand • Concise representation—The extent to which information is compactly represented • Consistent representation—The extent to which information is presented in the same format • Interpretability—The extent to which information is in appropriate languages, symbols and units, with clear definitions • Understandability—The extent to which information is easily comprehended • Ease of manipulation—The extent to which information is easy to manipulate and apply to different tasks
  • 25. Three Subdimensions of Quality (3) 25 [3] Security/accessibility quality The extent to which information is available or obtainable. It includes: • Availability/timeliness—The extent to which information is available when required, or easily and quickly retrievable • Restricted access—The extent to which access to information is restricted appropriately to authorised parties
  • 26. Information Life Cycle 26 Life cycle—The full life cycle of information needs to be considered, and different approaches may be required for information in different phases of the life cycle. The COBIT 5 Information enabler distinguishes the following phases: 1. Plan—The phase in which the creation and use of the information resource is prepared. Activities in this phase may refer to the identification of objectives, the planning of the information architecture, and the development of standards and definitions, e.g., data definitions, data collection procedures. 2. Design—Defining the risk management information requirements 3. Build/acquire/create/implement—The phase in which the information resource is acquired. Activities in this phase may refer to the creation of data records, the purchase of data and the loading of external files. 4. Use/operate
  • 27. Information Life Cycle – Use/Operate Use/operate, which includes: • Store—The phase in which information is held electronically or in hard copy (or even just in human memory). Activities in this phase may refer to the storage of information in electronic form, e.g., electronic files, databases, data warehouses, or as hard copy, e.g., paper documents. • Share—The phase in which information is made available for use through a distribution method. Activities in this phase may refer to the processes involved in getting the information to places where it can be accessed and used, e.g., distributing documents by email. For electronically held information, this life cycle phase may largely overlap with the store phase, e.g., sharing information through database access, file/document servers. • Use—The phase in which information is used to accomplish goals. Activities in this phase may refer to all kinds of information usage (e.g., managerial decision making, running automated processes), and may also include activities such as information retrieval and converting information from one form to another. 27