cobit 5 for it policies and risk - bpug- · pdf filegroup technology and operations deutsche...

Deutsche Bank

COBIT 5 for IT Policies and Risk

6th October 2015

Group Technology and Operations

Deutsche Bank Alan Shepherd

ISACA/BPUG COBIT in der Praxis

Contents

How COBIT 5 is used for IT Management Policy

COBIT 5 as Basis for Risk Management

What COBIT, ISO, etc. Don’t Tell You




COBIT 5 as Basis for Policies

How COBIT 5 is used for IT Management Policy




Further Reading

10/6/2015 2010 DB Blue template

3

Praxiswissen COBIT, Markus Gaulke

mit Praxisbeitrag zum Thema

http://www.amazon.de/Praxiswissen-COBIT-Grundlagen-praktische-IT-Governance/dp/3864900557/ref=sr_1_1?ie=UTF8&qid=1400860484&sr=8-1







COBIT 5 Product Family


4




COBIT 5 Enabling Processes


5




DB Policy Built in Two Steps


6

Version 1 (published)

9 out of 37 COBIT

Processes have been

included in V1.1 of the

IT Management Policy.

Version 2

All 37 COBIT

Processes will be

included in V2 of the IT

Management Policy.




COBIT 5 as Basis for Risk Management

COBIT 5 for Risk

Risk Scenarios

Risk Management Process

Other Standards




COBIT 5 Products


8




Risk Scenarios


9




Risk Scenarios


10




Risk Scenarios


11

See Appendix for Sample




Risk Management Process


12




Risk Management in ISO Standards


13

ISO 31000:2009(E) ISO/IEC 27005:2011




PMBOK 4th Edition


14




ISO/IEC 27005:2011


15




What COBIT, ISO, etc. Don’t Tell You

Some Problems with Current Risk Assessment Methods

Some Answers

Some Advanced Answers

References




Risk Assessment Methods


17

If your Risk Assessment is wrong ... ... mitigation is addressing

the wrong problems

Waste

Bad Decisions

How do you know it works? Effectiveness of

methods not verified

Some methods are

known not to work

Methods that do work

are not used

Probability x Loss Assumes Risk Neutral (most people are risk averse)

Loses Information

Assumes Risks are

independent

Risk of extensive defaults

on subprime loans

Risk of novel financial

products

Risk of failure of AIG

Low

Low

Low

Financial Crisis




Risk Assessment Problems


18

Catastrophic Overconfidence

Near misses or survivals

increase risk tolerance

Logical Errors Misconception of Chance

Conjunction Fallacy

Law of Small Numbers

Variance in Small Samples

Insensitivity to Prior Probabilities

Experience of “Experts” Non-Random

(Selective) Memory-Based

Logical Errors in Conclusions

Inconsistent

Framing Posing question differently gets

different answers




Ordinal Scales


19

1 – 2 – 3 – 4 – 5 High – Medium – Low

Unlikely – Possible - Likely

Understanding varies widely

between individuals

Range Compression High = > €100m €500m is also High

Clustering

Presumption of Regular Intervals

No Validation against Reality

They are not units of measure

Cannot be added / multiplied

2 is not twice as good as 1

They ignore (psychological) research

Bias

Framing

Inconsistency

Etc.




Probability and Measurement


20

Probability

Unambiguous description of uncertainty

50% Probability = Total Uncertainty

Measurement

Observation based

uncertainty reduction

about a quantity

It has been done before

You think you can’t measure it?

You have more data than you think

You need less data than you think

Getting more data is more economical than you think

You probably need completely different data than you think

Wrong Distribution

Not everything is Gaussian

Catastrophes, common mode

and cascade failures tend to be

Power Law




Answer 1 – Know our Risk Appetite Answer 2 – Model the Risks


21

Document Risk Appetite/Tolerance

Model Uncertain Systems




Answer 3 - Calibration


22

After calibration, 9 out of 10

answers will be in the given range.

Calibrated Estimators

Give estimates with ranges which are correct 90%

of the time.

Know the confidence of binary (true/false)

answers.

It is not very difficult to learn! (1/2 day training)

The resulting range may be wide, but it can be narrowed

by MEASUREMENT.




Answer 4 – Monte Carlo Simulation Advanced


23

Monte Carlo Simulation

Generates 1000’s of random values for each

variable in a model and shows the distribution of

the results.

Can take

• Distributions

• Correlations

into account.

Easily implemented with Excel or other tools.




Answer 5 – Bayes 1/2 Very Advanced


24

Bayesian Networks

Nothing known about Design,

Complexity, Testing Quality or

amount of usage.

Update prior knowledge with new information.

Invert conditional probabilities.

Additional Information




Answer 5 – Bayes 2/2


25

Bayesian Networks

Update prior knowledge with new information.

If zero defects found in

testing

and

complexity known to be high

there is a high probability that

testing was poor

and design was good

Defects expected in operation

are lower, but

Additional Information




Answers – Other


26

Organisation

Positions

Incentives

Certifications

Community

Scientific

Approach

Quality Control

Validate against

event history

Use empirical

observations




References


27

The Failure of Risk Management – Why it is Broken and How to Fix It

Douglas W. Hubbard, 2009

How to Measure Anything – Finding the Value of “Intangibles” in Business, 3rd Edition

Douglas W. Hubbard, 2014

Risk Assessment and Decision Analysis with Bayesian Networks

Norman Fenton, Martin Neill, 2013




Appendix

Sample COBIT 5 Risk Scenario





30





31





32





33





34

cobit 5 for it policies and risk - bpug- · pdf filegroup technology and operations deutsche...

Documents