Dec 2021 PDM: ‘From ERM to CSRM’
December 11, 2021 @ 3:45 pm IST - 7:00 pm IST. Free.
15:45 – Virtual Networking
16:00 – Greetings from ISACA Chennai Chapter
16:03 – Monthly Security News Round-up
16:25 – Chapter Updates and Speaker Introduction
17:30 – ‘From ERM to CSRM’ by Rohit Banerjee
Topic Name: From ERM through CSRM to C-SCRM, an overview journey from the top of the cyberrisk pyramid to the bottom, using NIST and other best practices
In the emergent context, businesses and industries have faced tremendous challenges, as demonstrated by the semiconductor shortage, whose impact reached all the way to the automotive industry, and by continued state-sponsored Advanced Persistent Threats (APTs) affecting not just large enterprises but also Micro, Small and Medium Enterprises (MSMEs) and the common person, through ransomware and spyware payloads hidden in “free” mobile apps. The continued disruptions within global logistics and supply chain systems, and the continued cyber attacks and breaches, won’t vanish overnight, and merely detecting and responding to cyber incidents is not enough. In fact, the quantum of cyber breaches at the MSME level is astronomically large when cyberrisk impact is aggregated across MSMEs; however, these MSME-level risks are rarely consolidated or even reported. A better approach would be to design a simple yet effective preventive cyberrisk program; however, as is usually the case, most cybersecurity “experts” focus only on technology components, technology issues, technology controls and technology risks, rather than factoring in the business risks at all.
In this webinar, a brief overview of Enterprise Risk Management (ERM) in the business context will be discussed, followed by an unlearning of the perspective that risk is always negative. The discussion will then consider the human elements of behaviour, attitude and EQ/EI with respect to risk-based decision making, and then briefly explain the well-known COSO ERM principles and components. The Portfolio, Program and Project risk pyramid will also be briefly touched upon, before walking down the Strategy-to-Operations cycle of business risk decisions. After the ERM concepts, the discussion will move to an overview of the recently published 2nd edition of ISACA’s Risk IT framework and its cascading topography of I&T risk categories, with special focus on cyber and information risks. That will be followed by a brief look at other I&T risk best practices and frameworks and the differences in their respective terminologies and taxonomies, along with a visual analysis of how the ERM to Cybersecurity Risk Management (CSRM) pipeline aligns with NIST publications and other existing standards. The focus will then continue to supply chain risk management (SCRM), especially in the ICT context, with special attention to Cyber Supply Chain Risk Management (C-SCRM) and how to leverage such alignments to improve business risk-based decisions. The discussion will finally close by walking through some of the common challenges, pitfalls and cognitive biases encountered while designing a high-level end-to-end CSRM and C-SCRM program, and recommending the COBIT 2019 design guidelines to govern and manage these initiatives under one umbrella framework.
By the end of the webinar, participants should have at least a high-level understanding of the interactions and interrelations between the different components and best practices relevant to cyberrisk and business risk, and of designing risk appetite frameworks for their respective organisations.
• Understanding ERM business context
• Accepting risk is both negative and positive
• Taking risk decisions based on attitude and emotional intelligence
• Introducing COSO ERM concepts
• Cascading through Portfolio, Program, and Project risk pyramid
• Assessing risk decisions within the Strategy-to-Operations cycle
• Reviewing Risk-IT framework’s risk topography
• Focusing on I&T risks, and cyberrisks
• Differentiating between I&T risk taxonomies and terminologies
• Aligning NIST CSF, RMF, CSRM, C-SCRM with other best practices
• Applying business risk decisions to cyber supply chain risk management
• Avoiding common pitfalls, biases, and challenges in cyberrisks
• Wrapping it up with COBIT 2019 EGIT design guidelines
• Following through with reference materials
Rohit Banerjee is an Enterprise IT Governance, IT Risk and Compliance Trainer, Consultant, Auditor, and Assessor, with 20+ years of overall experience and 16+ years of professional IT experience in development, deployment, and delivery of Enterprise Software Solution leveraging CI/CD DevOps Strategies, innovating and architecting e-Learning Solutions on Mobile and OTT Platforms, drafting and publishing of cutting-edge IoT and Emergent Technologies Enterprise-wide Policies and SOPs, implementing and consulting on Information Security and Cybersecurity Best Practices for MSMEs, and enabling Business Process Re-engineering for e-Governance Transformation Initiatives.
His certifications include CRISC®, CGEIT®, COBIT® 5 NIST Cybersecurity Implementation Certified, CSX® Cybersecurity Fundamentals, Certified COBIT® 5 Assessor, COBIT® 2019, ISO/IEC 27001 Lead Auditor, ISO/IEC 38500 Lead Corporate IT Governance Manager, ISO 9001 Quality Management Systems Lead Implementer and Lead Auditor, ISO 21500 Lead Project Manager, ISO/TS 29001 Oil and Gas Quality Management Systems Lead Implementer, ITIL® V3 2011, Certified Six Sigma Black Belt, PMP®, PRINCE2® & MSP® Registered Practitioner, and Certified Master Trainer and Facilitator and Certified Instructional Designer from CAMI USA. He was also a CMMI-DEV V1.3 (Staged) Level 3 appraisal participant and process innovator, and he is the only official APMG® Accredited COBIT® 5 Trainer and the first PECB® Certified Trainer for the ISO IT Governance standard in Oman. He ranked first for CGEIT® in Muscat.
He is currently the Principal Consultant for MAGE IT Training and Consulting Private Limited, and focuses on the Middle East (Oman, UAE, Qatar, KSA) and Africa (Mozambique, Botswana, Ghana, Mauritius, Sudan) regions, consulting for Ministries, Government Agencies, Public Sector Units, Regulatory Authorities, Law Enforcement Agencies, etc. He is an ex-Director of the ISACA® Muscat Chapter for CGEIT®/CRISC® Certifications and an ex-Board Member of the ISACA® Mumbai Chapter, where he served as Education Chair and Joint Program Chair. He also serves as an ISACA® International volunteer and a PMI® International volunteer. He has delivered many seminars in academic as well as professional forums. He has also authored technical research papers and articles, and has been published in international academic journals and trade magazines.