Information System Risk Scenario Using COBIT 5 for Risk And NIST SP 800-30 Rev. 1 A Case Study

Abstract

The use of Risk Scenario is key to risk management. From the IT security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in information security of an information system. Risk Scenario needs to be built as a starting point to conduct its risk assessment. Risk Assessment is an essential component of risk management to define appropriate response or security control to handle risk. Risk assessment which involves an understanding of possible risk, knowledge of likely risks and threats, measured assessments of established controls and executed plans to address identified vulnerabilities. To resume the result from risk assessment process in COBIT 5 for Risk known as risk scenario document. This paper discusses how to create a Risk Scenario on a critical application system owned by a government agency as a case study. While NIST SP 800-30 Revision 1 to fulfill risk assessment process. The result is a Risk Scenario document and can be used as a starting point for implementing comprehensive risk management COBIT 5 for Risk framework.