Welcome to my one-page site dealing with Governance, Risk and Compliance (GRC). Here you can find references to my articles published in the ISACA Journal. This site is an invitation to explore GRC topics in more depth. It uses no cookies; for any discussion or clarification of these themes, please contact me via the ISACA Journal website or through the contact details in the footer. You are always welcome!

Enterprise Risk Monitoring

The idea behind this risk methodology is to use a Capability Maturity Model (CMM) to collect all the relevant controls of the organization and to link them with the Enterprise Risk Management (ERM) and Internal Audit processes. The link works in both directions, so as to create a virtuous cycle of mutual collaboration in which processes are managed as cooperating services, according to the logic of the Agile methodology.
| Title | Published | Summary |
|---|---|---|
| Enterprise Risk Monitoring Methodology, Part 1: Risk Treatment Plan | 29 March 2019 | How to build a Risk Treatment Plan fully integrated into Corporate Governance processes. |
| Enterprise Risk Monitoring Methodology, Part 2: Enterprise Risk Assessment | 9 April 2019 | How to manage an Enterprise Risk Assessment process based on a Capability Maturity Model. |
| Enterprise Risk Monitoring Methodology, Part 3: Risk-based Internal Audit | 26 December 2019 | How to define a Risk-based Internal Audit process following a collaborative approach with a Capability Maturity Model. |
| Enterprise Risk Monitoring Methodology, Part 4: Risk Executive Summary | 24 June 2020 | How to effectively present the results of Internal Control and Risk Management to top management through a Risk Executive Summary. |

Corporate Governance

An integrated method that combines the activities verifying the achievement of control objectives with the methods for assessing risk levels, making use of a Capability Maturity Model.
| Title | Published | Summary |
|---|---|---|
| Extended Accountability of the CIO | to be issued | To make I&T management in the organization more effective, it is necessary to broaden the role of the CIO, which means requiring greater responsibilities and skills in the GRC area, with due attention to the importance of control from a business perspective rather than the typical focus on pure technological performance. |
| Agile Manifesto for Internal Audit | 22 March 2023 | The internal audit process must be responsive to internal enterprise changes to align easily with the evolution of the business and guarantee the effectiveness of audit operations. An innovative approach can be based on principles derived from Agile logic, with a sequence of simple objectives, fast implementation and subsequent evaluation of the results. |
| Capability Maturity Model and Risk Register Integration: The Right Approach to Enterprise Governance | 24 February 2022 | A consistent approach to Enterprise Governance through a close bond between the Risk Register and a Capability Maturity Model. |
| A Holistic Approach to Controls, Risk and Maturity | 2 June 2021 | How to integrate control performance, risk assessment and maturity evaluation through a Capability Maturity Model. |
| Security Adjustments to Strengthen the Bond Between Risk Registers and Information | 28 October 2021 | A valuable component of corporate governance is the risk register. Although it is not mandatory, using a risk register to build a sound risk governance process for an organization is strongly recommended. |

Identity Trust System

Using a single, suitable set of identity credentials that is accepted by every website on the Internet is a realistic possibility. Here is a proposal for a system based on trust in an Identity Provider (IdP), and for how IdPs can communicate with each other.
| Title | Published | Summary |
|---|---|---|
| Modeling an Identity Trust System | to be issued | Description of the identity system based on trust in an Identity Provider and using a symmetric scheme for authentication. Use cases and sequence diagrams of the proposed processes are included. |
| How to Digitally Verify Human Identity: The Case of Voting | 1 January 2023 | Through the use of a symmetric identity system it is possible to build a voting mechanism that provides greater security and advantages compared to postal voting. |
| A Symmetrical Framework for the Exchange of Identity Credentials Based on the Trust Paradigm, Part 1: Identity Trust Abstract Model | 20 April 2022 | The identity of an Internet citizen, or netizen, is generally established by asking the digital citizen to share personal data with the authentication system in order to obtain credentials to access data. But is it really necessary to disseminate personal data on the Internet, even to systems visited only once? |
| A Symmetrical Framework for the Exchange of Identity Credentials Based on the Trust Paradigm, Part 2: Identity Trust Service Implementation | 27 April 2022 | The use of double trustees addresses the mutual recognition of two entities without the prior registration of personal data on each new authentication system, thus maintaining anonymity. In addition, it helps authorities combat fraud resulting from identity theft, as absolute anonymity is not allowed when entering into contractual agreements. |

Information Security

Some information security topics addressed from the organizational security perspective, and how they can be managed to create value for organizations.
| Title | Published | Summary |
|---|---|---|
| Using Near Miss Incidents as Risk Indicators | 3 July 2023 | A near miss incident is an unplanned event that could potentially produce unintended consequences but does not actually produce them. From a risk perspective, it is an indicator of an anomalous situation and, as such, must be investigated to understand the potential impact on an organization's objectives. |
| Addressing Intentional Threats Using Risk Assessment: The Case of Ransomware and Eavesdropping | 21 September 2022 | When the risk of a ransomware attack cannot be avoided, actions must be taken to ensure that the impact is manageable. Risk assessment can be used as a tool to deal with the most representative classes of intentional threats: ransomware and eavesdropping. |
| Communicating Information Security Risk Simply and Effectively, Part 1: A Three-Step Process for Top Management | 21 December 2021 | Effective communication with top management. Any accurate risk assessment loses all its effectiveness if it is not properly understood by managerial executives with decision-making power. |
| Communicating Information Security Risk Simply and Effectively, Part 2: A Three-Step Process for Top Management | 23 December 2021 | Effective communication with top management. The ability to answer top management's questions is the first step to presenting information security risk effectively. |