The Convergence of IT Security and Enterprise Risk Management (ERM): Risk Management for Identity Management Solutions

The Alliance for Enterprise Security Risk Management™ (AESRM™, www.aesrm.org) is a
partnership of two leading international security organizations, formed to address issues
surrounding the convergence of traditional and logical security.

About ASIS
ASIS International (www.asisonline.org) is the preeminent
organization for security professionals, with more than 36,000
members worldwide. Founded in 1955, ASIS is dedicated to
increasing the effectiveness and productivity of security
professionals by developing educational programs and
materials that address broad security interests, such as the ASIS
Annual Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the security
management profession to business, the media, government
entities and the public. By providing members and the security
community with access to a full range of programs and services,
and by publishing the industry’s number one magazine—
Security Management—ASIS leads the way for advanced and
improved security performance.

About ISACA
With more than 86,000 constituents in more than 160
countries, ISACA (www.isaca.org) is a recognized worldwide
leader in IT governance, control, security and assurance.
Founded in 1969, ISACA sponsors international conferences,
publishes the ISACA® Journal, and develops international
information systems auditing and control standards. It also
administers the globally respected Certified Information
Systems Auditor™ (CISA®) designation, earned by more than
60,000 professionals since 1978; the Certified Information
Security Manager® (CISM®) designation, earned by more than
10,000 professionals since 2002; and the new Certified in the
Governance of Enterprise IT™ (CGEIT™) designation.

Disclaimer
The Alliance for Enterprise Security Risk Management (AESRM), www.aesrm.org, has designed
and created this publication, titled The Convergence of IT Security and Enterprise Risk
Management (ERM): Risk Management for Identity Management Solutions
(the “Work”),
primarily as an educational resource for security professionals. AESRM makes no claim that use
of any of the Work will assure a successful outcome. The Work should not be considered
inclusive of all proper information, procedures and tests or exclusive of other information,
procedures and tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, security professionals should apply their
own professional judgment to the specific circumstances presented by the particular systems or
information technology environment.
© 2009 The Alliance for Enterprise Security Risk Management. All rights reserved. Page 2

Reservation of Rights
© 2009 The Alliance for Enterprise Security Risk Management. All rights reserved. No part of
this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a
retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying,
recording or otherwise) without prior written authorization from AESRM. Reproduction of
selections of this publication, for internal, noncommercial or academic use only, is permitted and
must include full attribution of the material’s source. No other right or permission is granted with
respect to this work.

AESRM Member Organizations

ASIS International
1625 Prince Street
Alexandria, VA 22314, USA
Phone: +1.703.519.6200
Fax: +1.703.519.1501

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008, USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: research@isaca.org
Web site: www.isaca.org

Printed in the United States of America

Acknowledgments

AESRM wishes to recognize
Emil G. D'Angelo, CISA, CISM, Bank of Tokyo Mitsubishi UFJ, USA
Eduard J. Emde, CISSP, CPP, RSE, Interseco, The Netherlands
Anne T. Ferraro, CISA, CISM, Information Risk and Business Resiliency, JP Morgan Chase &
Co., USA
Dave B. Morrow, CISM, Secure Business Operations LLC, USA
Jeff M. Spivey, CPP, PSP, RiskIQ, USA

The Authors
András Gábor, Ph.D., CISA, (agabor@informatika.bke.hu) is an economist, graduated from the
then-Karl Marx University of Economics (Hungary). He has a second degree in computer
science (1979), earned his Ph.D. in 1983, and has been a Certified Information Systems Auditor
(CISA) since 1999. He is associate professor, the head of the department of information systems
and of the Technology Transfer Centre of the Budapest University of Economic Sciences and
Public Administration. He is also head of the information management division of the
Information Technology Foundation of the Hungarian Academy of Science. His research field
includes systems design, information management, intelligent systems and knowledge
management. He was a visiting scholar at the Harvard Business School (USA) in 1995, the
University of Amsterdam (The Netherlands) in 1990-1995, the Imperial College of Science and
Technology (UK) in 1986, the DePaul University department of computer science and
information systems (USA) in 1985, and the Imperial Chemical Industries pharmaceutical
division (UK) in 1975. He is the holder of the Award for Excellence of the President of the
Hungarian Academy of Sciences. He has published several books and papers
(http://informatika.bke.hu/).

Andrea Kő, Ph.D. (ko@informatika.bke.hu) graduated from the Eötvös Lóránd University of
Budapest (ELTE) in 1988 with an MSc in mathematics and physics. She received a university
doctoral degree in computer science in 1992. She is a senior lecturer of the Corvinus University
of Budapest, in the department of information systems. Her research field includes systems
design, information management, intelligent systems, knowledge management, management and
design of ontologies, and IT audit. She took part in several research and development projects
including GUIDE [FP6 IST project—Networked Businesses and Governments (IST-2002-
2.3.1.9)], and SAKE (Semantic-enabled Agile Knowledge-based E-government FP6 IST
STREP). Kő has also published and presented several papers at international conferences
(http://informatika.bke.hu/).
Introduction
In today’s technology-driven business environment, services offered by enterprises—particularly
e-services—increasingly depend on information and the systems that deliver it. These services
generally must satisfy multiple requirements, such as transparency, availability, accessibility,
convenience and compliance. At the same time, information technology (IT) environments are
becoming increasingly complex in both function and architecture. These two factors—increased
complexity and greater demands—significantly increase the level of risk associated with these
services. Key among these is information security risk.

Even as there is a demand for improved management and control over these complex
environments and their inherent risks, economic recession and the challenge of global markets
have resulted in stronger competition among enterprises, demanding that they carefully manage
all expenses, including their security investments. Regulatory scrutiny and legislation also have
changed significantly in recent times, as demonstrated by responses to recent well-known
bankruptcies and creative accounting activities [Ahold (NL), Parmalat (IT), Enron (US),
WorldCom (US), Vivendi (FR)].1 New members of the European Union (EU), such as Hungary,
have had to face additional EU legislative requirements as well.

The most challenging and demanding regulatory requirements for enterprises are the US
Sarbanes-Oxley Act and Basel II. Their financial and other consequences were not anticipated,
and their effect on enterprises proved more extensive than expected.2 To comply with these
regulations, enterprises have been compelled to rearrange or enhance their operations
and processes. These adaptations have been costly and have potentially introduced new security
risks.

Taken together, these factors require that security risks—indeed, all operational
risks—be effectively and consistently managed within the context of broader organizational risks.
This publication provides an overview of enterprise security risk management, as well as the
associated risk management framework, and demonstrates a case from the identity management
domain to which the risk management framework has been applied.

Enterprise Security Risks and Their Management
Several definitions and approaches for enterprise risk management (ERM) exist in the literature.
In this publication, the widely referenced and accepted Committee of Sponsoring Organizations
of the Treadway Commission (COSO) definition will be used:

Enterprise risk management is a process, effected by an entity’s board of
directors, management and other personnel, applied in strategy setting and
across the enterprise, designed to identify potential events that may affect the
entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.3


1 Alles, M.; A. Kogan; M. Vasarhelyi; “The Law of Unintended Consequences? Assessing the Costs, Benefits and
Outcomes of the Sarbanes-Oxley Act,” ISACA Journal, volume 1, USA, 2004, www.isaca.org/journal
2 Zhang, I. X.; “Economic Consequences of the Sarbanes-Oxley Act of 2002,” William E. Simon Graduate School
of Business Administration, USA, 2005
3 COSO, Enterprise Risk Management—Integrated Framework, USA, 2004, downloaded 24 July 2008,
www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf

This definition covers all the important aspects of how enterprises manage risk, providing a
sufficiently general foundation to be useful across all organizations, industries and sectors.

To effectively implement a risk management program, enterprises need a common operational
framework and process. A typical process for risk management is defined as (figure 1)4:

- Determination of the scope of investigation
- Risk identification
- Risk analysis and evaluation
- Risk communication and treatment
- Risk monitoring

The scope of investigation must first be defined to determine the domain of analysis. During risk
identification, a comprehensive list is produced of the risks likely to affect the investigated
domain. Risks are characterized by several factors, including origin, event type, potential
consequences and any existing protective mechanisms and controls. The impact and likelihood of
each risk are assessed during the risk analysis phase, which also seeks to determine the potential
sources of risks as well as the effect of any existing controls. Risk analysis techniques are
varied and include interviews with domain experts, simulations and questionnaires.

Risk communication and treatment is the sharing of information about risks with decision
makers and stakeholders, which facilitates the appropriate decision regarding the actual treatment
of the risk. Risk treatment is the process whereby measures to address each risk are selected and
implemented. This decision is based on numerous factors, such as potential impact (including
cumulative impacts) of each of the four risk treatment strategies (below), costs associated with
mitigation, and the risk’s relationship to other enterprise risks. Enterprises can follow four
strategies during risk treatment:

- Accept the risk.
- Treat the risk with the proper control mechanism.
- Transfer the risk to another party.
- Terminate the activity causing the risk.

The final step, risk monitoring, is an iterative task that verifies that the risk treatment actions
are effective and continue to meet stakeholder requirements. It also tracks the risk attributes of
likelihood and impact, so that changes in them over time are detected and the assessment is revisited.


4 ISACA, CISA Review Manual, USA, 2008, www.isaca.org
Figure 1—Risk Management Framework



Beyond the risk management process, the risk management framework has additional key
components, including people, processes, technology and governance (figure 1). Risk
management activities are performed by people, who need proper authority and sufficient
competency to accomplish their tasks. In many cases, processes must be modified and rearranged
depending on the outcome of risk management activities, and caution is needed to ensure that the
mitigation of one risk does not introduce new risks. Technology also has a supporting role during
risk management. It can enhance quality and consistency through use of dedicated risk
management software, which, if effectively chosen and utilized, can foster better communication
and more consistent monitoring of the risk catalog. Governance (enterprise governance,
corporate governance, IT governance) also has a key role in the risk management process since it
determines how key decisions that affect the entire enterprise are made, and ensures that security
risks are considered and addressed within the greater context of other enterprise risks and
business goals and objectives.

Identity Management and its Security Risks
Tasks related to the identification and authentication of persons and other enterprises always
have been a necessary part of business processes. New e-services that dramatically impact
identity administration are increasingly being offered for citizens and enterprises. Customer
confidence and trust in services provided must be continuously monitored, while simultaneously
satisfying requirements relating to data protection, privacy and other matters of law.
Appropriately, identity management has become a key factor of top security initiatives of many
enterprises.5 The primary driver is obvious: the ever-increasing demands of serving citizens,
enterprises and public institutions through the Internet and private networks require robust and
effective identity management solutions. Protection of personally identifiable information—the
raw material of identity management systems—against internal and external vulnerabilities and
threats is a significant challenge for large enterprises. IT infrastructures and networks continue to
increase in size and complexity, which generally means frequent introduction of new
vulnerabilities and other risks. Identity management solutions are now a key component within
this ever-expanding enterprise architecture.

The major building blocks of a typical identity management solution are defined as:6

- Enterprise directory service
- Authentication
- Access control
- User management

The application of an identity management solution has many advantages, including:

- Expansion of the scope of services offered by IT that were not possible due to the complexity
  associated with managing multiple identities
- Reduced support and administrative costs
- Reduced user creation and administration time
- Greater management control, audit trail and cost transparency
- Improved security and integration in the case of fragmented workflows and databases
- Reduced help desk workload
- Simplified resource access

There are many different identity management solutions deployed worldwide, and often they
must be able to interface with each other. Therefore, interoperability among these solutions is
frequently mandatory. However, identity management solutions vary greatly in both maturity
and interoperability. Compliance with regulatory requirements (e.g., data protection laws) also
impacts the required capabilities of the identity management solution. These factors place new
demands on security organizations. They have required new security roles to be defined and
filled, and often have significantly increased the workload of the already burdened security teams.

Even as enterprises strive to get a handle on identity management as a process, many have to
cope simultaneously with increasing identity-related security risks, such as the use of false
identities, identity theft, the disclosure of personally identifiable information, and unauthorized
access. Of these, the most common threat is considered to be identity theft.7 The high rate of
occurrence has necessitated that organizations review their security management practice to
address this threat, even as they build out their identity management solutions.

5 AESRM, Deloitte and Touche LLP, The Convergence of Physical and Information Security in the Context of
Enterprise Risk Management, USA, February 2005, www.isaca.org/ContentManagement/
ContentDisplay.cfm?ContentID=36010

6 IT Governance Institute, PricewaterhouseCoopers, Enterprisewide Identity Management—Managing Secure and
Controllable Access in the Extended Enterprise Environment, USA, 2004,
www.isaca.org/Template.cfm?Section=Search&template=/Ecommerce/ProductDisplay.cfm&ProductID=509
7 Cilli, C.; “Identity Theft and Cybercrime,” ISACA Journal, volume 6, USA, 2005, www.isaca.org/journal
Having a consistent risk management framework to reference as they build these solutions and
deal with their inherent risks is proving to be highly beneficial to many enterprises, and should
be considered a critical factor to support this activity in the enterprise. The following section
demonstrates the application of a risk management framework for an identity management
research project known as GUIDE.

Application of Risk Management Framework in GUIDE Project
GUIDE (IST-2003-507498) is an EU research project into cross-border identity management and
the mutual recognition of electronic identifiers. GUIDE was funded by the European
Commission’s 6th Framework Programme, and consisted of 23 organizations from 13 countries.
Its research covered both the technical and social aspects of cross-border identity management.
GUIDE included an analysis of the current status of identity management in Europe, and also
developed a technical architecture to support both cross-border identity management as well as
the mutual recognition of electronic identifiers. This architecture has been developed and tested
through two trials of cross-border e-government services.

In support of the technical activities, research was conducted into the certification strategy and
the trust model and governance structures required to support cross-border identity management.
The first trial tested the GUIDE identity management architecture application for E101 services.
The Netherlands and Belgium were chosen for the trial because they wished to develop their
existing applications to completely eliminate the need for handling a paper-based E101 form.
Therefore, both countries had additional sets of user requirements for the E101 trial, so that the
systems involved in the trial could be examined for remodeling or replacement. A second trial
targeted business related e-government services, focused on e-procurement.

As has been established, identity management services and architectures can introduce numerous
risks, so a customized version of the previously discussed risk management framework8 was
applied during the evaluation and assessment of the two trials of cross-border e-government
services. Several aspects were emphasized during the investigation, such as information
management policies [systems development life cycle (SDLC) applied during the development],
guidance used [e.g., Control Objectives for Information and related Technology (COBIT®),9 IT
Infrastructure Library (ITIL)10], system documentation management, and regulatory compliance
and project management.

Since the scope had already been defined by the projects selected, the next step in the risk
management process was risk identification, which entailed the listing of all risks encountered in
the trials. (A sampling of those risks is found in figure 5.)

The next step was risk analysis and evaluation, which determined the impacts of the identified
risks (figure 2). A numeric value was assigned to each risk dimension, ranging from 1
(commendable) through 5 (unsatisfactory) (figure 3).


8 Booker, S.; J. R. Gardner; L. Steelhammer; I. Zumbakyte; “What Is Your Risk Appetite? The Risk-IT
Model,” ISACA Journal, volume 2, USA, 2004, www.isaca.org/journal
9 IT Governance Institute, COBIT 4.1, USA, 2007, www.itgi.org/cobit
10 UK Office of Government Commerce, ITIL V3, UK, 2008
A weighted audit rate was then calculated from the values subjectively assigned to each of the risk
dimensions (in the example of figure 2 it is 2.8, the mean of the five ratings 1, 3, 3, 5 and 2 when
they are weighted equally). The risk dimensions are the aspects emphasized when the risk's level of
significance is determined. If the weighted audit rate is below 3, the significance level is low; if
it is exactly 3, the significance level is medium; if it is above 3, the significance level is high.
In this case, the development of the identity management solution was assessed, so the risk
dimensions were defined accordingly. Likelihood is necessarily a subjectively assigned value (low,
medium or high); the assigned level should be a reasonable reflection of the potential that the risk
will be realized. The significance level and the likelihood together determine the risk level,
according to the risk rank matrix (figure 4).

Figure 2—Risk Analysis and Evaluation

Finding                  Risk Dimensions                       Rating
Description of finding   Information management policies       1
                         Standards used                        3
                         System documentation management       3
                         Regulatory compliance                 5
                         Project organization                  2
                         Weighted audit rate                   2.8

Significance Level: Low     Likelihood: High     Risk Level: Medium




The risk level can be high for many reasons: there were substantial deficiencies in the identity
management trials, the trials were not managed properly (project processes and elements were
poorly handled), or identity management characteristics were not considered. If the risk level is
medium, weaknesses exist, but not from all aspects. A low risk level indicates that the project
activity was well managed.

Figure 3—Audit Rating Scale

Rating                 Description
5—Unsatisfactory       The auditable dimension/activity was not in compliance with policies,
                       systems and procedures.
4—Improvement needed   The auditable dimension/activity was not always in compliance with
                       policies, systems and procedures.
3—Average              The auditable dimension/activity was generally in compliance with
                       policies, systems and procedures.
2—Good                 The auditable dimension/activity was in compliance with policies,
                       systems and procedures. Some control deficiencies were identified but
                       were not expected to lead to major risk.
1—Commendable          The auditable dimension/activity has achieved its goals and objectives.
                       The auditable dimension/activity was in compliance with policies,
                       systems and procedures. No significant control deficiencies were
                       identified.

Figure 4—Risk Rank Matrix

Significance Level   Likelihood   Risk Level
High                 High         High
High                 Medium       High
Medium               High         High
High                 Low          Medium
Low                  High         Medium
Medium               Medium       Medium
Low                  Medium       Low
Medium               Low          Low
Low                  Low          Low
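The scoring of figures 2 through 4 (per-dimension audit ratings, weighted audit rate, significance threshold at 3, risk rank matrix) is mechanical enough to be worth coding, so that every finding in a trial is rated the same way and the boundary cases are handled deliberately. The following Python is an added example, not code from the GUIDE project or from this publication. It assumes equal weights for the risk dimensions when none are given (the publication does not state its weights; equal weights reproduce its 2.8 for the five ratings of figure 2), and it keeps the rate as an exact fraction so that a rate of exactly 3 lands on the medium boundary as the text requires rather than being blurred by floating-point rounding.

```python
from fractions import Fraction

# Audit rating scale of figure 3: 1 (commendable) .. 5 (unsatisfactory).
RATING_MIN, RATING_MAX = 1, 5

LEVELS = ("Low", "Medium", "High")

# Risk rank matrix of figure 4: (significance level, likelihood) -> risk level.
RISK_RANK_MATRIX = {
    ("High", "High"): "High",
    ("High", "Medium"): "High",
    ("Medium", "High"): "High",
    ("High", "Low"): "Medium",
    ("Low", "High"): "Medium",
    ("Medium", "Medium"): "Medium",
    ("Low", "Medium"): "Low",
    ("Medium", "Low"): "Low",
    ("Low", "Low"): "Low",
}


def weighted_audit_rate(ratings, weights=None):
    """Weighted mean of the per-dimension audit ratings (the 'weighted audit rate').

    ratings: {dimension: integer rating 1..5}
    weights: {dimension: non-negative weight}. Assumption: equal weights when omitted;
             the publication does not state its weights, and equal weights reproduce
             its 2.8 for the five ratings of figure 2.
    Returns an exact Fraction so the '== 3' boundary is not blurred by float rounding.
    """
    if not ratings:
        raise ValueError("at least one risk dimension is required")
    if weights is None:
        weights = {dim: 1 for dim in ratings}
    if set(weights) != set(ratings):
        raise ValueError("weights must cover exactly the rated dimensions")
    if any(Fraction(w) < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total_weight = sum(Fraction(w) for w in weights.values())
    if total_weight == 0:
        raise ValueError("weights must not all be zero")
    acc = Fraction(0)
    for dim, rating in ratings.items():
        if not (isinstance(rating, int) and RATING_MIN <= rating <= RATING_MAX):
            raise ValueError(f"rating for {dim!r} must be an integer {RATING_MIN}..{RATING_MAX}")
        acc += Fraction(weights[dim]) * rating
    return acc / total_weight


def significance_level(rate):
    """Thresholds stated in the text: below 3 -> Low, exactly 3 -> Medium, above 3 -> High."""
    rate = Fraction(rate)
    if rate < 3:
        return "Low"
    if rate == 3:
        return "Medium"
    return "High"


def risk_level(significance, likelihood):
    """Look the pair up in the risk rank matrix; reject labels outside Low/Medium/High."""
    if significance not in LEVELS or likelihood not in LEVELS:
        raise ValueError("significance and likelihood must be one of Low, Medium, High")
    return RISK_RANK_MATRIX[(significance, likelihood)]


def assess(ratings, likelihood, weights=None):
    """Run one finding through figures 2-4 and return every intermediate value."""
    rate = weighted_audit_rate(ratings, weights)
    significance = significance_level(rate)
    return {
        "weighted_audit_rate": rate,
        "significance_level": significance,
        "likelihood": likelihood,
        "risk_level": risk_level(significance, likelihood),
    }


# The five ratings of figure 2, transcribed from the publication.
FIGURE_2_RATINGS = {
    "Information management policies": 1,
    "Standards used": 3,
    "System documentation management": 3,
    "Regulatory compliance": 5,
    "Project organization": 2,
}

if __name__ == "__main__":
    result = assess(FIGURE_2_RATINGS, likelihood="High")
    print(f"weighted audit rate = {float(result['weighted_audit_rate']):.1f}")
    for key in ("significance_level", "likelihood", "risk_level"):
        print(f"{key} = {result[key]}")
```

Run as a script it reproduces figure 2: a rate of 2.8, significance Low, and with likelihood High a risk level of Medium. Passing an explicit weights dictionary lets an assessor emphasize, say, regulatory compliance over project organization; the matrix lookup rejects any label outside the three the publication uses, so a typo in a spreadsheet export fails loudly instead of silently defaulting.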

The approach chosen for GUIDE mandated that the definitive best practice of the audit field, COBIT,
be utilized for the assessment. COBIT is a de facto standard within the audit domain. It offers
control practices that provide a reference framework for management, users, and IS audit, control
and security practitioners. Conducting the audit against COBIT’s four domains [Plan and
Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and
Evaluate (ME)] assured that all the required capabilities were covered and the trial system was
given a comprehensive assessment. The application of COBIT for the evaluation also helped
reveal the attitudes of users toward the trial design and implementation, as well as the acceptance
prospects of the project as a whole by the interested parties.

Information-gathering methods were varied, and included documentation review, interviews and
meetings (e-meetings and telephone conferencing) with the stakeholders of the trials. During the
GUIDE project trial assessments, the aforementioned risk identification and analysis approaches
were used. Figure 5 indicates a sample for risk identification and analysis, where the existing
control environment of the trials was assessed. Assessment statements were used for the
improvement of the identity management architecture and for giving feedback to the project
team. This sample shows two auditable dimensions: separation of duties and testing of trials.
Figure 5—GUIDE Risk Analysis and Evaluation

Columns of the original table: Risks; Main Inputs for the Exploration of Existing Controls of the
Trial; Existing Controls of the Trial; Assessment Statement; COBIT Reference; Significance Level;
Likelihood; Risk Level.

Risk: No segregation of duties—a single individual has the possibility to subvert a critical process
  Main inputs for the exploration of existing controls of the trial: GUIDE E101 Trial Requirements
  Specification—Part 4 Requirements Summary; E101 Trial High Level Design v 0.8; Design Model for
  the GUIDE Trial Demonstrator and GUIDE Gateway Component Specification; Implementation and
  Integration Planning for Trial 1
  Existing controls of the trial: Trial 1 teams could not manage segregation of duties as it is
  described in the IT audit standards. There were overlapping roles, as noted in the direct
  observation section. One reason is the limited number of the project participants. In spite of
  this fact, and due to the nature of the trial (test environment), these overlapping roles did not
  cause difficulties.
  Assessment statement: The segregation of duties was in compliance with general audit policies and
  procedures. Some control deficiencies were identified (such as overlapping roles), but these are
  not expected to lead to major risk.
  COBIT reference: PO4.10
  Significance level: High; Likelihood: High; Risk level: High

Risk: Lack of a test plan for the trial
  Main inputs for the exploration of existing controls of the trial: GUIDE E101 Trial Requirements
  Specification; Implementation and Integration Planning for Trial 1
  Existing controls of the trial: Detailed test plan exists and is discussed in deliverables.
  Assessment statement: The auditable dimension was in compliance with policies, systems and
  procedures. No significant control deficiencies were identified.
  COBIT reference: PO10.11
  Significance level: High; Likelihood: Medium; Risk level: High
Compliance and substantive tests according to the IT audit process were part of the trials
evaluation. During the compliance test it was determined whether controls (planned during the
design) were being applied in a manner that complied with the documentation and standards.
Substantive tests were conducted through trial testing and investigation of trial test
documentation. One of the main objectives of the assessment and evaluation methodology was to
provide evidence that each milestone had been achieved within its time schedule and its
objectives had been qualitatively accomplished.

Overall, the evaluation generated useful experience and feedback, which were utilized to further
improve the GUIDE identity management solution. The project also validated that a risk
management-based approach was the appropriate method for trials evaluation.

Conclusion
Security risks and their management have significant importance in today’s enterprise. They
should always be addressed with a consistent and structured approach. In the GUIDE project trial
assessment, use of an established risk management framework was very effective. Its use in
conjunction with an IT framework such as COBIT proved even more effective.

Security budgets will rise and fall, depending on numerous factors; regardless, management must
increasingly assure senior and executive management that enterprise security risk management is
effectively managed and governed with the same degree of rigor as other risks within the
enterprise. Through the appropriate application of a standard risk management framework,
enterprises should realize:

- Enhanced security
- Cost-efficiency
- Enhanced compliance
- Enhanced productivity
- Faster response
- Enhanced incident correlation
- Cleaner audit and compliance
- Accountability across the enterprise
- Sustainable, repeatable and predictable processes
- Strategic growth support
- Better user experience

The final pieces to the puzzle are effective governance of the security risk management program
and its integration into the broader enterprise program. Once the security risks have been
identified and appropriately characterized, they must be normalized and aligned with both the
broader operational risks and the other risk families (financial, etc.) inherent to the enterprise.
Only when this is accomplished can an enterprise be satisfied that all risks, independent of origin,
are being addressed in a properly prioritized and effective fashion.

References
AESRM, Deloitte and Touche LLP, The Convergence of Physical and Information Security in the Context of Enterprise Risk Management, USA, February 2005, www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=36010
Alles, M.; A. Kogan; M. Vasarhelyi; “The Law of Unintended Consequences? Assessing the Costs, Benefits and Outcomes of the Sarbanes-Oxley Act,” ISACA Journal, volume 1, USA, 2004, www.isaca.org/journal
Booker, S.; J. R. Gardner; L. Steelhammer; I. Zumbakyte; “What Is Your Risk Appetite? The Risk-IT Model,” ISACA Journal, volume 2, USA, 2004, www.isaca.org/journal
Cilli, C.; “Identity Theft and Cybercrime,” ISACA Journal, volume 6, USA, 2005, www.isaca.org/journal
COSO, Enterprise Risk Management—Integrated Framework, USA, 2004, downloaded 24 July 2008, www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf
GUIDE Consortium, Creating a European Identity Management Architecture for eGovernment, UK, istrg.som.surrey.ac.uk/projects/guide/guide/overview.html, downloaded 16 July 2008
ISACA, CISA Review Manual, USA, 2008, www.isaca.org
ISACA, CISM Review Manual, USA, 2008, www.isaca.org
IT Governance Institute (ITGI), PricewaterhouseCoopers, Enterprisewide Identity Management—Managing Secure and Controllable Access in the Extended Enterprise Environment, USA, 2004, www.isaca.org/Template.cfm?Section=Search&template=/Ecommerce/ProductDisplay.cfm&ProductID=509
IT Governance Institute, COBIT 4.1, USA, 2007, www.itgi.org/cobit
IT Governance Institute, IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, USA, 2006, www.itgi.org
Oud, E. J.; “The Value to IT of Using International Standards,” ISACA Journal, volume 3, USA, 2005, www.isaca.org/journal
Zhang, I. X.; “Economic Consequences of the Sarbanes-Oxley Act of 2002,” William E. Simon Graduate School of Business Administration, USA, 2005