Welcome to my one-page website dealing with Governance, Risk and Compliance (GRC). Here you can find references to my articles published on ISACA Journal. This is a website that invites you to learn more about GRC topics. There is no use of cookies and for any discussion or clarification on these themes, please contact me on the ISACA Journal website or to my references in the footer.
You are always welcome!

Enterprise Risk Monitoring

The idea behind this risk methodology is to use a Capability Maturity Model (CMM) to collect all the relevant controls of the organization and to link it with the Enterprise Risk Management (ERM) and Internal Audit processes. The link is ambivalent to be able to create a virtuous cycle of mutual collaboration, managing processes as cooperating services, according to the logic of the Agile methodology.
Title Published Summary
The Modeling of Risk Evaluation, Risk Appetite, and Risk Tolerance 18 December 2024 The concepts of risk appetite and tolerance need a clear representation to be understood and used in the risk assessment process. Clarity and simplicity are the basis for allowing senior management to consciously express a periodic valorization of these concepts.
Yet Another Risk Depiction (YARD) 18 June 2024 Risk management is first a system, and therefore is composed of a series of processes that interact with each other, either in sequence by using the output of a completed phase as input for the following phase, or in a transversal manner by affecting multiple phases together.
Enterprise Risk Monitoring Methodology, Part 1: Risk Treatment Plan 29 March 2019 How to build a Risk Treatment Plan fully integrated into Corporate Governance processes.
Enterprise Risk Monitoring Methodology, Part 2: Enterprise Risk Assessment 9 April 2019 How to manage an Enterprise Risk Assessment process based on a Capability Maturity Model.
Enterprise Risk Monitoring Methodology, Part 3: Risk-based Internal Audit 26 December 2019 How to define a Risk-based Internal Audit process following a collaborative approach with a Capability Maturity Model.
Enterprise Risk Monitoring Methodology, Part 4: Risk Executive Summary 24 June 2020 How to effectively present the results of Internal Control and Risk Management to top management through a Risk Executive Summary.

Corporate Governance

An integrated method to combine the verification activities of the achievement of the control objectives with the methods of assessing the risk levels, making use of a Capability Maturity Model.
Title Published Summary
Adding Value with Risk-Based Information Security 1 September 2024 Effective IT security management system design must start with top management and include the entire perimeter of the supply chain, with special attention paid to ensuring compliance with all relevant laws.
Extended Accountability of the CIO 1 September 2023 To make I&T management in the organization more effective, it is necessary to broaden the role of the CIO, which means requiring greater responsibilities and skills in the GRC area, with the right attention on the importance of control from a business perspective rather than the typical focus on pure technological performance.
Agile Manifesto for Internal Audit 22 March 2023 The internal audit process must be responsive to internal enterprise changes to easily align with the evolution of the business and guarantee the effectiveness of audit operations. An innovative approach can be based on principles derived from Agile logic, with a sequence of simple objectives, fast implementation and subsequent evaluation of the results.
Capability Maturity Model and Risk Register Integration: The Right Approach to Enterprise Governance 24 February 2022 A consistent approach for Enterprise Governance by a close bond between the Risk Register and a Capability Maturity Model.
A Holistic Approach to Controls, Risk and Maturity 2 June 2021 How to integrate control performance, risk assessment and maturity evaluation through a Capability Maturity Model.
Security Adjustments to Strengthen the Bond Between Risk Registers and Information 28 October 2021 A valuable component of corporate governance is the risk register. Although it is not mandatory, using a risk register to build a sound risk governance process for an organization is strongly recommended.

Identity Trust System

Using a single, suitable set of identity credentials that is accepted by every website on the Internet is a realistic possibility. Here is a proposal on how to create a system based on the trust of an Identity Provider and how IdPs can communicate with each other.
Title Published Summary
Modeling an Identity Trust System 8 November 2023 Description of the identity system based on trust in an Identity Provider and using a symmetric scheme for authentication. There are use cases and sequence diagrams of the proposed processes. A proposed standard is included as Internet-Draft on the IETF database. Please leave your comments, criticisms or suggestions. Thank you.
How to Digitally Verify Human Identity:
The Case of Voting		 1 January 2023 Through the use of a symmetric identity system it is possible to build a mechanism for voting that provides greater security and advantages compared to postal voting.
A Symmetrical Framework for the Exchange of Identity Credentials Based on the Trust Paradigm, Part 1:
Identity Trust Abstract Model		 20 April 2022 The identity of an Internet citizen, or netizen, is generally determined by asking the digital citizen to share personal data with the authentication system to obtain credentials to access data. But is it really necessary to disseminate personal data on the Internet, even on the systems visited only once?
A Symmetrical Framework for the Exchange of Identity Credentials Based on the Trust Paradigm, Part 2:
Identity Trust Service Implementation		 27 April 2022 The use of double trustees addresses the mutual recognition of two entities without the prior registration of personal data on each new authentication system, thus maintaining anonymity. In addition, it helps authorities combat fraud resulting from identity theft, as absolute anonymity is not allowed when entering into contractual agreements.

Information Security

Some information security topics managed by the organizational security perspective. How these topics can be managed to allow a value creation for organizations.
Title Published Summary
Using Near Miss Incidents as Risk Indicators 3 July 2023 A near miss incident is an unplanned event that can potentially develop unintended consequences but does not actually develop them. From a risk perspective, it is an indicator of an anomalous situation and, as such, must be investigated to understand the potential impact on an organization's objectives.
Addressing Intentional Threats Using Risk Assessment:
The Case of Ransomware and Eavesdropping		 21 September 2022 When the risk of a ransomware attack cannot be avoided, actions must be taken to ensure that the impact is manageable. Risk assessment can be used as a tool to deal with the most representative classes of intentional threats: ransomware and eavesdropping.
Communicating Information Security Risk Simply and Effectively, Part 1:
A Three-Step Process for Top Management		 21 December 2021 An effective communication to top management. Any accurate risk assessment loses all its effectiveness if it is not properly understood by managerial executives with decision-making power.
Communicating Information Security Risk Simply and Effectively, Part 2:
A Three-Step Process for Top Management		 23 December 2021 An effective communication to top management. The ability to answer top management's questions is the first step to being successful in presenting information security risk effectively.
My name is Luigi and you can contact me directly via my personal email or you can find some other my personal information on LinkedIn.
Further ways to contact me are via Threema or Telegram or WhatsApp or Skype.