risk awareness and communication


ISACA® The recognized global leader in IT governance, control, security and assurance
High-level session overview
1. CRISC background information
2. Part I—The Big Picture
CRISC BACKGROUND INFORMATION
About the CRISC Exam
• The content of the 2012 CRISC Review Manual is
based on the CRISC job practice found at
www.isaca.org/criscjobpractice
• There are 5 domains in the CRISC job practice
• The CRISC exam is a practice-based exam. Simply
reading the material in this manual will not properly
prepare candidates for the exam.
• No representations or warranties are made by ISACA
in regard to this or other ISACA publications assuring
candidates’ passage of the CRISC exam. This
publication was produced independently of the CRISC
Certification Committee, which has no responsibility for
the content of this manual.
About the CRISC Exam
• The CRISC certification is designed to meet the
growing demand for professionals who can
integrate enterprise risk management (ERM)
with discrete IS control skills. The technical
skills and practices the CRISC certification
promotes and evaluates are the building blocks
of success in this growing field, and the CRISC
designation demonstrates proficiency in this
role.
Exam Relevance
Ensure that the CRISC candidate…
Has the practical knowledge required to perform the tasks described in the task
and knowledge statements.
The percentages listed with the domains indicate the emphasis or percentage
of questions that will appear on the exam from each domain. For a description
of each domain’s task and knowledge statements, visit
www.isaca.org/criscjobpractice.
Note: The concepts introduced in this manual are considered a fundamental part of the CRISC job practice.
About the CRISC Exam
• The exam consists of 200 multiple-choice questions.
• CRISC exam questions are developed with the intent of
measuring and testing practical knowledge and the
application of general concepts and standards.
• All questions are designed with one best answer.
• The candidate is asked to choose the correct or best
answer from the options.
• Good preparation for the CRISC exam can be achieved through an
organized plan of study. To assist individuals with the development of a
successful study plan, ISACA offers study aids and review courses to
exam candidates. See www.isaca.org/criscbooks to view the ISACA
study aids that can help prepare for the exam.
Manual Setup
The CRISC Review Manual 2012 is organized
into two parts:
• Part I— Risk Management and Information
Systems Control Theory and Concepts
• Part II— Risk Management and Information
Systems Control in Practice
Additional Resources
• Study Questions, Answers and Explanations
• Glossary
• Suggested Resources for Further Study
• List of Exhibits
• The CRISC candidate also may find it useful to
study the CRISC™ Review, Questions,
Answers & Explanations Manual 2012, which
consists of 100 multiple-choice study questions.
CRISC Review Course
Part I
The Big Picture: How Risk Management Relates to Risk Governance
Section Overview
• Exam Relevance
• Discuss specific topics within the chapter
• Case Study
• Sample Questions
• Key Terms (Definition and Acronyms)
• Suggested Reading
Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
• Differentiate between risk management and risk governance
• Identify the roles and responsibilities for risk management
• Distinguish between various risk management methodologies
• Apply and differentiate the standards, practices and principles of risk management
• List the main tasks related to risk governance
• Recognize relevant risk management standards, frameworks and practices
• Explain the meaning of key risk management concepts, including risk appetite and risk tolerance
Section Topic
RISK MANAGEMENT
Section Topics
• Risk Management
• Essentials of Risk Governance
– Risk Appetite and Risk Tolerance
– Risk Awareness and Communication
– Risk Culture
Overview of Risk Management
Risk Management:
• Is the process of balancing the risk associated with
business activities with an adequate level of control
that will enable the business to meet its objectives.
• Holistically covers all concepts and processes
affiliated with managing risk, including the
systematic application of management policies,
procedures and practices; the tasks of
communicating, consulting, establishing the
context; and identifying, analyzing, evaluating,
treating, monitoring and reviewing risk.
Risk
• Risk reflects the combination of the likelihood of
events occurring and the impact those events
have on the enterprise.
• Risk—the potential for events and their
consequences, contains both:
– Opportunities for benefit (upside)
– Threats to success (downside)
Risk and Opportunity Management
Guiding Principles for Effective Risk Management
• Maintain Business Objective Focus
• Integrate IT Risk Management Into Enterprise
Risk Management (ERM)
• Balance The Costs And Benefits Of Managing
Risk
• Promote Fair And Open Communication
• Establish Tone At The Top And Assign
Personal Accountability
• Daily Process With Continuous Improvement
Responsibility vs. Accountability
Responsibility—belongs to those who must ensure that the activities are completed successfully.
Accountability—applies to those who either own the required resources or those who have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
Risk Management Roles and Responsibilities
The CRISC executes on:
– Risk evaluation
– Risk response activities
The CRISC functions within the risk governance
framework established within the enterprise
Section Topic
ESSENTIALS OF RISK GOVERNANCE
Relevance of Risk Governance
• Risk is an integral part of business
• Risk is a core factor related to the stability,
growth and success of the organization
• Risk represents the opportunity for growth and
levels of profit
• Risk poses the possibility of loss or damage to
the business objectives
• Risk governance addresses the oversight of the
business risk strategy of the enterprise
Overview of Risk Governance
• Risk governance is the domain of the enterprise's senior management and shareholders.
• This group is responsible for:
– Establishing the organization's risk culture and acceptable levels of risk
– Setting up the risk framework
– Ensuring effectiveness of the risk management function
Objectives of Risk Governance
Risk governance has three main objectives:
1. Establishing and maintaining a common risk view
2. Integrating risk management into the enterprise
3. Making risk-aware business decisions
Foundation of Risk Governance
An effective risk governance foundation requires:
• An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
• An awareness of risk and of the need for effective communication about risk throughout the enterprise
• An understanding of the elements of risk culture
Objectives of Risk Governance—cont’d.
1. Establishing and maintaining a common risk
view
– Determines which controls are necessary to mitigate risk
– Determines how risk based controls are integrated into
business processes and IS
– Risk governance function oversees the operations of the
risk management team
Objectives of Risk Governance—cont’d.
2. Integrating risk management into the
enterprise
– Enforces a holistic ERM approach for the enterprise
– Requires integration of RM into every department, function, system and geographical location
Objectives of Risk Governance—cont.
3. Making risk-aware business decisions
– Consider the full range of opportunities and consequences of each decision throughout the enterprise, society and the environment
Essentials of Risk Governance
RISK APPETITE AND TOLERANCE
Risk Appetite and Risk Tolerance
Definitions
• Risk appetite—The amount of risk, on a broad
level, that an entity is willing to accept in pursuit
of its mission
• Risk tolerance—The acceptable level of
variation that management is willing to allow for
any particular risk as it pursues its objectives
Risk Appetite and Risk Tolerance—cont’d.
How Risk Appetite relates to risk scenarios with
varying Frequency and Magnitude
• Frequency—How often is the event expected to
occur?
• Magnitude—What is the impact to the
enterprise when the event occurs?
Risk Appetite and Risk Tolerance—cont’d.
Applicable Guidelines for Risk Appetite and Risk
Tolerance
• Connectivity of risk appetite and risk tolerance
• Review and approval of exceptions to risk
tolerance standards
• Risk appetite and tolerance change over time
• Cost of risk mitigation options can affect risk
tolerance
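As an added illustration (not part of the ISACA course material), the following Python sketch scores a small, constructed risk register by frequency and magnitude, checks the total against a broad risk appetite and each scenario against a per-scenario tolerance, flags the exceptions that the guidelines above say need review and approval, and re-scores the register after a risk response. The class names, the treatment of tolerance as a per-scenario ceiling on annualized loss, and every figure are assumptions made for the example.

```python
"""Added example (not from the CRISC Review Manual or ISACA): a small risk
register scored against a risk appetite and a per-scenario risk tolerance.
The dataclasses, field names and sample figures below are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class RiskScenario:
    ident: str
    description: str
    frequency: float   # expected occurrences per year (constructed estimate)
    magnitude: float   # loss per occurrence in monetary units (constructed)
    owner: str         # risk owner accountable for the response

    def annualized_loss(self) -> float:
        # Frequency x magnitude gives the expected annual loss of the scenario.
        return self.frequency * self.magnitude


@dataclass(frozen=True)
class RiskAppetite:
    total_annual_loss: float   # broad level of loss the enterprise accepts
    scenario_tolerance: float  # largest annualized loss tolerated for one scenario


def evaluate_register(register: List[RiskScenario], appetite: RiskAppetite) -> Dict:
    """Compare the register against appetite (aggregate) and tolerance (per scenario)."""
    total = round(sum(s.annualized_loss() for s in register), 2)
    # Scenarios outside tolerance are exceptions that need review and approval.
    exceptions = [s.ident for s in register
                  if s.annualized_loss() > appetite.scenario_tolerance]
    return {
        "total_annual_loss": total,
        "within_appetite": total <= appetite.total_annual_loss,
        "exceptions": exceptions,
    }


def apply_response(scenario: RiskScenario, frequency_factor: float = 1.0,
                   magnitude_factor: float = 1.0) -> RiskScenario:
    """Model a risk response: preventive controls scale frequency down,
    corrective or recovery controls scale magnitude down."""
    return replace(scenario,
                   frequency=scenario.frequency * frequency_factor,
                   magnitude=scenario.magnitude * magnitude_factor)


# Constructed sample register; the figures are illustrative, not from the page.
SAMPLE_REGISTER = [
    RiskScenario("R-01", "Phishing leads to credential theft", 4.0, 15_000, "CISO"),
    RiskScenario("R-02", "Ransomware outage of order system", 0.2, 400_000, "COO"),
    RiskScenario("R-03", "Loss of unencrypted laptop", 10.0, 2_000, "IT Ops"),
]
SAMPLE_APPETITE = RiskAppetite(total_annual_loss=150_000, scenario_tolerance=75_000)


def evaluate_with_response() -> Dict:
    """Re-score the register after a response halves the ransomware frequency."""
    mitigated = [apply_response(s, frequency_factor=0.5) if s.ident == "R-02" else s
                 for s in SAMPLE_REGISTER]
    return evaluate_register(mitigated, SAMPLE_APPETITE)


if __name__ == "__main__":
    print("before response:", evaluate_register(SAMPLE_REGISTER, SAMPLE_APPETITE))
    print("after response: ", evaluate_with_response())
```

Before the response the register totals 160,000 per year, which exceeds the 150,000 appetite, and R-02 alone exceeds the 75,000 tolerance; halving the ransomware frequency brings the total to 120,000 and clears the exception. The design point is that appetite is checked at the aggregate level while tolerance is checked scenario by scenario, which is why both can change independently when a response is applied.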
Essentials of Risk Governance
RISK CULTURE
Risk Culture Overview
Overview of a Risk-Aware Culture
• Allows for open discussions about risk components
• Acceptable levels of risk are understood and
maintained
• Begins at the top (board and executive)
– Set direction
– Communicate risk-aware decision making
– Reward effective risk management behaviors
• Implies that all levels are aware of how and when
to respond to adverse IT events
Risk Culture
• Risk-Aware Culture is a series of behaviors
– Behaviors toward taking risk
– Behavior toward negative outcomes
– Behavior toward policy compliance
• Symptoms of inadequate or problematic risk
culture include:
– Misalignment between real risk appetite and translation
into policies
– Existence of a “blame culture”
Section Topics
RISK MANAGEMENT FRAMEWORKS, STANDARDS AND PRACTICES
Relevance of Risk Management Frameworks, Standards and Practices
Risk Management Frameworks, standards and
practices matter to the CRISC because they:
• Provide a view of “things to watch”
• Act as a guide to focus efforts
• Help achieve business objectives
• Provide credibility
• Save time and cost
Frameworks
• Framework – Generally accepted, business
process-oriented structures that establish a
common language and enable repeatable
business processes
– The Risk IT Framework is an example
Standards
Standards – Established mandatory rules,
specifications and metrics used to measure
compliance against quality, value, etc.
• Standards are usually intended for compliance
purposes
• IT Audit and Assurance Standards are an
example
Practices
Practices are frequent or unusual actions
performed as an application of knowledge.
• Practices are issued by a “recognized authority”
• Leading Practices are actions that optimally
apply knowledge in a particular area.
• Practices are usually derived from, and supplement or support, standards and frameworks
• The Risk IT Practitioner Guide is an example
Essentials of Risk Governance
RISK AWARENESS AND COMMUNICATION
Risk Awareness and Communication
Description
• Risk awareness—is about acknowledging that
risk is an integral part of the business
• Risk communication—stresses that if risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout the enterprise
Risk Awareness and Communication—cont’d.
Good vs. Poor Communication
• Benefits of good communication include contributing to management's understanding of exposures, awareness, and transparency to external stakeholders
• Consequences of poor communication include a
false sense of confidence relating to exposure,
incorrect perception by external stakeholders and
perception that the enterprise lacks transparency
with external stakeholders
Risk Awareness and Communication—cont’d.
Types of Risk Information To Be Communicated
• Expectations from risk management (strategy,
policies, procedures, awareness, training, etc.)
• Current risk management capability (risk
management, process maturity)
• Status with regard to IT risk (risk profile, key
risk indicators, loss data, etc.)
Key Concepts of Risk Communications
Elements of Effective Communication
• Clear
• Concise
• Useful
• Timely
• Aimed at the correct target audience
• Available on a need-to-know basis
Key Concepts of Risk Communications
Stakeholder Communication Inputs and Outputs
• It is important for the CRISC to know what
types of information should come from and go
to various stakeholders
Supplements from the detailed domains
CRISC Review Course
Part I—
Risk Management and Information Systems Control
Theory and Concepts
Domain 1:
Risk Identification,
Assessment and Evaluation
Domain 1
Learning Objectives
After completing this chapter, the CRISC candidate should be able
to:
• Associate business strategies, goals, objectives, information,
processes, technologies and initiatives with risk
• Explain the principles of risk ownership within the organizational
structure
• Identify standards, frameworks and leading practices related to
risk
• Differentiate between threats and vulnerabilities
• Apply risk identification, classification, quantitative/qualitative
assessment and evaluation techniques
Domain 1
Learning Objectives—cont.
After completing this chapter, the CRISC candidate
should be able to:
• Describe the key elements of a risk register
• Describe risk scenario development tools and
techniques
• Help develop and support risk awareness training
tools and techniques
• Translate laws and regulations into business risk
requirements
• Relate security concepts to risk assessment
Task Statements
TS1.1: Collect information and review documentation to ensure that risk scenarios are identified and evaluated.
TS1.2: Identify legal, regulatory and contractual requirements and organizational policies and standards related to information systems to determine their potential impact on the business objectives.
TS1.3: Identify potential threats and vulnerabilities for business processes, associated data and supporting capabilities to assist in the evaluation of enterprise risk.
TS1.4: Create and maintain a risk register to ensure that all identified risk factors are accounted for.
TS1.5: Assemble risk scenarios to estimate the likelihood and impact of significant events to the enterprise.
TS1.6: Analyze risk scenarios to determine their impact on business objectives.
TS1.7: Develop a risk awareness program and conduct training to ensure that stakeholders understand risk and contribute to the risk management process and to promote a risk-aware culture.
TS1.8: Correlate identified risk scenarios to relevant business processes to assist in identifying risk ownership.
TS1.9: Validate risk appetite and tolerance with senior leadership and key stakeholders to ensure alignment.
Knowledge Statements
Knowledge of:
KS1.1: Standards, frameworks and leading practices related to risk identification, assessment and evaluation
KS1.2: Techniques for risk identification, classification, assessment and evaluation
KS1.3: Quantitative and qualitative risk evaluation methods
KS1.4: Business goals and objectives
KS1.5: Organizational structures
KS1.6: Risk scenarios related to business processes and initiatives
KS1.7: Business information criteria
KS1.8: Threats and vulnerabilities related to business processes and initiatives
Knowledge Statements—cont.
Knowledge of:
KS1.9: Information systems architecture (e.g., platforms, networks, applications, databases and operating systems)
KS1.10: Information security concepts
KS1.11: Threats and vulnerabilities related to third-party management
KS1.12: Threats and vulnerabilities related to data management
KS1.13: Threats and vulnerabilities related to the system development life cycle
KS1.14: Threats and vulnerabilities related to project and program management
KS1.15: Threats and vulnerabilities related to business continuity and disaster recovery management
Knowledge Statements—cont.
Knowledge of:
KS1.16: Threats and vulnerabilities related to management of IT operations
KS1.17: The elements of a risk register
KS1.18: Risk scenario development tools and techniques
KS1.19: Risk awareness training tools and techniques
KS1.20: Principles of risk ownership
KS1.21: Current and forthcoming laws, regulations and standards
KS1.22: Threats and vulnerabilities associated with emerging technologies
IT Risk in the Risk Hierarchy
[Figure] Enterprise Risk is comprised of:
IT Risk Categories
[Figure]
High Level Process Phases
The high-level process phases of the risk identification, assessment and evaluation process are:
1. Collect data
2. Analyze risk
3. Maintain risk profile
Risk Scenario Development
[Figure]
Risk Scenario Components
[Figure]
Systemic, Contagious or Obscure Risk
• Systemic risk: outcome of an event with a business partner that affects an entire area or industry
• Contagious risk: events that happen to several business partners in a short time frame
• Obscure risk: risk that has not yet occurred (nonhistorical) and is unlikely or difficult to fathom
Generic IT Risk Scenarios
[Figure]
Generic IT Risk Scenarios—cont.
[Figure]
Risk Factors—cont.
[Figure]
Business Related IT Risk Types
Type: the risk that…
• Investment or expense risk: The IT investment fails to provide value for money or is otherwise excessive or wasteful. This includes consideration of the overall IT investment portfolio.
• Access or security risk: Confidential or otherwise sensitive information may be divulged or made available to those without appropriate authority. An aspect of this risk is noncompliance with local, national and international laws related to privacy and protection of personal information.
• Integrity risk: Data cannot be relied on because they are unauthorized, incomplete or inaccurate.
• Relevance risk: The organization does not get the right information to the right people (or process or systems) at the right time to allow the right action to be taken.
• Availability risk: Services or data are not available when needed.
• Infrastructure risk: An enterprise does not have an IT infrastructure and systems that can effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion (includes hardware, networks, software, people and processes).
• Project ownership risk: IT projects fail to meet objectives through lack of accountability and commitment.
IT Project-Related Risk
Design Risk
Implementation Risk
Sponsorship Risk
Leadership Risk
Scope Risk
Technical Risk
Skill Risk
Transiting Risk
Political Risk
Personnel Risk
Scope Risk
Operational Risk
• Management Risks
• Technical Risks
• Cultural Risks
CRISC Review Course
Part I—
Risk Management and Information Systems Control
Theory and Concepts
Domain 2:
Risk Response
Task Statements
TS2.1: Identify and evaluate risk response options and provide management with information to enable risk response decisions.
TS2.2: Review risk responses with the relevant stakeholders for validation of efficiency, effectiveness and economy.
TS2.3: Apply risk criteria to assist in the development of the risk profile for management approval.
TS2.4: Assist in the development of risk response action plans to address risk factors identified in the organizational risk profile.
TS2.5: Assist in the development of business cases supporting the investment plan to ensure risk responses are aligned with the identified business objectives.
Knowledge Statements
Knowledge of:
KS2.1: Standards, frameworks and leading practices related to risk response
KS2.2: Risk response options
KS2.3: Cost/benefit analysis and return on investment (ROI)
KS2.4: Risk appetite and tolerance
KS2.5: Organizational risk management policies
KS2.6: Parameters for risk response selection
KS2.7: Project management tools and techniques
KS2.8: Portfolio, investment and value management
KS2.9: Exception management
KS2.10: Residual risk
The Risk Response Process
[Figure]
Risk Response Prioritization Options
[Figure]
Process Phases
• Phase 1: Articulate risk
• Phase 2: Manage risk
• Phase 3: React to risk event
Phase 1—Articulate Risk
• Ensure that information on the true state of
exposures and opportunities is made
available.
• Tasks:
1. Communicate Risk Analysis results
2. Report Risk Management activities
3. Interpret Risk Assessment findings
4. Identify business opportunities
Phase 2—Manage Risk
Manage risk to ensure that measures for seizing strategic
opportunities and reducing risk to an acceptable level are
managed as a portfolio.
Tasks:
1. Inventory controls
2. Monitor operational alignment
3. Respond to discovered risk exposures and
opportunities
4. Implement Controls
5. Report IT risk response plan progress
Phase 3—React To Risk Events
React to ensure that measures for seizing
immediate opportunities or limiting magnitude of
loss from events are activated in a timely and
effective manner.
Tasks:
1. Maintain incident response plans
2. Monitor risk
3. Initiate incident response
4. Communicate lessons learned from risk events
Phase 3—React To Risk Events
Task 1—Maintain incident response plans
1. Prepare for materialization of threats
2. Maintain open communication about risks
3. Build RTO into action plans
4. Define pathways of escalation
5. Verify incident response plans are adequate
Phase 3—React To Risk Events
Task 2—Monitor risk
1. Monitor the environment
2. When a control limit is breached, escalate or confirm
3. Categorize incidents
4. Communicate business impact
5. Continue to take action and drive desired outcome
6. Ensure policy is followed with clear accountability for
follow-up actions
Phase 3—React To Risk Events
Task 3—Initiate incident response
1. Take action to minimize in-progress incident impact
2. Identify impact category
3. Inform stakeholders of incident
4. Identify time requirements to carry out plan
5. Ensure correct action is taken
Phase 3—React To Risk Events
Task 4—Communicate lessons learned from risk events
1. Examine past events and missed opportunities
2. Determine where failure stemmed from
3. Research root cause
4. Determine underlying problem
5. Identify tactical corrections
6. Identify and correct underlying root causes
7. Identify root cause of incidents
8. Request additional risk analysis as needed
9. Communicate root cause, response requirements, process improvements
CRISC Review Course
Part I—
Risk Management and Information Systems Control
Theory and Concepts
Domain 3:
Risk Monitoring
Task Statements
TS3.1: Collect and validate data that measures key risk indicators (KRI) to monitor and communicate their status to relevant stakeholders.
TS3.2: Monitor and communicate key risk indicators (KRI) and management activities to assist relevant stakeholders in their decision-making process.
TS3.3: Facilitate independent risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
TS3.4: Identify and report on risk, including compliance, to initiate corrective action and meet business and regulatory requirements.
Knowledge Statements
Knowledge of:
KS3.1: Standards, frameworks and leading practices related to risk monitoring
KS3.2: Principles of risk ownership
KS3.3: Risk and compliance reporting requirements, tools and techniques
KS3.4: Key performance indicators (KPIs) and key risk indicators (KRIs)
KS3.5: Risk assessment methodologies
KS3.6: Data extraction, validation, aggregation and analysis tools and techniques
KS3.7: Various types of reviews of the organization’s risk monitoring process (e.g., internal and external audits, peer reviews, regulatory reviews, quality reviews)
ESSENTIALS
• Risk Indicators and Key Risk Indicators
• Data Extraction, Validation, Aggregation and
Analysis
• Capability Maturity Modeling
• Treat Analysis
• Risk Reporting
Key Risk Indicators
• KRIs are like signals
– Indicate warning thresholds
– Allow tracking and reporting
– Highlight trends in developing or potential risk
Risk Indicator Types and Parameters
Types of KRIs
• Logs
• Alarms
• Reports
Parameters:
• Size and complexity of enterprise
• Type of market in which the enterprise operates
• Strategy focus of the enterprise
Criteria for KRI Selection
• Impact
– Controls covering high impact risks
• Effort
– Controls that are easy to monitor
• Reliability
– Close relationship between the risk and the control
• Sensitivity
– Accurately reflect changes in risk
Benefits of Selecting Right KRIs
• Forecast developing risks
– Trends/preventative
• Post-incident review
– Analysis and lessons learned
– Better future risk response
• Document trends
– Watch developing risks over time
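The KRI slides above (warning thresholds, tracking, trends) and Phase 3 Task 2 (monitor the environment; when a control limit is breached, escalate or confirm) describe the same loop. As an added example that is not part of the course material, the Python below evaluates a few constructed indicator readings against a warning threshold and a breach (control-limit) threshold, classifies the recent trend as deteriorating, improving or stable, and derives the escalate-or-confirm action. The indicator names, thresholds, reading format and all values are assumptions.

```python
"""Added example (not from the CRISC course material): evaluating key risk
indicators (KRIs) against warning and breach thresholds over constructed data.
Indicator names, thresholds and the reading format are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KRI:
    name: str
    warning: float            # threshold at which the indicator signals a warning
    breach: float             # control limit; crossing it triggers escalation
    higher_is_worse: bool = True  # False for indicators such as success rates


# Constructed sample readings in "timestamp,indicator,value" form.
SAMPLE_READINGS = """\
2024-03-01T00:00Z,failed_logins_per_hour,12
2024-03-01T01:00Z,failed_logins_per_hour,18
2024-03-01T02:00Z,failed_logins_per_hour,27
2024-03-01T03:00Z,failed_logins_per_hour,41
2024-03-01T00:00Z,patches_overdue_30d,6
2024-03-01T01:00Z,patches_overdue_30d,6
2024-03-01T02:00Z,patches_overdue_30d,5
2024-03-01T03:00Z,patches_overdue_30d,5
2024-03-01T00:00Z,backup_success_pct,99.0
2024-03-01T01:00Z,backup_success_pct,98.5
2024-03-01T02:00Z,backup_success_pct,97.5
2024-03-01T03:00Z,backup_success_pct,96.5
"""

# Constructed KRI definitions with illustrative thresholds.
KRIS = {
    "failed_logins_per_hour": KRI("failed_logins_per_hour", warning=25, breach=40),
    "patches_overdue_30d": KRI("patches_overdue_30d", warning=10, breach=20),
    "backup_success_pct": KRI("backup_success_pct", warning=97.0, breach=95.0,
                              higher_is_worse=False),
}


def parse_readings(text: str) -> Dict[str, List[Tuple[str, float]]]:
    """Group readings per indicator and order them by timestamp (ISO strings sort)."""
    series: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, value = line.split(",")
        series[name].append((ts, float(value)))
    for values in series.values():
        values.sort()
    return dict(series)


def status_for(kri: KRI, value: float) -> str:
    """OK, WARNING or BREACH for one reading, honouring the indicator's direction."""
    def worse_than(v: float, threshold: float) -> bool:
        return v >= threshold if kri.higher_is_worse else v <= threshold
    if worse_than(value, kri.breach):
        return "BREACH"
    if worse_than(value, kri.warning):
        return "WARNING"
    return "OK"


def trend_for(kri: KRI, values: List[float]) -> str:
    """Classify the direction of the last three readings relative to risk."""
    if len(values) < 3:
        return "insufficient data"
    recent = values[-3:]
    rising = all(b > a for a, b in zip(recent, recent[1:]))
    falling = all(b < a for a, b in zip(recent, recent[1:]))
    if (rising and kri.higher_is_worse) or (falling and not kri.higher_is_worse):
        return "deteriorating"
    if (falling and kri.higher_is_worse) or (rising and not kri.higher_is_worse):
        return "improving"
    return "stable"


def evaluate_kris(text: str, kris: Dict[str, KRI]) -> Dict[str, Dict]:
    """Produce a per-indicator status, trend and the escalate-or-confirm action."""
    report = {}
    for name, readings in parse_readings(text).items():
        kri = kris[name]
        values = [v for _, v in readings]
        status = status_for(kri, values[-1])
        action = {"BREACH": "escalate to risk owner",
                  "WARNING": "confirm and monitor"}.get(status, "none")
        report[name] = {"latest": values[-1], "status": status,
                        "trend": trend_for(kri, values), "action": action}
    return report


if __name__ == "__main__":
    for name, entry in evaluate_kris(SAMPLE_READINGS, KRIS).items():
        print(f"{name}: {entry}")
```

On the constructed data the failed-login indicator has crossed its control limit on a rising trend and is escalated, the backup success rate is only in the warning band but deteriorating (the kind of developing risk a KRI is meant to forecast), and the overdue-patch count is stable and within limits. Separating the warning threshold from the breach threshold is what lets the report distinguish "confirm" from "escalate", as Task 2 requires.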
CRISC Review Course
Part I—
Risk Management and Information Systems Control
Theory and Concepts
DOMAIN 4:
INFORMATION SYSTEMS CONTROL
DESIGN AND IMPLEMENTATION
Domain 4 Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
– List different control categories and their effects.
– Judge control strength.
– Explain the importance of balancing control cost and benefit.
– Leverage understanding of the SDLC process to implement IS controls efficiently and effectively.
– Differentiate between the four high-level stages of the SDLC.
– Relate each SDLC phase to specific tasks and objectives.
– Apply core project management tools and techniques to the implementation of IS controls.
Task Statements
TS4.1: Interview process owners and review process design documentation to gain an understanding of the business process objectives.
TS4.2: Analyze and document business process objectives and design to identify required information systems controls.
TS4.3: Design information systems controls in consultation with the process owners to ensure alignment with business needs and objectives.
TS4.4: Facilitate the identification of resources (e.g., people, infrastructure, information, architecture) required to implement and operate information systems controls at an optimal level.
TS4.5: Monitor the information systems control design and implementation process to ensure that it is implemented effectively and within time, budget and scope.
TS4.6: Provide progress reports on the implementation of information systems controls to inform stakeholders and to ensure that deviations are promptly addressed.
Task Statements—cont.
TS4.7: Test information systems controls to verify effectiveness and efficiency prior to implementation.
TS4.8: Implement information systems controls to mitigate risk.
TS4.9: Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of information systems control performance in meeting business objectives.
TS4.10: Assess and recommend tools to automate information systems control processes.
TS4.11: Provide documentation and training to ensure that information systems controls are effectively performed.
TS4.12: Ensure that all controls are assigned control owners to establish accountability.
TS4.13: Establish control criteria to enable control life cycle management.
Knowledge Statements
Knowledge of:
KS4.1: Standards, frameworks and leading practices related to information systems control design and implementation
KS4.2: Business process review tools and techniques
KS4.3: Testing methodologies and practices related to information systems control design and implementation
KS4.4: Control practices related to business processes and initiatives
KS4.5: The information systems architecture (e.g., platforms, networks, applications, databases and operating systems)
KS4.6: Controls related to information security
KS4.7: Controls related to third-party management
Knowledge Statements—cont.
Knowledge of:
KS4.8: Controls related to data management
KS4.9: Controls related to the system development life cycle
KS4.10: Controls related to project and program management
KS4.11: Controls related to business continuity and disaster recovery management
KS4.12: Controls related to management of IT operations
KS4.13: Software and hardware certification and accreditation practices
KS4.14: The concept of control objectives
KS4.15: Governance, risk and compliance (GRC) tools
KS4.16: Tools and techniques to educate and train users
CRISC Involvement
The CRISC must be involved in:
• Assessing the level of risk to business processes
• Determining the level of business risk associated
with information systems
• Determining information system security
requirements based on IS risk
• Selecting the appropriate IS controls to meet the
security requirements and mitigate risk
CRISC involvement—Cont.
The CRISC must be involved in:
• Designing or overseeing the design of the controls
for Information Systems
• Implementing and testing IS controls
• Setting KRIs and other measurements to
determine the effectiveness of the IS controls
• Reporting on the current risk and control
effectiveness
• Initiating projects to implement new controls where
necessary
Control Categories
• Compensating controls
• Corrective controls
• Detective controls
• Deterrent controls
• Directive controls
• Preventative controls
Control Types and Effects
Exhibit 4.1: Control Category Interdependencies
Control Strength
Meaningful control design considerations include:
• Design effectiveness
• Operating effectiveness
• Alignment with operating environment
Control Costs and Benefits
Cost-benefit Analysis helps:
• Provide a monetary impact view of risk
• Determine the cost of protecting what is important
• Make smart choices based on potential:
– Risk mitigation costs
– Losses (risk exposure)
Potential Loss Measures
The three common measurements for potential loss include:
• Employee productivity impacts
• Revenue losses
• Direct-cost loss events
Total Cost of Ownership For Controls
Consider TCO for the full life cycle of the control or
countermeasure including elements:
– Acquisition costs
– Deployment and implementation costs
– Recurring maintenance costs
– Testing and assessment costs
– Compliance monitoring and enforcement
– Inconvenience to users
– Reduced throughput of controlled processes
– Training in new procedures or technologies as applicable
– End of life decommissioning
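The cost-benefit, potential-loss and TCO slides above fit together into one calculation: the loss a control avoids over its life cycle, against everything the control costs over that same life cycle. As an added example that is not from the course material, the Python below models the TCO elements listed above as one-time and recurring costs, builds the magnitude of a loss event from the three loss measures, and returns the net benefit and return on investment of a constructed control. Class names, field names and every figure are assumptions.

```python
"""Added example (not from the CRISC course material): total cost of ownership
of a control over its life cycle set against the loss it avoids.
Class names, fields and the sample figures are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTCO:
    """Life cycle cost elements of a control: one-time and recurring."""
    acquisition: float
    deployment: float
    training: float                   # training in new procedures or technologies
    decommissioning: float            # end-of-life decommissioning
    annual_maintenance: float         # recurring maintenance, compliance monitoring
    annual_testing: float             # testing and assessment
    annual_user_inconvenience: float  # reduced throughput / inconvenience to users
    lifetime_years: int

    def total(self) -> float:
        one_time = (self.acquisition + self.deployment
                    + self.training + self.decommissioning)
        recurring = (self.annual_maintenance + self.annual_testing
                     + self.annual_user_inconvenience) * self.lifetime_years
        return one_time + recurring


@dataclass(frozen=True)
class LossEvent:
    """Magnitude of one loss event, split into the three common loss measures."""
    productivity_impact: float
    revenue_loss: float
    direct_cost: float

    def magnitude(self) -> float:
        return self.productivity_impact + self.revenue_loss + self.direct_cost


def annualized_loss(frequency_per_year: float, event: LossEvent) -> float:
    """Expected annual loss: frequency x magnitude."""
    return frequency_per_year * event.magnitude()


def cost_benefit(control: ControlTCO, event: LossEvent,
                 freq_before: float, freq_after: float) -> dict:
    """Net benefit and return of the control over its lifetime.

    freq_before / freq_after are the event frequencies without and with the
    control in place; the difference is the loss the control avoids each year."""
    avoided_per_year = (annualized_loss(freq_before, event)
                        - annualized_loss(freq_after, event))
    avoided = avoided_per_year * control.lifetime_years
    tco = control.total()
    return {
        "tco": tco,
        "avoided_loss": avoided,
        "net_benefit": avoided - tco,
        "return_on_investment": round((avoided - tco) / tco, 2),
    }


# Constructed sample: a multi-factor authentication rollout against
# credential-theft incidents. Figures are illustrative only.
SAMPLE_CONTROL = ControlTCO(acquisition=20_000, deployment=15_000, training=4_000,
                            decommissioning=2_000, annual_maintenance=8_000,
                            annual_testing=3_000, annual_user_inconvenience=5_000,
                            lifetime_years=3)
SAMPLE_EVENT = LossEvent(productivity_impact=5_000, revenue_loss=6_000, direct_cost=4_000)


def sample_case() -> dict:
    """Four incidents a year before the control, half an incident a year after."""
    return cost_benefit(SAMPLE_CONTROL, SAMPLE_EVENT, freq_before=4.0, freq_after=0.5)


if __name__ == "__main__":
    print(sample_case())
```

In the constructed case the control costs 89,000 over three years and avoids 157,500 of expected loss, a net benefit of 68,500. Counting the recurring items (maintenance, testing, user inconvenience) for every year of the control's life is what keeps a cheap-to-buy but expensive-to-run control from looking better than it is.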
CRISC Review Course
Part I—
Risk Management and Information Systems Control
Theory and Concepts
DOMAIN 5:
INFORMATION SYSTEMS CONTROL
MAINTENANCE AND MONITORING
Task Statements
TS5.1: Plan, supervise and conduct testing to confirm continuous efficiency and effectiveness of information systems controls.
TS5.2: Collect information and review documentation to identify information systems control deficiencies.
TS5.3: Review information systems policies, standards and procedures to verify that they address the organization’s internal and external requirements.
TS5.4: Assess and recommend tools and techniques to automate information systems control verification processes.
TS5.5: Evaluate the current state of information systems processes using a maturity model to identify the gaps between current and targeted process maturity.
TS5.6: Determine the approach to correct information systems control deficiencies and maturity gaps to ensure that deficiencies are appropriately considered and remediated.
TS5.7: Maintain sufficient, adequate evidence to support conclusions on the existence and operating effectiveness of information systems controls.
TS5.8: Provide information systems control status reporting to relevant stakeholders to enable informed decision-making.
Knowledge Statements
Knowledge of:
KS5.1: Standards, frameworks and leading practices related to information systems control monitoring and maintenance
KS5.2: Enterprise security architecture
KS5.3: Monitoring tools and techniques
KS5.4: Maturity models
KS5.5: Control objectives, activities and metrics related to IT operations and business processes and initiatives
KS5.6: Control objectives, activities and metrics related to incident and problem management
KS5.7: Security testing and assessment tools and techniques
Knowledge Statements—cont.
No.
Knowledge Statement (KS) Knowledge of:
KS5.8
Control objectives, activities and metrics related to information systems
architecture (platforms, networks, applications, databases and operating
systems)
KS5.9
Control objectives, activities and metrics related to information security
KS5.10
Control objectives, activities and metrics related to third-party management
KS5.11
Control objectives, activities and metrics related to data management
KS5.12
Control objectives, activities and metrics related to the system development life
cycle
KS5.13
Control objectives, activities and metrics related to project and program
management
KS5.14
Control objectives, activities and metrics related to software and hardware
certification and accreditation practices
KS5.15
Control objectives, activities and metrics related to business continuity and
disaster recovery management
KS5.16
Applicable laws and regulations
105
Determine Monitoring Method and Frequency
Management’s judgment factors include:
• Its objectives
• Its risks
• Its controls
• The persuasiveness of the information that is available about its controls
Select & Implement Automated Monitoring Tools
Selection Criteria:
• Sustainability
• Scalability
• Customizability
• Ownership
• Impact on Performance
• Usability of Existing Tools
• Tool Complexity
• Transferability
• Cost/Benefit
Clarify Reporting Requirements and Exceptions
Cause-and-Effect Diagram Steps:
1. Agree on the effect or problem statement
2. Identify major categories of failure
3. Link the potential or observed control failures to the categories
4. Discuss the control failure points with the project team
5. Revise the monitoring process and repeat testing as necessary
Clarify Reporting Requirements and Exceptions
[Example cause-and-effect (fishbone) diagram. Effect: Software Change Failures. Major failure categories shown: Specifications, Approvals, Skipping User Acceptance Testing, Bypass Change Control Process. Contributing causes shown on the branches: IT knowledge, new technology, user approval not obtained, user availability, IT management approval not obtained, user knowledge of process, incomplete data, testing, code movement. Diagram label: Root causes identified.]
CASE STUDY &
PRACTICE QUESTIONS
Case Study
• Company XYZ has four offices located in the US, Canada, China and Egypt.
• The company currently has four separate risk management plans and programs. While the offices all serve independent functions and have separate technology infrastructures, the plans are not integrated and have never been shared.
• The company plans to IPO in the US later this year, and the company’s CEO and board of directors have just directed the enterprise to build a centralized risk management and governance program.
You are the CRISC for your location’s IT shop. Based on the topics discussed in this chapter, how would you participate?
Practice Question 1
X-1. Risk management should consider the following aspect(s) of risk:
A. Thresholds
B. Consequences
C. Both opportunities and threats
D. Both opportunities and thresholds
Practice Question 2
X-2. What factors change risk appetite and tolerance?
A. New technology
B. New organizational structures
C. New market conditions
D. All of the above
Practice Question 3
X-3. Which of the following statements is true?
A. Risk tolerance is the amount of risk the company is willing to accept
B. Risk appetite is the acceptable variance relative to objective achievement
C. Risk tolerance is the acceptable variance relative to objective achievement
D. Risk tolerance level is based on the enterprise’s ability to absorb loss
Practice Question 4
X-4. What risk components should be communicated?
A. Expectations from process owners
B. Status with regard to IT risk
C. Future risk exposure
D. Status with regard to operational risk
Practice Question 5
X-5. The IT risk action plan is an output communication from whom?
A. CRISC
B. Chief Information Officer
C. IT Management
D. Chief Risk Officer and the Enterprise Risk Management Committee
DEFINITIONS AND ACRONYMS
Acronym Review (Review Guide reference: p. xiii)
CRO: Chief Risk Officer
CIO: Chief Information Officer
ERM: Enterprise Risk Management
Definition Review (Review Guide reference page in parentheses)
Risk (p. 5): Reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk means the potential for events and their consequences, and contains both opportunities for benefit (upside) and threats to success (downside).
Responsibility (p. 7): Belongs to those who must ensure that the activities are completed successfully.
Accountability (p. 7): Applies to those who own the required resources and have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
Standards (p. 15): Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or the outputs of a process.
Practices (p. 15): Frequent or usual actions performed as an application of knowledge. They are issued by a “recognized authority” that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions, or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review. Note: Practices usually are derived from and supplement/support standards and frameworks, and are the least formal of the three.
Definition Review (Review Guide reference page in parentheses)
Leading Practice (p. 15): An action that optimally applies knowledge in a particular area.
Risk Appetite (p. 9): The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision).
Risk Tolerance (p. 10): The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective).
Risk Awareness (p. 61): Is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that:
• Risk is well understood and known.
• IT risk issues are identifiable.
• The enterprise recognizes and uses the means to manage risk.