ISACA® The recognized global leader in IT governance, control, security and assurance

High-level session overview
1. CRISC background information
2. Part I—The Big Picture

CRISC BACKGROUND INFORMATION

About the CRISC Exam
• The content of the 2012 CRISC Review Manual is based on the CRISC job practice found at www.isaca.org/criscjobpractice
• There are 5 domains in the CRISC job practice
• The CRISC exam is a practice-based exam. Simply reading the material in this manual will not properly prepare candidates for the exam.
• No representations or warranties are made by ISACA in regard to this or other ISACA publications assuring candidates’ passage of the CRISC exam. This publication was produced independently of the CRISC Certification Committee, which has no responsibility for the content of this manual.

About the CRISC Exam
• The CRISC certification is designed to meet the growing demand for professionals who can integrate enterprise risk management (ERM) with discrete IS control skills. The technical skills and practices the CRISC certification promotes and evaluates are the building blocks of success in this growing field, and the CRISC designation demonstrates proficiency in this role.

Exam Relevance
Ensure that the CRISC candidate has the practical knowledge required to perform the tasks described in the task and knowledge statements.
The percentages listed with the domains indicate the emphasis, or percentage of questions, that will appear on the exam from each domain. For a description of each domain’s task and knowledge statements, visit www.isaca.org/criscjobpractice.
Note: The concepts introduced in this manual are considered a fundamental part of the CRISC job practice.

About the CRISC Exam
• The exam consists of 200 multiple-choice questions.
• CRISC exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.
• All questions are designed with one best answer.
• The candidate is asked to choose the correct or best answer from the options.
• Good preparation for the CRISC exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers study aids and review courses to exam candidates. See www.isaca.org/criscbooks to view the ISACA study aids that can help prepare for the exam.

Manual Setup
The CRISC Review Manual 2012 is organized into two parts:
• Part I—Risk Management and Information Systems Control Theory and Concepts
• Part II—Risk Management and Information Systems Control in Practice

Additional Resources
• Study Questions, Answers and Explanations
• Glossary
• Suggested Resources for Further Study
• List of Exhibits
• The CRISC candidate also may find it useful to study the CRISC™ Review Questions, Answers & Explanations Manual 2012, which consists of 100 multiple-choice study questions.

CRISC Review Course Part I
The Big Picture: How Risk Management Relates to Risk Governance

Section Overview
• Exam Relevance
• Discuss specific topics within the chapter
• Case Study
• Sample Questions
• Key Terms (Definitions and Acronyms)
• Suggested Reading

Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
• Differentiate between risk management and risk governance
• Identify the roles and responsibilities for risk management
• Distinguish between various risk management methodologies
• Apply and differentiate the standards, practices and principles of risk management
• List the main tasks related to risk governance
• Recognize relevant risk management standards, frameworks and practices
• Explain the meaning of key risk management concepts, including risk appetite and risk tolerance

Section Topic: RISK MANAGEMENT

Section Topics
• Risk Management
• Essentials of Risk Governance
– Risk Appetite and Risk Tolerance
– Risk Awareness and Communication
– Risk Culture

Overview of Risk Management
Risk Management:
• Is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.
• Holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of communicating, consulting and establishing the context; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Risk
• Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise.
• Risk—the potential for events and their consequences—contains both:
– Opportunities for benefit (upside)
– Threats to success (downside)

Risk and Opportunity Management
Guiding Principles for Effective Risk Management
• Maintain Business Objective Focus
• Integrate IT Risk Management Into Enterprise Risk Management (ERM)
• Balance The Costs And Benefits Of Managing Risk
• Promote Fair And Open Communication
• Establish Tone At The Top And Assign Personal Accountability
• Daily Process With Continuous Improvement

Responsibility vs. Accountability
Responsibility—belongs to those who must ensure that the activities are completed successfully.
Accountability—applies to those who either own the required resources or have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.

Risk Management Roles and Responsibilities
The CRISC executes on:
– Risk evaluation
– Risk response activities
The CRISC functions within the risk governance framework established within the enterprise.

Section Topic: ESSENTIALS OF RISK GOVERNANCE

Relevance of Risk Governance
• Risk is an integral part of business
• Risk is a core factor related to the stability, growth and success of the organization
• Risk represents the opportunity for growth and levels of profit
• Risk poses the possibility of loss or damage to the business objectives
• Risk governance addresses the oversight of the business risk strategy of the enterprise

Overview of Risk Governance
• Risk governance is the domain of the enterprise’s senior management and shareholders.
• This group is responsible for:
– Establishing the organization’s risk culture and acceptable levels of risk
– Setting up the risk framework
– Ensuring effectiveness of the risk management function

Objectives of Risk Governance
Risk governance has three main objectives:
1. Establishing and maintaining a common risk view
2. Integrating risk management into the enterprise
3. Making risk-aware business decisions

Foundation of Risk Governance
An effective risk governance foundation requires:
• An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
• An awareness of risk and of the need for effective communication about risk throughout the enterprise
• An understanding of the elements of risk culture

Objectives of Risk Governance—cont’d.
1. Establishing and maintaining a common risk view
– Determines which controls are necessary to mitigate risk
– Determines how risk-based controls are integrated into business processes and IS
– The risk governance function oversees the operations of the risk management team
2. Integrating risk management into the enterprise
– Enforces a holistic ERM approach for the enterprise
– Requires integration of RM into every department, function, system and geographical location
3. Making risk-aware business decisions
– Consider the full range of opportunities and consequences of each decision throughout the enterprise, society and the environment

Essentials of Risk Governance: RISK APPETITE AND TOLERANCE

Risk Appetite and Risk Tolerance Definitions
• Risk appetite—The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
• Risk tolerance—The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives

Risk Appetite and Risk Tolerance—cont’d.
How risk appetite relates to risk scenarios with varying frequency and magnitude:
• Frequency—How often is the event expected to occur?
• Magnitude—What is the impact to the enterprise when the event occurs?

Risk Appetite and Risk Tolerance—cont’d.
Applicable Guidelines for Risk Appetite and Risk Tolerance
• Connectivity of risk appetite and risk tolerance
• Review and approval of exceptions to risk tolerance standards
• Risk appetite and tolerance change over time
• Cost of risk mitigation options can affect risk tolerance

Essentials of Risk Governance: RISK CULTURE

Risk Culture Overview
Overview of a Risk-Aware Culture
• Allows for open discussions about risk components
• Acceptable levels of risk are understood and maintained
• Begins at the top (board and executive)
– Set direction
– Communicate risk-aware decision making
– Reward effective risk management behaviors
• Implies that all levels are aware of how and when to respond to adverse IT events

Risk Culture
• A risk-aware culture is a series of behaviors:
– Behavior toward taking risk
– Behavior toward negative outcomes
– Behavior toward policy compliance
• Symptoms of an inadequate or problematic risk culture include:
– Misalignment between real risk appetite and its translation into policies
– Existence of a “blame culture”

Section Topics: RISK MANAGEMENT FRAMEWORKS, STANDARDS AND PRACTICES

Relevance of Risk Management Frameworks, Standards and Practices
Risk management frameworks, standards and practices matter to the CRISC because they:
• Provide a view of “things to watch”
• Act as a guide to focus efforts
• Help achieve business objectives
• Provide credibility
• Save time and cost

Frameworks
• Framework—Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes
– The Risk IT Framework is an example

Standards
• Standards—Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.
• Standards are usually intended for compliance purposes
• IT Audit and Assurance Standards are an example

Practices
Practices are frequent or usual actions performed as an application of knowledge.
• Practices are issued by a “recognized authority”
• Leading practices are actions that optimally apply knowledge in a particular area.
• Practices are usually derived from, and supplement/support, standards and frameworks
• The Risk IT Practitioner Guide is an example

Essentials of Risk Governance: RISK AWARENESS AND COMMUNICATION

Risk Awareness and Communication Description
• Risk awareness—is about acknowledging that risk is an integral part of the business
• Risk communication—stresses that if risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout the enterprise

Risk Awareness and Communication—cont’d.
Good vs. Poor Communication
• Benefits of good communication include contributing to management’s understanding of exposures, awareness, and transparency to external stakeholders
• Consequences of poor communication include a false sense of confidence relating to exposure, incorrect perception by external stakeholders and a perception that the enterprise lacks transparency with external stakeholders

Risk Awareness and Communication—cont’d.
Types of Risk Information To Be Communicated
• Expectations from risk management (strategy, policies, procedures, awareness, training, etc.)
• Current risk management capability (risk management process maturity)
• Status with regard to IT risk (risk profile, key risk indicators, loss data, etc.)

Key Concepts of Risk Communications
Elements of Effective Communication
• Clear
• Concise
• Useful
• Timely
• Aimed at the correct target audience
• Available on a need-to-know basis

Key Concepts of Risk Communications
Stakeholder Communication Inputs and Outputs
• It is important for the CRISC to know what types of information should come from and go to various stakeholders

Additions from the detailed domains

CRISC Review Course Part I—Risk Management and Information Systems Control Theory and Concepts
Domain 1: Risk Identification, Assessment and Evaluation

Domain 1 Learning Objectives
After completing this chapter, the CRISC candidate should be able to:
• Associate business strategies, goals, objectives, information, processes, technologies and initiatives with risk
• Explain the principles of risk ownership within the organizational structure
• Identify standards, frameworks and leading practices related to risk
• Differentiate between threats and vulnerabilities
• Apply risk identification, classification, quantitative/qualitative assessment and evaluation techniques
• Describe the key elements of a risk register
• Describe risk scenario development tools and techniques
• Help develop and support risk awareness training tools and techniques
• Translate laws and regulations into business risk requirements
• Relate security concepts to risk assessment

Task Statements (TS)
TS1.1 Collect information and review documentation to ensure that risk scenarios are identified and evaluated.
TS1.2 Identify legal, regulatory and contractual requirements and organizational policies and standards related to information systems to determine their potential impact on the business objectives.
TS1.3 Identify potential threats and vulnerabilities for business processes, associated data and supporting capabilities to assist in the evaluation of enterprise risk.
TS1.4 Create and maintain a risk register to ensure that all identified risk factors are accounted for.
TS1.5 Assemble risk scenarios to estimate the likelihood and impact of significant events to the enterprise.
TS1.6 Analyze risk scenarios to determine their impact on business objectives.
TS1.7 Develop a risk awareness program and conduct training to ensure that stakeholders understand risk and contribute to the risk management process and to promote a risk-aware culture.
TS1.8 Correlate identified risk scenarios to relevant business processes to assist in identifying risk ownership.
TS1.9 Validate risk appetite and tolerance with senior leadership and key stakeholders to ensure alignment.

Knowledge Statements (KS)—Knowledge of:
KS1.1 Standards, frameworks and leading practices related to risk identification, assessment and evaluation
KS1.2 Techniques for risk identification, classification, assessment and evaluation
KS1.3 Quantitative and qualitative risk evaluation methods
KS1.4 Business goals and objectives
KS1.5 Organizational structures
KS1.6 Risk scenarios related to business processes and initiatives
KS1.7 Business information criteria
KS1.8 Threats and vulnerabilities related to business processes and initiatives
KS1.9 Information systems architecture (e.g., platforms, networks, applications, databases and operating systems)
KS1.10 Information security concepts
KS1.11 Threats and vulnerabilities related to third-party management
KS1.12 Threats and vulnerabilities related to data management
KS1.13 Threats and vulnerabilities related to the system development life cycle
KS1.14 Threats and vulnerabilities related to project and program management
KS1.15 Threats and vulnerabilities related to business continuity and disaster recovery management
KS1.16 Threats and vulnerabilities related to management of IT operations
KS1.17 The elements of a risk register
KS1.18 Risk scenario development tools and techniques
KS1.19 Risk awareness training tools and techniques
KS1.20 Principles of risk ownership
KS1.21 Current and forthcoming laws, regulations and standards
KS1.22 Threats and vulnerabilities associated with emerging technologies

IT Risk in the Risk Hierarchy
Enterprise risk is comprised of: (diagram not reproduced)

IT Risk Categories (diagram not reproduced)

High Level Process Phases
The high-level process phases of the risk identification, assessment and evaluation process are:
• Collect data
• Analyze risk
• Maintain risk profile

Risk Scenario Development (diagram not reproduced)

Risk Scenario Components (diagram not reproduced)

Systemic, Contagious or Obscure Risk
• Systemic risk—Outcome of an event with a business partner that affects an entire area or industry
• Contagious risk—Events that happen to several business partners in a short time frame
• Obscure risk—Risk that has not yet occurred (nonhistorical) and is unlikely or difficult to fathom

Generic IT Risk Scenarios (diagram not reproduced)

Generic IT Risk Scenarios—cont. (diagram not reproduced)

Risk Factors—cont. (diagram not reproduced)
Business-Related IT Risk Types
Type—The risk that…
• Investment or expense risk—The IT investment fails to provide value for money or is otherwise excessive or wasteful. This includes consideration of the overall IT investment portfolio.
• Access or security risk—Confidential or otherwise sensitive information may be divulged or made available to those without appropriate authority. An aspect of this risk is noncompliance with local, national and international laws related to privacy and protection of personal information.
• Integrity risk—Data cannot be relied on because they are unauthorized, incomplete or inaccurate.
• Relevance risk—The organization does not get the right information to the right people (or processes or systems) at the right time to allow the right action to be taken.
• Availability risk—Services or data are not available when needed.
• Infrastructure risk—An enterprise does not have an IT infrastructure and systems that can effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion (includes hardware, networks, software, people and processes).
• Project ownership risk—IT projects fail to meet objectives through lack of accountability and risk commitment.

IT Project-Related Risk
• Design Risk
• Implementation Risk
• Sponsorship Risk
• Leadership Risk
• Scope Risk
• Technical Risk
• Skill Risk
• Transiting Risk
• Political Risk
• Personnel Risk
• Operational Risk
– Management Risks
– Technical Risks
– Cultural Risks

CRISC Review Course Part I—Risk Management and Information Systems Control Theory and Concepts
Domain 2: Risk Response

Task Statements (TS)
TS2.1 Identify and evaluate risk response options and provide management with information to enable risk response decisions.
TS2.2 Review risk responses with the relevant stakeholders for validation of efficiency, effectiveness and economy.
TS2.3 Apply risk criteria to assist in the development of the risk profile for management approval.
TS2.4 Assist in the development of risk response action plans to address risk factors identified in the organizational risk profile.
TS2.5 Assist in the development of business cases supporting the investment plan to ensure risk responses are aligned with the identified business objectives.

Knowledge Statements (KS)—Knowledge of:
KS2.1 Standards, frameworks and leading practices related to risk response
KS2.2 Risk response options
KS2.3 Cost/benefit analysis and return on investment (ROI)
KS2.4 Risk appetite and tolerance
KS2.5 Organizational risk management policies
KS2.6 Parameters for risk response selection
KS2.7 Project management tools and techniques
KS2.8 Portfolio, investment and value management
KS2.9 Exception management
KS2.10 Residual risk

The Risk Response Process (diagram not reproduced)

Risk Response Prioritization Options (diagram not reproduced)

Process Phases
• Phase 1—Articulate risk
• Phase 2—Manage risk
• Phase 3—React to risk event

Phase 1—Articulate Risk
• Ensure that information on the true state of exposures and opportunities is made available.
• Tasks:
1. Communicate risk analysis results
2. Report risk management activities
3. Interpret risk assessment findings
4. Identify business opportunities

Phase 2—Manage Risk
Manage risk to ensure that measures for seizing strategic opportunities and reducing risk to an acceptable level are managed as a portfolio.
Tasks:
1. Inventory controls
2. Monitor operational alignment
3. Respond to discovered risk exposures and opportunities
4. Implement controls
5. Report IT risk response plan progress

Phase 3—React To Risk Events
React to ensure that measures for seizing immediate opportunities or limiting the magnitude of loss from events are activated in a timely and effective manner.
Tasks:
1. Maintain incident response plans
2. Monitor risk
3. Initiate incident response
4. Communicate lessons learned from risk events

Phase 3—React To Risk Events
Task 1—Maintain incident response plans
1. Prepare for materialization of threats
2. Maintain open communication about risks
3. Build RTO into action plans
4. Define pathways of escalation
5. Verify incident response plans are adequate

Phase 3—React To Risk Events
Task 2—Monitor risk
1. Monitor the environment
2. When a control limit is breached, escalate or confirm
3. Categorize incidents
4. Communicate business impact
5. Continue to take action and drive the desired outcome
6. Ensure policy is followed with clear accountability for follow-up actions

Phase 3—React To Risk Events
Task 3—Initiate incident response
1. Take action to minimize in-progress incident impact
2. Identify impact category
3. Inform stakeholders of the incident
4. Identify time requirements to carry out the plan
5. Ensure correct action is taken

Phase 3—React To Risk Events
Task 4—Communicate lessons learned from risk events
1. Examine past events and missed opportunities
2. Determine where the failure stemmed from
3. Research root cause
4. Determine the underlying problem
5. Identify tactical corrections
6. Identify and correct underlying root causes
7. Identify root cause of incidents
8. Request additional risk analysis as needed
9. Communicate root cause, response requirements and process improvements

CRISC Review Course Part I—Risk Management and Information Systems Control Theory and Concepts
Domain 3: Risk Monitoring

Task Statements (TS)
TS3.1 Collect and validate data that measures key risk indicators (KRI) to monitor and communicate their status to relevant stakeholders.
TS3.2 Monitor and communicate key risk indicators (KRI) and management activities to assist relevant stakeholders in their decision-making process.
TS3.3 Facilitate independent risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
TS3.4 Identify and report on risk, including compliance, to initiate corrective action and meet business and regulatory requirements.

Knowledge Statements (KS)—Knowledge of:
KS3.1 Standards, frameworks and leading practices related to risk monitoring
KS3.2 Principles of risk ownership
KS3.3 Risk and compliance reporting requirements, tools and techniques
KS3.4 Key performance indicators (KPIs) and key risk indicators (KRIs)
KS3.5 Risk assessment methodologies
KS3.6 Data extraction, validation, aggregation and analysis tools and techniques
KS3.7 Various types of reviews of the organization’s risk monitoring process (e.g., internal and external audits, peer reviews, regulatory reviews, quality reviews)

ESSENTIALS
• Risk Indicators and Key Risk Indicators
• Data Extraction, Validation, Aggregation and Analysis
• Capability Maturity Modeling
• Threat Analysis
• Risk Reporting

Key Risk Indicators
• KRIs are like signals
– Indicate warning thresholds
– Allow tracking and reporting
– Highlight trends in developing or potential risk

Risk Indicator Types and Parameters
Types of KRIs:
• Logs
• Alarms
• Reports
Parameters:
• Size and complexity of the enterprise
• Type of market in which the enterprise operates
• Strategy focus of the enterprise

Criteria for KRI Selection
• Impact—Controls covering high-impact risks
• Effort—Controls that are easy to monitor
• Reliability—Close relationship between the risk and the control
• Sensitivity—Accurately reflect changes in risk

Benefits of Selecting the Right KRIs
• Forecast developing risks
– Trends/preventative
• Post-incident review
– Analysis and lessons learned
– Better future risk response
• Document trends
– Watch developing risks over time

CRISC Review Course Part I—Risk Management and Information Systems Control Theory and Concepts
DOMAIN 4: INFORMATION SYSTEMS CONTROL DESIGN AND IMPLEMENTATION

Domain 4 Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
– List different control categories and their effects.
– Judge control strength.
– Explain the importance of balancing control cost and benefit.
– Leverage understanding of the SDLC process to implement IS controls efficiently and effectively.
– Differentiate between the four high-level stages of the SDLC.
– Relate each SDLC phase to specific tasks and objectives.
– Apply core project management tools and techniques to the implementation of IS controls.

Task Statements (TS)
TS4.1 Interview process owners and review process design documentation to gain an understanding of the business process objectives.
TS4.2 Analyze and document business process objectives and design to identify required information systems controls.
TS4.3 Design information systems controls in consultation with the process owners to ensure alignment with business needs and objectives.
TS4.4 Facilitate the identification of resources (e.g., people, infrastructure, information, architecture) required to implement and operate information systems controls at an optimal level.
TS4.5 Monitor the information systems control design and implementation process to ensure that it is implemented effectively and within time, budget and scope.
TS4.6 Provide progress reports on the implementation of information systems controls to inform stakeholders and to ensure that deviations are promptly addressed.
TS4.7 Test information systems controls to verify effectiveness and efficiency prior to implementation.
TS4.8 Implement information systems controls to mitigate risk.
TS4.9 Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of information systems control performance in meeting business objectives.
TS4.10 Assess and recommend tools to automate information systems control processes.
TS4.11 Provide documentation and training to ensure that information systems controls are effectively performed.
TS4.12 Ensure that all controls are assigned control owners to establish accountability.
TS4.13 Establish control criteria to enable control life cycle management.

Knowledge Statements (KS)—Knowledge of:
KS4.1 Standards, frameworks and leading practices related to information systems control design and implementation
KS4.2 Business process review tools and techniques
KS4.3 Testing methodologies and practices related to information systems control design and implementation
KS4.4 Control practices related to business processes and initiatives
KS4.5 The information systems architecture (e.g., platforms, networks, applications, databases and operating systems)
KS4.6 Controls related to information security
KS4.7 Controls related to third-party management
KS4.8 Controls related to data management
KS4.9 Controls related to the system development life cycle
KS4.10 Controls related to project and program management
KS4.11 Controls related to business continuity and disaster recovery management
KS4.12 Controls related to management of IT operations
KS4.13 Software and hardware certification and accreditation practices
KS4.14 The concept of control objectives
KS4.15 Governance, risk and compliance (GRC) tools
KS4.16 Tools and techniques to educate and train users

CRISC Involvement
The CRISC must be involved in:
• Assessing the level of risk to business processes
• Determining the level of business risk associated with information systems
• Determining information system security requirements based on IS risk
• Selecting the appropriate IS controls to meet the security requirements and mitigate risk

CRISC Involvement—cont’d.
The CRISC must be involved in:
• Designing or overseeing the design of the controls for information systems
• Implementing and testing IS controls
• Setting KRIs and other measurements to determine the effectiveness of the IS controls
• Reporting on the current risk and control effectiveness
• Initiating projects to implement new controls where necessary

Control Categories
• Compensating Controls
• Corrective Controls
• Detective Controls
• Deterrent Controls
• Directive Controls
• Preventative Controls

Control Types and Effects
Exhibit 4.1: Control Category Interdependencies (diagram not reproduced)

Control Strength
Meaningful control design considerations include:
• Design effectiveness
• Operating effectiveness
• Alignment with the operating environment

Control Costs and Benefits
Cost-benefit analysis helps:
• Provide a monetary impact view of risk
• Determine the cost of protecting what is important
• Make smart choices based on potential:
– Risk mitigation costs
– Losses (risk exposure)

Potential Loss Measures
The three common measurements for potential loss include:
• Employee productivity impacts
• Revenue losses
• Direct-cost loss events

Total Cost of Ownership For Controls
Consider TCO for the full life cycle of the control or countermeasure, including these elements:
– Acquisition costs
– Deployment and implementation costs
– Recurring maintenance costs
– Testing and assessment costs
– Compliance monitoring and enforcement
– Inconvenience to users
– Reduced throughput of controlled processes
– Training in new procedures or technologies as applicable
– End-of-life decommissioning

CRISC Review Course Part I—Risk Management and Information Systems Control Theory and Concepts
DOMAIN 5: INFORMATION SYSTEMS CONTROL MAINTENANCE AND MONITORING

Task Statements (TS)
TS5.1 Plan, supervise and conduct testing to confirm continuous efficiency and effectiveness of information systems controls.
TS5.2 Collect information and review documentation to identify information systems control deficiencies.
TS5.3 Review information systems policies, standards and procedures to verify that they address the organization’s internal and external requirements.
TS5.4 Assess and recommend tools and techniques to automate information systems control verification processes.
TS5.5 Evaluate the current state of information systems processes using a maturity model to identify the gaps between current and targeted process maturity.
TS5.6 Determine the approach to correct information systems control deficiencies and maturity gaps to ensure that deficiencies are appropriately considered and remediated.
TS5.7 Maintain sufficient, adequate evidence to support conclusions on the existence and operating effectiveness of information systems controls.
TS5.8 Provide information systems control status reporting to relevant stakeholders to enable informed decision-making.

Knowledge Statements (KS)—Knowledge of:
KS5.1 Standards, frameworks and leading practices related to information systems control monitoring and maintenance
KS5.2 Enterprise security architecture
KS5.3 Monitoring tools and techniques
KS5.4 Maturity models
KS5.5 Control objectives, activities and metrics related to IT operations and business processes and initiatives
KS5.6 Control objectives, activities and metrics related to incident and problem management
KS5.7 Security testing and assessment tools and techniques
KS5.8 Control objectives, activities and metrics related to information systems architecture (platforms, networks, applications, databases and operating systems)
KS5.9 Control objectives, activities and metrics related to information security
KS5.10 Control objectives, activities and metrics related to third-party management
KS5.11 Control objectives, activities and metrics related to data management
KS5.12 Control objectives, activities and metrics related to the system development life cycle
KS5.13 Control objectives, activities and metrics related to project and program management
KS5.14 Control objectives, activities and metrics related to software and hardware certification and accreditation practices
KS5.15 Control objectives, activities and metrics related to business continuity and disaster recovery management
KS5.16 Applicable laws and regulations

Determine Monitoring Method and Frequency
Management’s judgment factors include:
• Its objectives
• Its risks
• Its controls
• The persuasiveness of the information that is available about its controls

Select & Implement Automated Monitoring Tools
Selection criteria:
• Sustainability
• Scalability
• Customizability
• Ownership
• Impact on performance
• Usability of existing tools
• Tool complexity
• Transferability
• Cost/benefit

Clarify Reporting Requirements and Exceptions
Cause and Effect Diagram Steps:
1. Agree on the effect or problem statement
2. Identify major categories of failure
3. Link the potential or observed control failures to the categories
4. Discuss the control failure points with the project team
5. Revise the monitoring process and repeat testing as necessary

Clarify Reporting Requirements and Exceptions
Cause and effect diagram example (diagram not reproduced). Effect: Software Change Failures. Root causes identified: Specifications; IT Knowledge; New Technology; Approvals (User Approval Not Obtained, IT Management Approval Not Obtained); User Availability; User Knowledge of Process; Skipping User Acceptance Testing; Bypass Change Control Process; Incomplete Data Testing; Code Movement.

CASE STUDY & PRACTICE QUESTIONS

Case Study
• Company XYZ has four offices located in the US, Canada, China and Egypt.
• The company currently has four separate risk management plans and programs, and while the offices all serve independent functions and have separate technology infrastructures, the plans are not integrated, nor have they ever been shared.
• The company plans to IPO in the US later this year, and the company’s CEO and board of directors have just directed the enterprise to build a centralized risk management and governance program.
You are the CRISC for your location’s IT shop. Based on the topics discussed in this chapter, how would you participate?

Practice Question 1
X-1. Risk management should consider the following aspect(s) of risk:
A. Thresholds
B. Consequences
C. Both, opportunities and threats
D. Both, opportunities and thresholds

Practice Question 2
X-2. What factors change risk appetite and tolerance?
A. New technology
B. New organizational structures
C. New market conditions
D. All of the above

Practice Question 3
X-3. Which of the following statements is true?
A. Risk tolerance is the amount of risk the company is willing to accept
B. Risk appetite is the acceptable variance relative to objective achievement
C. Risk tolerance is the acceptable variance relative to objective achievement
D. Risk tolerance level is based on the enterprise’s ability to absorb loss

Practice Question 4
X-4. What risk components should be communicated?
A. Expectations from process owners
B. Status with regard to IT risk
C. Future risk exposure
D. Status with regard to operational risk

Practice Question 5
X-5. The IT risk action plan is an output communication from?
A. CRISC
B. Chief Information Officer
C. IT Management
D. Chief Risk Officer and the Enterprise Risk Management Committee

DEFINITIONS AND ACRONYMS

Acronym Review (Review Guide reference: page xiii)
• CRO—Chief Risk Officer
• CIO—Chief Information Officer
• ERM—Enterprise Risk Management

Definition Review (Review Guide reference page in parentheses)
• Risk (p. 5)—Reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk means the potential for events and their consequences—contains both: opportunities for benefit (upside) and threats to success (downside).
• Responsibility (p. 7)—Belongs to those who must ensure that the activities are completed successfully.
• Accountability (p. 7)—Applies to those who own the required resources; has the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
• Standards (p. 15)—Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or the outputs of a process.
• Practices (p. 15)—Are frequent or usual actions performed as an application of knowledge. They are issued by a “recognized authority” that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review. Note: Practices usually are derived from and supplement/support standards and frameworks and are the least formal of the three.
119 Definition Review Review Guide Reference Source/Page Word Definition 15 Leading Practice An action that optimally applies knowledge in a particular area 9 Risk Appetite The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision) 10 Risk Tolerance The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective) 61 Risk Awareness Is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that: • Risk is well understood and known. • IT risk issues are identifiable. • The enterprise recognizes and uses the means to manage risk. 120