Intro to IT risk management Flashcards

1
Q

What is risk?

A

The combination of the probability of an event and its consequence.

2
Q

What factors are considered when evaluating risk?

A

The mission of the organization, its assets, threats and vulnerabilities, likelihood, and impact.

3
Q

What is governance?

A

Accountability for protection of the assets of an organization.

4
Q

Describe corporate governance

A

The system by which organizations are evaluated, directed and controlled.

Governance of IT is the system by which the current and future use of IT is evaluated, directed and controlled.

5
Q

What is the objective of governance?

A

To enable organizations to create value for their stakeholders, or to promote value creation. Value creation is in turn composed of benefits realization, risk optimization and resource optimization.

6
Q

Explain the intersection between governance and management.

A

Management focuses on planning, building, running and monitoring activities in alignment with the direction set by the governance body, creating value by achieving the objectives that body has set.

7
Q

List objectives of risk governance

A
  1. establish and maintain a common risk view
  2. integrate risk management into the enterprise
  3. make risk-aware business decisions
  4. ensure that risk management controls are implemented and operating correctly

Effective risk governance helps ensure that risk management practices are embedded in the enterprise, enabling it to secure an optimal risk-adjusted return.

8
Q

What is risk management?

A

Defined as the coordinated activities to direct and control an enterprise with regard to risk.

9
Q

List the risk management considerations

A
  • dependencies on supply chain
  • impact of new legislation
  • vulnerability to changes in economic or political conditions
10
Q

What is IT operations and service delivery risk?

A

Delivered services fall short of service level agreements.

11
Q

What is IT risk management?

A

The implementation of a risk strategy that reflects the culture, appetite and tolerance levels of organizational management; considers technology and budgets; and addresses the requirements of regulation and compliance.

An effective IT risk management strategy is critical to an organization’s ability to effectively and efficiently execute its overall business strategy.

12
Q

List the steps of the IT risk management process

A

  1. IT risk identification
  2. IT risk assessment
  3. Risk response and mitigation
  4. Risk and control monitoring and reporting

13
Q

Describe the relationship between risk and business continuity.

A

The business continuity function is concerned with the preservation of critical business functions and the ability of the organization to survive an adverse event that may impact its ability to meet its goals.

Through risk management, the organization attempts to reduce all IT risk to an acceptable level. The risk team works with the business continuity team to identify possible threats and put in place the mechanisms to detect, contain and recover from an adverse event if it should happen.

14
Q

Describe the relationship between risk and audit.

A

The audit function is an important part of corporate governance that provides management with assurance regarding the effectiveness of the control framework.

Audits should be conducted by skilled personnel able to assess risk, identify vulnerabilities, document findings and provide recommendations on how to address audit issues.

15
Q

Describe the relationship between risk and information security.

A

IT risk management drives the selection of controls and justifies their initial and continued operation. If the IT risk management activity is not conducted properly, information security controls are almost certain to be incorrectly designed, poorly implemented and improperly overstated. Each control should be traceable back to a specific IT risk, and the risk practitioner should be able to demonstrate the purpose of each control and explain the reasoning behind its selection.

16
Q

What is control risk?

A

The selection of the wrong control, the incorrect configuration of the control, the improper operation of the control, the failure to monitor and review the control, or the inadequacy of the control to address new threats: any of these may introduce the risk of control failure.

17
Q

What is project risk?

A

Failure of a particular project may be defined as the project going over its allotted budget or its scheduled time, or not delivering what it promised.

Project failure may pose a risk to an organization, manifesting as lost market share, failure to seize new opportunities, or other adverse impacts on customers.

18
Q

What is change risk?

A

Changes in technology, regulations, business processes, functionality, architecture, users and other variables that affect the business and technical environments of the organization may affect the levels of risk associated with systems in operation.

The risk level of a particular system may also change because of intentional changes to its configuration or architecture that render controls that were originally effective as designed ineffective.

19
Q

What are the capabilities of an IT risk management program?

A
  1. comprehensive (thorough and detailed)
  2. complete (carried through to the end)
  3. auditable (reviewable by an independent third party)
  4. justifiable (based on sound reasoning)
  5. compliant (with policy, laws and/or regulations)
  6. monitored (subject to review and accountability)
  7. enforced (consistent, mandated and required)
  8. up to date (current with changing laws, technology and business processes)
  9. managed (adequately resourced, with oversight and support)