Introduction to IT Risk Management

Question 1

Risk

Answer 1

Combination of the probability of an event and its consequence; can also be an adverse event that can threaten an organization’s assets, exploit its vulnerabilities, and cause harm

Question 2

Governance

Answer 2

Accountability for protection of the assets of an organization

Question 3

Who is accountable for governance?

Answer 3

Board of Directors

Question 4

Who is responsible for managing the day-to-day operations of the organization in alignment with strategic mandates approved by the board?

Answer 4

Senior management

Question 5

An important part of governance

Answer 5

Risk management

Question 6

Corporate governance

Answer 6

The system by which organizations are evaluated, directed, and controlled

Question 7

Corporate governance of IT

Answer 7

The system by which the current and future use of IT is evaluated, directed, and controlled

Question 8

The objective of any governance system

Answer 8

To enable organizations to create value for their stakeholders

Question 9

The governance objective of any organization

Answer 9

Value creation

Question 10

Value creation is comprised of…

Answer 10

1. Benefits realization
2. Risk optimization
3. Resource optimization

Question 11

Governance answers which four questions?

Answer 11

1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting them done well?
4. Are we getting the benefits?

Question 12

Management focuses on

Answer 12

planning, building, running and monitoring within the directions set by the governance system to create value by achieving objectives

Question 13

Risk management foresees

Answer 13

the challenges to achieving these objectives and attempts to lower the chances and impacts of them occurring

Question 14

4 main objectives of risk governance

Answer 14

1. Establish and maintain a common risk view
2. Integrate risk management into the enterprise
3. Make risk-aware business decisions
4. Ensure that risk management controls are implemented and operating correctly

Question 15

The risk governance function must oversee the operations of the ____

Answer 15

Risk management team

Question 16

Effective risk governance establishes the ___ of risk for the enterprise

Answer 16

Common view

Question 17

What is a holistic ERM (enterprise risk management)?

Answer 17

Integrating risk management across the enterprise into every department, function,system, and geographic location

Question 18

What is the objective of ERM?

Answer 18

To establish the authority to require all business processes to undergo a risk analysis on a periodic basis or when there is a significant change to the internal/external environment

Question 19

How do we make a risk-aware business decision?

Answer 19

The risk governance function must consider the full range of opportunities and consequences of each such decision and its impact on the enterprise, society, and environment

Question 20

Governance requires ___ and ____ to ensure that the enterprise is following up on the implementation and monitoring of controls to ensure that the controls are effective to mitigate risk and protect organizational assets.

Answer 20

Oversight and due diligence

Question 21

What is risk management?

Answer 21

Coordinated activities to direct and control an enterprise with regard to risk

Question 22

Risk

Answer 22

A challenge to achieving objectives

Question 23

Risk management as an activity

Answer 23

Undertaken to foresee challenges and lower the chances of those challenges occurring and their impact

Question 24

ISO

Answer 24

International Organization for Standardization

Question 25

IEC

Answer 25

International Electrotechnical Commission

Question 26

What does ISO/IEC 31000 state about risk?

Answer 26

Risk is the effect of uncertainty on objectives. An effect is a deviation from the expected - positive and/or negative.

Question 27

What does ISO/IEC 27005 state?

Answer 27

Information security risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

Question 28

Risk management starts with..

Answer 28

understanding the organization

Question 29

How do you assess an organization’s context?

Answer 29

Evaluating the intent of capability of threats; the relative value of, and trust required in, assets, and the respective relationship of vulnerabilities that threats could exploit

Question 30

Considerations in risk management:

Answer 30

1. Vulnerability to changes in economic and political conditions
2. Changes in market trends and patterns
3. Emergence of new competition
4. Impact of new legislation
5. Existence of potential natural disaster
6. Constraints caused by legacy systems
7. Strained labor relations and inflexible management

Question 31

Risk is an influencing factor that must be evaluated at the following levels:

Answer 31

1. Strategic level
2. Business unit level
3. Information Systems level

Question 32

IT risk management is…

Answer 32

the implementation of a risk strategy that reflects the culture,appetite, and tolerance levels of the senior management; considers technology and budgets; and addresses the requirements of regulation and compliance

Question 33

IT Risk Identification

Answer 33

Includes determining the risk context and risk framework; the process of identifying and documenting risk; should result in listing and documenting of risk; first step in the IT risk management life cycle

Question 34

IT Risk Assessment

Answer 34

Second step in the IT risk management cycle; the effort to assess risk, including prioritization of risk

Question 35

IT Risk Response and Mitigation

Answer 35

Third step in the IT risk management cyvle; address the risk appetite and tolerance of the organization and the need to find cost-effective ways to address risk

Question 36

IT Risk and Control Monitoring and Reporting

Answer 36

Fourth step in the IT risk management cycle; controls and risk management efforts are monitored and results are reported back to senior management

Question 37

Who determines the need to return to other phases of the IT risk management life cycle?

Answer 37

Senior management

Question 38

What is IT’s primary responsibility?

Answer 38

To support business requirements

Question 39

The relationship between IT and the business unit is a

Answer 39

CSF (Critical Success Factor)

Question 40

IT risk strategy is driven by

Answer 40

business risk strategy

Question 41

IT risk assessment is a precursor to

Answer 41

BIA (business impact analysis)

Question 42

Business continuity starts where

Answer 42

risk management ends

Question 43

BCP

Answer 43

business continuity plan

Question 44

Provides assurance to management on the effectiveness of the IS control framework, IT risk management, and compliance

Answer 44

IS Audit

Question 45

Risks associated with IS Audit

Answer 45

1. Competence of the IS Audit personnel

2. Independence of the audit

Question 46

Information security is usually based on

Answer 46

risk

Question 47

NIST

Answer 47

National Institute of Standards and Technology

Question 48

The effectiveness of the information security program is based on…

Answer 48

a foundation of thorough and accurate IT risk management

Question 49

IT risk drives…

Answer 49

the selection of controls and justifies the choice and operation of a control

Question 50

Every control should be traced back to

Answer 50

a specific IT risk that the control is designed to mitigate

Question 51

Control Risk

Answer 51

Risk of:

1. selection of wrong control
2. incorrect configuration of the control
3. improper operation of the control
4. failure to monitor and review the control
5. inadequacy of the control to address new threats

Question 52

Project Risk

Answer 52

Risk that a project may fail

Question 53

Determining project failure:

Answer 53

1. Over budget
2. Over the allotted time schedule
3. Failure to meet customer needs and expectations

Question 54

Change Risk

Answer 54

Risk from changes in:
1. Technology
2. Regulations
3. Business process
4. Functionality
5. Architecture
6. Users
7. Operational environment
rendering the original controls ineffective

Question 55

Important task of the risk practioner

Answer 55

manage risk on a continuous basis and to be aware of emerging risk, new threats, new technologies,changes in culture, and increased legislation and/or regulation