Risk Management Flashcards

1
Q

We rate risks based on:

A

1) The most important critical data, which is most of the time financial
2) Anything that can negatively impact the business.
3) Regulatory requirements
4) Noncompliance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

When should Risk Assessments be performed?

A

1) It should be done annually or

2) when their is a new system or vender to ensure due diligence is being performed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is residual risk?

A

It’s the risk remaining after controls are put in place to mitigate the risk as much as possible. You can never fully eliminate a risk but can reduce the likelihood of it being a threat.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is inherited risk?

A

It’s the risk before any controls are implemented.

Ex. The inherent risk to your network can be high, but once you implement firewall, IDS, IPS, Anti-virus and web filtering, you can reduce the risk and now it’ll have residual risk score.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Risk Control Self-Assessment

A

First, we review the audit universe, which contains all risk associated with the business units. Each business unit performs their own internal risk assessment to identify their area of high risk. Since business units define their own procedures based of management directives, they are aware of the risk associated with their applications/systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Risk assessment

A

Is performed to know areas of high risk. It is an evaluation/assessment of risk associated with the business units process/operations based on risk tolerance and will rate each risk to low, medium or high depending on the risk tolerance.

First thing is to understand the business environment and identify risk. Ensure management has controls in place to identify and manage risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Risk management

A

Comprehensive inventory process of hardware, assets, and software. Once the execution of the risk is established, risk management ensures risk assessment are completed and the risk is communicated throughout the organization. The risk should be framed, assest, monitored and responded to in a timely manner based on the risk level.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Audit ranking universe

A
  • Known issues in area
  • Inherent risk
  • Management input
  • Benefits of Audit
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Incident Management

Remedy Ticketing System

A
  • I understand the company’s incident management process.
  • I check how tickets are prioritized and service level agreement.
  • I understand their low, medium and High SLA classification
  • I test the process for operation effectiveness.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Risk Management Cycle

A
  1. Asset identification (asset is same as system, database, applications) high risk, high cost assets
  2. Risk analysis (identify potential risks/vulnerabilities associated with asset)
  3. Risk treatment management can accept the risk (make sure they document the acceptance of the risk in the Board of Director minutes), mitigate the risk(reduce inherent risk to residual risk by applying appropriate controls), transfer risk (share risk with another entity such an insurance company), and avoid the risk- the organization discontinues activity associated with the risk)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly