Risk Management Flashcards
We rate risks based on
- The most critical data, which is most of the time financial
- Anything that can negatively impact the business
- Regulatory requirements
- Noncompliance
When should Risk Assessments be performed?
It should be done annually or when there is a new system or vendor, to ensure due diligence is being performed.
What is residual risk?
It’s the risk remaining after controls are put in place to mitigate the risk as much as possible. You can never fully eliminate a risk, but you can reduce the likelihood of it becoming a threat.
What is inherent risk?
It’s the risk before any controls are implemented.
Ex. The inherent risk to your network can be high, but once you implement a firewall, IDS, IPS, anti-virus and web filtering, you reduce the risk, and what remains is the residual risk score.
Risk Control Self-Assessment
First, we review the audit universe, which contains all risks associated with the business units. Each business unit performs its own internal risk assessment to identify its areas of high risk. Since business units define their own procedures based on management directives, they are aware of the risks associated with their applications/systems.
Risk assessment
It is performed to identify areas of high risk. It is an evaluation/assessment of the risks associated with each business unit's processes/operations, based on risk tolerance, and it rates each risk as low, medium or high depending on that risk tolerance.
The first step is to understand the business environment and identify risk. Ensure management has controls in place to identify and manage risk.
Risk management
A comprehensive inventory process of hardware, assets, and software. Once the risk process is in place, risk management ensures risk assessments are completed and the risk is communicated throughout the organization. The risk should be framed, assessed, monitored and responded to in a timely manner based on the risk level.
Audit ranking universe
- Known issues in area
- Inherent risk
- Management input
- Benefits of Audit
Incident Management
Remedy Ticketing System
- I understand the company’s incident management process.
- I check how tickets are prioritized and the service level agreement.
- I understand their low, medium and high SLA classifications.
- I test the process for operational effectiveness.
Risk Management Cycle
- Asset identification (an asset is the same as a system, database, or application): high-risk, high-cost assets
- Risk analysis (identify potential risks/vulnerabilities associated with the asset)
- Risk treatment: management can accept the risk (make sure they document the acceptance of the risk in the Board of Directors minutes), mitigate the risk (reduce inherent risk to residual risk by applying appropriate controls), transfer the risk (share the risk with another entity such as an insurance company), or avoid the risk (the organization discontinues the activity associated with the risk)