Questions
What is risk?
The likelihood of an event and its impact
How is risk most often associated?
With uncertainties and deviations from expected results
What does likelihood refer to in the context of risk?
The probability that a risk event will occur
What is the purpose of the glossaries at the end of the guide?
To serve as a tool for understanding risk terminology and relationships among the terms
What is risk defined as?
The probability of a situation with uncertain frequency and magnitude of loss or gain
Which term describes a weakness that can be exploited by a threat?
Vulnerability
What type of risk is associated with future business plans and strategies?
Strategic risk
What comprises pressures on an asset class and can be broken down into subcategories such as currency risk and interest-rate risk?
Market risk
What is the potential that a borrower or creditor will fail to meet financial obligations?
Credit risk
At what level within an enterprise are decisions required to implement actions made?
Project level
According to the ISACA Risk IT Framework, who is involved in risk management?
Top executives, IT/OT/business managers, risk management professionals, and external stakeholders
What is the purpose of audits mentioned in the text?
To ensure adherence to standards and verify accuracy of records
What is the role of business continuity in managing I&T-related risks?
It is crucial for preserving critical business functions and minimizing I&T-related risks
What does the three-tier defense system for managing I&T-related risk include?
First line managing risk, second line overseeing risk, and third line offering independent testing
What do policies outline according to the text?
High-level principles for decision-making
What is the consequence of inadequate business continuity planning?
Hindering recovery goals
What do effective risk management practices shape according to the text?
Selection and sustenance of controls
What is the role of controls in responding to risk according to the text?
Controls serve as a means of responding to risk
What is the focus of operational level IT risk management?
Short-term goals for ongoing business service continuity
What is the focus of standards according to the text?
Guidance and authority for enterprise practices
Which type of I&T-related risk involves alterations affecting business and technical environments?
Change Risk
What should proper adherence to policies and standards lead to, according to the text?
Better support, cost control, and authority, and possibly certification
What is the main consequence of an IT system failure for most enterprises?
Significant adverse impact on business objectives, because most enterprises depend heavily on their IT systems
Which risk management level deals with medium-term goals for program and short-term goals for project delivery?
Program/project levels
What plays a vital role in managing I&T-related risks?
Collaboration between incident management and business continuity teams
What do various authoritative risk management standards and sources offer for handling I&T-related risk?
Best practices that require customization to the enterprise
What does the I&T risk framework provide for understanding and management of I&T-related risk?
Comprehensive view of I&T-related risk
Which type of I&T-related risk involves unauthorized access or use of technology and data?
Cyber and Information Security Risk
What is the focus of strategic level IT risk management?
Long-term strategic objectives
What is the main focus of I&T Operations and Service Delivery Risk?
Impacting enterprise value through poorly performing IT systems and services
What does I&T Benefit/Value Enablement Risk involve?
The risk that I&T either enables or impedes the delivery of business value
What is the purpose of a procedure in the context of operations?
To define the tasks performed in specific steps
What can result from lack of adherence to standards and procedures?
Inconsistent and unreliable operations, circumvention of controls, and increased liability
What type of controls rely on technology, devices, or equipment?
Technical controls
What is the purpose of compensating controls?
To offset a weakness in another control, reducing risk when the primary control is absent or ineffective
In which ways can controls address risk?
Preventive, detective, corrective, or compensating
What do I&T controls within an information system cover?
Various aspects such as organization, system development, and business continuity planning
What do input, processing, and output controls classify as?
Application controls
What type of controls rely on physical measures such as locks, barriers, and guards?
Physical controls
What do preventive controls aim to do?
Avoid the occurrence of unwanted events
What is the role of a detective control?
To detect that an unwanted event has occurred or is occurring, so it can be reported and corrected
In which section is the use and examples of preventive, detective, corrective, and compensating controls described?
Section 4.6 Control Assessment in this study guide.
Which type of risk arises from a control not functioning correctly?
Control risk
What is the primary focus of environmental risk?
Threats to natural resources, human health, and wildlife
Which level within an enterprise deals with day-to-day activities?
Operational level
What is the primary focus of I&T-related risk management at the program level?
Dealing with medium-term goals to deliver strategic objectives
Which of the recognized risk management reference sources provides a comprehensive view of I&T-related risk and helps identify current and emerging I&T-related risks?
The ISACA Risk IT Framework, 2nd Edition
At what level within an enterprise are decisions required to implement actions made in operational level IT risk management?
Operational level
Beyond ensuring adherence to standards, what do audits provide to management?
Assurance regarding the effectiveness of control frameworks, risk management programs, and compliance efforts
What does the ISACA Risk IT Framework provide for understanding and management of I&T-related risk?
A comprehensive framework for identifying current and emerging I&T-related risks
What is the primary function of general controls in enterprises?
To provide the control environment that applies across all information systems (for example, organization, system development, access, and business continuity planning) rather than to a single application
Study Notes
- I&T-related risk is a part of overall business risk and is associated with the use, ownership, operation, involvement, influence, and adoption of I&T within an enterprise.
- Most enterprises depend heavily on their IT systems, making the potential consequences of an IT system failure significant.
- IT risk management involves addressing risks at operational, program/project, and strategic levels.
- The operational level focuses on short-term goals for ongoing business service continuity.
- Program and project levels deal with medium-term and short-term goals, respectively, to deliver strategic objectives; risk management includes dealing with issues through program or strategic-level risk policies.
- I&T-related risks include multiple types:
  - I&T Benefit/Value Enablement Risk: enabling value or impeding it
  - I&T Program and Project Delivery Risk: prone to failure, causing budget/schedule overruns, customer dissatisfaction, or not meeting expectations
  - I&T Operations and Service Delivery Risk: impacting enterprise value through poorly performing IT systems and services
  - Change Risk: alterations affecting business and technical environments, potentially rendering initially effective controls ineffective
  - Cyber and Information Security Risk: involving unauthorized access or use of technology and data
- Various authoritative risk management standards and sources offer best practices for handling I&T-related risk, requiring customization.
- Recognized risk management reference sources include the ISACA Risk IT Framework, COSO Enterprise Risk Management, ISO 27005, ISO 31000, IEC 31010, NIST Special Publications, and the OCTAVE Framework.
- An I&T risk framework provides a comprehensive view of I&T-related risk, aiding in understanding and management.
- The ISACA Risk IT Framework, 2nd Edition, helps identify current and emerging I&T-related risks, develop operational capabilities, leverage existing compliance systems, integrate risk beyond technical controls, promote risk awareness, frame risk within business context, and focus risk management resources.
- Risk management is a strategic necessity for enterprises, involving top executives, IT/OT/business managers, risk management professionals, and external stakeholders.
- Business continuity is crucial for preserving critical business functions and minimizing I&T-related risks. Collaboration between incident management and business continuity teams is vital. An inadequate business continuity plan could hinder recovery goals.
- Audits are formal inspections to ensure adherence to standards, verify accuracy of records, and offer management assurance regarding the effectiveness of control frameworks, risk management programs, and compliance efforts.
- Effective risk management shapes the selection and sustenance of controls, and inadequate I&T-related risk management may lead to incorrectly designed, poorly implemented, or improperly operated information security controls.
- A three-tier defense system for managing I&T-related risk includes the first line managing risk and establishing controls, the second line overseeing risk and monitoring controls, and the third line offering independent testing and assurance.
- Controls, composed of processes, policies, procedures, practices, infrastructure, applications, and organizational structures, serve as a means of responding to risk.
- Policies are documents outlining high-level principles for decision-making, empowering risk management, and mandating compliance across departments. Standards, sanctioned by external bodies, provide guidance and authority for enterprise practices.
- Proper adherence to policies and standards ensures better support, cost control, and authority, and may lead to certification. Policies must be effectively communicated and enforced to prevent circumvention or increased liability.
Test your knowledge about business risk management levels and their emphasis on short-term and strategic goals. Explore the practices and competencies related to information risks and business strategy.