Risk Introduction and Overview PDF
Uploaded by LowRiskCarnelian733
Cooper Union for the Advancement of Science and Art
2015
ISACA
Summary
This document provides a foundational overview of risk terminology in the context of business. It introduces key terms like likelihood, impact, threats, and vulnerabilities, and explains how risk is calculated and managed.
#### **Risk Introduction and Overview**

##### **1.1 Risk Terminology**

Every enterprise experiences risk. Risk is the result of uncertainties to which an enterprise is exposed that threaten its ability to achieve its business goals and objectives. To identify, measure, assess and manage risk, risk-related professionals are expected to know and use an extensive, common risk vocabulary that allows a consistent approach to address and openly communicate about risk within an enterprise.

Key risk terms are explained throughout this study guide. When a new term is introduced and defined, it is included in the "Terminology" section at the end of each chapter and in the summary "Glossary" at the end of the guide. These glossaries are a useful tool for gaining a thorough knowledge of risk terminology and understanding the relationships among the terms.

###### **1.1.1 Common Risk Terms**

Many definitions of risk exist today. ISACA uses the following definition: risk is the combination of the likelihood of an event and its impact. Risk is most often associated with uncertainties and deviations from expected results that can have an adverse impact on an enterprise and threaten its ability to meet its business objectives. Risk refers to the likelihood and impact that exist from a combination of assets, threats and control conditions.

Likelihood describes the potential of a risk event; it is the probability of something happening. Other terms used to describe the potential of a risk event include:

- **Frequency**---A measure of the rate at which events occur over a certain period of time.
- **Probability**---A mathematically driven measure of the possibility of a specific outcome as a ratio of all possible outcomes. Probability represents the extent to which an event is likely to occur, measured by the ratio of the studied cases (or cases in question) to the whole number of cases.
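A small worked example, added here and not part of the ISACA text, to show the distinction the terms above draw between frequency (a rate), probability (a ratio in the range 0 to 1) and the combination of likelihood with impact that defines risk. The scenarios and loss figures, the Poisson assumption used to turn a rate into a probability, and the band thresholds of the qualitative matrix are all constructed for illustration:

```python
import math

# Constructed risk scenarios for illustration (not taken from the study guide).
# "frequency_per_year" is a rate (events per year); "impact" is the magnitude of
# loss per event in currency units. Both values are assumed estimates.
SCENARIOS = {
    "phishing credential theft": {"frequency_per_year": 4.0, "impact": 25_000},
    "ransomware outage": {"frequency_per_year": 0.1, "impact": 900_000},
    "lost unencrypted laptop": {"frequency_per_year": 2.0, "impact": 8_000},
}


def probability_from_frequency(frequency_per_year: float, horizon_years: float = 1.0) -> float:
    """Turn a frequency (a rate) into a probability (a ratio in [0, 1]).

    Assumption: events arrive independently at a constant rate (a Poisson
    process), so the probability of at least one event within the horizon is
    1 - exp(-rate * horizon). A rate of 4 per year is not a probability of 4;
    it corresponds to roughly a 98% chance of at least one event in a year.
    """
    if frequency_per_year < 0 or horizon_years < 0:
        raise ValueError("frequency and horizon must be non-negative")
    return 1.0 - math.exp(-frequency_per_year * horizon_years)


def expected_annual_loss(frequency_per_year: float, impact: float) -> float:
    """Quantitative combination of likelihood and impact: rate times magnitude."""
    return frequency_per_year * impact


def likelihood_band(probability: float) -> int:
    """Ordinal likelihood band (1..3) for a qualitative matrix; thresholds are assumed."""
    if probability < 0.10:
        return 1  # rare
    if probability < 0.50:
        return 2  # possible
    return 3      # likely


def impact_band(impact: float) -> int:
    """Ordinal impact band (1..3); thresholds are assumed for this example."""
    if impact < 10_000:
        return 1  # minor
    if impact < 100_000:
        return 2  # moderate
    return 3      # major


def assess(scenarios: dict) -> list:
    """Score each scenario both quantitatively and on the matrix; rank by expected loss."""
    rows = []
    for name, s in scenarios.items():
        p = probability_from_frequency(s["frequency_per_year"])
        rows.append({
            "scenario": name,
            "probability_1y": round(p, 3),
            "expected_annual_loss": expected_annual_loss(s["frequency_per_year"], s["impact"]),
            "matrix_rating": likelihood_band(p) * impact_band(s["impact"]),
        })
    rows.sort(key=lambda r: r["expected_annual_loss"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in assess(SCENARIOS):
        print(row)
```

Note how the two views disagree: the ransomware scenario has by far the largest impact, but the frequent, lower-impact phishing scenario carries the higher expected annual loss and the higher matrix rating, which is exactly why the text insists that risk is the combination of likelihood and impact rather than either alone.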
Impact is the term used to describe the result of a risk event. Impact is defined as the magnitude of loss resulting from a threat exploiting a vulnerability. Other terms used to describe the result of a risk event include:

- **Magnitude**---A measure of the potential severity of loss or the potential gain from realized events/scenarios.
- **Consequence**---The magnitude of loss resulting from a threat exploiting a vulnerability (used interchangeably with impact).

An event is something that happens at a specific place and/or time. Other terms used to describe an event include:

- **Incident**---Any event that is not part of the ordinary (standard) operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
- **Exploit**---An event in which the attacker takes advantage of a vulnerability.
- **Attack**---An attempt to gain unauthorized access to, or make use of, an asset.

To appreciate risk, the various elements within an enterprise that can affect risk must be well understood. A strong grasp of risk terminology is essential to understanding risk management and to communicating properly about risk. It is important to be able to distinguish between a risk, a threat and a vulnerability, because these terms are often used incorrectly as synonyms (see **figure 1.1**). This figure is built on throughout the study guide as additional terms and factors are introduced.
**Figure 1.1---Simple View of Threats, Vulnerabilities and Risk** (figure not reproduced in this transcript)

Source: ISACA, *CRISC Review Manual, 6th Edition*, USA, 2015, figure 1.9, [www.isaca.org/bookstore/crisc-exam-resources/crr6ed](http://www.isaca.org/bookstore/crisc-exam-resources/crr6ed)

A threat is anything that is capable of acting against an asset in a manner that can result in harm. Threats are aimed at exploiting enterprise vulnerabilities. A vulnerability is a control condition that is deemed deficient relative to the requirements of the threat levels being faced by the enterprise. Vulnerabilities represent a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.

##### **1.2 Business Risk**

Risk is a critical part of business. Unless an enterprise is willing to take a risk, it will not be able to realize the benefits associated with that risk. Business risk is the probability of a situation with uncertain frequency and magnitude of loss (or gain) that could prevent the enterprise from meeting its business objectives. Taking too much risk may lead to an increased likelihood of business failure and/or financial loss.

###### **1.2.1 Types of Business Risk**

An enterprise can be subject to a number of different types of business risk (**figure 1.2**).
The following business/enterprise risk types are common to most enterprises:

- Strategic risk
- Environmental risk
- Market risk
- Credit risk
- Operational risk
- Compliance risk
- Project risk

**Figure 1.2---Business/Enterprise Risk Types** (figure not reproduced in this transcript)

Source: Adapted from ISACA, *Risk IT Framework, 2nd Edition*, USA, 2020, figure 1.1, [www.isaca.org/bookstore/bookstore-risk-digital/ritf2](http://www.isaca.org/bookstore/bookstore-risk-digital/ritf2)

###### **Strategic Risk**

Strategic risk is associated with the future business plans and strategies of an enterprise. These can include planning for expansion, entering new markets and enhancing the business infrastructure. Examples of events that can cause strategic risk include:

- Sudden changes in customer preferences
- Executive turnover
- Game-changing technological disruptions
- Erosion of brand power
- Large-scale initiatives that do not deliver as expected
- Commoditization of enterprise products or business model (e.g., the product or model is no longer considered unique)

###### **Environmental Risk**

Environmental risk represents threats to natural resources, human health and wildlife. Examples of events that can cause environmental risk include:

- Exploiting oil reserves discovered in a national park, which could harm or destroy some of the park wildlife
- Carcinogenic risk caused by airborne pollutants
- Pollution from factories and vehicles
- Use of household pesticides
- Discharge of hazardous chemicals into local water bodies

###### **Market Risk**

Market risk comprises pressures on an asset class.
Market risk can be broken down into subcategories according to the type of pressured asset, including:

- Currency risk
- Interest-rate risk
- Equity risk
- Property risk
- Foreign-exchange risk
- Commodity risk

Examples of events that can cause market risk include:

- Recession and depression
- War
- Inflation

###### **Credit Risk**

Credit risk is the potential that a borrower or creditor will fail to meet financial obligations in accordance with agreed terms. Examples of events that can cause credit risk include:

- Poor or falling cash flow from operations
- Rising interest rates
- Callable loans
- Changes in the nature of the marketplace that adversely affect the enterprise
- Technological changes
- Increase in competitors
- Regulatory changes
- Sociopolitical situation within a country, or among countries in a global market
- Stability and regulatory practices of a government, or governments in a global market
- Damage to assets for which the enterprise is the insurer

###### **Operational Risk**

Operational risk is the potential for losses caused by inadequate systems or controls, human error, mismanagement or natural disasters. Examples of events that can cause operational risk include:

- Employee errors
- Systems failures
- Fire, floods and other physical losses
- Epidemics and pandemics
- Fraud, theft and other criminal activity

###### **Compliance Risk**

Compliance risk is the probability and consequences of an enterprise failing to comply with laws, regulations or the ethical standards or codes of conduct applicable to the enterprise's industry. Compliance risk represents the potential for financial loss, sanctions or damage to reputation and brand value caused by a failure to comply with legal or regulatory requirements.
Examples of events that can cause compliance risk include:

- Failing to comply with laws or regulations
- Failing to adhere to ethical standards or codes of conduct applicable to the enterprise's industry

Understanding how these types of risk can affect an enterprise, and how to assess risk, is important to the risk management process.

###### **Project Risk**

Project risk is the risk that a project will fail to meet its intended objectives and deliver results according to the project charter. Even the smallest IT project can become very complex due to internal and external variables. An IT project has many interconnected attributes, and one small delay in one area can easily affect the entire initiative. In all projects, there are events that no one can predict. However, some adverse events are common and result in project risks that should be clear to an experienced risk manager and project manager.

###### **1.2.2 Levels of Risk**

Risk can exist at four levels within an enterprise, as shown in **figure 1.3**.

**Figure 1.3---Levels of Risk** (figure not reproduced in this transcript)

Source: ISACA, *IT Governance Domain Practices and Competencies: Information Risks: Whose Business Are They?*, USA, 2005, figure 1

###### **Strategic Level**

The strategic level is where choices are made about risk in relation to innovation and plans for delivering the business strategy. At the strategic level, it needs to be understood that accepting risk is an essential element of business today and that success comes to those enterprises that detect, identify and manage risk most effectively. The program, project and operational levels are concerned with delivery of the enterprise strategy.
###### **Program and Project Level**

The focus at the program and project levels is on medium-term goals to deliver the enterprise strategic objectives. These are the levels at which choices about risk are made. At any time during the life of a program, there may be circumstances or situations that can have a detrimental impact on the program. Such circumstances or situations are the risk and issues that the program must manage and resolve. Dealing with issues at the project level requires a program risk policy or a strategic-level risk policy to give overall guidance and direction on how risk should be managed.

###### **Operational Level**

The emphasis at the operational level is on short-term goals to ensure ongoing continuity of business services. The context of risk management varies significantly from the strategic (enterprise) level to the IT operations level. At a minimum, risk needs to be properly analyzed, even if no immediate action is taken, because awareness of risk often influences strategic decisions for the better. Often, the most damaging I&T-related risk is one that is not well understood or communicated. At the operational level, risk management involves responding to the potential impact on the business, identifying the issues and making sure that the risk with the highest likelihood and impact is being addressed.

##### **1.3 I&T-related Risk**

I&T-related risk is a part of overall business risk and is associated with the use, ownership, operation, involvement, influence and adoption of I&T within an enterprise. Most enterprises are highly dependent on their IT systems. The more an enterprise relies on its IT systems, the more serious the potential consequences of an I&T-related failure. An IT system failure can have a great impact on the business supported by that system.
###### **1.3.1 I&T Risk Types**

The I&T-related risk types include:

- I&T benefit/value enablement risk
- I&T program and project delivery risk
- I&T operations and service delivery risk
- Cyber and information security risk

The relationship between business/enterprise risk and I&T-related risk is depicted in **figure 1.4**.

**Figure 1.4---I&T-related Risk Relative to Business/Enterprise Risk** (figure not reproduced in this transcript)

Source: ISACA, *Risk IT Framework, 2nd Edition*, USA, 2020, figure 1.1, [www.isaca.org/bookstore/bookstore-risk-digital/ritf2](http://www.isaca.org/bookstore/bookstore-risk-digital/ritf2)

###### **I&T Benefit/Value Enablement Risk**

I&T benefit/value enablement risk refers to the opportunities to use technology to improve the efficiency or effectiveness of business processes or as an enabler for new business initiatives. Conversely, this I&T-related risk type also includes the risk of missing new business opportunities because of inadequate I&T-related capabilities. IT involvement is critical and can play different roles in the risk-opportunity relationship, as an enabler of value and as an impediment.

- **Value enabler**---New business initiatives almost always depend on some involvement of IT. In this role, IT can:
- **Value impediment**---I&T-related activities and processes can result in an array of negative consequences, such as:
  - IT-enabled business projects or investments often fail to deliver expected results, so value is not delivered.

###### **I&T Program and Project Delivery Risk**

I&T program and project delivery risk refers to the contribution of IT to new or improved business solutions, usually in the form of projects and programs.
###### **Project Risk**

Many projects fail; numerous studies of IT projects indicate that a majority of IT projects can be considered failures. Failure of a particular project may be defined as going over the allotted budget or the allotted time schedule, or not delivering what the project promised. A project may also be deemed a failure if it delivers what it promised, but the deliverables do not meet customer needs and expectations. Project risk arises from a failed IT project that poses a significant risk to an enterprise, manifesting as lost market share, failure to seize new opportunities or other adverse impacts on customers, shareholders and staff. Identifying the risk associated with a project and successfully managing that risk are very likely to result in higher levels of project success and stakeholder satisfaction.

###### **I&T Operations and Service Delivery Risk**

I&T operations and service delivery risk is related to the performance of IT systems and services. A poorly performing IT operation can bring destruction or reduction of value to the enterprise.

###### **Change Risk**

Risk is not static. Change risk arises from a change in technology, regulations, business processes, functionality, architecture, users and other variables that affect the enterprise's business and technical environments and the levels of risk associated with systems in operation. For instance, when intentional changes are made to the configuration or architecture of a system, that change may result in controls that were originally effective as designed becoming ineffective.

###### **Cyber and Information Security Risk**

Cyber and information security risk is the danger, harm or loss related to the use of, or dependence on, information and communications technology, electronic data, and digital or electronic communications. Typically, the realization of cyber and information security risk involves unauthorized access to and/or unauthorized use of information and communications technology.
I&T-related risk often arises at critical nodes between (or among) interconnected environments, including points of access to the Internet. These interconnections are vital to business and mission and, therefore, often entail the most acute information security and cybersecurity risk.

###### **1.3.2 Risk Standards and Guidance**

Many authoritative risk management standards and guidance documents are available as sources of good practice for the management of I&T-related risk. These references are managed and published by authoritative bodies and kept current. They help to form a basis for a risk management program, but require an enterprise to tailor the practices to meet its specific enterprise goals. Among the most recognized risk management reference sources are:

- *ISACA Risk IT Framework, 2nd Edition*
- *Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management---Integrated Framework*
- *International Organization for Standardization (ISO®)*
- *National Institute of Standards and Technology (NIST) Special Publications (SPs)*
- *Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) Framework*

###### **1.3.3 Risk IT Framework**

An I&T risk framework is a useful reference for a comprehensive view of I&T-related risk that helps to understand and manage it.
The ISACA *Risk IT Framework, 2nd Edition*[1] explains I&T-related risk and helps to:

- Identify current and emerging risk throughout the extended enterprise
- Develop appropriate operational capabilities to ensure that business processes continue operating through adverse events
- Leverage investments in compliance or internal control systems already in place to optimize I&T-related risk
- Recognize I&T-related risk that exceeds the scope of technical controls and IT-related tools and techniques, and integrate it into the risk management program
- Raise awareness of the balance between the benefits of technology and external partners (on the one hand), and the potential impact of cyberthreats, internal control failures, and risk introduced by vendors, suppliers and partners (on the other hand)
- Promote risk awareness, accountability and responsibility throughout the enterprise
- Frame I&T-related risk within a business context to understand aggregate exposure in terms of enterprise value
- Focus internal and external risk management resources to maximize enterprise objectives

###### **1.3.4 Risk-Related Business Functions**

Risk management is an all-encompassing, strategic requirement in any enterprise. Risk management requires the involvement of:

- Top executives and board members, who set strategic direction and monitor risk at the enterprise level
- Managers of IT, OT and business departments, who are responsible for day-to-day operational decision making and the integration of risk management processes into daily work
- Risk management professionals
- External stakeholders, such as clients, regulators, suppliers and partners

Many other functions within an enterprise are involved in the risk management process. These include, but are not limited to:

- Business continuity
- Audit
- Information security

###### **Risk and Business Continuity**

The management of I&T-related risk is closely linked with business continuity.
This business function is concerned with the preservation of critical business functions and the ability of the enterprise to survive an adverse event that may impact its ability to meet its mission and goals. Through risk management, the enterprise attempts to reduce all I&T-related risk to an acceptable level. It is important that incident management and business continuity teams work together to identify possible threats and put in place the mechanisms to detect, contain and recover from an adverse event. If the business continuity plan (BCP) is inadequate or inaccurate, the enterprise may not be able to meet its goals for recovery after an incident.

###### **Risk and Audit**

An audit is a formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. An audit is a methodical and structured review that requires competence and knowledge in the subject matter of the area being audited. As such, an auditor must be familiar with the technology being used, the significance of operating conditions and the requirements of the enterprise. The audit function is an important part of governance that provides management with assurance regarding the effectiveness of the control framework, risk management program and compliance efforts. An enterprise must diligently demonstrate an adequate control environment and risk management program. For that reason, audits should be conducted by objective, skilled and independent personnel able to assess risk, identify vulnerabilities, document findings and provide recommendations on how to address the issues that are discovered.

###### **Risk and Information Security**

Risk management drives the selection of controls and justifies their initial and continued operation.
If the management of I&T-related risk is not conducted properly, information security controls are almost certain to be incorrectly designed, poorly implemented and improperly operated. Every control should be traceable back to a specific I&T-related risk that the control is designed to mitigate.

###### **1.3.5 Three Lines of Defense**

The governance and management of I&T-related risk require an enterprise to establish a proper defense system comprising three lines of defense:

- The first line of defense owns and manages risk. Within the first line of defense, control functions are established, such as IT control within the IT department.
- The second line of defense oversees risk and monitors controls. It is independent of the first line of defense and can challenge the effectiveness of controls and the management of risk across the enterprise.
- The third line of defense is internal audit, which provides independent testing and assurance.

**Figure 1.5** provides examples of the functions in the three lines of defense. These functions participate in the risk management process by identifying risk, gathering information and conducting tests and reviews.
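The traceability requirement above (every control justified by a registered risk, every risk covered by a working control) and the independence of the second line from the first can be checked mechanically against a risk register and a control register. The following is an added example, not code from the study guide; the register entries, the `operating_effectively` flag and the operator/reviewer fields are constructed assumptions about how such registers might be kept:

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str  # first line: the function that owns and manages this risk


@dataclass
class Control:
    control_id: str
    description: str
    mitigates: List[str]  # risk ids that justify this control
    operator: str         # first line: function that runs the control
    reviewer: str         # second line: function that monitors and challenges it
    operating_effectively: bool = True  # assumed status from the latest review


# Constructed registers for illustration (not from the study guide).
RISKS = [
    Risk("R-01", "Unauthorized access to customer records", owner="IT"),
    Risk("R-02", "Prolonged outage of the order-processing system", owner="IT"),
    Risk("R-03", "Known software vulnerability left unpatched", owner="IT"),
]

CONTROLS = [
    Control("C-01", "Multifactor authentication on customer data systems", ["R-01"],
            operator="IT", reviewer="Information security"),
    Control("C-02", "Nightly backups with restore tests", ["R-02"],
            operator="IT", reviewer="Information security", operating_effectively=False),
    Control("C-03", "Legacy log-retention job nobody has reviewed", [],
            operator="IT", reviewer="Information security"),
    Control("C-04", "Monthly patching cycle", ["R-03"],
            operator="IT", reviewer="IT"),
    Control("C-05", "Quarterly access recertification", ["R-01", "R-99"],
            operator="IT", reviewer="Risk management"),
]


def traceability_report(risks: List[Risk], controls: List[Control]) -> Dict[str, list]:
    """Every control must trace to a registered risk; every risk needs a working control.

    Returns controls with no registered risk behind them (unjustified), references
    to risk ids that are not in the register (dangling), and risks left without
    any control that is operating effectively (unmitigated).
    """
    risk_ids = {r.risk_id for r in risks}
    covered = set()
    report = {"unjustified_controls": [], "dangling_references": [], "unmitigated_risks": []}
    for c in controls:
        known = [rid for rid in c.mitigates if rid in risk_ids]
        unknown = [rid for rid in c.mitigates if rid not in risk_ids]
        if not known:
            report["unjustified_controls"].append(c.control_id)
        report["dangling_references"].extend((c.control_id, rid) for rid in unknown)
        if c.operating_effectively:
            covered.update(known)  # a control that is not operating covers nothing
    report["unmitigated_risks"] = sorted(risk_ids - covered)
    return report


def independence_violations(controls: List[Control]) -> List[str]:
    """Second line must be independent of the first: the reviewer may not be the operator."""
    return [c.control_id for c in controls if c.reviewer == c.operator]


if __name__ == "__main__":
    print(traceability_report(RISKS, CONTROLS))
    print("reviewer is not independent:", independence_violations(CONTROLS))
```

Run against the constructed registers, the report flags C-03 as a control nobody can justify, C-05 as referencing a risk that does not exist, R-02 as unmitigated because its only control is not operating, and C-04 as reviewed by the same function that runs it.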
**Figure 1.5---Three Lines of Defense** (figure not reproduced in this transcript; the examples it lists include information technology (IT), information security (IS) and cybersecurity)

##### **1.4 Controls**

Controls are a means of responding to risk and are normally composed of processes, policies, procedures, practices, infrastructure, applications and organizational structures.

###### **1.4.1 Policies, Standards and Procedures**

A policy is a document that records a high-level principle or course of action that has been decided on. Its intended purpose is to influence and guide present and future decision making to be in line with the philosophy, objectives and strategic plans that the enterprise management teams establish. Policies empower risk management and should clearly state the position of senior management toward the protection of information, which allows the development of procedures, standards and baselines that reflect management priorities. Executive sponsorship also provides a mandate that all departments comply with policy requirements.

An enterprise may have several layers of policy to allow delegation of authority. A high-level policy may be issued by senior management as a way to address the objectives of the enterprise mission and vision statement. This overarching policy does not have a technical focus, which prevents the policy from becoming outdated when technology changes.
High-level policy may direct compliance with laws and good practices, and is likely to state the goal of managing risk through protecting the enterprise assets, including the I&T systems that support business operations. High-level policies are instrumental in determining the approach of the enterprise toward risk management and acceptable levels of risk. Technical and functional policies include specifics regarding technology use, such as remote access, acceptable use and passwords. These policies are subject to change as technology changes and new systems are developed.

Policies must be developed and communicated. If not, the enterprise has no means of enforcing standards of behavior, which increases the risk that the behavior that occurs may be inappropriate. A lack of enforcement may also lead to circumvention of controls or increased liability, because the enterprise recognizes the need for a policy but does not follow its own rules.

A standard is a requirement, code of practice or specification approved by a recognized external body, such as the International Organization for Standardization (ISO) or a regulatory agency. A standard mandates not only what must be done but also the way in which an enterprise must comply,[1] and organizations meeting the requirements of standards may be certified as compliant. Standards can help implement policy, limit risk and support efficient business operations. Many enterprises believe that the value of standards is the authority and perception of excellence that they provide. In lieu of formal certification, an enterprise may base its practices and operations on external standards, such as an ISO standard, or it may develop its own standards, such as requiring all staff to use the same product, operating system or desktop.
Proper use of a standard facilitates support and maintenance, provides better cost control, and provides authority for the practices and procedures of the enterprise, because a standard requires the implementation of certain practices.

A procedure is a document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes. A procedure is more granular than a standard and supports its implementation. Procedures are created to define the ways in which processes should be carried out. Procedures are invaluable as a means of implementing the intent of policy, because they define the tasks that people perform. By defining actions in consistent and measurable ways, the enterprise can greatly increase the probability that an operation is conducted according to good practice and that any abnormal operations are detected. A lack of standards and procedures makes it difficult to carry out activities in a systematic manner and may result in undependable, inconsistent operations and elevated risk.

Procedures should be published and used. It is common for procedures to be followed for only a short time, after which experienced staff begin to work from memory. This practice should be discouraged in any environment in which precision is important, such as shutdown procedures for power plants or industrial machinery, or complex monetary transactions.

###### **1.4.2 Risk Relationship to Control**

There is a direct relationship between risk and control: risk is addressed through control, and control is justified by the risk it addresses. This relationship is shown in **figure 1.6**.
**Figure 1.6---Risk in Relation to Control** (figure not reproduced in this transcript)

Source: ISACA, *CRISC Review Manual, 6th Edition*, USA, 2015, figure 1.30, [www.isaca.org/bookstore/crisc-exam-resources/crr6ed](http://www.isaca.org/bookstore/crisc-exam-resources/crr6ed)

###### **Control Risk**

A control is chosen to manage and mitigate risk. Control risk is the risk to an enterprise from a control that is not operating correctly and may not prevent a failure or compromise. The selection of the wrong control, the incorrect configuration of the control, the improper operation of the control, the failure to monitor and review the control, or the inadequacy of the control to address new threats can introduce the risk of control failure. Control risk is discussed in more detail in Section 5.4 Risk States.

###### **1.4.3 General Controls**

It is important that an enterprise maintain a correct balance between technical, managerial (administrative) and physical control types (see **figure 1.7**).

**Figure 1.7---Control Types**

| Category | Description |
|---|---|
| Managerial (administrative) | These are related to the oversight, reporting, procedures and operations of a process. They include controls such as policy, procedures, balancing, employee development and compliance reporting. |
| Technical | Technical controls are also known as logical controls and are provided through the use of a technology, piece of equipment or device. Examples of technical controls include firewalls, network or host-based intrusion detection systems (IDSs), passwords and antivirus software. A technical control requires proper managerial (administrative) controls to operate correctly. |
| Physical | Physical controls are locks, fences, closed-circuit TV (CCTV) and devices that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance. |

Implementation of a technical control, such as a firewall, requires training for the staff who manage or operate it, correct procedures for its configuration, assignment of responsibilities for its monitoring, and schedules for regular testing. If these coinciding controls are not in place, stakeholders may develop a false sense of security, resulting in unidentified vulnerabilities, ineffective use of resources and greater risk than anticipated or intended. Controls can be:

- **Preventive**---Preventive controls directly address risk.
- **Detective**---Detective controls warn of violations or attempted violations.
- **Corrective**---Corrective controls remediate impact.

If a control weakness exists, a compensating control should be implemented. Compensating controls are internal controls that reduce the risk of an existing or potential control weakness resulting in errors and omissions. The use of controls to mitigate and manage risk is described throughout this study guide. Specifically, the use of, and examples of, preventive, detective, corrective and compensating controls are covered in Section 4.6 Control Assessment.

###### **1.4.4 I&T Controls**

General controls can be translated into I&T controls.
A well-designed information system should have controls built in for all its sensitive or critical functions. For example, the general procedure to ensure adequate safeguards over access to assets and facilities can be translated into an IT-related set of control procedures covering access safeguards over computer programs, data and equipment. I&T control procedures should include:^14^

- Strategy and direction of the IT function
- General organization and management of the IT function
- Access to IT resources, including data and programs
- Systems development methodologies and change control
- Operations procedures
- Systems programming and technical support functions
- Quality assurance (QA) procedures
- Physical access controls
- Business continuity planning/disaster recovery planning
- Networks and communication technology (e.g., local area networks, wide area networks, wireless)
- Database administration
- Protection and detective mechanisms against internal and external attacks

I&T controls are in place to maintain information integrity and the security of information assets handled within business processes, whether within the enterprise or in its outsourced operations. I&T controls are generally classified as:

- Input
- Processing
- Output
- Application

###### **Input Controls**

Input controls are techniques and procedures used to verify, validate and edit data to ensure that only correct data are entered into the computer. Input control procedures must ensure that every transaction to be processed is entered, processed and recorded accurately and completely. These controls should ensure that only valid and authorized information is input and that each transaction is processed only once. They cover both machine and manual inputs.
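The following is an added example, not code from the ISACA guide, showing what the input-control checks described above look like when built into an application: each record of a payments batch is validated, accepted only from an authorised submitter, recorded so that the same transaction id cannot be processed twice, and the accepted records are reconciled against a batch control total. The field names, account number format, authorisation table and sample batch are assumptions chosen for illustration.

```python
"""Input controls applied to a small payments batch.

Added example, not code from the ISACA guide. It demonstrates the checks the
Input Controls paragraph describes: validate each record, accept only authorised
input, process each transaction once, and reconcile the accepted batch against a
control total. Field names, the account number format, the authorisation table
and the sample batch are all assumptions made for illustration.
"""
from __future__ import annotations

import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{8}$")   # assumed account number format

# Assumed authorisation table: account -> users allowed to submit transactions for it
AUTHORISED = {
    "GB00000001": {"alice"},
    "GB00000002": {"alice", "bob"},
}

REQUIRED = ("id", "account", "amount", "submitted_by")


class InputControl:
    """Verify, validate and edit one record at a time; remembers ids already accepted."""

    def __init__(self) -> None:
        self.seen_ids: set[str] = set()

    def check(self, txn: dict) -> list[str]:
        """Return the control violations for txn; an empty list means it is accepted."""
        errors = [f"missing field {k}" for k in REQUIRED if txn.get(k) in (None, "")]
        if errors:
            return errors                      # cannot validate further without the fields
        account = str(txn["account"])
        if not ACCOUNT_RE.match(account):
            errors.append("malformed account")
        try:
            amount = Decimal(str(txn["amount"]))
            # reject NaN/Infinity before comparing, then enforce sign and scale
            if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
                errors.append("amount must be positive with at most two decimals")
        except InvalidOperation:
            errors.append("amount not numeric")
        if txn["submitted_by"] not in AUTHORISED.get(account, set()):
            errors.append("submitter not authorised for account")
        if txn["id"] in self.seen_ids:
            errors.append("duplicate transaction id")  # replay or double entry
        if not errors:
            self.seen_ids.add(txn["id"])       # accepted: must not be processed again
        return errors


def process_batch(batch: list[dict], control_total: str) -> dict:
    """Run input controls over a batch, then reconcile against the header's control total."""
    ctl = InputControl()
    accepted: list[dict] = []
    rejected: list[tuple[str | None, list[str]]] = []
    for txn in batch:
        errors = ctl.check(txn)
        if errors:
            rejected.append((txn.get("id"), errors))
        else:
            accepted.append(txn)
    total = sum((Decimal(str(t["amount"])) for t in accepted), Decimal("0"))
    return {
        "accepted": [t["id"] for t in accepted],
        "rejected": rejected,
        "accepted_total": str(total),
        "reconciled": total == Decimal(control_total),  # completeness/accuracy check
    }


SAMPLE_BATCH = [  # constructed sample input
    {"id": "T1", "account": "GB00000001", "amount": "100.00", "submitted_by": "alice"},
    {"id": "T2", "account": "GB00000002", "amount": "25.50", "submitted_by": "bob"},
    {"id": "T1", "account": "GB00000001", "amount": "100.00", "submitted_by": "alice"},   # replayed
    {"id": "T3", "account": "GB00000001", "amount": "-5", "submitted_by": "alice"},       # bad amount
    {"id": "T4", "account": "GB00000002", "amount": "10.00", "submitted_by": "mallory"},  # not authorised
    {"id": "T5", "account": "12345", "amount": "10.00", "submitted_by": "alice"},         # malformed account
]

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, control_total="125.50")
    print("accepted:", result["accepted"], "total:", result["accepted_total"],
          "reconciled:", result["reconciled"])
    for txn_id, errors in result["rejected"]:
        print("rejected", txn_id, "->", "; ".join(errors))
```

The duplicate-id check is the "processed only once" control and is the one most often missing in practice; the control-total reconciliation at the end is what lets an operator notice that records were dropped or altered between entry and posting, which per-record validation alone cannot reveal.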
###### **Processing Controls**

Processing controls (and procedures) are used to ensure the reliability of application program processing. They are meant to ensure the completeness and accuracy of accumulated data: data in a file or database must remain complete and accurate until changed as a result of authorized processing or modification routines.

###### **Application Controls**

Application controls are the policies, procedures and activities designed to provide reasonable assurance that the objectives relevant to a given automated solution (application) are achieved. These controls help ensure data accuracy, completeness, validity, verifiability and consistency, and thus data integrity and data reliability. Implementing them helps ensure that systems maintain integrity, that applicable system functions operate as intended, and that the information held by the system is relevant, reliable, secure and available when needed.

^14^ ISACA, *COBIT^®^ 2019 Framework: Governance and Management Objectives*, USA, 2018, [www.isaca.org/bookstore/bookstore-cobit_19-digital/wcb19fgm](http://www.isaca.org/bookstore/bookstore-cobit_19-digital/wcb19fgm), also offers a complete overview of general IT controls.

##### **1.5 Summary of Terminology**

It is important to recognize and understand I&T-related risk terminology. The following terms were introduced in this chapter (**figure 1.8**).
**Figure 1.8---Chapter 1 Terminology**

| Term | Definition |
|---|---|
| **Attack** | An event or attempt to gain unauthorized access to, or use of, an asset |
| **Audit** | A formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met |
| **Business risk** | The probability of a situation with uncertain frequency and magnitude of loss (or gain) that could prevent the enterprise from meeting its business objectives |
| **Change risk** | A change in technology, regulation, business process, functionality, architecture, users or other variables that affects the enterprise's business and technical environments and the level of risk associated with systems in operation |
| **Compliance risk** | The probability and consequences of an enterprise failing to comply with laws, regulations or the ethical standards or codes of conduct applicable to the enterprise's industry |
| **Consequence** | The magnitude of loss resulting from a threat exploiting a vulnerability (used interchangeably with impact) |
| **Control** | The means of managing risk, including policies, procedures, guidelines, practices or organizational structures |
| **Credit risk** | The potential that a borrower or creditor will fail to meet financial obligations in accordance with agreed terms |
| **Cyber and information security risk** | The danger, harm or loss related to the use of, or dependence on, information and communications technology, electronic data, and digital or electronic communications |
| **Environmental risk** | Threats to natural resources, human health and wildlife |
| **Event** | Something that happens at a specific place and/or time |
| **Exploit** | An event in which the attacker takes advantage of a vulnerability |
| **Frequency** | A measure of the rate at which events occur over a certain period of time |
| **Incident** | Any event that is not part of the ordinary operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service |
| **Impact** | Magnitude of loss resulting from a threat exploiting a vulnerability |
| **I&T operations and service delivery risk** | Risk related to the performance of IT systems and services. A poorly performing IT operation can bring destruction or reduction of value to the enterprise. |
| **I&T-related risk** | A part of overall business risk associated with the use, ownership, operation, involvement, influence and adoption of I&T within an enterprise |
| **Likelihood** | The probability of something happening |
| **Magnitude** | A measure of the potential severity of loss or the potential gain from realized events/scenarios |
| **Market risk** | Pressures on an asset class |
| **Operational risk** | The potential for losses caused by inadequate systems or controls, human error or mismanagement, and natural disasters |
| **Policy** | A document that records a high-level principle or course of action that has been decided on |
| **Probability** | A mathematically driven measure of the possibility of a specific outcome as a ratio of all possible outcomes |
| **Procedure** | A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards |
| **Project risk** | A failed IT project that poses a significant risk to an enterprise, manifesting as lost market share, failure to seize new opportunities or other adverse impacts on customers, shareholders and staff |
| **Risk** | The combination of the likelihood of an event and its impact |
| **Standard** | A mandatory requirement, code of practice or specification approved by a recognized external standards organization |
| **Strategic risk** | The risk associated with an enterprise's future business plans and strategies |
| **Threat** | Anything that is capable of acting against an asset in a manner that can result in harm. Threats are aimed at exploiting enterprise vulnerabilities. |
| **Threat agent** | Methods and things used to exploit a vulnerability |
| **Uncertainty** | The difficulty of predicting an outcome due to limited knowledge of all components |
| **Vulnerability** | A control condition that is deemed deficient relative to the requirements of the threat levels being faced by the enterprise. Vulnerabilities represent a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events. |

#### **Chapter 1 Knowledge Check**

Review questions are provided as a means to support the content presented within this study guide and to serve as a gauge or assessment of knowledge of I&T-related risk topics. One question is provided for each topic. For individuals intending to earn the ISACA IT Risk Fundamentals Certificate, these questions are written to depict the type of question that may appear on the exam. These questions will not specifically appear on the exam, but similar ones may.

##### **REVIEW QUESTIONS**

1\. Which of the following statements **BEST** describes the relationship between threats and vulnerabilities?

A. Threats are aimed to exploit vulnerabilities.

2\. The risk of a sudden and impactful change in customer preferences for an enterprise's core products is a primary example of:

3\. Which of the following I&T-risk related activities is part of the second line of defense within a good governance structure?

4\. Which of the following documents empowers risk management and clearly describes how IT will be governed and managed within an enterprise?

Answers on page 38

### **Chapter 1 ANSWER KEY**

#### **Review Questions**

1\. **A. Threats are aimed at exploiting enterprise vulnerabilities, which are control conditions that are deemed deficient relative to the requirements of the threat levels being faced by the enterprise.**

2\. **A. Strategic risk involves an enterprise's future business plans and strategies. A sudden and impactful change in customer preferences for an enterprise's core products would represent a risk to these future plans and strategies, either positively or negatively.**

3\. A. Establishing I&T controls, such as IT controls within the IT department, is part of the first line of defense, which is responsible for owning and managing risk.
4\. A. An IT standard is a mandatory requirement, code of practice or specification. IT standards are implemented to comply with the requirements and direction of an IT policy to limit risk and support efficient business operations. \[1\] Standards differ from frameworks, which state only what is to be accomplished and not how to do it.