COSO ERM Framework PDF
Certified Cybersecurity Technician Exam 212-82 Risk Management

COSO ERM Framework

- The COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for ERM.
- The COSO framework emphasizes that ERM involves those elements of the management process that enable management to make genuine risk-based decisions.

[Figure: COSO ERM framework diagram, reproduced below as Figure 22.2. Source: https://www.coso.org]

Source: https://www.coso.org

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission was established in the mid-1980s as part of the National Commission on Fraudulent Financial Reporting. It addresses the evolution of ERM and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. It emphasizes considering risk in both the strategy-setting process and driving performance.

The COSO ERM Framework consists of five interrelated components supported by a set of principles.

[Figure 22.2: COSO ERM framework. The diagram shows the flow from mission, vision and core values, through strategy development, business objective formulation, and implementation and performance, to enhanced value; the five components running beneath it are Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting.]

COSO ERM Components and Principles

- Governance and Culture: Governance sets an organization's tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and an understanding of risk in the entity.
Module 22 Page 2369 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

- Strategy and Objective-Setting: ERM, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
- Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. They are prioritized by severity in the context of risk appetite. An organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
- Review and Revision: By reviewing entity performance, an organization can consider how well the components of ERM function over time and in light of substantial changes, and, thereafter, what revisions are needed.
- Information, Communication, and Reporting: ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across an organization.
COBIT Framework

- COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.
- COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment, and simplifies implementation of the enterprise's IT governance and control framework.

Source: https://www.isaca.org

Control Objectives for Information and Related Technologies (COBIT) is a framework designed by ISACA for the governance and management of enterprise information (all technology and information processing the enterprise establishes to achieve its goals, regardless of where this occurs in the enterprise) and technology, aimed at the whole enterprise.

[Figure 22.3: COBIT framework]
COBIT helps enterprises of all sizes:

- Maintain high-quality information to support business decisions;
- Achieve strategic goals and realize business benefits through the effective and innovative use of IT;
- Achieve operational excellence through reliable and efficient application of technology;
- Maintain IT-related risk at an acceptable level;
- Optimize the cost of IT services and technology; and
- Support compliance with relevant laws, regulations, contractual agreements, and policies.

COBIT Framework Internal Stakeholders

- Risk Management: Ensures the identification and management of all IT-related risk.
- Assurance Providers: Manages dependencies on external service providers, provides IT assurance, and ensures an effective and efficient system of internal controls.
- IT Managers: Provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective IT operation, control IT costs, and align IT strategy to business priorities.
- Business Managers: Helps understand how to obtain the IT solutions that enterprises require and how best to exploit new technology for strategic opportunities.
- Executive Management: Provides guidance on how to organize and monitor IT performance across the enterprise.
- Boards: Provides insights on how to obtain value from the use of IT and explains relevant board responsibilities.

COBIT Framework External Stakeholders

- IT Vendors' operations should establish that they are secure, reliable, and compliant with applicable rules and regulations.
- Business Partners should confirm that a business partner's operations are secure, reliable, and compliant with applicable rules and regulations.
- Regulators should determine whether the enterprise is compliant with applicable rules and regulations, and advise that the enterprise has the right governance system in place to manage and sustain compliance.
COBIT Framework Key Concept Principles

Governance System Principles: The six principles are the core requirements for a governance system for enterprise information and technology.

- Provide Stakeholder Value: Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of IT.
- Holistic Approach: A governance system for enterprise IT is built from a number of components that can be of different types and that work together in a holistic way.
- Dynamic Governance System: A governance system should be dynamic. That is, each time one or more of the design factors are changed, the impact of these changes on the EGIT system needs to be considered.
- Governance Distinct from Management: A governance system should clearly distinguish between governance and management activities and structures.
- Tailored to Enterprise Needs: A governance system should be tailored to the enterprise's needs, using a set of design factors as parameters to customize and prioritize the governance system components.
- End-to-End Governance System: A governance system should cover the enterprise end-to-end, focusing not only on the IT function, but on all technology and information processing the enterprise puts in place to achieve its goals.

Governance Framework Principles

- Based on Conceptual Model: A governance framework should be based on a conceptual model, identifying the key components and relationships among components, to maximize consistency and allow automation.
- Open and Flexible: A governance framework should be open and flexible. It should allow the addition of new content and the ability to address new issues in the most flexible way, while maintaining integrity and consistency.
- Aligned to Major Standards: A governance framework should align to relevant major related standards, frameworks, and regulations.