ISACA® - 4by44by4.ru/sites/default/files/0verview-crisc_part_1_the_big_picture...About the CRISC...
About the CRISC Exam
The content of the 2011 CRISC Review Manual is based on the CRISC job practice found at www.isaca.org/criscjobpractice.
There are 5 domains in the CRISC job practice.
The CRISC exam is a practice-based exam. Simply reading the material in this manual will not properly prepare candidates for the exam.
No representations or warranties are made by ISACA in regard to this or other ISACA publications assuring candidates’ passage of the CRISC exam. This publication was produced independently of the CRISC Certification Committee, which has no responsibility for the content of this manual.
About the CRISC Exam
The CRISC certification is designed to meet the growing demand for professionals who can integrate enterprise risk management (ERM) with discrete IS control skills. The technical skills and practices the CRISC certification promotes and evaluates are the building blocks of success in this growing field, and the CRISC designation demonstrates proficiency in this role.
Exam Relevance
Ensure that the CRISC candidate has the practical knowledge required to perform the tasks described in the task and knowledge statements.
The percentages listed with the domains indicate the emphasis or percentage of questions that will appear on the exam from each domain. For a description of each domain’s task and knowledge statements, visit www.isaca.org/criscjobpractice.
Note: The concepts introduced in this manual are considered a fundamental part of the CRISC job practice.
Domain 1: 31%
Domain 2: 17%
Domain 3: 17%
Domain 4: 17%
Domain 5: 18%
(% of total exam questions)
About the CRISC Exam
The exam consists of 200 multiple-choice questions.
CRISC exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are designed with one best answer. The candidate is asked to choose the correct or best answer from the options.
Good preparation for the CRISC exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers study aids and review courses to exam candidates. See www.isaca.org/criscbooks to view the ISACA study aids that can help prepare for the exam.
Manual Setup
The CRISC Review Manual 2011 is organized into three parts:
Part I—The Big Picture: How Risk Management Relates to Risk Governance
Part II—Risk Management and Information Systems Control Theory and Concepts
Part III—Risk Management and Information Systems Control in Practice
Additional Resources
Study Questions, Answers and Explanations
Glossary
Suggested Resources for Further Study
List of Exhibits
The CRISC candidate also may find it useful to study the CRISC™ Review, Questions, Answers & Explanations Manual 2011, which consists of 100 multiple-choice study questions.
Section Overview
Exam Relevance
Discuss specific topics within the chapter
Case Study
Sample Questions
Key Terms (Definitions and Acronyms)
Suggested Reading
Part 1: Learning Objectives
As a result of completing this chapter, the CRISC candidate should be able to:
• Differentiate between risk management and risk governance
• Identify the roles and responsibilities for risk management
• Distinguish between various risk management methodologies
• Apply and differentiate the standards, practices and principles of risk management
• List the main tasks related to risk governance
• Recognize relevant risk management standards, frameworks and practices
• Explain the meaning of key risk management concepts, including risk appetite and risk tolerance
Section Topics
Risk Management
Essentials of Risk Governance
Risk Appetite and Risk Tolerance
Risk Awareness and Communication
Risk Culture
Overview of Risk Management
Risk Management:
Is the process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives.
Holistically covers all concepts and processes affiliated with managing risk, including the systematic application of management policies, procedures and practices; the tasks of communicating, consulting and establishing the context; and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
Risk
Risk reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk—the potential for events and their consequences—contains both:
Opportunities for benefit (upside)
Threats to success (downside)
Risk and Opportunity Management
Guiding Principles for Effective Risk Management
1. Maintain Business Objective Focus
2. Integrate IT Risk Management Into Enterprise Risk Management (ERM)
3. Balance The Costs And Benefits Of Managing Risk
4. Promote Fair And Open Communication
5. Establish Tone At The Top And Assign Personal Accountability
6. Daily Process With Continuous Improvement
Responsibility vs. Accountability
Responsibility—belongs to those who must ensure that the activities are completed successfully.
Accountability—applies to those who either own the required resources or those who have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
Risk Management Roles and Responsibilities
The CRISC executes on:
Risk evaluation
Risk response activities
The CRISC functions within the risk governance framework established within the enterprise.
Relevance of Risk Management Frameworks, Standards and Practices
Risk management frameworks, standards and practices matter to the CRISC because they:
Provide a view of “things to watch”
Act as a guide to focus efforts
Help achieve business objectives
Provide credibility
Save time and cost
Frameworks
Framework – Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes.
The Risk IT Framework is an example.
Standards
Standards – Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes.
IT Audit and Assurance Standards are an example.
Practices
Practices are frequent or usual actions performed as an application of knowledge.
Practices are issued by a “recognized authority”.
Leading Practices are actions that optimally apply knowledge in a particular area.
Practices are usually derived from, and supplement/support, standards and frameworks.
The Risk IT Practitioner Guide is an example.
Relevance of Risk Governance
Risk is an integral part of business.
Risk is a core factor related to the stability, growth and success of the organization.
Risk represents the opportunity for growth and levels of profit.
Risk poses the possibility of loss or damage to the business objectives.
Risk governance addresses the oversight of the business risk strategy of the enterprise.
Overview of Risk Governance
Risk governance is the domain of the enterprise’s senior management and shareholders. This group is responsible for:
Establishing the organization’s risk culture and acceptable levels of risk
Setting up the risk framework
Ensuring effectiveness of the risk management function
Objectives of Risk Governance
Risk governance has three main objectives:
1. Establishing and maintaining a common risk view
2. Integrating risk management into the enterprise
3. Making risk-aware business decisions
Foundation of Risk Governance
An effective risk governance foundation requires:
1. An understanding and consensus with respect to the risk appetite and risk tolerance of the enterprise
2. An awareness of risk and of the need for effective communication about risk throughout the enterprise
3. An understanding of the elements of risk culture
Objectives of Risk Governance—cont.
1. Establishing and maintaining a common risk view
Determines which controls are necessary to mitigate risk
Determines how risk-based controls are integrated into business processes and IS
The risk governance function oversees the operations of the risk management team
Objectives of Risk Governance—cont.
2. Integrating risk management into the enterprise
Enforces a holistic ERM approach for the enterprise
Requires integration of RM into every department, function, system and geographical location
Objectives of Risk Governance—cont.
3. Making risk-aware business decisions
Consider the full range of opportunities and consequences of each statement throughout the enterprise, society and the environment
Risk Appetite and Risk Tolerance
Definitions
Risk appetite—The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
Risk tolerance—The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives
Risk Appetite and Risk Tolerance—cont.
How risk appetite relates to risk scenarios with varying frequency and magnitude:
Frequency—How often is the event expected to occur?
Magnitude—What is the impact to the enterprise when the event occurs?
Risk Appetite and Risk Tolerance—cont.
Applicable Guidelines for Risk Appetite and Risk Tolerance
Connectivity of risk appetite and risk tolerance
Review and approval of exceptions to risk tolerance standards
Risk appetite and tolerance change over time
Cost of risk mitigation options can affect risk tolerance
Risk Awareness and Communication
Description
Risk awareness—is about acknowledging that risk is an integral part of the business
Risk communication—stresses that if risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout the enterprise
Risk Awareness and Communication—cont.
Good vs. Poor Communication
Benefits of good communication include contributing to management’s understanding of exposures, awareness, and transparency to external stakeholders.
Consequences of poor communication include a false sense of confidence relating to exposure, incorrect perception by external stakeholders and a perception that the enterprise lacks transparency with external stakeholders.
Risk Awareness and Communication—cont.
Types of Risk Information To Be Communicated
Expectations from risk management (strategy, policies, procedures, awareness, training, etc.)
Current risk management capability (risk management, process maturity)
Status with regard to IT risk (risk profile, key risk indicators, loss data, etc.)
Key Concepts of Risk Governance
Elements of Effective Communication
Clear
Concise
Useful
Timely
Aimed at the correct target audience
Available on a need-to-know basis
Key Concepts of Risk Governance
Stakeholder Communication Inputs and Outputs
It is important for the CRISC to know what types of information should come from and go to various stakeholders.
Risk Culture—cont.
Overview of a Risk-Aware Culture
• Allows for open discussions about risk components
• Acceptable levels of risk are understood and maintained
• Begins at the top (board and executive):
  Set direction
  Communicate risk-aware decision making
  Reward effective risk management behaviors
• Implies that all levels are aware of how and when to respond to adverse IT events
Risk Culture
A risk-aware culture is a series of behaviors:
Behavior toward taking risk
Behavior toward negative outcomes
Behavior toward policy compliance
Symptoms of inadequate or problematic risk culture include:
Misalignment between real risk appetite and translation into policies
Existence of a “blame culture”
Case Study
Company XYZ has four offices located in the US, Canada, China, and Egypt. The company currently has four separate risk management plans and programs, and while the offices all serve independent functions and have separate technology infrastructures, the plans are not integrated, nor have they ever been shared. The company plans to IPO in the US later this year, and the company’s CEO and board of directors have just directed the enterprise to build a centralized risk management and governance program.
You are the CRISC for your location’s IT shop. Based on the topics discussed in this chapter, how would you participate?
Practice Question 1
X-1. Risk management should consider the following aspect(s) of risk:
– Thresholds
– Consequences
– Both, opportunities and threats
– Both, opportunities and thresholds
Practice Question 2
X-2. What factors change risk appetite and tolerance?
– New technology
– New organizational structures
– New market conditions
– All of the above
Practice Question 3
X-3. Which of the following statements is true?
● Risk tolerance is the amount of risk the company is willing to accept
● Risk appetite is the acceptable variance relative to objective achievement
● Risk tolerance is the acceptable variance relative to objective achievement
● Risk tolerance level is based on the enterprise’s ability to absorb loss
Practice Question 4
X-4. What risk components should be communicated?
● Expectations from process owners
● Status with regard to IT risk
● Future risk exposure
● Status with regard to operational risk
Practice Question 5
X-5. The IT risk action plan is an output communication from:
– CRISC
– Chief Information Officer
– IT Management
– Chief Risk Officer and the Enterprise Risk Management Committee
Acronym Review
Review Guide Reference (Source/Page)   Acronym   Definition
I-D-1   CRO   Chief Risk Officer
I-D-1   CIO   Chief Information Officer
I-F-2   ERM   Enterprise Risk Management
Definition Review
Review Guide Reference (Source/Page)   Word   Definition
I-C-1   Risk   Reflects the combination of the likelihood of events occurring and the impact those events have on the enterprise. Risk means the potential for events and their consequences, and contains both opportunities for benefit (upside) and threats to success (downside).
I-D-1   Responsibility   Belongs to those who must ensure that the activities are completed successfully.
I-D-1   Accountability   Applies to those who own the required resources or have the authority to approve the execution and/or accept the outcome of an activity within specific risk management processes.
I-E-2   Standards   Establish mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process.
I-E-2   Practices   Are frequent or usual actions performed as an application of knowledge. They are issued by a “recognized authority” that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review. Note: Practices usually are derived from and supplement/support standards and frameworks, and are the least formal of the three.
I-E-2   Leading Practice   An action that optimally applies knowledge in a particular area.
I-F-3   Risk Appetite   The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision).
I-F-3   Risk Tolerance   The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective).
I-F-6   Risk Awareness   Is about acknowledging that risk is an integral part of the business. This does not imply that all risk is to be avoided or eliminated, but rather that:
• Risk is well understood and known.
• IT risk issues are identifiable.
• The enterprise recognizes and uses the means to manage risk.
Big Picture – Exercise 1
For each of the following, identify whether it is considered a Framework, Standard or Practice (Your Answer / Correct Answer):
COBIT® 4.1: Framework
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): Practice
PCI Data Security Standard (PCI DSS): Standard
NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: Practice
ISO 31000:2009 (at the time of this manual’s publication, the newest for general purpose risk management): Standard
The Risk IT Framework: Framework
The Risk IT Practitioner Guide: Practice
Big Picture – Exercise 2
Identify the stakeholder for each risk communication flow input and output (Your Answer / Correct Answer):
Input - Current IT risk exposure/profile: Executive management and board
Output - Potential IT risk issues: All employees
Input - Audit findings: Risk control functions
Output - Support on risk awareness initiatives: Human resources (HR)
Input - Enterprise appetite for IT risk: Chief information officer (CIO)
Output - Financial information with regard to IT and IT programmes/projects (budget, actual, trends, etc.): Chief financial officer (CFO)
Output - Audit findings: Compliance and audit
Input - Control and compliance monitoring: External auditor
Output - Key performance objectives: Executive management and board
Input - Ongoing changes to IT risk factors: Business management and business process owners
Output - IT risk mitigation strategy and plan, including assignment of responsibility and development of metrics: IT management (including security and service management)
Input - Summary IT risk reports, including residual risk, controls maturity levels and audit findings: Insurer
Input - Risk awareness expectations: All employees
Input - IT risk register: Chief risk officer (CRO) and enterprise risk committee
Output - Audit findings: External auditor
Input - Key performance objectives: Chief financial officer (CFO)
Output - IT risk reports: Risk control functions
Input - In general, all communications intended for the board and executive management: Regulator
Input - Executive summary risk reports: Investors
Output - Insurance coverage (property, business interruption, directors and officers): Insurer
Output - Business impact of the IT risk and impacted business units: Chief information officer (CIO)
Input - Risk awareness expectations: Human resources (HR)
Output - Enterprise appetite for IT risk: Chief risk officer (CRO) and enterprise risk committee
Output - Risk tolerance levels for their portfolio of investments: Investor
Input - IT risk RACI charts: Compliance and audit
Output - Control and compliance monitoring: Business management and business process owners
Output - Requirements for controls and reporting: Regulator
Input - Key performance objectives: IT management (including security and service management)