
CGEIT EXAM PREP #3

Risk Management
Steve Kruse, Sr. Solutions Principal, RSA

Agenda: Required Knowledge*

What is IT Risk?
What is an IT Risk Management Framework?
How is Risk Managed?
How is Risk Communicated & Monitored?

Required knowledge statements:
- Align the IT risk management processes with the enterprise business risk management framework (where this exists).
- Ensure a consistent application of the risk management framework across the enterprise IT environment.
- Ensure that risk assessment and management is included throughout the information life cycle.
- Define risk management strategies, and prioritize responses to identified risks to maintain risk levels within the appetite of the enterprise.
- Implement timely reporting on risk events and responses to appropriate levels of management (including the use of key risk indicators, as appropriate).
- Establish monitoring processes and practices to ensure the completeness and effectiveness of established risk management processes.

* From CGEIT Job Practice (Risk Management domain)

Copyright 2011 Tunitas Group. All rights reserved. This presentation material may be used solely by participants in SF ISACA's 2010 CGEIT Preparation Class. No other use is permitted without express written authorization.

WHAT IS IT RISK?

Some Risk Categories
Important point: define IT risk beyond just CIA (Confidentiality, Integrity, Availability). Types of risk also include:
- Hazard risk: liability torts, property damage, natural catastrophe
- Financial risk: pricing risk, asset risk, currency risk, liquidity risk, technology obsolescence
- Operational risk: customer satisfaction, product failure, integrity
- Strategic risks: competition, social trend, capital availability, reputational risk
- Security risks

Information Properties
IT responsibility to develop and preserve multiple information properties (per COBIT): effectiveness, efficiency, confidentiality, integrity, availability, reliability, compliance.

Security
Managing security is only part of managing IT Risk.

This broader definition of IT Risk is also driven by regulations: SOX, Basel II.

Basel II operational risk event types (Level 1, with their Level 2 categories):
- Internal Fraud: Unauthorized Activity; Theft and Fraud
- External Fraud: Theft and Fraud; System Security
- Employment Practices: Employee Relations; Safe Environment; Diversity and Discrimination
- Clients, Products, and Business Practices: Suitability, Disclosure, and Fiduciary; Product Flaws; Improper Business or Market Practices; Advisory Activities; Selection, Sponsorship, and Exposure
- Damage to Physical Assets: Disasters and Other Events
- Business Disruptions and System Failures: Systems
- Execution, Delivery and Process Management: Transaction Capture, Execution, and Maintenance; Monitoring and Reporting; Customer Intake and Documentation; Customer Account Management

A Risk Framework incorporating the broader definitions

U.K. Office of Government Commerce (OGC)
Management of Risk (M_o_R) Framework
- Strategic Level: decisions on business strategy
- Program Level: decisions transforming strategy into action
- Project Level: decisions required to enable implementation of actions
- Operational Level

WHAT IS AN IT RISK MANAGEMENT FRAMEWORK?

IT Risk Frameworks
Intended to ensure the appropriate recognition and treatment of risk (best practices). Frameworks define:
- Required management activity
- Scope
- Roles and responsibilities
- Mechanisms / methods
- Artifacts
- Assurance requirements

Risk Frameworks
COSO ERM
- Applies to all aspects of enterprise risk; IT risk managed as a special case
- Specialized IT risk frameworks should be considered as a special case

OCTAVE
- Carnegie Mellon's Software Engineering Institute's contribution

ISO 31000
- Risk framework generally applied (operational, technical, enterprise)
- Supersedes AS/NZS 4360:2004 as the existing legislated standard on risk management

IT risk addressed as a component of service or project management, e.g., ITIL (ISO 20000), PMBOK

Risk Artifacts
Risk Register
- Capture all relevant risks
- Origins in project management

OCTAVE Threat Tree, Heat Maps
- Specialized IT risk framework applied to information security

Gap Assessment
- Current and desired states

Risk Register
Collection of identified risks, typically rated on impact and likelihood estimates. Expands beyond projects to enterprise registers.

Register columns (the example register has rows numbered 1 to 5): Risk number | Risk name | Risk owner | Key issues | Residual risk score | Raw risk score | Rank (based on residual score) | Previous rank | Status (green/orange/red)

Impact of risk: 1 Insignificant, 2 Minor, 3 Moderate, 4 Serious, 5 Very serious

Likelihood of risk: 1 Very low, 2 Low, 3 Medium, 4 High, 5 Very high. If likelihood was assessed as very low (e.g. earthquake) it could be given a score of less than 1, such that even the highest-impact risks could attract an overall score of less than 5.

Total residual risk score (likelihood x impact) and traffic light:
- 1 to 6: Low (green light)
- 8 to 12: Medium (green/orange light)
- 14 to 20: High (orange/red light)
- Over 20: Very high (red light)

* Register and rating methodology courtesy Cambridge University

OCTAVE Threat Tree
(Figure: OCTAVE threat tree for the asset "IP Data" with physical access. Branches: Actor (inside, outside) > Motive (accidental, deliberate) > Outcome (disclosure, modification, interruption, loss/destruction). Each leaf carries impact values for Confidentiality, Integrity and Availability (H/M/L), a Probability rating, the applicable ISO 17799 clauses (1. Security Policies, 2. Org. Security, 3. Asset Classification, 4. Personnel Security, 5. Physical Security, 6. Comm. Management, 7. Access Control, 8. Sys. Development, 9. Incident Management, 10. Continuity Mgmt., 11. Compliance), and an approach of Mitigate or Accept. Individual cell values are not reproduced.)

Heat Map
Map current risks onto a heat map to identify current risks and their potential likelihood and impact. Can be transposed from a risk register: the numbers of the numbered risks are plotted on the map to quickly depict which risks are potentially most damaging if actualized.

Likelihood (rows) x Impact (columns); each cell gives the resulting risk rating:

Likelihood \ Impact    VH    H     M     L     VL
VH                     VH    H     M     L     VL
H                      VH    H     M     L     VL
M                      VH    H     M     L     VL
L                      H     M     L     VL    VL
VL                     M     L     VL    VL    VL

Legend: VL Very Low, L Low, M Medium, H High, VH Very High
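Worked example of the two preceding slides (added here; it is not code from the original deck): a register of rated risks is scored as likelihood x impact, ranked on residual score, given a traffic-light status using the slide's bands (1-6 low, 8-12 medium, 14-20 high, over 20 very high), and then transposed onto a 5x5 heat-map grid by plotting each risk's number in its likelihood/impact cell. The risk entries, owners and scores are constructed sample data; the rule that a sub-1 likelihood (the earthquake case) is plotted in the Very low row is an assumption, since the slide does not say.

```python
"""Risk register scoring, ranking, traffic-light status and heat-map transposition.

Added example, not from the original slides. Scales follow the register on the
slide: impact 1..5, likelihood 1..5 (a remote event such as an earthquake may be
scored below 1), residual score = likelihood x impact.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Serious", 5: "Very serious"}
LIKELIHOOD_LABELS = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}


def traffic_light(score: float) -> str:
    """Band a likelihood x impact score. Thresholds from the slide: 1-6 low (green),
    8-12 medium (green/orange), 14-20 high (orange/red), over 20 very high (red).
    Scores 7 and 13 cannot occur with integer 1..5 scales, so the bands are treated
    as contiguous (assumption)."""
    if score <= 6:
        return "green"
    if score <= 12:
        return "green/orange"
    if score <= 20:
        return "orange/red"
    return "red"


@dataclass
class Risk:
    number: int
    name: str
    owner: str
    raw_likelihood: float        # inherent, before any controls
    raw_impact: int
    residual_likelihood: float   # after existing controls; may be < 1 for remote events
    residual_impact: int
    previous_rank: Optional[int] = None

    @property
    def raw_score(self) -> float:
        return self.raw_likelihood * self.raw_impact

    @property
    def residual_score(self) -> float:
        return self.residual_likelihood * self.residual_impact


def validate(risk: Risk) -> None:
    """Reject scores outside the register's scales before they distort the ranking."""
    for impact in (risk.raw_impact, risk.residual_impact):
        if impact not in IMPACT_LABELS:
            raise ValueError(f"risk {risk.number}: impact {impact} not on the 1..5 scale")
    for likelihood in (risk.raw_likelihood, risk.residual_likelihood):
        if not 0 < likelihood <= 5:
            raise ValueError(f"risk {risk.number}: likelihood {likelihood} not in (0, 5]")


def rank_register(risks: List[Risk]) -> List[dict]:
    """Build the register rows: rank by residual score (highest first), ties by risk number."""
    for risk in risks:
        validate(risk)
    ordered = sorted(risks, key=lambda r: (-r.residual_score, r.number))
    return [
        {
            "number": r.number, "name": r.name, "owner": r.owner,
            "raw_score": r.raw_score, "residual_score": r.residual_score,
            "rank": rank, "previous_rank": r.previous_rank,
            "status": traffic_light(r.residual_score),
        }
        for rank, r in enumerate(ordered, start=1)
    ]


def heat_map(risks: List[Risk]) -> Dict[int, Dict[int, List[int]]]:
    """Transpose the register onto a 5x5 grid: grid[likelihood][impact] -> risk numbers.
    Sub-1 likelihoods are plotted in the Very low row (assumption; the slide does not say)."""
    grid = {lk: {im: [] for im in range(1, 6)} for lk in range(1, 6)}
    for r in risks:
        row = 1 if r.residual_likelihood < 1 else min(5, int(round(r.residual_likelihood)))
        grid[row][r.residual_impact].append(r.number)
    return grid


def render_heat_map(grid: Dict[int, Dict[int, List[int]]]) -> str:
    """Text rendering with Very high likelihood at the top and impact increasing to the right."""
    header = "Likelihood \\ Impact".ljust(20) + "".join(f"{IMPACT_LABELS[i][:6]:>8}" for i in range(1, 6))
    lines = [header]
    for lk in range(5, 0, -1):
        cells = [",".join(str(n) for n in grid[lk][im]) or "-" for im in range(1, 6)]
        lines.append(LIKELIHOOD_LABELS[lk].ljust(20) + "".join(f"{c:>8}" for c in cells))
    return "\n".join(lines)


# Constructed sample register (illustrative entries, not from the slide).
SAMPLE_REGISTER = [
    Risk(1, "Unpatched internet-facing web server", "IT Operations", 4, 4, 3, 4, previous_rank=2),
    Risk(2, "Loss of sole payment processor", "Procurement", 5, 5, 2, 5, previous_rank=1),
    Risk(3, "Earthquake at primary data centre", "Facilities", 1, 5, 0.5, 5, previous_rank=4),
    Risk(4, "Privileged insider misuse", "CISO", 4, 5, 4, 5, previous_rank=3),
    Risk(5, "Regulatory report filed late", "Finance", 3, 3, 2, 2, previous_rank=5),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(row)
    print(render_heat_map(heat_map(SAMPLE_REGISTER)))
```

Running the module prints the ranked register and the grid. Note that the earthquake entry (residual score 2.5) ranks last and lands in the Very low / Very serious cell, which is exactly the case the slide's "score of less than 1" rule is meant to produce: a catastrophic but remote event that does not crowd out the controllable high-scoring risks.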

Heat Map
(Figure: example heat map; image not reproduced.)

Gap Analysis: Current and Desired
Maturity levels (Ad hoc, Repeatable, Defined, Measured, Optimized) assessed for each ISO 27002 major clause: Security Policies, Organizational Security, Asset Classification, Personnel Security, Physical Security, Communications Management, Access Control, System Development, Incident Management, Continuity Management, Compliance. Each clause is marked with its current state (X) and desired state (O) on the maturity scale; the distance between X and O is the gap.

HOW IS RISK MANAGED?

Classic Risk Formula: Impact x Likelihood
Another popular (IT-centric) perspective: a realized Threat acting on an Asset with a Vulnerability.
ISO's new definition (ISO 31000): "effect of uncertainty on objectives".

HOW IS RISK COMMUNICATED & MONITORED?

Risk Governance: how are we determining the management of the risk program?
- Cited by George Westerman in his article "Building IT Risk Management Effectiveness", one of the CGEIT suggested articles. Westerman's 4 A's: Availability, Access, Accuracy and Agility (from his book "IT Risk").
- Database of risk: the risk register; tracking and trending of risks

Information Security Governance: Guidance for Boards
Purpose of infosec governance:
- Alignment with business strategy (avoid focus on past wars)
- Risk management
- Efficient use of resources
- Monitoring and reporting of appropriate risk metrics
- Optimize value of security investments

Roles & responsibilities
Board
- Define global risk profile
- Set tone
- Resource infosec
- Obtain independent assurance from auditors (internal or external)
- Insist that management makes security investments measurable and reports on security program effectiveness

Sr. Management
- Oversight for security and control framework: policy, standards, practices and procedures, measures
- Appropriate risk identification
- Security infrastructure
- Monitoring
- Reviews of effectiveness
- Incorporation into SDLC

The guidance also provides questions for the board, infosec governance deliverables (by domain), and a maturity model. An IT-only focus is associated with lower levels of maturity.

Risk Awareness and Culture
Risk Awareness
- Those closest to the process/technology/program have the greatest knowledge of the potential risks. Again, these can be business (non-technical) risks.
- We as risk professionals must tap that knowledge: "What keeps you up at night?" and other open-ended questions.

Proper awareness fosters a risk culture:
- OK to talk about risks
- OK to take risks
- OK to fail (if managed appropriately)

Key Risk Indicators (KRIs)
- Measure to indicate how risky an activity is
- Primary use: to report risk profiles to Sr. Management, according to a Risk Management Association (RMA) 2005 survey
- Proprietary within each organization; no common set of KRIs

Enterprise Risk Management needs a consistent and universal way to articulate risk throughout the environment. Quantifying risk into $ is another approach to talk the language of business.

Roles & responsibilities
- Risk must be communicated throughout the organization
- Various organization structures proposed: Chief Risk Officer; Risk Managers in Business Units

ITGI recommends:
- Risk Management Plan, subject to periodic review
- IT Executive Committee to review the plan: the committee reviews priorities and approves allocation of resources to mitigate prioritized risks

Monitoring, Reviewing and Trending Risk
- Management of risk takes a life cycle approach
- Obtain assurance of effectiveness
- Alignment of risk management with business objectives
- Understanding the risk landscape allows the organization to take judicious greater risks when appropriate (change the risk appetite)

Practice Question
Which of the following would be implemented at the highest level of an enterprise?
A. An enterprise risk register
B. A risk management board
C. A risk owner
D. A risk council

Answer
Which of the following would be implemented at the highest level of an enterprise?
A. An enterprise risk register is a management tool that is used within the context of the risk management board.
B. A risk management board is made up of managers who are responsible for the reporting of the enterprise's risk response to the board.
C. Although the highest level of management is responsible for risk, the risk owner is tied to a low-level project, program, or business unit.
D. The risk council is defined either by the enterprise board or the marketplace itself.

Reference: ISACA; IT Governance Practices and Competencies: Information Risks: Whose Business Are They?

GOVERNANCE, RISK & COMPLIANCE TOOLS

Risk Management Snapshot
(Charts: results from the April 2009 and September 2009 Archer Technologies Risk Management Working Group polls; not reproduced.)

"The 2008 global financial crisis has raised awareness for business-oriented risk management on issues such as IT security and financial reporting, as well as the need to have a comprehensive understanding of risk across the organization. Despite these heightened concerns, most organizations continue to struggle with silos of risk management activities that fail to provide an integrated framework for these efforts." Paul Proctor, Douglas McKibben. An Overview of IT and Enterprise Risk Management. Gartner, Inc. December, 2008.

Archer's Approach to GRC
Archer Policy Management: centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance. (Governance: Corporate Objectives, Policies, Control Standards, Authoritative Sources, Control Procedures, Exception Requests)

Archer Risk Management: identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance. (Risk: Question Library, Metrics, Quarterly Risk Review, Risk Register, Loss Events, Assessments, Findings, Remediation Plans)

Archer Compliance Management: document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues. (Compliance: Manual Scoping, Automated Testing, Test Results)

Archer Enterprise Management: manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives. (Enterprise Management: Devices, Business Hierarchy, Product/Services, Business Processes, Facilities, Information, Applications)

Risk Management Process
Components: Risk Register, Loss Events, Metrics, Quarterly Risk Reviews, Question Library, Assessments, Findings, Exception Requests, Remediation Plans

A Top-Down Risk Approach
Risk Register attributes: affected business units, risk nature, risk ownership, source information, impact score, likelihood score, loss amounts, risk response, inherent risk score, residual risk score
Linked records: Metrics, Loss Events, Quarterly Risk Review, Question Library

Follow-on Top-Down
Metrics: status, ownership, objective, how to calculate, impacted business processes, measurement frequency, threshold type and value, current value, date measured
Loss Events: financial valuation and recovery, summary, offset transactions, root cause analysis, failed controls, violated policies

Top-Down Continued
Quarterly Risk Review: statuses, submitter and reviewer, review type and status, review and due dates
Question Library: policy references, answer inheritance

A Bottom-Up Risk Approach
Assessments: Fraud Assessment, Application Assessment, Facility Assessment, Information Asset Assessment, Device Assessment
Linked records: Findings, Exception Requests, Remediation Plans

Bottom-Up Continued
Findings: status, authoritative source references, control standards, approval workflow, finding description, finding response
Remediation Plans: remediation status and dates

Bottom-Up Risk 3
Exception Requests: status, cost analysis, approval workflow, exception declaration, related findings, related control standards, impacted vulnerabilities, related configuration check results, compensating controls, attachments, review and approvals

Risk Management Reporting
Over 140 out-of-the-box reports, including:
- Risk Impact and Rating Summary
- Risks by Inherent and Residual Rating
- Risks by Company Objective
- Metric Status Summary
- Net Total Losses by Business Unit by Month
- Open Loss Events by Business Unit
- All Events by Basel II Categories
- Risk Assessment Average Residual Scores by Business Unit
- Risk Findings by Status

END

ERM Components
- Objective Setting: necessary preconditions of risk management; strategic objectives regarding operations, reporting and compliance
- Event Identification: positive or negative risk-related events
- Risk Assessment: impact and likelihood of identified events
- Risk Response: avoidance, reduction, sharing, acceptance
- Control Activities: controls that ensure that risk response is completed
- Information and Communications: processes that link the above components
- Monitoring: ensure that all the above processes work effectively

COSO ERM Principles
ERM is a process implemented in the context of the internal control environment. It takes into consideration:
- Risk management philosophy
- Risk appetite
- BOD attitude
- Integrity and ethical values
ERM is implemented by people, provides reasonable assurance, and supports achievement of objectives.

COSO ERM
Risk management is an essential component of the COSO internal control model: identify risk; estimate its significance and frequency; determine what actions should be taken in response.
There is a general lack of a comprehensive risk assessment process. Silo approaches preclude:
- Comparison of risk across functional components
- Integrated management

COSO ERM: Eight Components and Four Objectives Categories
Eight Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
Four Objectives Categories: Strategy, Operations, Financial Reporting, Compliance

COSO ERM Framework
- Objectives categories and component activity: a general framework for management of enterprise risk, with a common language and approach
- Management of IT-related risks (e.g., infosec) should be addressed as a special case of ERM
- Enterprise context: IT risk as just another kind of business risk

COSO ERM Component Activity
Control activity
- Policies and procedures that ensure that risk response activity is carried out
- E.g., (trivial) not the password policy, but the AD & Winlogon mechanism that enforces the policy

Information and communication
- Outputs, indicators, reports that coordinate other component activities

Monitoring
- Processes needed to determine the effectiveness of all the other ERM components

Other ERM Frameworks
ISO 31000: recent work by the International Organization for Standardization (November, 2009). Replaced AS/NZS 4360:2004.

Risk IT: ISACA's own
- Leverages elements of George Westerman's work at MIT and Jack Jones' FAIR methodology (heat maps)
- Balance risk with opportunity: little to no risk means fewer necessary controls, leaving room to identify and work towards opportunities

Risk IT Framework
3rd component of ITGI's IT Governance Framework:
- Val IT: creation of business value
- Risk IT: protection of information assets
- COBIT: control & improve IT

Risk IT
Goal: ensure enterprise governance of IT risk
- Connects IT risk with business objectives
- Aligns IT-related business risk with overall enterprise risk management (akin to IT-enabled business investment/value)
- Framework specializes the COSO ERM framework to IT risk, with emphasis (but not exclusively) on information security risk

Framework provides:
- Risk management governance practices
- End-to-end process framework
- Catalog of generic adverse IT-related risk
- Tools & techniques
- Roles & responsibilities

Risk IT Components
(Figure not reproduced.)

Risk IT Process Model
(Figure not reproduced.)

Risk IT Process Model: Zoom
For each process, Risk IT provides:
- Detailed control activities / objectives
- Inputs and outputs for each activity
- RACI chart
- Goals and metrics (activity, process & domain)
- Maturity model

Risk IT Companion Document
(Figure not reproduced.)

COSO ERM: for more info
COSO.org
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
http://www.coso.org/documents/COSO_ERM.ppt
http://www.coso.org/ERM-IntegratedFramework.htm (especially recommended for security professionals)

COSO ERM Entity & Unit Level Risk
Risk should be considered and managed at all levels of business: entity-wide plus unit-specific risks.
Unit-level risk: follow the organization chart?
Entity-level risk:
- Risk impacting multiple business units
- Roll-up of unit-level risk with material impact