Evaluating the Implementation of Risk Management and Governance


IT governance encompasses the organization's information systems, its strategy, and its people. Its purpose is to ensure that IT is aligned with the organization's strategy and goals. The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security of IT under that governance structure; they cannot delegate that accountability, only the responsibility for day-to-day execution.

Within the IT governance structure, there should be clearly defined roles and responsibilities. The IT department should implement best practices in its operational and development methodology and should have a structured approach to project and change management. Overall, the IT governance structure ensures the efficient and effective use of resources in the secure and reliable deployment and maintenance of information systems.

An important area of IT governance is risk management. Risk management is the process that enables IT managers to balance the operational and economic costs of protective measures against the gains in mission capability achieved by protecting the IT systems and data that support business objectives. In developing a risk-management plan, ISACA states that the organization must do the following:

  • Establish the purpose of the risk-management program. In establishing the purpose for the program, the organization will be better prepared to evaluate the results and determine its effectiveness.

  • Assign responsibility for the risk-management plan. To ensure the success of the plan, the organization should designate an individual or team responsible for developing and implementing it. That team should coordinate efforts across the organization to identify risks and define strategies to mitigate them.

As stated in Chapter 1, "The Information Systems (IS) Audit Process," risk can be defined as the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level (mitigation), and maintaining it at that level. In developing the risk-management plan, the organization should identify its assets as well as the threats to and vulnerabilities of those assets. After identifying potential vulnerabilities, the IS auditor should perform a business impact analysis (BIA) of the threats that could exploit them.


Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.


The IS auditor can use qualitative or quantitative analysis during the BIA to assess the potential impact, or degree of loss, associated with each asset. Quantitative impacts are those that can be measured directly, such as lost revenue, replacement cost, or the cost of downtime. Qualitative impacts are harder to measure because they involve losses such as damage to reputation, endangerment of staff, or loss of customer confidence. In other words, a quantitative approach attempts to assign real numbers to the cost of threats and the amount of damage, whereas a qualitative approach uses a ranking method to weigh the seriousness of the threat against the sensitivity of the asset.


Quantitative risk analysis is not always possible, because some threats and potential losses cannot be expressed reliably in monetary terms. In that case, a qualitative risk assessment is more appropriate.


When the BIA is complete, the organization must determine whether the risk is acceptable. If it is not, the IS auditor can evaluate the existing controls or recommend new controls to reduce the vulnerabilities to an acceptable level of risk. These controls, also called countermeasures, can be actions, devices, procedures, or techniques. The risk that remains after controls have been applied to an asset is called residual risk. The organization's management sets the acceptable level of risk; if the residual risk is at or below that level, further controls are not required. The IS auditor should also evaluate whether controls are excessive relative to the risk they address, because the removal of excessive controls can produce cost savings for the organization. The organization's acceptance of residual risk takes into account organizational policy, the risk-management plan and its measurements, and the cost-effectiveness of implementing controls.

The risk-management process provides management with an effective method of understanding risk and achieving a cost-effective balance when applying countermeasures. The risk-management program must be supported by senior management and must have a designated individual or team to be successful.

In most organizations, the executive director works with the board of directors to define the purpose of the risk-management program. By clearly defining the program's goals, senior management can evaluate the results of risk management and determine its effectiveness. The risk-management team should operate at all levels of the organization and needs the help of operations staff and board members to identify areas of risk and to develop suitable mitigation strategies.



Source: CISA Exam Cram 2 (2005), 146 pages. Listed identifier: B001EEFNHG.
