PART 3 – CISA Domain2 – Governance and Management of IT

What is Risk Management?
What are the steps involved with Risk Management?
What is Human Resource Management?
What are the Sourcing Methods?

7. Risk Management:
Risk management is the process of identifying weaknesses in, and threats to, the information resources an organisation uses to achieve its business goals, and determining what countermeasures can be taken to reduce risk to an acceptable level.
It includes identifying, analyzing and evaluating IT processes in order to treat, monitor and communicate the risk.
The Board can choose to deal with a risk in any one of the following ways:
Avoid the risk – Eliminate the cause.
Reduce the risk of loss – Implement and monitor the appropriate controls.
Transfer (deflect, or allocate) – Share the risk with partners, or transfer it via insurance coverage, contractual agreements or other means.
Accept – Formally acknowledge that the risk exists and keep an eye on it.

Keep in mind: It is important to identify IT risks and evaluate the potential consequences.
Step 2 – Evaluation of vulnerabilities and threats

Threat – A person or event that could have a negative impact on a valuable resource. Common threats include:
Malicious damage/attack
Failure of equipment/software
Vulnerability – A weakness in a system. Vulnerabilities make it possible for harmful outcomes to occur and can make those outcomes worse. Some examples:
Lack of user knowledge
Lacking security functionality
Inadequate user education/knowledge (e.g., poor password selection)
Untested technology
Unprotected communication transmissions
Step 3 – Evaluation of the impact – The consequence of a threat exploiting a vulnerability is referred to as the impact. It can take the form of:

A direct financial loss in the near term
Indirect and ultimate financial loss over the long-term
These losses include:
Direct loss of money (cash, credit)
Breach of law (e.g., unauthorized disclosure)
Loss of reputation/goodwill
Endangering customers or staff
Breach of confidence
Loss of business opportunity
Reduction in operational efficiency/performance
Business activity interruption

Step 4 – Calculation of Risk – One common way to combine the elements is to calculate, for each threat, probability x magnitude of effect. This gives an estimate of the overall risk.
Step 5 – Evaluation of and response to Risk
Risk is addressed by applying controls, also known as safeguards or countermeasures; these include actions, devices and procedures.
Management can use residual risk, which is the level of risk left after all controls have been applied, to identify areas that require further control and so reduce risk further.

8. Human Resource Management
Background checks are the first step in any hiring process.
Mandatory vacation (or holiday) is a requirement that a person other than the regular employee performs a job function at least once a year. This reduces the chance of illegal or improper acts. Fraudulent activity can be uncovered during this period, provided there has been no collusion between employees to cover up discrepancies. Mandatory leave is therefore a control measure.
Job rotation provides an additional control to reduce the risk of fraud or malicious acts, because the same person does not perform the same tasks all the time.