Introduction to the Practitioner Guide ..... 7
    Structure of the Document ..... 7
    The Risk IT Process Model ..... 7
    Risk IT Positioning With Respect to COBIT and Val IT ..... 8
    Overview of the Guide—Mapping Against the Process Model ..... 8
1. Defining a Risk Universe and Scoping Risk Management ..... 11
    Risk Universe ..... 11
    Enterprise IT Risk Assessment ..... 12
    Scoping IT Risk Management ..... 14
2. Risk Appetite and Risk Tolerance ..... 15
    Risk Appetite and Risk Tolerance Defined ..... 15
    Risk Appetite ..... 15
    Risk Tolerance ..... 17
3. Risk Awareness, Communication and Reporting ..... 19
    Introduction ..... 19
    Risk Awareness and Communication ..... 19
    Key Risk Indicators and Risk Reporting ..... 22
    Risk Profile ..... 24
    Risk Aggregation ..... 25
    Risk Culture ..... 29
4. Expressing and Describing Risk ..... 31
    Introduction ..... 31
    Expressing Impact in Business Terms ..... 34
    Describing Risk—Expressing Frequency ..... 37
    Describing Risk—Expressing Impact ..... 38
    COBIT Business Goals Mapping With Other Impact Criteria ..... 42
    Risk Map ..... 46
    Risk Register ..... 47
5. Risk Scenarios ..... 51
    Risk Scenarios Explained ..... 51
    Risk Factors ..... 53
    Example Risk Scenarios ..... 57
    Capability Risk Factors in the Risk Analysis Process ..... 69
    Environmental Risk Factors in the Risk Analysis Process ..... 71
6. Risk Response and Prioritisation ..... 75
    Risk Response Options ..... 75
    Risk Response Selection and Prioritisation ..... 77
7. A Risk Analysis Workflow ..... 81
8. Mitigation of IT Risk Using COBIT and Val IT ..... 83
Appendix 1. Risk Concepts in Risk IT vs. Other Standards and Frameworks ..... 111
    Comparison of Major Features ..... 111
Appendix 2. Risk IT and ISO 31000 ..... 113
    ISO 31000 Risk Management—Guidelines on Principles and Implementation of Risk Management ..... 113
Appendix 3. Risk IT and ISO 27005 ..... 117
    ISO/IEC 27005:2008, IT—Security Techniques—Information Security Risk Management ..... 117
Appendix 4. Risk IT and COSO ERM ..... 119
    COSO Enterprise Risk Management—Integrated Framework ..... 119
Appendix 5. Vocabulary Comparisons: Risk IT vs. ISO Guide 73 and COSO ERM ..... 123
    Risk IT and ISO Guide 73 on Risk Management Vocabulary ..... 123
    Risk IT and COSO ERM on Risk Management Vocabulary ..... 125
Appendix 6. Risk IT Glossary ..... 129
List of Figures ..... 131
Other ISACA Publications ..... 133