Professional Documents
Culture Documents
SESSION 3
Job Practice
16. Organizational assets Every asset should have a defined risk owner who is
and business processes, consulted on assessment and monitoring results. The
including enterprise risk owner will assist in recommending responses that
aide in achieving business objectives.
management (ERM)
27. Risk response options The risk owner will consider the business objectives
(i.e., accept, mitigate, in the determination of whether to accept, mitigate,
avoid, transfer) and avoid or transfer a risk.
criteria for selection
23. Principles of risk and Each risk scenario should be assigned to a risk owner
control ownership to make sure the scenario is thoroughly analyzed.
29. Systems control design While a control owner is accountable for the control’s
and implementation, effectiveness, it is critical that controls are designed
including testing to achieve control objectives.
methodologies and
practices
User registration
Preventive Login screen Fence
process
Intrusion detection
Detective Audit Motion sensor
system (IDS)
Source: ISACA, CRISC Review Manual 6th Edition, USA, 2015, Figure 3.3
23. Principles of risk and Establishing clear lines of accountability and ensuring
control ownership control ownership are fundamental to the principles of
risk and control ownership.
Phase 1— The need for an IT system is expressed and the Identified risk is used to support the development of the
Initiation purpose and scope o the IT system is documented. system requirements.
Phase 2—
The IT system is designed, purchased, programmed, Risk identified during this phase can be used to support
Development or
developed or otherwise constructed. the security analyses of the IT system.
Acquisition
This phase may involve the disposition of information, Risk management activities are performed for system
Phase 5— hardware and software. Activities may include moving, components that will be disposed of or replaced to
Disposal archiving, discarding or destroying information and ensure proper disposal, appropriate handling of residual
sanitizing the hardware and software. data and secure and systematic system migration..
Source: ISACA, CISM Review Manual 14th Edition, USA, Exhibit 2.31
41.1 Control activities, objectives, The CRISC assists the control owner in the
practices and metrics development of control procedures to ensure the
related to business effectiveness and efficiency of each business
processes process.
41.2 Control activities, objectives, The CRISC assists the control owner in the
practices and metrics development of control procedures to ensure the
related to information effectiveness and efficiency of the Information
security, including Security program components.
technology certification and
accreditation practices
29. Systems control design and Ensuring that adequate systems and user
implementation, including acceptance testing is complete will better assure that
testing methodologies and the action plans were executed based on the
practices documented risk response.
Integration or Tests the system in relation to its overall environment to show how the
system testing components work when they are integrated or joined together along with the
interfaces between the components and the overall operation of the system.
Regression testing Involves testing the changes to a program to discover any new problems in the
operation of the program that were caused by the changes.
Fuzzing Process of testing input fields (controls) of a program. The process will test
allowable values, often the limit of the acceptable range of values and test
values that are beyond the allowable values.
Test Description
Recovery testing Checks the system’s ability to recover after a software or
hardware failure
Security testing Verifies that the modified/new system includes provisions for
appropriate access controls and does not introduce any security
holes that may compromise other systems
Data integrity The data are not altered manually, mechanically or electronically by a person, program or
substitution or by overwriting in the new system.
Storage and security of Data are backed up before conversion for future reference or any emergency that may
data under conversion arise out of data conversion program management.
Data consistency The field/record called for from the new application should be consistent with that of the
original application.
Business continuity The new application should be able to continue with newer records as added (or
appended) and help in ensuring seamless business continuity.