Prepared by Sally Chan, CGEIT, ACIS, CMA
Based on Volume 2, 2011—Risk Management—What Is Your Capacity?
Value—1 Hour of CISA/CISM/CGEIT/CRISC Continuing Professional Education (CPE) Credit
TRUE OR FALSE
3. The American Institute of Certified Public Accountants (AICPA) states that audit services are reserved for financial audit, and thus, what the service auditor does is attest. Attest services are very definitive; management identifies specific procedures and the auditor then performs exactly those procedures.
4. A noteworthy difference between SAS 70 and SOC-1/SSAE 16 is the users of the report. SAS 70 was designed for multiple users and basically went into the public domain. SOC-1/SSAE 16 restricts use of the report to service/user management and user auditors; that is, it cannot be used as a marketing tool to prospects.
5. The SOC-3 report is intended for use by stakeholders such as customers, regulators, business partners, suppliers and directors, whereas SOC-2 is for anyone interested.
6. One of the proposed steps to identify the target application for further analysis is to schedule a workshop with representation from both the business and the controls assessment team and to start the workshop by restating the objective and describing the problem in terms of costs and compliance.
7. When contemplating the option of control reevaluation, whereby the application system controls are substituted with a strong manual control, the selling point is that, in instances such as weak IT controls with limited use of automated controls, it is often cheaper and more effective to implement key manual controls rather than rely on automation.
8. Approaches to IT risk scenarios—top down or bottom up—are not complementary. The approaches should be used sequentially.
9. The importance of risk factors lies in the influence they have on IT risk. They are heavy influencers of the frequency and impact of IT scenarios and should be taken into account during every risk analysis, when frequency and impact are assessed.
10. Scenarios expand one’s thinking, uncover inevitable or near-inevitable futures, and protect against “groupthink.” They help executives ask better questions and prepare for the unexpected.
11. There are numerous methods and practices that can be used to evaluate the information security and risk management (ISRM) program and capabilities of an organization, including surveys, interviews, artifact and evidence reviews, benchmarking, capability maturity modeling, and capability alignment with industry-recognized and industry-leading
12. The information security program functional inventory components include business operation risk and compliance, whereas the information risk management program functional inventory components include the chief information security officer (CISO) and enterprise resiliency.
13. Key indicators of business acceptance of ISRM include the time in the development cycle of products and services at which ISRM programs and capabilities are engaged and the number of policy exception requests that are applied for by the business and then granted by the ISRM organization.
14. Enterprise risk management (ERM) often has the maturity or knowledge to properly incorporate information risk into its assessment, ranking and reporting. Consequently, the ISRM program and capabilities do not need to work closely with the ERM organization or associated stakeholders to understand their needs or to assist them with their activities.
15. Some of the key industry standards (or good practices) with which ISRM organizations and capabilities may elect to demonstrate alignment include ISO 27001-27008 and 31000.
16. A proactive business model would embrace an agenda that recognizes the critical role information privacy plays in the successful realization of business objectives and would transition toward a holistic privacy management archetype.
17. The data custodian is responsible for ensuring that the data elements within the organization are in good health in terms of accuracy, completeness and consistency. The data steward enforces business rules on information, validates the security over information, approves access requests and maintains currency of access groups.
18. The IT privacy control layer safeguards the long-term best interest of the privacy program by establishing controls to address any control weaknesses and promote compliance with laws and industry-leading practices, governance portfolios, and risk management strategies. The key elements of the control layer include risk management, compliance, audit and assurance.