IT RISK FUNDAMENTALS

- Common risk terminology and types of risk - Risk-related business functions - How the three lines of defense are important to the risk management process - General and I&T controls and their role in the risk management process

- Articulate the purpose, objectives and importance of risk governance and risk management. - Summarize how risk management fits within an enterprise governance strategy. - Explain how an enterprise decides the amount of risk it is willing to accept (risk appetite, tolerance and capacity). - Describe the structure, roles and responsibilities of risk stakeholders. - Summarize the risk management process and workflow.

- Categorize enterprise assets and how they are valued. - Describe the factors that can put enterprise assets at risk. - Explain the different types of threats and vulnerabilities that exist. - Identify IT areas of concern that can lead to I&T-related risk. - Describe the risk identification process. - Summarize how to apply risk identification methods. - Define the types and benefits of risk scenarios. - Describe how to develop a risk scenario.

- Explain the risk assessment process. - Describe frequency and magnitude and how they apply to a risk scenario. - Explain the risk analysis process and available approaches. - Apply risk analysis methods and techniques. - Explain how to rank and prioritize risk. - Describe risk aggregation and it applies to risk maps. - Summarize how to document risk (risk register). - Explain how to assess the current state of controls. - Define risk and control ownership.

- Explain the risk response process and the importance of alignment with business objectives. - Illustrate risk response strategies and examples of each. - Outline control design and implementation and control activities that can reduce risk to acceptable levels. - Articulate the role that incident management, business continuity and disaster recovery play in mitigating risk. - Define the characteristics of inherent and residual risk. - Explain how to select and prioritize risk response alternatives. - Describe how to document and communicate risk responses. - Define the elements of a risk response plan.

- Gather available sources of data to monitor and report on risk. - Articulate how to monitor risk through the use of key risk indicators (KRIs) and key performance indicators (KPIs). - Describe how to monitor existing controls. - Explain risk reporting guidelines and types. - Outline the importance of an ongoing risk monitoring process and a proactive and continuous approach to risk management.