IT Examiner School eBook

Internal Use Only

Risk Mitigation “Tools”

• Properly identified risks, prioritized by importance/criticality
• Independent audits
• Appropriate IT policies, procedures, and standards
• Appropriate IT system and application security controls, with timely monitoring
• Vulnerability assessments and penetration tests
• Dual controls / separation of duties
• Cybersecurity reviews/audits
• Strong vendor management controls


Risk Assessment from a Management Component Perspective

• The Board is responsible for communicating its risk tolerance to management.
• Management is responsible for performing the risk assessment, ensuring that the risk assessment (RA) is complete, accurate, and reasonable, and reporting the results to the Board.
• Risk acceptance decisions should be made at the Board level.
• Review Board minutes for support for the answers management provides during discussions (approval/discussion of risk assessment findings, risk acceptance decisions, etc.).
