
Script On ISPROF

The document discusses various topics related to information security risk management including control activities, COBIT framework, types of controls, information and communication criteria, monitoring activities, roles of a Chief Risk Officer, available guidance standards, and frameworks such as COBIT, ISO/IEC, and NIST. It provides details on how these standards and frameworks can help organizations enhance governance, manage risks, comply with regulations, and align IT with business goals.

Uploaded by

ricojr.pagalan

Script on ISPROF

Control Activities:

In other words, control activities (or controls) are the procedures that management implements
to safeguard assets, keep information accurate and complete, and achieve established
business goals and objectives.

The COBIT framework was created by ISACA to bridge the crucial gap between
technical issues, business risks and control requirements. COBIT can be implemented in any
organization from any industry to ensure quality, control and reliability of information
systems.

My Explanation on COBIT: So what are the uses of COBIT? COBIT can help the organization
meet its business challenges in regulatory compliance, risk management and aligning
IT strategy with organizational goals.

There are 3 types of controls:

Preventive Control: Examples of preventive controls include hiring qualified personnel,
segregating employee duties, and controlling physical access.

Detective Control: Examples of detective controls include performing reconciliations of
bank accounts, trial balances, etc.

Detective controls are designed to find errors or problems after the transaction has
occurred. Detective controls are essential because they provide evidence that preventive
controls are operating as intended, as well as offer an after-the-fact chance to detect
irregularities.

Corrective Control: Examples include maintaining backup copies of files and correcting
data entry errors.

Corrective controls are designed to correct errors and irregularities once they are discovered
and to ensure that similar errors are not repeated. Corrective controls are documented in
procedures and manuals for employees to refer to. Some controls are built into the system
itself, which then automatically corrects errors or prevents them from occurring.

Information and Communication:

Relevant – In this scenario, the decision being made is whether to extend credit to a
customer. This decision involves assessing the customer's creditworthiness, which requires
relevant information to make an informed choice.

Reliable – The term "reliable" refers to the quality of being trustworthy and
consistent. Reliable information is information that can be depended upon to be accurate,
consistent, and true.

Free from bias – Bias refers to a tendency or inclination to favor one perspective,
opinion, or outcome over others. Information that is free from bias is objective and impartial,
presenting facts and evidence without distorting or skewing them to serve a particular agenda
or viewpoint.

Dependable – Dependable information is information that can be relied upon to be
consistent and accurate over time. It is consistent in its quality and reliability, making it a
trustworthy source of knowledge or data.

Trusted – Trusted information is information that is held in high regard and
considered reliable and credible by others. It has earned the confidence and trust of its users
or audience due to its track record of accuracy, credibility, and dependability.

Complete – When we say that information is complete, it means that it includes all
the necessary or important aspects of an event or activity. In other words, nothing essential is
left out or omitted. For example, if someone provides a complete summary of a meeting, it
would cover all the key points discussed, decisions made, action items assigned, and any
other pertinent information. Similarly, a complete report on a project would include details
about its objectives, scope, progress, challenges faced, and outcomes achieved.

Timely – When we say that information is timely, it means that it is provided or made
available at the right moment or within an appropriate timeframe to facilitate decision-
making. In other words, the information is delivered when it is needed, allowing individuals
or organizations to make informed decisions promptly.

Understandable – When we say that information is understandable, it means that it is
presented in a clear, coherent, and meaningful manner that can be easily comprehended by
the intended audience. In other words, the information is structured and communicated in a
way that minimizes confusion, ambiguity, or misunderstanding.

Verifiable – When information is described as verifiable, it means that the
conclusions or findings derived from the information can be confirmed or corroborated by
multiple independent sources or individuals. In other words, the information is reliable and
trustworthy because it can be independently verified by different parties, leading to consistent
results or conclusions.

Accessible – When information is described as accessible, it means that it is readily
available and easily obtainable when needed. Accessibility ensures that individuals or users
can quickly locate, retrieve, and utilize the information without unnecessary barriers or
constraints.

Monitoring:

Monitoring in the context of risk management involves the ongoing process of
systematically reviewing and evaluating the effectiveness of risk mitigation strategies and
controls implemented by an organization. The primary objective of monitoring is to ensure
that these strategies and controls remain relevant, adequate, and aligned with the
organization's risk management objectives.

Examples of monitoring activities may include having internal audits or internal
control evaluations; assessing for effective supervision; monitoring against established and
approved budgets; tracking purchased software and mobile devices; conducting periodic
external, internal, and/or network security audits; bringing on board a Chief Information
Security Officer and forensic specialists; installing fraud detection software; and
implementing a fraud hotline, among others.

Chief Risk Officer (CRO)

These risk limits should be published and available to the business units, as each
business manager will be held accountable for assessing the line of business’ risks, creating a
risk action plan, and determining if their risks fall within or outside of the established
tolerances.

As part of the strategic planning process each year, business managers should be
required to complete a risk assessment of his or her area. Included in that is a risk assessment
of the business risks of each application or system that the line of business owns. COBIT or
similar standards like NIST, the International Organization for Standardization/International
Electrotechnical

Available Guidance:

"Available guidance" refers to the wealth of established standards, frameworks, and
best practices developed by reputable organizations that provide guidance on conducting risk
assessments effectively. These standards serve as valuable resources for organizations
seeking to implement robust risk management processes and ensure compliance with industry
regulations.

COBIT:

COBIT, which stands for Control Objectives for Information and Related
Technologies, is a widely recognized IT governance framework developed by ISACA
(Information Systems Audit and Control Association). It provides organizations with a
comprehensive set of best practices, guidelines, and principles for effective governance and
management of IT-related activities. COBIT serves as a valuable resource for organizations
seeking to enhance their IT governance practices, improve risk management capabilities, and
achieve alignment between IT and business objectives. Its internationally recognized
framework and control objectives provide organizations with a structured approach to
addressing IT challenges and opportunities effectively.

COBIT helps organizations create optimal value from IT by maintaining a balance
between realizing benefits and optimizing risk levels and resource use.

ISO/IEC:

The ISO/IEC 27000 family of standards is a comprehensive set of international
standards developed by the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) to address information security
management systems (ISMS).

It supports the general concepts specified in ISO/IEC 27001, and applies to
organizations in most types of industries (e.g., commercial/private, government, not-for-
profit, etc.). ISO/IEC 27005:2011, as well as the rest of the ISO/IEC family of standards,
all assist organizations in managing the security of assets, including, but not limited to, financial
information, intellectual property, employee details, or information entrusted by third parties.

National Institute of Standards and Technology:

- Providing a standard framework for managing and assessing organizations'
Information Systems (IS) risks entails establishing a structured approach to
identify, evaluate, and address potential risks to an organization's information
assets and systems. This framework serves as a systematic methodology for
understanding, quantifying, and mitigating risks, thereby enhancing the overall
security and resilience of an organization's IS environment.
- Allowing for making risk-based determinations while ensuring cost-effective
implementations means that organizations can use risk assessment findings to
prioritize their actions and allocate resources efficiently.
- Describing a more flexible and dynamic approach for monitoring information
security status enables organizations to adapt to evolving threats and
challenges effectively, enhance their ability to detect and respond to security
incidents, and safeguard their critical assets and information against cyber
threats.
- Supporting a bottom-up approach in information security centers on
empowering individual IS stakeholders to take proactive measures to protect
their systems and contribute to the organization's overall security posture. By
fostering a culture of shared responsibility, collaboration, and innovation,
organizations can enhance their resilience to security threats and promote a
more robust and adaptive security environment.
- Promoting a top-down approach related to information security focuses on
strategic leadership, centralized governance, and alignment with corporate
objectives to address specific IT-related issues from a holistic and corporate-
wide perspective. By leveraging executive support and direction, organizations
can enhance their resilience to IT-related threats and protect their assets,
reputation, and stakeholders' trust.

ISACA:
The Information Systems Audit and Control Foundation is an associated not-for-profit
foundation committed to expanding the knowledge base of the profession through a
commitment to research.

ISACA plays a pivotal role in advancing the field of IT audit, control, and security by
providing a global platform for professional development, knowledge sharing, and
collaboration. Through its membership, certifications, resources, and advocacy efforts,
ISACA contributes to the ongoing growth and success of IT professionals and organizations
worldwide.

Insurance as Part of IT Risk Assessment:

This provides an overview of the reasons for and the methods of risk analysis,
insurance alternatives, and what to look for in IT insurance coverage.

Conclusion:

A key component of efficient risk management is risk assessment, which gives
businesses the information they need to recognize, assess, and address possible risks and
weaknesses. Organizations may make well-informed decisions, effectively manage resources,
and prioritize measures to protect their assets, reputation, and stakeholders' interests by
methodically examining risks across several dimensions. Risk assessment promotes proactive
risk management, continuous improvement, and organizational resilience in addition to
increasing resilience to uncertainties and disruptions. The significance of rigorous risk
assessment methods in helping firms navigate a dynamic and ever-changing risk landscape
cannot be overemphasized, as they are the foundation for developing resilient and adaptable
organizations that can thrive in a constantly changing environment.

Cyber Insurance:

Cyber insurance, also known as cyber liability insurance or cyber risk insurance, is a
type of insurance policy designed to protect businesses, organizations, and individuals from
financial losses and liabilities resulting from cyber-related incidents. These incidents may
include data breaches, cyberattacks, ransomware attacks, business interruption due to cyber
incidents, network failures, and other cybersecurity breaches.
