PrepAway - Latest Free Exam Questions & Answers

Assessing IT risks is BEST achieved by:

Assessing IT risks is BEST achieved by:

PrepAway - Latest Free Exam Questions & Answers

A.
evaluating threats associated with existing IT assets and IT projects.

B.
using the firm’s past actual loss experience to determine current exposure.

C.
reviewing published loss statistics from comparable organizations.

D.
reviewing IT control weaknesses identified in audit reports.

Explanation:

To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative
risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk
assessment process, but by themselves are not sufficient.Basing an assessment on past losses
will not adequately reflect inevitable changes to the firm’s IT assets, projects, controls and
strategic environment. There are also likely to be problems with the scope and quality of the loss
data available to beassessed. Comparable organizations will have differences in their IT assets,

control environment and strategic circumstances. Therefore, their loss experience cannot be used
to directly assess organizational IT risk. Control weaknesses identified during audits will be
relevant in assessing threat exposure and further analysis may be needed to assess threat
probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT
assets and projects will have recently been audited, and there may not be a sufficient assessment
of strategic IT risks.


Leave a Reply