COSO ERM Principles
Governance and Culture
Strategy and Objective Setting
Review and Revision
Info, Communication, Reporting
ISO 31000
First global risk management standard; aligns with COSO
Principles (Value Creation and Protection) > Process (Communication + Consultation) and (Monitoring + Review)
Residual Risk
Should be <= risk appetite
Business Process
Set of coordinated activities linked with each other for purposes of achieving an objective.
COSO
widely recognized framework for managing risk
Project
Relatively unique activity, long period of time, complex sequencing, not done continuously
Operating Process
continuous, core process through which a business achieves its objectives; e.g., in manufacturing, the process through which a company creates and sells products
Management and Support Activities
processes that oversee and support core value creation process
ex: hr, payroll, legal, accounting, etc
Key Links
processes that have a direct role in managing risk
secondary risk
processes that manage risk indirectly
Business Process Outsourcing
ex: payroll, customer care, IT
1) mgt still accountable for the risk
2) need to ensure adequate system of internal controls exists
3) Ensure means for monitoring effectiveness of controls
4) Obtain assurances reports from vendor
Value at Risk (VaR)
measures potential loss of market value for a position at a given confidence level and holding period. Works best for liquid trading securities over short holding periods.
Underestimates extreme losses and performs poorly in stressed markets
Expected Shortfall Model
Represents the expected losses in a portfolio for risk beyond the VaR confidence level. Takes into consideration extreme market conditions
Asset/Liability Management
measures the risk that faces banks due to duration mismatch between assets and liabilities (Market Risk)
ex: 1980s S&L crisis
Credit Risk
the economic loss suffered due to default of a borrower or counterparty.
Asymmetrical risk
Basel III
regulatory framework on bank capital adequacy, stress testing, and market liquidity risk.
More equity
Supervisory monitorings
prescribed public disclosure + market discipline
RAROC
Risk Adjusted Returns on Capital
RAROC < KE = destroys value
RAROC > KE = adds value
Economic Capital
the amount of capital required to fund ongoing operations and growth and to absorb unexpected loss.
FORWARD LOOKING INDICATOR OF FUTURE PERFORMANCE
Edge Devices
hardware components located at the boundary of a network—close to data sources or users—that process, analyze, and transmit data locally rather than relying solely on a centralized cloud or data center. They reduce latency, minimize bandwidth usage, and enable real-time, decentralized decision-making in IoT, AI, and industrial applications.
Man in the Middle
Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.
Trust Services Framework
The assumption that internal users are inherently trustworthy, known as implicit trust, has resulted in many costly data breaches.
Zero Trust
cybersecurity approach that denies access to an enterprise's digital resources by default and grants authenticated users and devices tailored, siloed access to only the applications, data, services and systems they need to do their jobs
Insider Threat
a cybersecurity risk that comes from within the organization — usually by a current or former employee or other person who has direct access to the company network, sensitive data and intellectual property (IP), as well as knowledge of business processes, company policies or other information that would help carry out such an attack
Explicit Verification
Identities need to be verified, and access requests need to be authenticated and authorized appropriately
Assumption of breach
Setting up architecture in a way that minimizes damage in the event of a breach is critical. Otherwise, security professionals can do little to thwart lateral and internal attacks.
Principles of Zero Trust
Explicit Verification
Assumption of Breach
The Principle of Least Privilege
Principle of Least Privilege
demands that users and devices are only granted the minimum level of access necessary to perform their business tasks.
Software supply chain
Confirming the software went through the pipeline and ensuring it passed security scans
Code provenance
the verifiable history of software, detailing its origin, creators, and modifications from source to deployment
Microsegmentation
network security architecture that establishes security zone boundaries at the level of individual workloads within data centers and cloud environments, which allows workloads to be isolated and secured
P > D + C
P is time it takes an attacker to break through preventive controls
D is time it takes to detect an attack is in progress
C is time it takes to respond to the attack and take corrective action