Posted by: 신인철     Date: 11-05-04 21:12     Views: 5289     Recommended: 11

IT Scenario Analysis in Enterprise Risk Management

By Urs Fischer, CISA, CRISC, CPA Swiss

ISACA Journal Volume 2, 2011

Scenarios are a powerful tool in the risk manager's armoury. They help professionals answer the usual questions and prepare for the unexpected ones. Scenario analysis is the 'new' best practice in enterprise risk management (ERM) (see figure 1). It is also the most important procedure in ISACA's Risk IT framework.1, 2

Risk scenario analysis is a technique that makes IT risk more concrete and tangible and allows proper risk analysis and assessment.3 It is a core approach that brings realism, insight, organisational engagement, improved analysis and structure to the complex matter of IT risk.

Scenario analysis flow

One of the challenges of IT risk management is identifying the relevant risks among everything that could go wrong. A technique for meeting this challenge is the development and use of risk scenarios. Once these scenarios have been developed, they are used in the risk analysis process, in which the frequency of occurrence and the business impact of each scenario are estimated.

Figure 2 shows that IT risk scenarios can be developed in two different ways:

  • A top-down approach, which starts from the overall business objectives and analyses the most relevant and most probable IT risk scenarios that would affect those objectives.
  • A bottom-up approach, in which a list of generic scenarios is used to define a set of more concrete, customised scenarios.

The two approaches are complementary and should be used together. In practice, risk scenarios must be relevant to, and linked to, real business risks. Using the example list of generic risk scenarios, on the other hand, helps ensure that no risk is overlooked and gives a more comprehensive and complete view of IT risk.

The following practical approach has proven helpful in developing a set of important risk scenarios that are linked to business risk:

  1. Use the example list of generic risk scenarios4 to produce a concrete first draft of risk scenarios for the organisation.
  2. Validate the draft against the organisation's business objectives.
  3. Refine the selected scenarios on the basis of the validation results, and classify them by level according to how critical they are to the organisation.5
  4. Reduce the number of scenarios to a manageable set.6
  5. Keep every risk in the list so that, at the next periodic reassessment, any that has become relevant can be analysed in detail.
  6. Include an 'unspecified event' among the scenarios to cover incidents that are not addressed by the explicitly specified scenarios.

Once the set of risk scenarios has been defined, it can be used for risk analysis, in which the frequency and impact of each scenario are assessed. Important components in assessing impact are the risk factors, which are described in the next section.

This is not rocket science, so why do organisations not use risk scenarios more often and more regularly? Bear in mind that developing risk scenarios is actually harder than it looks. Even a single good scenario takes time to build and needs good input from many areas across the enterprise; a complete set of scenarios naturally calls for a considerable investment of time and energy.

Risk factors

Risk factors are the factors that drive the frequency and/or the business impact of a risk scenario. They can be of different kinds and fall into two main categories:

  • Environmental factors, which can be divided into internal and external factors according to the degree of control the enterprise has over them:
    • Internal environmental factors are largely under the enterprise's control.
    • External environmental factors are largely outside the enterprise's control.
  • Capabilities, i.e., how good the enterprise is at a range of IT-related activities. These can be distinguished according to ISACA's three major frameworks:
    • IT risk management capability: the enterprise's maturity in carrying out the risk management processes defined in Risk IT
    • IT capability: how good the IT processes defined in COBIT are
    • IT-related business capability (or value management), as expressed through the Val IT processes

The importance of risk factors lies in the influence they have on IT risk. Risk factors have a very strong effect on the frequency and impact of IT scenarios and must be taken into account in every risk analysis when frequency and impact are assessed. Figure 3 shows the risk factors.7

Components of a risk scenario

An IT risk scenario is a description of a single IT-related event that, when and if it occurs, can have a business impact. For a risk scenario to be complete and useful for risk analysis purposes, it must contain the distinct components shown in figure 4.

Scenario development

Using scenarios is the key to risk management, and the technique can be applied to any enterprise. Each enterprise needs to build a set of scenarios (containing the components described above) as the starting point for conducting risk analysis. Building a scenario means combining each possible value of every component. Next, the individual combinations would be assessed for relevance and realism and, if found relevant, entered in the risk register. In practice this is not feasible, because it would generate far too many scenarios. The number of scenarios to be developed and analysed must be kept well below what can be managed, which means that (with so many possible scenarios) not every possible combination can be retained.8
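As an added illustration (not part of the article, the ISACA guidance, or this translation), the following Python script models the six-step approach given earlier, the frequency-and-impact analysis adjusted by risk factors, and the multiplicative growth of raw component combinations described in this section. The component names and values, the sample scenarios, the business objectives, the scores and the multipliers are all constructed assumptions: the article's actual components are in figure 4, which is not reproduced on this page, and the article prescribes no scoring formula.

```python
from dataclasses import dataclass
from itertools import product

# Assumed scenario components. The article points to figure 4 for the actual
# list; these five names and their values are illustrative assumptions only.
COMPONENT_VALUES = {
    "actor": ["internal staff", "external party", "natural cause"],
    "threat_type": ["malicious", "accidental", "failure"],
    "event": ["disclosure", "interruption", "modification", "destruction"],
    "asset": ["customer database", "payment system", "data centre"],
    "timing": ["business hours", "outside business hours"],
}


@dataclass
class Scenario:
    name: str
    entity: str                 # organisational unit or process grouping (endnote 5)
    objectives_hit: frozenset   # business objectives the event could affect
    frequency: float            # estimated occurrences per year (constructed value)
    impact: float               # estimated business impact, 1 (low) to 5 (high)
    criticality: str = "generic"


def combination_count(components=COMPONENT_VALUES):
    """Raw scenarios obtained by combining every value of every component:
    the product of the list sizes, which is why not every combination can
    be retained in a manageable set."""
    total = 1
    for values in components.values():
        total *= len(values)
    return total


def raw_scenarios(components=COMPONENT_VALUES):
    """Enumerate every combination as a dict (one dict per raw scenario)."""
    keys = list(components)
    return [dict(zip(keys, combo)) for combo in product(*(components[k] for k in keys))]


def develop_scenario_set(generic, objectives, critical_entities, manageable):
    """Steps 1 to 6 of the practical approach. Returns (selected, backlog)."""
    draft = list(generic)                                              # step 1
    validated = [s for s in draft if s.objectives_hit & objectives]    # step 2
    for s in validated:                                                # step 3
        s.criticality = "detailed" if s.entity in critical_entities else "generic"
    ranked = sorted(validated, key=lambda s: s.frequency * s.impact, reverse=True)
    selected, backlog = ranked[:manageable], ranked[manageable:]       # steps 4, 5
    selected.append(Scenario("Unspecified event", "enterprise",        # step 6
                             frozenset(objectives), 0.0, 0.0))
    return selected, backlog


def analyse(scenario, risk_factors):
    """Risk analysis: adjust frequency and impact by the risk factors.
    risk_factors maps a factor name to (frequency multiplier, impact multiplier).
    The multiplicative form is a simplifying assumption, not the article's method.
    Returns (adjusted frequency, adjusted impact, annual exposure)."""
    freq, impact = scenario.frequency, scenario.impact
    for f_mult, i_mult in risk_factors.values():
        freq *= f_mult
        impact *= i_mult
    impact = min(impact, 5.0)                 # keep impact on its 1-5 scale
    return round(freq, 3), round(impact, 3), round(freq * impact, 3)


# Constructed sample input (assumed values, not from the article)
OBJECTIVES = frozenset({"uninterrupted customer service", "regulatory compliance"})
CRITICAL_ENTITIES = {"payments"}
GENERIC = [
    Scenario("Payment system outage", "payments",
             frozenset({"uninterrupted customer service"}), 0.5, 5),
    Scenario("Customer data disclosure", "crm",
             frozenset({"regulatory compliance"}), 0.2, 4),
    Scenario("Office printer failure", "facilities",
             frozenset({"staff convenience"}), 3.0, 1),      # fails validation
    Scenario("Unpatched server compromise", "infrastructure",
             frozenset({"regulatory compliance", "uninterrupted customer service"}), 0.3, 3),
    Scenario("Key IT staff departure", "it operations",
             frozenset({"uninterrupted customer service"}), 0.4, 1),
]
RISK_FACTORS = {
    "external environment (threat landscape)": (1.5, 1.0),   # outside enterprise control
    "internal environment (change volume)":    (1.2, 1.0),   # largely under control
    "IT capability (COBIT process maturity)":  (0.8, 0.9),   # good processes lower both
}

if __name__ == "__main__":
    print("raw component combinations:", combination_count())
    selected, backlog = develop_scenario_set(GENERIC, OBJECTIVES, CRITICAL_ENTITIES, manageable=3)
    for s in selected:
        print(f"{s.name:30} {s.criticality:9} freq/impact/exposure = {analyse(s, RISK_FACTORS)}")
    print("kept for the next iteration:", [s.name for s in backlog])
```

With the five assumed components the raw product is already 216 combinations before any relevance filtering, which is the point the section makes about not retaining every combination. The printer scenario is dropped at step 2 because it touches no business objective, the lowest-ranked validated scenario lands in the backlog kept for the next reassessment (step 5), and the 'unspecified event' is appended last (step 6).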

Conclusion

Scenarios have three very powerful advantages in helping people understand risks and opportunities.9

First, scenarios expand people's thinking. When scenarios develop a range of possible outcomes, people think more broadly on that basis. By showing how and why things could quickly get better or worse, scenarios let people improve their preparedness for the range of possibilities the future may hold.

Second, scenarios uncover the inevitable or near-inevitable things that lie ahead. In developing scenarios, people examine predetermined, and especially unexpected, (intermediate) outcomes, which are often the most powerful source of the new insights discovered during the scenario development process.

And finally, scenarios protect against the evils of 'groupthink'. Often an organisation's hierarchy blocks the free flow of debate. Employees wait for the most senior person to state an opinion before daring to voice their own (especially in meetings), and what they then say frequently mirrors that person's view to a surprising degree. Scenarios let organisations avoid this trap by providing a politically safe haven for contrarian thinking.

Scenarios do not provide all the answers, but they help management ask better questions and prepare for the unexpected. That is what makes them such a valuable tool.

Endnotes

1 ISACA, The Risk IT Framework, USA, 2009
2 ISACA, The Risk IT Practitioner Guide, USA, 2009
3 Risk analysis is the actual estimation of frequency and magnitude/impact of a risk scenario. Risk assessment is a slightly broader term and includes the preliminary and ancillary activities around risk analysis, i.e., identification of detailed risk scenarios and definition of responses.
4 The Risk IT Practitioner Guide provides a list of generic IT risk scenarios. This list can be used as a basis to build the enterprise's own set of relevant risk scenarios.
5 Critical entities deserve to have risk scenarios defined at a detailed level; non-critical entities can do with quite generic scenarios that are not elaborated in too much detail. Note that the entity can be an organisational unit, but can also be something cross-organisational, e.g., a grouping of similar business processes and activities.
6 'Manageable' does not signify a fixed number, but should be in line with the overall importance (size) and criticality of the unit. There is no general rule, but if scenarios are reasonably and realistically scoped, the enterprise should expect to develop at least a few dozen scenarios.
7 Risk factors are discussed in detail in The Risk IT Practitioner Guide.
8 Some guidance and considerations for the development and maintenance of manageable numbers of relevant scenarios can be found in The Risk IT Practitioner Guide.
9 Based on Roxburgh, Charles; 'The Use and Abuse of Scenarios', McKinsey Quarterly, November 2009

 

Urs Fischer, CISA, CRISC, CPA Swiss

is an independent IT governance, risk and compliance consultant. From 2003 to 2010, he was vice president and head of IT governance and risk management for the Swiss Life Group. Previously, he was head of IT audit for the SwissLife Audit Department based in Zurich, Switzerland. Since 1989, Fischer has worked in the IT governance, audit and security areas and has gained extensive IT governance, risk management and information systems compliance experience. Involved in the development of CoBIT® 4.0 and 4.1, he is also helping with the development of CoBIT 5. A member of ISACA's Guidance and Practice Committee, in June 2010, he received the John Lainhart IV Award from ISACA.

