Organizations employ a variety of standardized tools and approaches in order to understand threats to their assets and information resources, including the use of technology to commit crimes such as theft, fraud or extortion, or to disrupt the provision of goods and services to customers. Equally important is that these threats may arise from inadvertent errors or omissions in the acquisition, use, configuration or changes to application systems, data and enabling information technology infrastructures.

Specialized skills are needed to

• assess an organization’s exposure to both threats and internal control deficiencies, as well as the level of inherent and residual risks

• report on residual risk exposures, as well as support the timely and effective resolution of identified control deficiencies.