The board's primary role in the governance of enterprise IT (GEIT) is to provide direction and oversight, not to perform operational risk analysis. Upon being informed of potential cyberthreats, the board's immediate and most appropriate next action is to direct executive management to assess the situation. Engaging the Chief Information Officer (CIO) to evaluate the risk ensures that the threats are properly analyzed by the accountable party. This evaluation will provide the board with the necessary information to make informed strategic decisions regarding risk appetite, tolerance, and the adequacy of response plans.

A. Evaluate the security incident response process: This is a reactive measure. The board first needs to understand the nature and potential impact of the specific threats before evaluating the process designed to handle them.

B. Reevaluate the risk tolerance of the organization: Reevaluating risk tolerance is a significant strategic activity that should be based on a formal risk assessment, not just the initial notification of possible threats.

C. Ask the CIO to report on a risk response: A risk response can only be formulated after the risk has been properly identified and evaluated. Asking for a response plan is premature.

1. ISACA

CGEIT Review Manual

8th Edition (2020): Domain 4

Risk Optimization

Task 4.2

states the board's role is to "Ensure that IT risk is identified

analyzed

mitigated

managed

monitored and communicated." The board fulfills this by directing management (such as the CIO) to perform the analysis (evaluation) as the initial step in the process.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018): The governance objective EDM03

Ensure Risk Optimization

outlines the board's role. Practice EDM03.02

"Direct risk management

" involves directing the establishment of key risk indicators and risk profiles. This directive function begins by tasking management with evaluating new

potential risks to inform the board.

3. ISACA

COBIT 2019 Framework: Introduction and Methodology (2018): The COBIT Core Model distinguishes between governance and management. Governance bodies (the board) evaluate

direct

and monitor (EDM). Management plans

builds

runs

and monitors (PBRM). Therefore

the board directs management (the CIO) to perform the evaluation. (p. 31

Figure 4.1).