セクション: ボリューム D

New regulatory requirements impacting IT are those that impose new obligations, restrictions, or standards on how an organization uses, manages, or secures its IT systems, data, or services1. Examples of such regulations include the GDPR, the CCPA, the HIPAA, or the PCI-DSS2. New regulatory requirements impacting IT can pose significant challenges and risks for an organization, such as:
* Compliance costs and efforts, such as updating policies, procedures, and systems, training staff, or hiring experts
* Noncompliance penalties and consequences, such as fines, lawsuits, sanctions, or reputational damages
* Operational disruptions or inefficiencies, such as system changes, data migrations, or service interruptions
* Competitive disadvantages or opportunities, such as losing or gaining customers, partners, or markets3 The first step that should be done when a company is made aware of new regulatory requirements impacting IT is to review the risk tolerance and appetite. Risk tolerance is the acceptable level of variation that an organization is willing to accept around its risk appetite. Risk appetite is the amount and type of risk that an organization is willing to take in order to meet its strategic objectives. By reviewing the risk tolerance and appetite, the company can:
* Establish a clear and consistent understanding of the organization's goals, values, and expectations
* regarding the new regulatory requirements impacting IT
* Assess the current and potential impacts of the new regulatory requirements impacting IT on the organization's performance, operations, or assets
* Determine the level of risk exposure and acceptance that the organization is comfortable with, and identify the risk thresholds or limits that should not be exceeded
* Align the risk management strategies and actions with the organization's risk tolerance and appetite, and prioritize the most critical and urgent risks to be addressed
* Communicate and report the risk tolerance and appetite to the stakeholders and regulators, and ensure transparency and accountability References = Regulating emerging technology | Deloitte Insights, Ten Key Regulatory Challenges of 2024 - kpmg.com, The Risks of Non-Compliance with Data Protection Laws, [Risk Tolerance - COSO], [Risk Appetite - COSO], [Risk Appetite and Tolerance - IRM]

is incorrect. The present IT budget is just one of the components of the strategic plan. Answer: A is incorrect. The IT strategic plan exists to support the enterprise's strategic plan but is not solely considered while designing information system control.