RISK FACTORS RISK MEASUREMENT PROCESS (Worksheet 7b, Wksht7b.xls)

YEAR:          PREPARED BY:          DATE:

INSTRUCTIONS:
1. Enter Year, Prepared By, and Date in the appropriate cells.
2. List the Risk Factors in use (F1..F10) by description in Cells P2..P11.
3. Alter the weights in Cells C15..L15 to suit your risk model. The weights should sum to 1.00 (the sum is shown in Cell M15).
4. Enter the auditable units of the audit universe in column B. The associated Audit Numbers may be assigned and entered in column A.
5. Evaluate each auditable unit (audit) by assigning a score (1 = low, 3 = high) for each risk factor used in the model. The total risk score (the weighted sum of the factor scores) is shown in column M.
6. The spreadsheet data may be sorted (recommended) to prioritize the auditable units.

FACTORS   F1    F2    F3    F4    F5    F6    F7    F8    F9    F10   TOTAL
WEIGHTS   0.1   0.1   0.1   0.1   0.1   0.1   0.1   0.1   0.1   0.1   1.00

AUDIT #   AUDIT UNIVERSE   F1 .. F10 (score 1 = low, 3 = high)   TOTAL RISK SCORE
(template rows left blank for the auditable units)


SORTED RISK ASSESSMENT MATRIX / RISK IDENTIFICATION (Worksheet 3c, wksht3c.xls)
Worksheet contributed 8/8/00 by Bonnie_Chan@deanfoods.com

AUDITOR:          DATE:
AUDIT: DATA CENTER RISK IDENTIFICATION

THREATS (Threat Axis T1..T12 in Cells C5..N5; ranks in the RANK row, Cells C6..N6):
  RANK  THREAT
  1     Unauthorized Employee
  2     Software Failure
  3     Data Back Up Failure
  4     Hardware Failure
  5     Fire
  6     Intruders
  7     Data Corruption
  8     Hackers
  9     Natural Disaster
  10    Power Outage
  11    Key Component Failure
  (T12 unused in this example)

COMPONENTS (Cells B8..B20; ranks in Cells A8..A20):
  RANK  COMPONENT
  1     Policies and Procedure
  2     Hardware
  3     Software
  4     Physical Protection
  5     Logical Protection
  6     People
  7     Power

Legend: HIGHEST RISK = 3, in the left-most (upper-left) quadrant of the sorted matrix. Cell H10 shows the number of cells to be marked HIGH RISK.

INSTRUCTIONS:
1. Enter Auditor, Date, and Audit in the spaces provided.
2. Enter Components (up to a maximum of 12) in Cells B8..B20.
3. Assign Threats (up to a maximum of 12) to the Threat Axis (T1..T12 in Cells C5..N5). Threats can be documented by listing them in Cells B27..B38.
4. Rank the Threats by choosing the most significant (assigning it the highest number) and the least significant (assigning it "1"), and so forth with the next-most and next-least. If there are 9 Threats, the highest value = 9, etc. Place the rankings in the RANK row, Cells C6..N6.
5. Use the "Data Sort" command to rearrange Cells C5..N6 (2 rows), using Cell C6 as the Primary Key and Sort Order Descending.
6. Similarly, rank the Components using Cells A8..A20, with the most important component receiving the highest value (if 10 Components, the highest = 10, etc.).
7. Use the "Data Sort" command to rearrange Cells A8..B20 (2 columns), using Cell A8 as the Primary Key and Sort Order Descending.
8. The matrix should now be sorted to reflect the highest risks in the upper left corner and the lowest risks in the lower right corner (depending on matrix size). The matrix will register the number of cells to be marked HIGH RISK (Cell H10).

The workbook also carries one matrix sheet per risk category (Total Integrity Risk, Total Relevance Risk, Total Access Risk, Total Availability Risk, Total Infrastructure Risk). Each uses the components listed under that category below as its COMPONENTS axis with a Rank column, and leaves the THREATS axis for the auditor to fill in; in the template the totals are zero.


RISK DEFINITIONS (Risks sheet of wksht3c.xls)

Each risk is listed with its Source/Cause, its Effects, and the worksheet's definition.

INTEGRITY RISK
  Source / Cause: Data corruption, errors, omissions.
  Effects: Data corruption.
  Definition: This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used to support a business process. Integrity can be lost because of programming errors (e.g., good data is processed by incorrect programs), processing or maintenance errors (e.g., transactions are incorrectly processed more than once against the same master file), or management/process errors (e.g., poor management of the systems maintenance process).

RELEVANCE RISK
  Source / Cause: No effective communication.
  Effects: Not getting "the right data/information to the right person, process or system at the right time to allow the right action to be taken."
  Definition: Relevance risk concerns the usability and timeliness of information that is either created or summarized by an application system. It is the risk associated with not getting "the right data/information to the right person/process/system at the right time to allow the right action to be taken."

ACCESS RISK
  Source / Cause: Inappropriate security access set-up.
  Effects: Confidentiality violation; data lost or corrupted, for example by virus infection, worm or trojan attack programs.
  Definition: Access risk focuses on the risk associated with inappropriate access to systems, data or information. It encompasses the risks of improper segregation of duties, risks associated with the integrity of data and databases, and risks associated with information confidentiality. It covers inappropriate access to the processing environment and the programs or data stored in that environment, inappropriate access to the network itself, and physical devices left unprotected from damage, theft and inappropriate access.

AVAILABILITY RISK
  Source / Cause: Natural disasters (fire, flood, etc.) causing hardware and software failure; power outage; theft.
  Effects: Short-term or long-term business disruptions to systems; lack of, or weak, performance monitoring.
  Definition: Availability risk covers risks that can be avoided by monitoring performance and proactively addressing systems issues before a problem occurs; risks associated with short-term disruptions to systems, where restore/recovery techniques can be used to minimize the extent of a disruption; and risks associated with disasters that cause longer-term disruptions in information processing, which focus on controls such as backups and contingency planning.

INFRASTRUCTURE RISK
  Source / Cause: Lack of, or weak, organizational planning.
  Effects: Disorganized and dysfunctional IT decisions; lack of proactive security policies and procedures, or policies that are inconsistent between IS and the divisions.
  Definition: The organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion. These risks are associated with the series of Information Technology (I/T) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.).


RISK COMPONENTS BY CATEGORY (the COMPONENTS axis of each category's matrix sheet)

INTEGRITY RISK COMPONENTS (domain: data, applications, reports)
- User Interface: whether there are adequate restrictions over which individuals in an organization are authorized to perform business/system functions based on their job need and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
- Processing: whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk area also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.
- Error Processing: whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis.
- Interface: whether there are adequate preventive or detective controls to ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
- Change Management: risks associated with inadequate change management processes, including user involvement and training as well as the process by which changes to any aspect of an application system are both communicated and implemented.
- Data: risks associated with inadequate data management controls, including both the security/integrity of processed data and the effective management of databases and data structures.

RELEVANCE RISK COMPONENTS
- The matrix sheet for this category uses the definition above (usability and timeliness of information created or summarized by an application system); no separate components are named on the worksheet.

ACCESS RISK COMPONENTS (domain: policies)
- Business Process: organizational decisions as to how to separate incompatible duties within an organization and how to provide the correct level of empowerment to perform a function.
- Application: the internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.
- Data & Data Management: the security policies and mechanisms that govern user access to specific data or databases within the environment.
- Processing Environment: securing the host computer system where application systems and related data are stored and processed. The access risk in this area is driven by the risk of inappropriate access to the processing environment and the programs or data stored in that environment.
- Network: securing the mechanism used to connect users with a processing environment. The access risk in this area is driven by the risk of inappropriate access to the network itself.
- Physical: policies and procedures related to the physical security of IS devices, protecting them from damage, theft and inappropriate access.

AVAILABILITY RISK COMPONENTS (domain: critical IS systems, applications and data)
- Performance monitoring: risks that can be avoided by monitoring performance and proactively addressing systems issues before a problem occurs.
- Short-term disruptions: risks associated with short-term disruptions to systems, where restore/recovery techniques can be used to minimize the extent of a disruption.
- Disasters and long-term disruptions: risks associated with disasters that cause longer-term disruptions in information processing, which focus on controls such as backup and contingency planning policies and procedures.

INFRASTRUCTURE RISK COMPONENTS
- Organization Planning (IS department mission and organization): that the definition of how I/T will impact the business is clearly defined and articulated. It is important to have adequate executive level support and buy-in to this direction and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
- Application system definition and deployment: processes that ensure that application systems meet both business and user needs. They encompass determining whether to buy an existing application system or to develop a custom solution, and they ensure that any changes to application systems (whether purchased or developed) follow a defined process so that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
- Logical security and security administration: processes that ensure the organization adequately addresses the Access risks by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization, and the organization's need to reduce its Empowerment and Fraud risks to acceptable levels.
- Computer and network operations: processes that ensure information systems and related network environments are operated in a secured and protected environment as intended by management, and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.
- Data & database management.
- Business data center recovery: processes designed to address the Availability risks by ensuring that adequate planning has been performed so that information technologies will be available to users when they need them.
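As an added example (not part of the worksheet), the scoring model that Worksheet 7b describes, implemented in Python. The ten factor descriptions, the altered weight set and the four auditable units are constructed for illustration; the worksheet leaves them for you to fill in. The total risk score is taken to be the weighted sum of the 1..3 factor scores, which is what weights summing to 1.00 imply, and the weight and score checks below are the ones the sheet relies on you to perform by eye.

```python
"""Weighted risk-factor scoring for an audit universe (Worksheet 7b).

Each auditable unit gets a score of 1 (low) .. 3 (high) for every risk
factor F1..F10; the total risk score is the weighted sum of those scores,
and the universe is then sorted on that total to prioritize audits.
"""

# Factor descriptions are blank on the worksheet (cells P2..P11);
# these ten are constructed for the example.
FACTORS = [
    "F1 Financial materiality", "F2 Transaction volume",
    "F3 System complexity", "F4 Change since last audit",
    "F5 Time since last audit", "F6 Regulatory exposure",
    "F7 Sensitivity of data", "F8 Prior audit findings",
    "F9 Management concern", "F10 Reliance on third parties",
]

# The template uses 0.1 for every factor; this altered set (cells C15..L15)
# is a constructed example that still sums to 1.00 (cell M15).
WEIGHTS = [0.15, 0.10, 0.10, 0.10, 0.05, 0.15, 0.10, 0.10, 0.05, 0.10]

# Constructed audit universe: (audit number, auditable unit, F1..F10 scores).
SAMPLE_UNIVERSE = [
    ("1001", "Payroll",                [3, 3, 2, 1, 2, 3, 3, 2, 2, 1]),
    ("1002", "Accounts Payable",       [2, 3, 2, 2, 1, 2, 2, 1, 2, 2]),
    ("1003", "Data Center Operations", [2, 1, 3, 3, 3, 2, 3, 3, 3, 3]),
    ("1004", "Fixed Assets",           [1, 1, 1, 1, 3, 1, 1, 1, 1, 1]),
]

LOW, HIGH = 1, 3  # the sheet's scoring scale


def validate_weights(weights, tol=1e-9):
    """Reject weight sets the sheet would flag: wrong count, negative, or a sum other than 1.00."""
    if len(weights) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} weights, got {len(weights)}")
    if any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative")
    total = sum(weights)
    if abs(total - 1.0) > tol:
        raise ValueError(f"weights sum to {total:.2f}, not 1.00")


def score_unit(scores, weights):
    """Total risk score for one auditable unit (the sheet's column M)."""
    if len(scores) != len(weights):
        raise ValueError("one score per factor is required")
    for s in scores:
        if type(s) is not int or not LOW <= s <= HIGH:
            raise ValueError(f"score {s!r} is outside {LOW}..{HIGH}")
    # Weighted sum; with weights summing to 1.00 the result lies in 1.00..3.00.
    return round(sum(w * s for w, s in zip(weights, scores)), 2)


def rank_universe(universe, weights):
    """Score every unit and return rows sorted highest risk first (the sheet's recommended sort)."""
    validate_weights(weights)
    rows = [(audit_no, unit, score_unit(scores, weights))
            for audit_no, unit, scores in universe]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def render(rows):
    """Plain-text version of the sorted AUDIT # / AUDIT UNIVERSE / TOTAL columns."""
    lines = [f"{'AUDIT #':<8}{'AUDIT UNIVERSE':<25}{'TOTAL':>6}"]
    lines += [f"{no:<8}{unit:<25}{total:>6.2f}" for no, unit, total in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(rank_universe(SAMPLE_UNIVERSE, WEIGHTS)))
```

Because the weights are normalized, a unit scoring 1 on every factor totals 1.00 and one scoring 3 everywhere totals 3.00, so totals from different years or divisions remain comparable as long as the same factor set and weights are used; changing the weights in step 3 changes every total, which is why the sheet shows the sum in Cell M15 as a sanity check.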
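As an added example (not part of the worksheet), the ranking and sorting procedure of Worksheet 3c in Python, using the Data Center threats and components listed on the sheet as input. The rank validation (each value 1..n used exactly once, at most 12 entries per axis) follows the sheet's instructions. The quadrant scoring, 3 for the upper-left quadrant after both sorts, 1 for the lower-right and 2 for the other two, is my reading of the legend "HIGHEST RISK = 3 in the left-most quadrant" and is not spelled out on the sheet; the HIGH RISK count is the figure the sheet places in Cell H10.

```python
"""Threat x component risk identification matrix (Worksheet 3c, wksht3c.xls).

Ranks follow the sheet's rule: the most significant item on an axis gets the
highest number (n for n items), the least significant gets 1, and every value
1..n is used exactly once.  Sorting both axes in descending rank order puts
the highest risks in the upper-left corner of the matrix.
"""

MAX_AXIS = 12  # the sheet allows at most 12 threats and 12 components

# Example axes copied from the Data Center sheet; the ranks are the values
# entered in the RANK row/column before sorting.
THREATS = [
    ("Unauthorized Employee", 1), ("Software Failure", 2),
    ("Data Back Up Failure", 3), ("Hardware Failure", 4), ("Fire", 5),
    ("Intruders", 6), ("Data Corruption", 7), ("Hackers", 8),
    ("Natural Disaster", 9), ("Power Outage", 10),
    ("Key Component Failure", 11),
]
COMPONENTS = [
    ("Policies and Procedure", 1), ("Hardware", 2), ("Software", 3),
    ("Physical Protection", 4), ("Logical Protection", 5), ("People", 6),
    ("Power", 7),
]


def validate_axis(axis, label):
    """Ranks must be a permutation of 1..n: no ties, no gaps, no more than 12 entries."""
    n = len(axis)
    if not 1 <= n <= MAX_AXIS:
        raise ValueError(f"{label}: need 1..{MAX_AXIS} entries, got {n}")
    ranks = sorted(rank for _, rank in axis)
    if ranks != list(range(1, n + 1)):
        raise ValueError(f"{label}: ranks must use each of 1..{n} once, got {ranks}")


def sort_axis(axis):
    """The sheet's 'Data Sort ... Sort Order Descending' on the rank row/column."""
    return sorted(axis, key=lambda item: item[1], reverse=True)


def cell_level(threat_rank, n_threats, comp_rank, n_components):
    """ASSUMPTION (my reading of 'HIGHEST RISK = 3 in the left-most quadrant'):
    an item is in the upper half of its axis when its rank is above the axis
    midpoint; 3 = both in the upper half (upper-left quadrant), 1 = both in
    the lower half (lower-right), 2 = the two remaining quadrants."""
    high_threat = threat_rank > n_threats / 2
    high_comp = comp_rank > n_components / 2
    return 1 + int(high_threat) + int(high_comp)


def build_matrix(threats, components):
    """Return (sorted threats, sorted components, grid[component row][threat column])."""
    validate_axis(threats, "threats")
    validate_axis(components, "components")
    t_sorted, c_sorted = sort_axis(threats), sort_axis(components)
    grid = [[cell_level(tr, len(threats), cr, len(components)) for _, tr in t_sorted]
            for _, cr in c_sorted]
    return t_sorted, c_sorted, grid


def high_risk_count(grid):
    """Number of cells to be marked HIGH RISK (the figure the sheet shows in Cell H10)."""
    return sum(cell == 3 for row in grid for cell in row)


def render(t_sorted, c_sorted, grid):
    """Plain-text matrix: components down the side, threats T1..Tn across the top."""
    width = max(len(name) for name, _ in c_sorted) + 2
    header = " " * width + "".join(f"T{i + 1:<3}" for i in range(len(t_sorted)))
    body = [f"{name:<{width}}" + "".join(f"{cell:<4}" for cell in row)
            for (name, _), row in zip(c_sorted, grid)]
    legend = [f"T{i + 1} = {name} (rank {rank})"
              for i, (name, rank) in enumerate(t_sorted)]
    return "\n".join([header, *body, "", *legend,
                      f"HIGH RISK cells: {high_risk_count(grid)}"])


if __name__ == "__main__":
    print(render(*build_matrix(THREATS, COMPONENTS)))
```

With the sheet's eleven threats and seven components, the upper half of each axis is ranks 6..11 and 4..7 respectively, so 24 cells fall in the HIGH RISK quadrant; the validation step matters because a duplicated or skipped rank makes the descending sort, and therefore the quadrant boundaries, meaningless.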