
RISK FACTORS RISK MEASUREMENT PROCESS (Worksheet 7b, Wksht7b.xls)

YEAR:          PREPARED BY:          DATE:

INSTRUCTIONS:
1. Enter Year, Prepared By, and Date in the appropriate cells.
2. List the Risk Factors in use (F1..F10) by description in Cells P2..P11.
3. Alter the weights in Cells C15..L15 to suit your risk model. The weights should sum to 1.00 (shown in Cell M15).
4. Enter the auditable units of the audit universe in column B. The associated Audit Numbers may be assigned and entered in column A.
5. Evaluate each auditable unit (audit) by assigning a score (1 = low, 3 = high) for each risk factor used in the model. The total risk score will be shown in column M.
6. The spreadsheet data may be sorted (recommended) to prioritize the auditable units.

FACTORS AND WEIGHTS (default model, every factor weighted equally):
F1 0.1  F2 0.1  F3 0.1  F4 0.1  F5 0.1  F6 0.1  F7 0.1  F8 0.1  F9 0.1  F10 0.1  TOTAL 1.00

AUDIT UNIVERSE (blank template): columns AUDIT #, auditable unit, RISK FACTORS F1..F10, and the total risk score in column M (all scores 0 until entered).
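The weighted scoring of steps 3 to 6, as an added Python example that is not part of the worksheet; the factor weights, audit numbers, auditable units and scores are constructed sample data, and the two checks (weights total 1.00, scores in 1..3) are the ones the sheet leaves to the preparer.

```python
"""Weighted risk scoring for an audit universe, modelled on Worksheet 7b.

Added example, not part of the original worksheet. Factor weights, audit
numbers, auditable units and scores below are constructed sample data.
"""
from typing import Dict, List, Tuple

# Risk factors F1..F10; the worksheet leaves their descriptions to the user.
FACTORS = ["F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10"]

# Cells C15..L15: the sheet defaults to 0.1 each; this constructed model gives
# more weight to F1 and F2 and less to F7..F10. They must still sum to 1.00.
WEIGHTS = {"F1": 0.2, "F2": 0.2, "F3": 0.1, "F4": 0.1, "F5": 0.1,
           "F6": 0.1, "F7": 0.05, "F8": 0.05, "F9": 0.05, "F10": 0.05}

# Constructed audit universe: (audit number, auditable unit, scores for F1..F10).
AUDIT_UNIVERSE = [
    ("A-01", "Payroll application", [3, 2, 1, 2, 3, 1, 2, 2, 1, 1]),
    ("A-02", "Data center physical security", [2, 1, 3, 1, 2, 3, 1, 2, 2, 1]),
    ("A-03", "Firewall change management", [3, 3, 2, 3, 2, 2, 3, 1, 2, 3]),
    ("A-04", "Vendor access to ERP", [2, 3, 2, 2, 1, 3, 3, 3, 2, 2]),
]


def validate_weights(weights: Dict[str, float]) -> float:
    """Step 3: the weights must sum to 1.00 (cell M15); raise if they do not."""
    total = round(sum(weights[f] for f in FACTORS), 6)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total:.2f}, expected 1.00")
    return total


def risk_score(scores: List[int], weights: Dict[str, float]) -> float:
    """Step 5: weighted total (column M); every factor score must be 1, 2 or 3."""
    if len(scores) != len(FACTORS):
        raise ValueError("one score per factor F1..F10 is required")
    for factor, s in zip(FACTORS, scores):
        if s not in (1, 2, 3):
            raise ValueError(f"{factor}: score {s} is not in 1..3 (1=low, 3=high)")
    return round(sum(weights[f] * s for f, s in zip(FACTORS, scores)), 2)


def prioritize(universe, weights: Dict[str, float] = WEIGHTS) -> List[Tuple[str, str, float]]:
    """Step 6: the recommended sort, auditable units by total risk score, highest first."""
    validate_weights(weights)
    ranked = [(num, unit, risk_score(scores, weights)) for num, unit, scores in universe]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for num, unit, score in prioritize(AUDIT_UNIVERSE):
        print(f"{num}  {score:4.2f}  {unit}")
```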

SORTED RISK ASSESSMENT MATRIX Worksheet (wksht3c.xls)
Contributed 8/8/00 by Bonnie_Chan@deanfoods.com

DATA CENTER RISK IDENTIFICATION

AUDITOR:          DATE:          AUDIT:

COMPONENTS (rows, each with a RANK cell):
POLICIES AND PROCEDURE
HARDWARE
SOFTWARE
PHYSICAL PROTECTION
LOGICAL PROTECTION
PEOPLE
POWER

THREATS (columns T1..T12, each with a RANK cell; the threats listed on the sheet):
1. UNAUTHORIZED EMPLOYEE
2. SOFTWARE FAILURE
3. DATA BACKUP FAILURE
4. HARDWARE FAILURE
5. DATA CORRUPTION
6. FIRE
7. INTRUDERS
8. HACKERS
9. NATURAL DISASTER
10. POWER OUTAGE
11. KEY COMPONENT FAILURE

HIGHEST RISK = In the left-most quadrant (cells marked "x").

INSTRUCTIONS:
1. Enter Auditor, Date, Audit in the spaces provided.
2. Enter Components (up to a maximum of 12) in Cells B8..B20.
3. Assign Threats (up to a maximum of 12) to the Threat Axis (T1..T12 in Cells C5..N5). Threats can be documented by listing them in Cells B27..B38.
4. Rank the Threats by choosing the most significant (assigning it the highest number) and the least significant (assigning it "1"), and so forth with the next-most and next-least. If there are 9 Threats, the highest value = 9, etc. Place the rankings in the RANK row, Cells C6..N6.
5. Use the "Data Sort" command to rearrange Cells C5..N6 (2 rows), using Cell C6 as the Primary Key and Sort Order Descending.
6. Similarly, rank the Components using Cells A8..A20, with the most important component receiving the highest value (if 10 Components, the highest = 10, etc.).
7. Use the "Data Sort" command to rearrange Cells A8..B20 (2 columns), using Cell A8 as the Primary Key and Sort Order Descending.
8. The matrix should now be sorted to reflect the highest risks in the upper left corner and the lowest risks in the lower right corner (depending on matrix size). The matrix will register the number of cells to be marked HIGH RISK (Cell H10).
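The rank, sort and mark procedure of steps 4 to 8, as an added Python example that is not part of the worksheet; the component and threat ranks are constructed, and treating the upper-left quadrant (top half of the components by left half of the threats, rounded up) as the HIGH RISK cells is an assumption, since the sheet's own rule behind Cell H10 is not shown here.

```python
"""Sorted risk assessment matrix, modelled on the data center worksheet (wksht3c.xls).

Added example, not part of the original worksheet. Ranks are constructed sample
values; the HIGH RISK rule (upper-left quadrant) is an assumption.
"""
from typing import Dict, List, Tuple

# Components from the worksheet with constructed ranks (highest = most important).
COMPONENTS = {"Policies and procedure": 7, "Hardware": 4, "Software": 5,
              "Physical protection": 2, "Logical protection": 6,
              "People": 3, "Power": 1}

# Nine of the worksheet's threats with constructed ranks (highest = most significant).
THREATS = {"Unauthorized employee": 8, "Software failure": 5,
           "Data backup failure": 6, "Hardware failure": 4, "Data corruption": 7,
           "Fire": 2, "Intruders": 3, "Hackers": 9, "Natural disaster": 1}


def check_ranks(ranks: Dict[str, int]) -> None:
    """Steps 4 and 6: ranks must be exactly 1..N, with no ties and no gaps."""
    if sorted(ranks.values()) != list(range(1, len(ranks) + 1)):
        raise ValueError("ranks must be the integers 1..N, each used once")


def sort_axis(ranks: Dict[str, int]) -> List[str]:
    """Steps 5 and 7: the 'Data Sort' on the rank key, Sort Order Descending."""
    check_ranks(ranks)
    return sorted(ranks, key=lambda name: ranks[name], reverse=True)


def sorted_matrix(components: Dict[str, int],
                  threats: Dict[str, int]) -> Tuple[List[str], List[str], int, List[List[str]]]:
    """Step 8: rows and columns sorted so the highest risks sit in the upper-left corner.

    Returns (row order, column order, number of HIGH RISK cells, grid of 'x' marks).
    Assumption: HIGH RISK = top half of the components by left half of the threats,
    both rounded up, matching the sheet's 'left-most quadrant' note.
    """
    rows, cols = sort_axis(components), sort_axis(threats)
    n_rows, n_cols = (len(rows) + 1) // 2, (len(cols) + 1) // 2
    grid = [["x" if r < n_rows and c < n_cols else "" for c in range(len(cols))]
            for r in range(len(rows))]
    return rows, cols, n_rows * n_cols, grid


if __name__ == "__main__":
    rows, cols, count, grid = sorted_matrix(COMPONENTS, THREATS)
    print("HIGH RISK cells:", count)
    print(" " * 24 + " ".join(f"T{i + 1:<2}" for i in range(len(cols))))
    for name, marks in zip(rows, grid):
        print(f"{name:<24}" + " ".join(f"{m:<3}" for m in marks))
    for i, threat in enumerate(cols, 1):
        print(f"T{i}: {threat}")
```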

RISK MODEL: RISKS, SOURCES, EFFECTS AND DEFINITIONS

Integrity
Source / Cause: Data corruption, errors, omissions.
Effects: Data corruption.
Definition: This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used to support a business process. Integrity can be lost from programming errors, processing (maintenance) errors and management errors.

Relevance
Source / Cause: No effective communication.
Effects: Not getting "the right data/information" to the right person or process/system at the right time to allow the right action to be taken.
Definition: Relevance risk concerns the usability and timeliness of information that is either created or summarized by an application system. It is the risk associated with not getting "the right data/information to the right person/process/system at the right time to allow the right action to be taken."

Access
Source / Cause: Inappropriate security access set-up.
Effects: Confidentiality violation, data lost or data corruption, either by virus infection, worm, trojan attack programs etc.
Definition: Access risk focuses on the risk associated with inappropriate access to systems, data or information. It encompasses the risks of improper segregation of duties, risks associated with the integrity of data and databases, and risks associated with information confidentiality. It arises from inappropriate access to the processing environment and the programs or data that are stored in that environment, inappropriate access to the network itself, and physical devices left unprotected from damage, theft and inappropriate access.

Availability
Source / Cause: Natural disasters (fire, flood etc.) causing hardware and software failure; power outage; theft; lack of or weak monitoring of performance.
Effects: Short-term / long-term business disruptions to systems.

Infrastructure
Source / Cause: Lack of or weak organization planning.
Effects: Disorganized and dysfunctional IT decisions. Lack of proactive security policies and procedures, or inconsistent ones among IS and divisions.
Definition: The organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion. These risks are associated with the series of Information Technology (I/T) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.).

DOMAINS AND POLICIES

Integrity
User Interface: Proper segregation of duties. The adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
Processing: Balancing and reconciliation controls to ensure that data processing has been complete and timely.
Interface: To ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
Data: Adequate data management controls, including both the security/integrity of processed data and the effective management of databases and data structures.

Relevance
Data, Applications, Reports.

Access
Business Process: How to separate incompatible duties within an organization and how to provide the correct level of empowerment to perform a function.
Application: Define the internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.
Data & Data Management: Policies on security related to users' access to specific data or databases within the environment.
Processing Environment: Secure the host computer system where application systems and related data are stored and processed from.
Network: Secure the mechanism used to connect users with a processing environment.
Physical: Policies and procedures related to the physical security of physical IS devices.

Availability
Critical IS systems, applications and data: Risks that can be avoided by monitoring performance and proactively addressing systems issues before a problem occurs.
Backups and contingency planning: Policies and procedures where restore/recovery techniques can be used to minimize the extent of a disruption.

Infrastructure
IS department mission and organization: Define how I/T will impact the business and how I/T is articulated. It is important to have adequate executive-level support and buy-in to this direction and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
Application system definition and deployment: Ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
Logical security and security administration: Ensure that the organization adequately addresses the "Access risks" by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.
Computer and network operations: Ensure that information systems and related network environments are operated in a secured and protected environment as intended by management and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.
Business data center recovery: Policies designed to address the "Availability risks" by ensuring that adequate planning has been performed to ensure that information technologies will be available to users when they need them.

RISK MODEL: THREATS AND COMPONENTS (ranking worksheets)

Each risk area below is laid out as a worksheet with THREATS on one axis and COMPONENTS on the other, a Rank cell for each, and a Total risk cell (0 until ranks are entered).

INTEGRITY RISK
This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used to support a business process.
Components:
User Interface: whether there are adequate restrictions over which individuals in an organization are authorized to perform business/system functions based on their job need and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
Processing: whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk area also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.
Error Processing: whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis.
Interface: whether there are adequate preventive or detective controls to ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
Change Management: These risks are associated with inadequate change management processes, including user involvement and training as well as the process by which changes to any aspect of an application system are both communicated and implemented.
Data: These risks are associated with inadequate data management controls, including both the security/integrity of processed data and the effective management of databases and data structures. Integrity can be lost because of programming errors (e.g., good data is processed by incorrect programs), processing errors (e.g., transactions are incorrectly processed more than once against the same master file), or management/process errors (e.g., poor management of the systems maintenance process).

RELEVANCE RISK
Relevance risk concerns the usability and timeliness of information that is either created or summarized by an application system. It is the risk associated with not getting "the right data/information to the right person/process/system at the right time to allow the right action to be taken."

ACCESS RISK
Access risk focuses on the risk associated with inappropriate access to systems, data or information. It encompasses the risks of improper segregation of duties, risks associated with the integrity of data and databases, and risks associated with information confidentiality.
Components:
Business Process: The organizational decisions as to how to separate incompatible duties within an organization and to provide the correct level of empowerment to perform a function.
Application: The internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.
Data & Data Management: The mechanism to provide users with access to specific data or databases within the environment.
Processing Environment: Where application systems and related data are stored and processed from. The access risk in this area is driven by the risk of inappropriate access to the processing environment and the programs or data that are stored in that environment.
Network: The mechanism used to connect users with a processing environment. The access risk in this area is driven by the risk of inappropriate access to the network itself.
Physical: Protecting physical devices from damage, theft and inappropriate access.

AVAILABILITY RISK
Components:
Risks that can be avoided by monitoring performance and proactively addressing systems issues before a problem occurs.
Risks associated with short-term disruptions to systems, where restore/recovery techniques can be used to minimize the extent of a disruption.
Risks associated with disasters: those that cause longer-term disruptions in information processing and which focus on controls such as backups and contingency planning.

INFRASTRUCTURE RISKS
The organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion. These risks are associated with the series of Information Technology (I/T) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.).
Components:
Organization Planning: The processes in this area ensure that the definition of how I/T will impact the business is clearly defined and articulated. It is important to have adequate executive-level support and buy-in to this direction and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
Application system definition and deployment: The processes in this area ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
Logical security and security administration: The processes in this area ensure that the organization adequately addresses the Access risks by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.
Computer and network operation: The processes in this area ensure that information systems and related network environments are operated in a secured and protected environment as intended by management and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.
Data & database management
Business data center recovery: The processes in this area are designed to address the Availability risks by ensuring that adequate planning has been performed to ensure that information technologies will be available to users when they need them.