Risk Definition (continued)
• Inherent Risk
• Residual Risk
• Acceptable Risk
Risk Management Process
IT Objectives
CobiT’s Information Criteria can be used as a basis to define IT objectives
The 7 criteria are:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT Risk Assessment
2. Risk Identification
Scope of identification:
• People, Process & Technology
• Internal & External
• Hazard, Uncertainty & Opportunity
Information criteria considered: Effectiveness & Efficiency, Confidentiality, Integrity, Availability, Reliability
Examples of risks identified:
• System design (input, process & output)
• Hackers & unauthorised access
• Poor authority granting procedures
IT Risk Assessment
3. Assessment (Business Impacts & Likelihood)
Business Impacts
• Loss of valuable assets (system and data)
• Delay in decision making process
• Etc.
Likelihood
• Nature of the system (open & closed, new & outdated technology)
• Existing controls
Risk Assessment - Impacts
Assessing the Business Impacts – (e.g. Confidentiality)
0: Unauthorised disclosure causes almost insignificant damage.
1: Unauthorised disclosure causes minor damage.
2: Unauthorised disclosure causes significant but tolerable damage.
3: Unauthorised disclosure causes major damage.
4: Unauthorised disclosure could threaten business survival.
Risk Assessment - Likelihood
Assessing the Likelihood - (e.g. Confidentiality)
Scale 0 to 4, from Almost impossible through Unlikely to Likely.
Example – Overall Business Impacts
Example – Overall Likelihood
Combine Impacts & Likelihood
Business Impact, assessed per information criterion (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability), gives the Materiality / BIF.
Threats and Vulnerabilities (T&V), assessed per the same criteria.
The Risk Aversion Table combines the two into a risk rating per criterion (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability).
Inherent Risk
From assessment of Impacts & Likelihood
Table columns: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability (BIF), Materiality; Inherent Risk
Legend: E Exposure, C Concern, H Housekeeping, O OK
(Ratings per process are listed in extraction order; the column alignment of the slide was not preserved.)
Planning and organisation
PO Define a strategic IT plan: H C
PO Define the information architecture: H C C C
PO Determine the technological direction: H C
PO Define organisation and relationships: H C
PO Manage the investment: H C C
PO Communicate management aims and direction: H C
PO Manage human resources: H C
PO Ensure compliance with external requirements: H C C
PO Assess risk: H C E E H C C
PO Manage projects: H C
PO Manage quality: H C E C
Evaluate Controls
Delivery and support
DS Define service levels
DS Manage third-party services
DS Manage performance and capacity
DS Ensure continuous service
DS Ensure systems security
DS Identify and allocate costs
DS Educate and train users
DS Assist and advise customers
DS Manage the configuration
DS Manage problems and incidents
DS Manage data
DS Manage facilities
DS Manage operations
Monitoring
M Monitor the processes
M Assess internal control adequacy
M Obtain independent assurance
M Provide for independent audit
Residual Risks
Table columns: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability, Materiality; Control Evaluation; Control Risk
Legend: E Exposure, C Concern, H Housekeeping, O OK, + Overprotected
(Ratings per process are listed in extraction order; the column alignment of the slide was not preserved.)
Planning and organisation
PO Define a strategic IT plan: O H
PO Define the information architecture: + O H H
PO Determine the technological direction: + +
PO Define organisation and relationships: O H
PO Manage the investment: + + O
PO Communicate management aims and direction: + O
PO Manage human resources: O H
PO Ensure compliance with external requirements: + O H
PO Assess risk: O H C C O H C
PO Manage projects: O H
PO Manage quality: O H C C
Overview: Questionnaires → Risk Aversion Matrix → Materiality / Business Impact → Control Risk → Intermediate Matrix → Result

Risk Aversion Matrix (rows: T&V 0–4; columns: Materiality 0–4)
         0     1     2     3     4
  0      0     0     0     0     0
  1      0     0     1     2     3
  2      0   0.5   1.5     3     4
  3      0     1     2     4     4
  4      0     1     2     4     4

Business Impact (BIF) columns: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
Materiality: 4 4 4 1.5 1.5 1.5 1.5
Control Risk / Control Evaluation columns: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability; People, Facilities, Technology, Applications

Result per process (risk score, then ratings in extraction order)
Planning and organisation
PO 1 Define a strategic IT plan: 2; C H
PO 2 Define the information architecture: 1; E C C O
PO 3 Determine the technological direction: 2; C H
PO 4 Define organisation and relationships: 2; C H
PO 5 Manage the investment: 2; C C O
PO 6 Communicate management aims and direction: 1; E O
PO 7 Manage human resources: 1; E E
PO 8 Ensure compliance with external requirements: 1; E c O
PO 9 Assess risk: 1; C C E c c O O
PO 10 Manage projects: 1; E E
PO 11 Manage quality: 1; E E c O
Acquisition and implementation
AI 1 Identify automated solutions: 1
AI 2 Acquire and maintain application software: 1
AI 3 Acquire and maintain technology architecture: 1
AI 4 Develop and maintain procedures: 1
AI 5 Install and accredit systems: 1
AI 6 Managing changes: 2
Delivery and support
DS 1 Define service levels: 1
DS 2 Manage third-party services: 1
DS 3 Manage performance and capacity: 1
DS 4 Ensure continuous service: 2
DS 5 Ensure systems security: 2
DS 6 Identify and allocate costs: 1
DS 7 Educate and train users: 1
DS 8 Assist and advise customers: 1
DS 9 Manage the configuration: 1
DS 10 Manage problems and incidents: 1
DS 11 Manage data: 2
DS 12 Manage facilities: 2
DS 13 Manage operations: 1
Monitoring
M 1 Monitor the processes: 1; E C C O O O O
M 2 Assess internal control adequacy: 1; E E C O O O O
M 3 Obtain independent assurance: 1; E E C O O O O
M 4 Provide for independent audit: 1; E E C O O O O
Legend: E Exposure, H Housekeeping, C Concern, O OK, c concern +
(Process scores are plotted on a 0 to 4 axis in the slide's bar charts.)
Maturity Gap Analysis
(Chart; only the plotted process labels are recoverable: PO1, PO3, PO5, PO9, PO10, AI1, AI2, AI5, AI6, DS1, DS4, DS5, DS10, DS11, M1.)
Implementation Master Plan