
RISK FACTORS RISK MEASUREMENT PROCESS (Worksheet 7b)

PREPARED BY:
DATE:
INSTRUCTIONS: 1. Enter Year, Prepared By, and Date in the appropriate Cells.
2. List the Risk Factors in use, F1..F10, by description in Cells P2..P11.
3. Alter the weights in Cells C15..L15 to suit your risk model.
The weights should sum to 1.00 (shown in Cell M15).
4. Enter the auditable units of the audit universe in column B.
The associated Audit Numbers may be assigned and entered in column A.
5. Evaluate each auditable unit (audit) by assigning a score (1 = low, = high) for each
risk factor used in the model. The total risk score will be shown in column M.
6. The spreadsheet data may be sorted (recommended) to prioritize the auditable units.
FACTORS: F1 F2 F3 F4 F5 F6 F7 F8 F9 F10
WEIGHTS: one weight per factor (Cells C15..L15); their sum is shown in Cell M15 and should be 1.00
AUDIT # | AUDIT UNIVERSE | YEAR: | RISK FACTORS F1..F10 | TOTAL
(wksht7b.xls)
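As an added worked example (not part of the worksheet), the scoring and prioritization of steps 3 to 6 in Python. It assumes a 1-to-5 score scale and that the TOTAL column is the weighted sum of the ten factor scores, neither of which the worksheet states, and the weights and audit units below are constructed sample data.

```python
# Assumptions (not stated by the worksheet): scores run 1 (low)..5 (high), and
# TOTAL = sum(weight * score) over the ten factors, with the weights summing to 1.00.
SCORE_MIN, SCORE_MAX = 1, 5
FACTORS = [f"F{i}" for i in range(1, 11)]


def check_weights(weights, tolerance=0.005):
    """Mirror the Cell M15 check: every factor weighted and the weights sum to 1.00."""
    missing = [f for f in FACTORS if f not in weights]
    if missing:
        raise ValueError(f"no weight for {missing}")
    total = sum(weights[f] for f in FACTORS)
    if abs(total - 1.0) > tolerance:
        raise ValueError(f"weights sum to {total:.2f}, not 1.00")
    return round(total, 2)


def weights_ok(weights):
    try:
        check_weights(weights)
        return True
    except ValueError:
        return False


def total_risk(scores, weights):
    """Column M: the weighted risk score of one auditable unit (scores: factor -> 1..5)."""
    total = 0.0
    for f in FACTORS:
        s = scores.get(f)
        if s is None or not SCORE_MIN <= s <= SCORE_MAX:
            raise ValueError(f"factor {f} needs a score in {SCORE_MIN}..{SCORE_MAX}")
        total += weights[f] * s
    return round(total, 2)


def prioritize(units, weights):
    """Step 6: sort the audit universe by total risk, highest first.
    units: list of (audit_number, name, scores) tuples, i.e. columns A, B and the factor cells."""
    check_weights(weights)
    ranked = [(num, name, total_risk(scores, weights)) for num, name, scores in units]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample data standing in for Cells C15..L15 and columns A and B.
SAMPLE_WEIGHTS = {"F1": 0.15, "F2": 0.15, "F3": 0.10, "F4": 0.10, "F5": 0.10,
                  "F6": 0.10, "F7": 0.10, "F8": 0.10, "F9": 0.05, "F10": 0.05}
SAMPLE_UNITS = [
    ("A-01", "Payroll application", dict(zip(FACTORS, [5, 4, 3, 5, 4, 3, 2, 4, 3, 2]))),
    ("A-02", "Data center operations", dict(zip(FACTORS, [4, 5, 5, 4, 5, 4, 3, 3, 4, 3]))),
    ("A-03", "Visitor badge system", dict(zip(FACTORS, [2, 1, 2, 1, 2, 2, 1, 1, 2, 1]))),
]

if __name__ == "__main__":
    for num, name, score in prioritize(SAMPLE_UNITS, SAMPLE_WEIGHTS):
        print(f"{num} {name:<24} {score:.2f}")
```

A weight set that does not sum to 1.00 is rejected before any unit is scored, which is the same gate the Cell M15 total gives a reviewer of the spreadsheet.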
SORTED RISK ASSESSMENT MATRIX Worksheet
AUDITOR: AUDIT: DATA CENTER RISK IDENTIFICATION
DATE:

Layout: THREATS across the top (RANK row), COMPONENTS down the left (RANK column).
Sample components on the form: HARDWARE, SOFTWARE, PEOPLE, POWER.
Legend: HIGHEST RISK = in the left-most quadrant.
INSTRUCTIONS: 1. Enter Auditor, Date, Audit in the spaces provided.
2. Enter Components (up to a maximum of 12) in Cells B8..B20.
3. Assign Threats (up to a maximum of 12) to the Threat Axis (T1..T12 in Cells C5..N5).
Threats can be documented by listing them in Cells B27..B38.
4. Rank the Threats by choosing the most significant (assigning it the highest number)
and the least significant (assigning it "1"), and so forth with next-most and next-least.
If there are 9 Threats, the highest value = 9, etc.
Place the rankings in the RANK row, Cells C6..N6.
5. Use the "Data Sort" command to rearrange Cells C5..N6 (2 rows),
using Cell C6 as the Primary Key and Sort Order Descending.
6. Similarly, rank the Components using Cells A8..A20, with the most important component
receiving the highest value (if 10 Components, the highest = 10, etc.).
7. Use the "Data Sort" command to rearrange Cells A8..B20 (2 columns),
using Cell A8 as the Primary Key and Sort Order Descending.
8. The matrix should now be sorted to reflect the highest risks in the upper left corner
and the lowest risks in the lower right corner (depending on matrix size).
The matrix will register the number of cells to be marked HIGH RISK (Cell H10).
# THREAT: T1 T2 T3 T4 T5 T6 T7 T8 T9 T10 T11 T12
Threats documented on the form: UNAUTHORIZED EMPLOYEE, SOFTWARE FAILURE, DATA BACKUP FAILURE, HARDWARE FAILURE, POLICIES AND PROCEDURE, PHYSICAL PROTECTION, LOGICAL PROTECTION, FIRE, INTRUDERS, HACKERS.
AUDIT: DATA CENTER RISK IDENTIFICATION
(wkshtc.xls)
Further threats documented on the form: DATA CORRUPTION, NATURAL DISASTER, POWER OUTAGE, KEY COMPONENT FAILURE.
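As an added example (not the worksheet's own logic), the ranking, sorting and HIGH RISK count of steps 4 to 8 in Python. It assumes that a matrix cell scores the product of its threat rank and component rank and that the left-most quadrant is the upper-left quarter of the sorted matrix, neither of which the form defines; the components are the form's sample components, the threats come from its threat list, and the ranks are constructed.

```python
# Assumptions (the worksheet does not state them): a cell scores threat rank x component
# rank, and the "left-most quadrant" is the upper-left quarter of the sorted matrix
# (row and column counts rounded up).

def ranking_ok(labelled):
    """Steps 4 and 6: ranks must be exactly 1..N (1 = least significant, N = most)."""
    return sorted(r for _, r in labelled) == list(range(1, len(labelled) + 1))


def sort_axis(labelled):
    """Steps 5 and 7: Data Sort, descending on rank (Cell C6 / Cell A8 as primary key)."""
    if not ranking_ok(labelled):
        raise ValueError(f"ranks must be a permutation of 1..{len(labelled)}")
    return sorted(labelled, key=lambda lr: lr[1], reverse=True)


def build_matrix(threats, components, max_axis=12):
    """Return (sorted threats, sorted components, score rows, HIGH RISK cell set)."""
    if len(threats) > max_axis or len(components) > max_axis:
        raise ValueError(f"at most {max_axis} threats and {max_axis} components")
    t_sorted = sort_axis(threats)
    c_sorted = sort_axis(components)
    rows = [[cr * tr for _, tr in t_sorted] for _, cr in c_sorted]
    q_rows = (len(c_sorted) + 1) // 2
    q_cols = (len(t_sorted) + 1) // 2
    high = {(i, j) for i in range(q_rows) for j in range(q_cols)}
    return t_sorted, c_sorted, rows, high


def high_risk_count(threats, components):
    """Cell H10: the number of cells to be marked HIGH RISK."""
    return len(build_matrix(threats, components)[3])


def render(threats, components):
    """Text form of the sorted matrix; '*' marks a HIGH RISK cell."""
    t_sorted, c_sorted, rows, high = build_matrix(threats, components)
    lines = ["RANK COMPONENT    " + " ".join(f"{t[:8]:>8}" for t, _ in t_sorted)]
    for i, (name, rank) in enumerate(c_sorted):
        cells = [f"{rows[i][j]:>7}{'*' if (i, j) in high else ' '}" for j in range(len(t_sorted))]
        lines.append(f"{rank:>4} {name:<12} " + " ".join(cells))
    return "\n".join(lines)


# Constructed sample: the form's components and some of its listed threats, ranks invented.
SAMPLE_COMPONENTS = [("HARDWARE", 3), ("SOFTWARE", 4), ("PEOPLE", 2), ("POWER", 1)]
SAMPLE_THREATS = [("HACKERS", 6), ("FIRE", 2), ("POWER OUTAGE", 3),
                  ("HARDWARE FAILURE", 4), ("UNAUTHORIZED EMPLOYEE", 5), ("SOFTWARE FAILURE", 1)]

if __name__ == "__main__":
    print(render(SAMPLE_THREATS, SAMPLE_COMPONENTS))
    print("HIGH RISK cells (Cell H10):", high_risk_count(SAMPLE_THREATS, SAMPLE_COMPONENTS))
```

A duplicated or skipped rank on either axis is rejected before sorting, which catches the most common data-entry slip on this kind of form.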

RISKS | SOURCE & CAUSE | EFFECTS | DEFINITION

Integrity
Source & cause: Integrity can be lost from programming errors, processing (maintenance) errors, and management errors.
Effects: Data corruption, errors, omissions.
Definition: This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used to support a business process.

Relevance
Source & cause: No effective communication.
Effects: Not getting "the right data/information to the right:
- person
- process/system
at the right time to allow the right action to be taken".
Definition: the usability and timeliness of information that is either created or summarized by an application system. It is the risk associated with not getting "the right data/information to the right person/process/system at the right time to allow the right action to be taken."

Access
Source & cause: Inappropriate security access set-up.
Effects: Confidentiality violation, data lost or data corruption, either by virus infection, worm, trojan attack programs etc.
Definition: Access risk focuses on the risk associated with inappropriate access to systems, data or information. It encompasses the risks of improper segregation of duties, risks associated with the integrity of data and databases, and risks associated with information confidentiality.
Access, further sources & causes:
- Inappropriate access to the processing environment and the programs or data that are stored in that environment.
- Inappropriate access to the network itself.
- Physical devices unprotected from damage, theft and inappropriate access.

Availability
Source & cause:
- Natural disasters (fire, flood etc) causing hardware and software failure.
- Power outage.
- Theft.
- Lack of, or weak, performance monitoring.
Effects: Short term / long term business disruptions to the system.

Infrastructure
Source & cause: Lack of, or weak, organization planning; disorganized and dysfunctional IT decisions; lack of proactive security policies and procedures, or inconsistent ones among IS and the divisions.
Definition: the organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion. These risks are associated with the series of Information Technology (I/T) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.).
DOMAIN | POLICIES

Integrity
- User Interface: Proper segregation of duties. The adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
- Processing: Balancing and reconciliation controls to ensure that data processing has been complete and timely.
- Interface: To ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
- Data (data, applications, reports): Adequate data management controls, including both the security/integrity of processed data and the effective management of databases and data structures.

Access
- Business Process: How to separate incompatible duties within an organization and how to provide the correct level of empowerment to perform a function.
- Application: Define the internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.
- Data & Data Management: Policies on security related to users' access to specific data or databases within the environment.
- Processing Environment: Secure the host computer system where application systems and related data are stored and processed from.
- Network: Secure the mechanism used to connect users with a processing environment.
- Physical: Policies and procedures related to physical security of physical IS devices.

Availability
- Critical IS systems, applications and data: Risks that can be avoided by monitoring performance proactively and by addressing systems issues before a problem occurs. Backups and contingency planning policies and procedures, where restore/recovery techniques can be used to minimize the extent of a disruption.

Infrastructure
- IS department mission and organization: Define how I/T will impact the business and how I/T is articulated. It is important to have adequate executive level support and buy-in to this direction, and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
- Application system definition and deployment: Ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
- Logical security and security administration: Ensure that the organization adequately addresses the "Access risks" by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.
- Computer and network operations: Ensure that information systems and related network environments are operated in a secured and protected environment as intended by management, and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.
- Business data center recovery: Policies designed to address the "Availability risks" by ensuring that adequate planning has been performed to ensure that information technologies will be available to users when they need them.
THREATS: INTEGRITY RISK | RELEVANCE RISK | ACCESS RISK | AVAILABILITY RISK | INFRASTRUCTURE RISKS
COMPONENTS (Rank): APPLICATION, NETWORK
APPLICATION SYSTEM: INTEGRITY RISK worksheet
THREATS: User Interface | Processing | Error Processing | Interface | Change Management | Data
COMPONENTS (Rank) | Total Integrity Risk

User Interface: whether there are adequate restrictions over which individuals in an organization are authorized to perform business/system functions, based on their job need and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
Processing: whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk area also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.
Error Processing: whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis.
Interface: whether there are adequate preventive or detective controls to ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
Change Management: These risks are associated with inadequate change management processes, which include user involvement and training as well as the process by which changes to any aspect of an application system are both communicated and implemented.
Data: These risks are associated with inadequate data management controls, including both the security/integrity of processed data and the effective management of databases and data structures. Integrity can be lost because of programming errors (e.g., good data is processed by incorrect programs), processing errors (e.g., transactions are incorrectly processed more than once against the same master file), or management/process errors (e.g., poor management of the systems maintenance process).
RELEVANCE RISK worksheet
THREATS | COMPONENTS (Rank) | Total Relevance Risk
Definition: as given for Relevance above (the usability and timeliness of information created or summarized by an application system).
ACCESS RISK worksheet
THREATS: Application | Network | Physical | Business Process | Data & Data Management | Processing Environment
COMPONENTS (Rank) | Total Access Risk

Business Process: The organizational decisions as to how to separate incompatible duties within an organization and to provide the correct level of empowerment to perform a function.
Application: The internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.
Data & Data Management: The mechanism to provide users with access to specific data or databases within the environment.
Processing Environment: where application systems and related data are stored and processed from. The access risk in this area is driven by the risk of inappropriate access to the processing environment and the programs or data that are stored in that environment.
Network: The access risk in this area is driven by the risk of inappropriate access to the network itself.
Physical: Protecting physical devices from damage, theft and inappropriate access.
AVAILABILITY RISK worksheet
THREATS | COMPONENTS (Rank) | Total Availability Risk

Risks that can be avoided by monitoring performance and proactively addressing systems issues before a problem occurs.
Risks associated with short term disruptions to the system, where restore/recovery techniques can be used to minimize the extent of a disruption.
Risk associated with disasters: those that cause longer-term disruptions in information processing and which focus on controls such as backups and contingency planning.
INFRASTRUCTURE RISK worksheet
THREATS: Organization Planning | Application system definition and deployment | Logical security and security administration | Computer and network operation | Data & database management | Business data center recovery
COMPONENTS (Rank) | Total Infrastructure Risk

Organization Planning: that the definition of how I/T will impact the business is clearly defined and articulated. It is important to have adequate executive level support and buy-in to this direction, and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
Application system definition and deployment: the processes in this area ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
Logical security and security administration: The processes in this area ensure that the organization adequately addresses the Access risks by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.
Computer and network operation: The processes in this area ensure that information systems and related network environments are operated in a secured and protected environment as intended by management, and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.
Data & database management.
Business data center recovery: The processes in this area are designed to address the Availability risks by ensuring that adequate planning has been performed to ensure that information technologies will be available to users when they need them.
