Risk Assessment checklist ISMS

Columns: Category | Sub Category | Questions | Does this lead to a risk? (Yes / No / N/A) | Comments
Each question is answered in the "Does this lead to a risk? (Yes / No / N/A)" column, with supporting notes in the "Comments" column.

Contractual Risk
  MSA/SOW Commitment: Are there any gaps or counter-agreements in what is committed in the MSA/SOW? Are there any clauses that are difficult to meet?
  Penalty Clause: Are there any specific clauses and penalties that could trigger litigation?
  Contract renewal/SOW sign off: Is there any delay in getting the contract signed or renewed? Is any Process effort being spent where SOWs are not signed off?

Operational
  Scope and Assumptions: Are the following articulated and factored into the estimates, proposal and SoW/Contract? (1) "In scope" and "Out of scope" (2) Critical assumptions (3) Client-side commitments
  Estimation: Has the delivery team (PM/ML/Tech Lead) reviewed and signed off on the estimation and schedule? Is there any concern in meeting the defined effort and schedule estimates?
  Process Model: Is the process model suited to meet the Process requirements?
  Quality of Documentation: Is the quality of existing documentation (Requirements, Architecture/Design, Standards, SMTD etc.) good and exhaustive? Is there any impact on Process effort, schedule or quality because of this?
  Quality of Data: Is the quality of the current data well defined, and is the data not too complex for conversion?
  Review process: Is the review plan in place? Are the periodicity and method defined and adequate to ensure good quality? Is the response time for reviews agreed upon?
  Metrics: Have metrics been defined appropriately? Are the measurement tools, scorecards and governance tools defined and agreed upon? Are the objectives clearly defined and agreed upon?
  Configuration management: Is the configuration management plan defined? Is it adequate to maintain version control?
  Change Management: Is the change management plan adequate and signed off for any changes in Process requirements? Is there a process in place for negotiation and approval? Is there a deemed acceptance clause agreed upon? Are the CRs raised in line with the provisions made? Are there any CRs which are rejected or likely to be rejected? (Mention the effort spent and $ impact in your response.)
  Process Capability: Have norms (Process Capability) been identified for all main and sub-process metrics? Is the Process geared up to meet the committed levels of metrics? Do you see a challenge in meeting the metrics objectives (effort, schedule, defect rate, SLA etc.)? Is there likely to be an effort overrun or a delay in meeting the committed timelines?
  CSAT: When was the last CSAT obtained? What is the trend? Are there any indications that the customer is not satisfied?
  Reusable component: Is reusable component usage adequate to meet the demands of the Process?

Financial Risks
  OM: What are the key challenges you foresee in meeting your topline and OM targets?
  DSO: Do we see any issues in terms of DSO (Days Sales Outstanding)?
  Rate Card: Do we have a plan in place to address rate changes? Is the rate in line with the competency level of the team? As the team competency index increases over the period of the engagement, does the rate increase, or is rotation planned?
  Pricing: Are there pricing model challenges, in terms of making the model more flexible?
  Invoicing: Do we see any issues in invoicing: delays, accuracy, completeness?
  UnApproved Credit Receipt: Are there open CRs (not raised / not paid)? What is the effort spent or the $ impact of the open CRs?
  Recurring Cost: Are there any recurring costs that have not been factored in?
  Penalties: Are there any penalties or bonuses associated with the Process? Are they being tracked? Is there a likelihood of a penalty?

People Risks
  Skill Availability: Is the competency index in line with the Process requirements? Is employee productivity in line with the Process requirements from day 1? Will we get appropriately skilled resources in time?
  Bulge Mix: Is there any impact of operational parameters on the supply chain (bulge mix)?
  Background Verification: Do we need to change the BGV (Background Verification) process in the light of new expectations from the customer?
  Talent Building: Is the training infrastructure (duration, content etc.) for building talent adequate?
  Re-Skilling: Is (re)skilling aligned to Process and customer needs?
  Attrition: Do we foresee attrition?
  Cool off: Are we addressing contractual obligations such as cool-off periods?
  Team Motivation: Are the members adequately motivated for the Process? Is there a good interface with the customer, other contractors, and senior and/or peer managers?
  Re badging: Do you foresee rebadging risks?
  Distributed Development: Are the distributed development sites coordinated?
  Process Awareness: Are all staff members aware of the process that is to be followed?
  Roles & Relationships: Are the roles and reporting relationships clear?

Information Security
  Network Security: Are the physical, logical and network security controls as per the contractual requirements, and adequate to establish infosec controls? Are the security requirements more stringent than the current state of practice or the Process's experience?
  Data encryption: Is there clarity on data encryption responsibilities, and is the costing agreed upon?
  IP Protection: Can we assure IP (Intellectual Property) protection for our customers? Do we have controls in place for this?
  Confidentiality: Do you have enough controls in place to ensure confidentiality?
  IP Exposure: Do you see exposure or leakage of Wipro's IP?
  Publicity Clause: Do you have enough controls in place to ensure compliance with the publicity clause?
  Open Source Software: Is there OSS (Open Source Software) used in the accounts?
  Training and awareness: Has everyone in the team gone through infosec induction, customer-specific IS training, R 101 and quarterly training?
  Non-Disclosure Agreement: Has everyone in the team signed the Wipro / customer NDA and confidentiality agreements?

BCP
  BCP: Does the Process have an approved BCP? Are we geared up for scenarios like "Bangalore down" and "India down"?
  Critical Applications: Are there any gaps between customer expectations on critical applications and what is being practised?
  Disaster Recovery: Do you have recovery objectives stated in your BCP? Are the recovery objectives agreed upon and signed off by the customer?
  BCP testing: Have you tested the BCP to check that the recovery objectives are achievable?
  Data Back up: If the data backup is maintained offshore, has the recovery capacity in case of an outage been stated?
  Infrastructure for BCM: Do we have infrastructure that is scalable for BCP support?

Technology & Infrastructure
  Development & Test Environment: Is the necessary hardware for development and testing available? Are there any issues in the availability of (a) workstations (b) processing power (c) memory (d) storage capacity?
  Communication Link: Is there any risk related to upkeep of the link (maintenance, monitoring, reporting, ensuring QoS, bandwidth utilisation) and to providing the customer access to these reports?
  Third Party Software: Do we have access to the source code in case of default by the third-party software supplier?
  Installation Equipment: Are all necessary installation equipment and tools available to support the installation?
  Development Systems: Is the development system supportive and usable in all phases, activities and functions? Is the Process team familiar with the development systems?
  Built-in-Back up: Does the system suffer from software bugs, downtime or insufficient built-in backup?

Process Linkages / Dependencies
  Third Party Commitment: Is the third party committed to ensuring compatibility and support of its software for a period equal to Wipro's responsibility toward the client?
  Back to Back OLA: If sub-contracting and assignment to a third party is defined in the contract, do we have back-to-back OLAs for the Process commitments? Are the downstream SLAs linked with the upstream SLAs (vendor management, supply management, third-party contracts etc.)?
  Linkage Process: Are the Process dependencies on linked Processes known? Have processes been set up to study and handle the impact of delays?
  Vendor Support: Is timely expertise or vendor support available at all times?

Regulatory Risk
  Geo specific regulations: Do we understand the geo-specific regulations that apply to our business?
  Regulatory Demands: Do we see a gap in meeting regulatory demands?
  Visa regulations: Are we complying with visa regulations, and do we have adequate traction to understand new regulations in the geographies we operate in?

Cultural Risks
  Diverse Culture: Does the Process require us to interact with people from diverse cultures?
  Familiarity with Customer: Is the Process team familiar with the customer and other stakeholders?
  Inadequate representation: Do we have adequate representation in the Process to understand the customer's, vendor's and team's language? Has the Process made arrangements to understand the customs and habits of the customer, vendor and partner?
  Poor Communication: Are there any customer issues such as a lengthy document-approval cycle, poor communication, inadequate domain expertise etc.?
  Cultural Differences: Are we aligned to the cultural differences, and do we have controls in place to de-risk cultural gaps in the understanding of critical parameters? Are our onsite representative(s) trained on cultural diversity and equipped to handle it?

Acceptance Risk
  Acceptance plan and criteria: Is there an agreement on the acceptance criteria? Is the acceptance plan prepared and signed off? Is there any concern or challenge in meeting the acceptance criteria?
  Deemed Acceptance: Is there a deemed acceptance clause mentioned in the contract?
