International Labour Office

Information and Technology Management Department (INFOTEC)


RISK REGISTER
Last Update: December 2015

Each entry in the register gives: the description of the inherent risk; its root cause(s); the assessment prior to remedial action (Impact *, Likelihood **, Ascribed total); the remedial action taken or planned; and the assessment following remedial action (Impact *, Likelihood **, Ascribed total). Throughout the register the ascribed total is the product of the impact and likelihood scores. The impact (*) and likelihood (**) scales are defined at the end of the register.
Risk 1

Description of inherent risk: A malware infection results in the loss/corruption of data, stolen identities, loss of intellectual property or unavailability of critical ILO systems/services, or misuse of ILO information assets to attack third-party systems or to communicate inappropriate information.

Root cause(s):
1. There is a shortage of resources (staff and non-staff) and expertise to support the protective technologies.
2. Software/technology vulnerabilities are not addressed in a timely manner by the vendors, or are not identified by vendors before being identified by malicious parties.
3. The ILO or implementing partners are not able to test and implement critical patches in a timely manner.
4. Users access information systems from insufficiently protected devices.
5. ILO data is stored and processed on insufficiently protected information systems.
6. Information systems with critical ILO data are not segregated from unprotected information systems.
7. Lack of user awareness.
8. Inappropriate use of the Internet.
9. Use of excessive access privileges.
10. Lack of information security incident management.

Assessment prior to remedial action: Impact 5, Likelihood 5, Ascribed total 25

Remedial action:
1. Implementation of end-point anti-virus protection on all ILO equipment.
2. Patch management is implemented.
4. Periodic penetration testing of critical information systems.
5. Capturing of logs from servers and desktops with end-point anti-virus protection to carry out data analytics on infections by previously unknown malware.
6. Strengthening of the ILO password policy.
7. Capturing of logs from Internet proxy servers to identify the level of impact of malware infections.
8. Minimizing use of accounts with administrative privileges.

Assessment following remedial action: Impact 4, Likelihood 4, Ascribed total 16


Risk 2

Description of inherent risk: Inappropriate use of ILO IT systems results in financial fraud, misconduct, legal liability or loss of reputation.

Root cause(s):
1. Inadequate policies or lack of policy enforcement.
2. Lack of accountability.
3. Lack of management direction.
4. Lack of audit and monitoring.
5. Lack of risk awareness.
6. Lack of application and operational controls.

Assessment prior to remedial action: Impact 5, Likelihood 4, Ascribed total 20

Remedial action:
1. Policies governing the use of IT have been established.
2. Capturing of logs from servers and desktops with end-point anti-virus protection to prepare reports on inappropriate or malicious Internet access.
3. IAO, IOAC and the ILO's External Auditor regularly audit IT systems.
4. The ILO has established an information security awareness program.
5. Application controls are in place to monitor access and segregation of duties.

Assessment following remedial action: Impact 4, Likelihood 3, Ascribed total 12


Risk 3

Description of inherent risk: Inadequate information security risk perception results in deficient IT strategy, lack of resources for risk mitigation, inadequate risk acceptance, inadequate risk transfer, or excessive spending on implementing a risk treatment plan.

Root cause(s):
1. Insufficient staff and non-staff resources for information security risk management.
2. Lack of management direction.
3. Lack of measurement of key risk indicators.
4. Inadequate reporting of key risk indicators.
5. Lack of follow-up on information security recommendations.
6. Inadequate information security incident reporting and related follow-up.
7. Inadequate policy and related enforcement.

Assessment prior to remedial action: Impact 4, Likelihood 4, Ascribed total 16

Remedial action:
1. An electronic information security policy is defined.
2. The IT Security Officer provides six-monthly reports to the CIO and DDG/MR on information security incidents that are reported to the information security and assurance unit, or that are detected by monitoring systems.
3. Information security monitoring systems are collecting data from end-points, from network firewalls and from proxy servers, and statistical analysis is performed to measure related risk indicators.

Assessment following remedial action: Impact 4, Likelihood 3, Ascribed total 12


Risk 4

Description of inherent risk: A cyber-attack on critical ILO systems or related infrastructure, including telecommunication systems, results in severe disruption of ICT services or loss of vital organizational records for a prolonged period of time, or results in financial loss.

Root cause(s):
1. Insufficient protection of computer networks and telecommunication equipment, either by the ILO or by implementing partners.
2. Critical ILO data communicated over channels with insufficient or non-existent encryption.
3. Insufficient access control to information systems with critical ILO data.
4. ILO data and metadata not adequately classified and handled.
5. Lack of awareness of cyber-threats.
6. Lack of information security incident management.

Assessment prior to remedial action: Impact 5, Likelihood 5, Ascribed total 25

Remedial action:
1. DDoS protection implemented by the ILO and implementing partners.
2. Application-layer encryption and Virtual Private Networks implemented for communicating confidential ILO data and metadata.
4. Periodic security assessment and penetration testing of critical communication systems.
5. Capturing of logs from network firewalls to detect potential cyber-attacks.
6. Exchange of threat intelligence data with other UN system agencies.

Assessment following remedial action: Impact 5, Likelihood 3, Ascribed total 15


Risk 5

Description of inherent risk: The proliferation of decentralized IT solutions implemented and managed by user departments with short-term needs in mind results in solutions which are not compliant with the ILO's supported IT architecture, information security policies, standards and strategy, making them ineffective, costly and difficult to maintain/sustain.

Root cause(s):
1. Lack of effective IT governance to fully address decentralized IT.
2. Departments/Regions do not comply with existing IT policies and standards.
3. Heavy reliance on Excolls to deliver IT solutions which bypass existing PROCUREMENT and INFOTEC controls.
4. Lack of planning by Departments/Regions to ensure implemented IT solutions are funded so they can be sustained over the long term.
5. Departments want to maintain autonomy, flexibility and control over IT solutions rather than go through the ILO central IT function.

Assessment prior to remedial action: Impact 4, Likelihood 5, Ascribed total 20

Remedial action:
1. INFOTEC carried out an analysis of decentralized IT and provided recommendations to the ITGC and the external auditor. Decision pending.
2. IAO carried out an assessment. Report pending.
3. An RFP was issued to ensure work being carried out in Departments is awarded to financially and technically viable suppliers.
4. The INFOTEC Project Management function has implemented templates and methodologies to ensure any new IT initiatives are properly costed over a 5-year period, so that funding is available.

Assessment following remedial action: Impact 4, Likelihood 4, Ascribed total 16


Risk 6

Description of inherent risk: Existing ILO applications are rigid and therefore unable to fully leverage the available benefits from rapid advances in technology, making it difficult to ensure delivered IT solutions remain fit for purpose over time.

Root cause(s):
1. The rules and regulations of the Office are embedded in automated processes, resulting in heavily customized solutions which take an extensive amount of time to change.
2. INFOTEC is not staffed with the capacity/skills to support an unlimited number of new technologies.
3. The disruption and rate of adoption of new technologies by staff in a change-averse Organization is difficult to overcome without any formal organizational change management structure in place.
4. The ILO's planning and budgeting process does not take into account the capital funding required to implement and sustain large-scale technology change over multiple biennia. The process to secure funding is not aligned with the pace of technology change.
5. The cost to modernize and transform key technologies, applications and services is often prohibitive.
6. The ILO is not able to define and/or enforce policies and procedures to address information security risks related to the use of emerging technologies.

Assessment prior to remedial action: Impact 4, Likelihood 4, Ascribed total 16

Remedial action:
1. INFOTEC is working with external service providers to address gaps in the IT skills of ILO staff.
2. INFOTEC is decommissioning/re-writing applications based on older technologies which are no longer strategic.
3. An organizational change management function is under consideration.
4. INFOTEC is working with FINANCE to establish a mechanism to carry over funding across biennia and/or chargeback for services delivered.
5. The Office is carrying out an external review of administrative processes with the goal of simplifying and streamlining them.

Assessment following remedial action: Impact 4, Likelihood 4, Ascribed total 16


Risk 7

Description of inherent risk: The variety and complexity of consumer devices used to support mobile working results in unauthorized sharing of confidential ILO information and breach of privacy.

Root cause(s):
1. The size and portability of mobile devices makes them easy targets for theft.
2. Staff have the capability to download malicious applications which compromise the security of the device.
3. Staff accessing their mobile device can use unsecured WiFi connections.
4. Staff using smartphones may click on links with embedded malware.
5. Staff may not ensure the latest versions of software are running on their device, exposing the device to security breaches or leaks.
6. Staff share their ILO mobile devices with family members and other individuals.

Assessment prior to remedial action: Impact 5, Likelihood 5, Ascribed total 25

Remedial action:
1. INFOTEC has standardized on specific models of devices and versions of operating systems.
2. INFOTEC has implemented mobile policies which require a PIN and PUK on all mobile devices.
3. INFOTEC has implemented ActiveSync, which makes it possible to remotely wipe an ILO mobile device in the event it is lost or hacked.
4. An Information Security Awareness Program has been implemented to educate staff on the risks associated with mobile computing. An IGDS has been issued requiring this training for all users of mobile devices.
5. An IGDS has been issued instructing staff on the use of mobile devices.

Assessment following remedial action: Impact 3, Likelihood 3, Ascribed total 9

Risk 8

Description of inherent risk: Continuous reductions to INFOTEC's budget, along with aging staff with limited ability to acquire new skills to keep pace with technology, result in the inability of INFOTEC to effectively support critical IT operations and services.

Root cause(s):
1. Staff are unwilling to take on additional responsibilities other than those in their job description.
2. Budget cuts make it difficult to fund new posts targeted at bringing in new IT talent.
3. Staff supporting critical IT services take extended leave of absence for personal/health-related reasons.
4. IT staff do not have the ability to effectively learn and support new technologies within the Office.
5. Staff supporting critical IT operations and services are not performing at an acceptable level. HR policies in place make it difficult to effectively address underperformance.
6. Business processes are not able to evolve in line with industry best practice and/or similar processes in other UN agencies.

Assessment prior to remedial action: Impact 4, Likelihood 5, Ascribed total 20

Remedial action:
1. INFOTEC invests heavily in staff training and development.
2. The impact of budget cuts is clearly communicated.
3. A review to modernize IT-related job descriptions is planned for 2016.

Assessment following remedial action: Impact 4, Likelihood 4, Ascribed total 16


Risk 9

Description of inherent risk: Lack of effective planning to meet urgent ad hoc demands results in increased costs, conflicting priorities, resource constraints, delays in delivery and IT solutions of lower quality.

Root cause(s):
1. Increased oversight from external entities (e.g. DFIND, MOPAN, IATI, etc.) to ensure the ILO is delivering value for money.
2. Internal and external audit pressure to comply with IT best practices (e.g. ISO, ISAE, ITIL, COBIT, etc.).
3. Increased levels of cyber crime require additional systems and processes to be put in place to monitor and react quickly to threats.
4. Increased accountability and pressure to meet the needs of ILO governing organs (e.g. GB, IOAC, etc.).

Assessment prior to remedial action: Impact 4, Likelihood 4, Ascribed total 16

Remedial action:
1. The INFOTEC PGMS highlights project risks in the ITGC for mitigation.
2. The PGMS estimates the TCO to address ad hoc demand.

Assessment following remedial action: Impact 4, Likelihood 3, Ascribed total 12


Risk 10

Description of inherent risk: The inability to govern IT and ensure oversight of structure, standards, policies, procedures and priorities in a timely manner negatively impacts the planning and delivery of critical IT solutions.

Root cause(s):
1. ILO decision-makers are focused on their specific areas of responsibility rather than on the Office as a whole.
2. Implementation of policies and procedures takes an inordinate amount of time, resulting in a proliferation of non-compliant IT solutions.
3. Lack of cohesion with other Office-wide strategies results in decisions that are neither strategic nor sustainable.
4. Meeting frequency and follow-up on action items are not sufficient to meet the changing demand.
5. The effort required to overcome conflict or disagreement results in IT decisions and IT solutions which are not optimal or not compliant with information security policies.

Assessment prior to remedial action: Impact 3, Likelihood 4, Ascribed total 12

Remedial action:
1. An IT Governance Charter has been established to facilitate the work of the ITGC.
2. The ITGC has met on an ad hoc basis to address critical decisions requiring a timely response.
3. Various Office-wide strategies are being aligned in the upcoming P&B.

Assessment following remedial action: Impact 3, Likelihood 3, Ascribed total 9


Risk 11

Description of inherent risk: The structure, processes and systems supporting the governance and management of ILO content are fragmented and disorganized, leading to important information being redundant, unreliable, unavailable, unusable and in breach of information security policies, hindering the productivity of staff carrying out the substantive work of the Office.

Root cause(s):
1. A policy is not in place to classify critical data.
2. Data owners are not held accountable for data integrity.
3. Critical data is held in multiple systems and categorized in an inconsistent manner.
4. The processes and systems to capture and tag data do not exist.
5. No systematic review takes place to ensure data does not already exist and should be shared, as opposed to being redundant.

Assessment prior to remedial action: Impact 3, Likelihood 5, Ascribed total 15

Remedial action:
1. A "Classification of ILO Information Assets" policy is being published, clarifying the roles and responsibilities with respect to information classification.
2. The consolidation of functions and processes around the management of content is under review.
3. The ILO Gateway has been implemented to integrate policy, statistical and normative data within a structured taxonomy.

Assessment following remedial action: Impact 3, Likelihood 5, Ascribed total 15

* IMPACT assessment

1 - Negligible: Occurrence of the event would have some effect on continuity, but not on reputation, outcome or timing.
2 - Low: Occurrence of the event would possibly affect continuity, reputation, outcome or timing.
3 - Moderate: Occurrence of the event would affect continuity, reputation or outcome and could result in suspension.
4 - High: Occurrence of the event would seriously jeopardize continuity, reputation or outcome and result in suspension.
5 - Extreme: Occurrence of the event would severely affect continuity, reputation or outcome and result in extended suspension.

** LIKELIHOOD assessment

1 - Rare: Event is unlikely to occur regardless of whether remedial action is taken.
3 - Possible: Event could occur at some time, even if remedial action is taken.
4 - Likely: Event is expected to occur in certain circumstances.
5 - Almost Certain: Event is expected to occur in most circumstances.
