Rockland Professional Services, LLC © 2016 All Rights Reserved
IT Risk Assessments
Developing the IT Audit Plan
Table of Contents
Introduction
Methodology
1. Understand the Business
2. Identify the IT Universe
3. Conduct the Risk Assessment
4. Prepare the Report
Introduction
Rockland Professional Services, LLC ("Rockland Pros"​) is a consulting firm that assists clients who
face challenges with finance, business operations, and technology. Our core services include
Internal Audit, Business & IT Advisory, Cyber Security, Data Privacy, and Regulatory Compliance.
Rockland Pros performs IT risk assessments through the use of its standard methodology, which
aligns with standards and guidelines set forth by the Institute of Internal Auditors (IIA).
"To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls."
~ Revised Standards, Effective 1 January 2017
Methodology
Our IT risk assessment methodology enables the internal audit function to understand the
organization and the level of IT support received, define and understand the IT environment, identify
the role of risk assessment in determining the IT universe, and formalize the IT audit plan.
Our systematic process is based on several industry standards and frameworks (e.g., COSO,
COBIT, NIST, ISO, ITIL), and is divided into the four phases depicted below.
Understand the Business
• Understand the organization’s strategies and key business objectives.
• Understand how the organization structures its business operations.
• Understand how the organization structures the IT service support model.
• Obtain agreement on how the organization structures its business operations and IT service support model.

Identify the IT Universe
• Identify the applications used to support the critical business operations.
• Identify the infrastructure used to support the critical applications.
• Identify the current IT projects and initiatives.
• Obtain agreement on the scope of the IT Universe.

Conduct the Risk Assessment
• Assess the critical applications based on a standard set of risk factors.
• Assess the supporting infrastructure based on a standard set of risk factors.
• Assess the IT processes based on a standard set of risk factors.
• Assess the organization’s project management capabilities based on a standard set of risk factors.
• Obtain agreement on the results of the risk assessment (i.e., significance, likelihood).

Prepare the Report
• Summarize the critical data obtained throughout the IT risk assessment.
• Prepare a risk heat map.
• Draft an IT audit plan.
• Obtain agreement on the final report.
Understanding the Business
The first phase in conducting the IT risk assessment is to understand the business. This includes the strategies, objectives, and business models – which create unique business risks for each organization.

During this phase, Rockland Pros conducts interviews with key stakeholders within the business and IT functions in order to understand the overall structure of the company’s operations and its support models.

Rockland Pros works with management to identify the critical business processes and the IT processes implemented to support the organization’s strategies and objectives.
Figure source: Global Technology Audit Guide: Developing the IT Audit Plan. Figure adapted and revised from: IT Control Objectives for Sarbanes-Oxley, 2nd Ed., used by permission of the IT Governance Institute (ITGI). ©2006 ITGI.
Identify the IT Universe
The next phase of the IT audit risk assessment is to identify the IT universe. This includes the information systems employed to support the critical business processes, and the significant projects undertaken to achieve the strategies and objectives of the organization.

Rockland Pros identifies the applications, infrastructure and projects that make up the IT universe. Information gathering takes place through one or more of the following activities:
• Review Documentation
• Conduct Interviews
• Facilitate Workshops
• Submit Questionnaires

This inventory, which includes a mapping of the applications to the critical business processes, becomes the foundation for conducting the risk assessment.
Conduct the Risk Assessment
The third phase of the IT risk assessment is to conduct the risk assessment using a standardized approach designed to measure the level of risk associated with the IT universe based on impact and likelihood.

Rockland Pros assesses the critical applications, infrastructure, IT processes, and projects using a standard set of risk criteria.

Impact and likelihood are each rated on a high, medium and low scale. The ratings are averaged across the risk criteria, using the weights listed below, to calculate a weighted risk score and determine the inherent risk.
Applications and Infrastructure Risk Ranking Criteria
Criteria                           Risk Ranking Weight
System Changes                     20%
Availability / Stability           15%
Sensitivity                        20%
Complexity                         15%
Level of Customization             15%
Transaction Volume                 15%

IT Processes - Risk Ranking Criteria
Criteria                           Risk Ranking Weight
Reliability / Consistency          20%
Technology Leverage                20%
Results Management                 20%
Resource Skill Level               20%
Complexity / Coordination Level    20%

IT Projects - Risk Ranking Criteria
Criteria                           Risk Ranking Weight
Criticality                        20%
Project Management Experience      10%
Executive Ownership                10%
Process & Control Re-engineering   20%
Development Platform               20%
Project Budget                     20%

Business Risk Factor Ranking Criteria
Criteria                           Risk Ranking Weight
Strategic                          20%
Operational                        20%
Legal / Regulatory Compliance      20%
Financial Reporting                20%
Financial Exposure                 20%
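A worked version of the weighted scoring described in this phase, added here as an illustration and not code from the Rockland Pros deck. The criteria names and weights are the ones on the page; the numeric values for H/M/L (3/2/1), the thresholds for banding a score back to H/M/L, and the "likelihood/impact" heat-map cell label are assumptions made for the example.

```python
"""Weighted impact/likelihood scoring over the page's four criteria sets.

Assumed (not stated on the page): H/M/L map to 3/2/1, the weighted score is
the weight-weighted mean of those values, a score is banded back to H/M/L at
the thresholds in band(), and the heat-map cell is "likelihood/impact".
"""
from __future__ import annotations

from dataclasses import dataclass

# Criteria and weights as laid out on the page, one set per assessed item type.
CRITERIA: dict[str, dict[str, int]] = {
    "Applications and Infrastructure": {
        "System Changes": 20,
        "Availability / Stability": 15,
        "Sensitivity": 20,
        "Complexity": 15,
        "Level of Customization": 15,
        "Transaction Volume": 15,
    },
    "IT Processes": {
        "Reliability / Consistency": 20,
        "Technology Leverage": 20,
        "Results Management": 20,
        "Resource Skill Level": 20,
        "Complexity / Coordination Level": 20,
    },
    "IT Projects": {
        "Criticality": 20,
        "Project Management Experience": 10,
        "Executive Ownership": 10,
        "Process & Control Re-engineering": 20,
        "Development Platform": 20,
        "Project Budget": 20,
    },
    "Business Risk Factor": {
        "Strategic": 20,
        "Operational": 20,
        "Legal / Regulatory Compliance": 20,
        "Financial Reporting": 20,
        "Financial Exposure": 20,
    },
}

# Assumed numeric scale for the high / medium / low ratings.
SCALE = {"H": 3, "M": 2, "L": 1}


@dataclass(frozen=True)
class RiskScore:
    impact: float          # weighted mean of impact ratings, 1.0 .. 3.0
    likelihood: float      # weighted mean of likelihood ratings, 1.0 .. 3.0
    impact_band: str
    likelihood_band: str

    @property
    def heat_map_cell(self) -> str:
        """Label of the cell the item lands in on a likelihood x impact heat map."""
        return f"{self.likelihood_band}/{self.impact_band}"


def band(score: float) -> str:
    """Assumed thresholds for mapping a 1..3 score back to H/M/L."""
    if score >= 2.5:
        return "H"
    if score >= 1.5:
        return "M"
    return "L"


def weighted_mean(criteria_set: str, ratings: dict[str, str]) -> float:
    """Weight-weighted mean of the H/M/L ratings for one criteria set.

    Every criterion in the set must be rated exactly once; a partial or
    mis-keyed rating sheet is rejected rather than silently averaged.
    """
    weights = CRITERIA[criteria_set]
    missing = set(weights) - set(ratings)
    unknown = set(ratings) - set(weights)
    if missing or unknown:
        raise ValueError(
            f"{criteria_set}: missing={sorted(missing)} unknown={sorted(unknown)}"
        )
    total = sum(weights.values())  # 100 for every set on the page
    return sum(weights[c] * SCALE[ratings[c]] for c in weights) / total


def score_item(criteria_set: str, impact: dict[str, str],
               likelihood: dict[str, str]) -> RiskScore:
    """Score one application, infrastructure component, process or project."""
    i = weighted_mean(criteria_set, impact)
    lk = weighted_mean(criteria_set, likelihood)
    return RiskScore(i, lk, band(i), band(lk))


def check_weights() -> dict[str, int]:
    """Sanity check: each criteria set's weights should sum to 100%."""
    return {name: sum(w.values()) for name, w in CRITERIA.items()}


if __name__ == "__main__":
    # Constructed sample ratings for one application (not from the page).
    impact = {"System Changes": "H", "Availability / Stability": "H", "Sensitivity": "H",
              "Complexity": "M", "Level of Customization": "M", "Transaction Volume": "H"}
    likelihood = {"System Changes": "M", "Availability / Stability": "L", "Sensitivity": "M",
                  "Complexity": "M", "Level of Customization": "L", "Transaction Volume": "M"}
    s = score_item("Applications and Infrastructure", impact, likelihood)
    print(f"impact={s.impact:.2f} ({s.impact_band}) "
          f"likelihood={s.likelihood:.2f} ({s.likelihood_band}) cell={s.heat_map_cell}")
```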
Prepare the Report
At the completion of the IT risk assessment, Rockland Pros prepares a report containing the following:
• An overview of the risk assessment, including the approach and methodology.
• The IT universe – inventory of the applications, infrastructure, IT processes and projects.
• Risk heat maps that compare likelihood and impact of the IT universe.
• Interviewee list of personnel who participated in the risk assessment.
• The risk criteria used to conduct the assessment.
Contact Information
Brian T Campbell
Managing Partner
Office: 845.418.4829
Mobile: 917.623.5679
E-mail: brian.campbell@rocklandpros.com
  • 6. Rockland Professional Services, LLC © 2016 All Rights Reserved 6 IT Risk Assessments Identify the IT Universe The next phase of the IT audit risk assessment is to identify the IT universe. This includes the information systems employed to support the critical business processes, and the significant projects undertaken to achieve the strategies and objectives of the organization. Rockland Pros identifies the applications, infrastructure and projects that make up the IT universe. Information gathering takes place through one or more of the following activities: This inventory, which includes a mapping of the applications to the critical business processes, becomes the foundation for conducting the risk assessment. Review Documentation Conduct Interviews Facilitate Workshops Submit Questionnaires Identify the IT Universe Understand the Business Identify the IT Universe Conduct the Risk Assessment Prepare the Report
  • 7. Rockland Professional Services, LLC © 2016 All Rights Reserved 7 IT Risk Assessments Conduct the Risk Assessment Understand the Business Identify the IT Universe Conduct the Risk Assessment Prepare the Report The third phase of the IT risk assessment is to conduct the risk assessment using a standardized approach, designed to measure the level of risk associated with the IT universe based on impact and likelihood. Rockland Pros assesses the critical applications, infrastructure, IT processes, and projects using a standard set of risk criteria. Impact and likelihood is measured using a high, medium and low scale – averaged across each of the risk criteria in order to calculate a weighted risk score and determine the inherent risk. Criteria System Changes Availability / Stability Sensitivity Complexity Level of Customization Transaction Volume Criteria Reliability / Consistency Technology Leverage Results Management Resource Skill Level Complexity / Coordination Level Criteria Criticality Project Management Experience Executive Ownership Process & Control Re- engineering Development Platform Project Budget Criteria Strategic Operational Legal / Regulatory Compliance Financial Reporting Financial Exposure Business Risk Factor Ranking Criteria Applications and Infrastructure Risk Ranking Criteria IT Processes - Risk Ranking Criteria IT Projects - Risk Ranking Criteria Risk Ranking Weight 20% 15% 20% 15% 15% 15% Risk Ranking Weight 20% 20% 20% 20% 20% Risk Ranking Weight 20% 10% 10% 20% 20% 20% Risk Ranking Weight 20% 20% 20% 20% 20% Business Risk Factor Ranking Criteria Applications and Infrastructure Risk Ranking Criteria IT Processes - Risk Ranking Criteria IT Projects - Risk Ranking Criteria
  • 8. Rockland Professional Services, LLC © 2016 All Rights Reserved 8 IT Risk Assessments Prepare the Report Understand the Business Identify the IT Universe Conduct the Risk Assessment Prepare the Report At the completion of the IT risk assessment, Rockland Pros prepares a report containing the following: • An overview of the risk assessment, including the approach and methodology. • The IT universe – inventory of the applications, infrastructure, IT processes and projects. • Risk heat maps that compare likelihood and impact of the IT universe. • Interviewee list of personnel who participated in the risk assessment. • The risk criteria used to conduct the assessment.
  • 9. Rockland Professional Services, LLC © 2016 All Rights Reserved 9 Contact Information Brian T Campbell Managing Partner Office: 845.418.4829 Mobile: 917.623.5679 E-mail: brian.campbell@rocklandpros.com
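The weighted risk scoring described on slide 7 and the likelihood-versus-impact heat map on slide 8, carried through in working code as an added example (this is not Rockland Pros' own tooling). It uses the Applications and Infrastructure weights from slide 7 as printed; everything else is an assumption made here for illustration: the High/Medium/Low scale is valued 3/2/1, a weighted score is banded back to H/M/L by rounding to the nearest integer, inherent risk is taken as weighted impact multiplied by weighted likelihood, and the two applications and their ratings are constructed sample data.

```python
"""Weighted IT risk scoring and heat-map placement (added worked example).

Assumptions not stated in the deck: High/Medium/Low maps to 3/2/1, a weighted
score is banded back to H/M/L by rounding to the nearest integer, and inherent
risk is weighted impact x weighted likelihood. Sample ratings are constructed.
"""
from dataclasses import dataclass
from math import isclose

# Risk ranking weights for applications and infrastructure, as listed on slide 7.
APP_INFRA_WEIGHTS = {
    "System Changes": 0.20,
    "Availability / Stability": 0.15,
    "Sensitivity": 0.20,
    "Complexity": 0.15,
    "Level of Customization": 0.15,
    "Transaction Volume": 0.15,
}

SCALE = {"H": 3, "M": 2, "L": 1}  # assumed numeric values for the H/M/L scale


def weighted_score(ratings: dict[str, str], weights: dict[str, float]) -> float:
    """Weighted average of H/M/L ratings across the criteria (result lies in 1..3)."""
    if not isclose(sum(weights.values()), 1.0):
        raise ValueError("risk ranking weights must sum to 100%")
    missing = set(weights) - set(ratings)
    unknown = set(ratings) - set(weights)
    if missing or unknown:  # an unrated criterion would silently skew the score
        raise ValueError(f"criteria mismatch: missing={sorted(missing)}, unknown={sorted(unknown)}")
    return sum(SCALE[ratings[c].upper()] * w for c, w in weights.items())


def band(score: float) -> str:
    """Map a 1..3 weighted score back onto H/M/L (nearest integer; assumed convention)."""
    if score >= 2.5:
        return "H"
    if score >= 1.5:
        return "M"
    return "L"


@dataclass(frozen=True)
class AssetRisk:
    name: str
    impact: float
    likelihood: float

    @property
    def inherent_risk(self) -> float:
        return round(self.impact * self.likelihood, 2)

    @property
    def cell(self) -> tuple[str, str]:
        """(likelihood band, impact band): the heat-map cell the asset lands in."""
        return band(self.likelihood), band(self.impact)


def assess(name: str, impact: dict[str, str], likelihood: dict[str, str],
           weights: dict[str, float] = APP_INFRA_WEIGHTS) -> AssetRisk:
    """Rate one asset: one H/M/L per criterion for impact and for likelihood."""
    return AssetRisk(name, round(weighted_score(impact, weights), 2),
                     round(weighted_score(likelihood, weights), 2))


def heat_map(assets: list[AssetRisk]) -> dict[tuple[str, str], list[str]]:
    """3x3 grid keyed by (likelihood band, impact band), each cell listing asset names."""
    grid: dict[tuple[str, str], list[str]] = {(lk, im): [] for lk in "LMH" for im in "LMH"}
    for a in assets:
        grid[a.cell].append(a.name)
    return grid


# Constructed sample ratings for two applications (illustrative only).
PAYROLL_IMPACT = {"System Changes": "H", "Availability / Stability": "H", "Sensitivity": "H",
                  "Complexity": "M", "Level of Customization": "M", "Transaction Volume": "H"}
PAYROLL_LIKELIHOOD = {"System Changes": "M", "Availability / Stability": "L", "Sensitivity": "M",
                      "Complexity": "M", "Level of Customization": "H", "Transaction Volume": "M"}
WIKI_IMPACT = {"System Changes": "L", "Availability / Stability": "M", "Sensitivity": "L",
               "Complexity": "L", "Level of Customization": "L", "Transaction Volume": "L"}
WIKI_LIKELIHOOD = {"System Changes": "H", "Availability / Stability": "M", "Sensitivity": "L",
                   "Complexity": "L", "Level of Customization": "H", "Transaction Volume": "L"}


def sample_assessment() -> list[AssetRisk]:
    return [assess("Payroll (ERP)", PAYROLL_IMPACT, PAYROLL_LIKELIHOOD),
            assess("Intranet wiki", WIKI_IMPACT, WIKI_LIKELIHOOD)]


if __name__ == "__main__":
    # Highest inherent risk first: the natural ordering for the draft IT audit plan.
    ranked = sorted(sample_assessment(), key=lambda a: a.inherent_risk, reverse=True)
    for a in ranked:
        print(f"{a.name:14} impact={a.impact:.2f} likelihood={a.likelihood:.2f} "
              f"inherent={a.inherent_risk:.2f} cell={a.cell}")
    for cell, names in heat_map(ranked).items():
        if names:
            print(cell, names)
```

The two validation checks in weighted_score matter in practice: weights that no longer sum to 100% after someone edits a criterion, or an asset missing a rating, both produce a plausible-looking but wrong score, and the heat map inherits the error. Swapping in the IT Processes or IT Projects weight table from slide 7 is a matter of passing a different weights dictionary with matching criterion names.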