assessment is performed, the next stage would be to conduct a business impact analysis.
The analysis is normally performed by the enterprise risk management team or an external
risk consultant. The IS auditor might also perform a new impact analysis if it will help in
further understanding the risk environment and impact on the enterprise.
Impact on the enterprise can be rated as high, medium, or low. High impact, of course,
has a devastating effect on the business. We earlier gave an example of an enterprise losing
market share as a result of not being able to provide customer services because of a
breakdown in IT systems. Medium impact might still have a disruptive effect on the enterprise.
Measures need to be taken to ensure that the impact is reduced. Low impact may be
acceptable to the enterprise, as the business is likely to continue operations with
minimal disruption.
It is important to take into consideration the cost of the impact. A high cost to the business
might mean that the enterprise has difficulty raising the funds needed to recover
operations if it did not put in place mitigation measures such as insurance.
Risks facing the enterprise can be rated as high, medium, or low depending on the type of
risk and asset involved. The output of a risk analysis would include information on risk
rating. Ratings would help analysts focus on high-risk assets and their impact. Risk
assessment and treatment are covered in more detail in chapter 6.
In order to assess business impact in detail, it is important that we also look at the
classification of assets and operations. Classifying assets helps determine which assets are
critical to the business. An enterprise makes use of various IT assets to provide the necessary
support to the business. Figure 9.1 below gives examples of assets which could be
critical to the enterprise, taking as an example a private university offering
distance-learning degree programs.
#   Asset Description                  Risk Rating   Criticality
1   Student Administration System      High          Critical
2   Payment Receiving Systems          High          Critical
3   Transport Monitoring Software      Medium        Non
4   Staff Catering Centre              Low           Non
5   Student Recreation Facilities      Low           Non
6   Examination Registration System    High          Critical
7   Student Counselling Centre         Low           Non
8   Internet Bandwidth                 High          Critical