tial in the office, they are not critical to the operation of the university compared to the
student administration and course-delivery system.
Once critical assets have been identified, it becomes possible to identify the risks related to
them. It does the enterprise no good to spend time trying to identify risks
for non-critical assets, because the enterprise can do without them for a while without major
impact on its operations.
The risks to the university distance-learning systems include loss of data through damage to
database systems, the web portal not being available because the system has been hacked,
theft of data through internal collusion, and system malfunctioning.
Identified risks can be categorized as high, moderate, or low risk. High-risk assets require
high-level attention, whilst low-risk assets will require minimal attention, if any,
depending on their impact level. Categorization of risk enables an enterprise to rate asset risks
and determine how much effort should be applied in treating risks.
So far, we have identified critical assets and high-risk assets. Figure 6.1 below
summarizes what we have achieved.
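| # | Asset                     | Cost | Criticality  | Risk Rating |
|---|---------------------------|------|--------------|-------------|
| 1 | ERP System                | High | Critical     | High        |
| 2 | Network Equipment         | High | Critical     | High        |
| 3 | Data and Information      | High | Critical     | High        |
| 4 | Office Application System | Low  | Non-Critical | Low         |
| 5 | Messaging System          | High | Critical     | High        |
| 6 | Fire Suppression System   | Low  | Critical     | Medium      |
| 7 | Scanning Software         | Low  | Non-Critical | Low         |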
Figure 6.1 List of Critical IT Assets
In the figure above, assets 1, 2, 3, 5, and 6 are critical to the operations of the enterprise
and have high replacement cost, apart from the fire suppression system, which might have
low to medium costs assuming the system is localised to the data centre. High-value assets
are normally high-risk assets.
In order to assess the riskiness of a particular asset, the IS auditor should also identify
threats to that asset. Some assets might have high risk but without possible threats. Where