Risk can be reduced by applying measures such as access controls which
limit access to authorised users only.
8. Moderate risk vs moderate impact - In this case, management would be
more concerned with the moderate impact and its possible cost. Since the
risk is moderate, it should be investigated further and management should
put appropriate mitigation in place. An example would be loss of network
equipment due to lightning. The likelihood can be reduced by measures that
protect the equipment, such as surge protectors, and the impact can be
reduced by keeping spare equipment for emergencies.
9. Moderate risk vs high impact - High impact automatically means that action
should be taken to protect the asset. Moderate risk also means that there is a
real chance the event will take place. A secure email system might carry
moderate risk but high impact if its data is stolen or corrupted.
IT Risk Policy and Procedures
An enterprise should have a risk policy or framework so that it can implement an
effective risk regime. The policy is a guide on how the risk framework will be implemented
and managed in the enterprise. It is recommended that the policy be based on accepted
best practice or international standards such as ISO 31000, COBIT 5 for Risk, ISO
27005, and ISO 22301.
A policy is also a guide to the IS audit team, giving it a clear understanding of
management's intentions and risk appetite. The IS audit team can, in addition, apprise
itself of enterprise risk by reviewing the IT risk processes implemented in the enterprise.
The IS auditor should not only read the risk policy but also verify that the policy is
operational. Various mechanisms can indicate that the policy is operational, such as
risk organisational structures, reports and reporting systems, and monitoring systems
and procedures.
The format and contents of the risk strategy and policy will differ from one enterprise to
another but would generally contain the following details.
Risk strategy - The strategy will highlight how the board and management plan to manage
risk in the enterprise. This will be expressed as part of the overall enterprise strategy. Risk
strategy will also include risk governance.
Risk assessment - This is the identification of risks to enterprise assets and systems. Assets
here include human assets, the trained staff the enterprise relies on as productive assets.
Risk assessment can be carried out on a periodic basis or when new projects are being
implemented.