Asset identification - Assets are classified as critical or non-critical, and management may also rate the risk attached to each asset.
Risk treatment - Once risks have been identified and their impact assessed, an appropriate treatment can be recommended. The policy sets out the available ways of treating a risk (mitigating, transferring or avoiding it) and the conditions under which a risk may instead be accepted.
Risk register - The register is a list of the risks the enterprise faces, given the nature of its business, together with how each risk is to be mitigated. It records each risk with the information needed to manage it, such as its owner, rating and agreed treatment.
Risk monitoring - The policy also states how risks across the enterprise will be monitored, including the procedures and tools to be used. Monitoring includes regular IS audits by both internal and external auditors.
Risk plan - The policy also states that a risk plan is required and how it will be implemented. Many large enterprises have dedicated risk departments that develop and implement the plan.
The IS auditor will be required to review how the risk policy has been implemented, covering all or some of the areas the policy stipulates. The auditor interviews the board and senior management to determine how the policy is being implemented; other stakeholders to consult include departmental heads, suppliers and customers.
Enterprises implement risk procedures in order to establish controls in their business processes. Where those procedures are properly implemented, risk exposure is likely to be reduced.
For example, the IS auditor may be required to audit IT procedures such as the creation of user accounts. Such a procedure typically requires that a request for a new account is submitted by the user department for approval and then authorised by the line manager and, depending on the structure of the enterprise, the IT manager. The IT department creates the account only after the authorisation steps are complete. The auditor tests this control by checking that every account actually created is backed by a request whose approvals were all recorded before the account existed.
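As an added worked example (not part of the original text), the following Python script shows the kind of test an IS auditor might run over the account-creation procedure just described: it reconciles an account-creation log against the access requests and flags any account that was created without a request, without both required approvals, or before the final approval was recorded. The usernames, request identifiers, role names and record layout are constructed for the example and are assumptions, not data or code from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Roles whose sign-off the procedure requires before IT may create an account.
# Assumption for this example: both a line manager and an IT manager must approve.
REQUIRED_APPROVERS = frozenset({"line_manager", "it_manager"})


@dataclass
class AccessRequest:
    request_id: str
    username: str
    requesting_dept: str
    # role -> time the approval was recorded
    approvals: dict = field(default_factory=dict)


@dataclass
class AccountCreation:
    username: str
    created_at: datetime
    request_id: Optional[str]  # None when IT created the account without a ticket


def audit_account_creations(creations, requests):
    """Return one (username, reason) finding per control violation.

    An account passes only if it references a request raised for the same
    user, every required approver signed off, and all approvals predate the
    creation timestamp.
    """
    by_id = {r.request_id: r for r in requests}
    findings = []
    for acct in creations:
        if acct.request_id is None:
            findings.append((acct.username, "created without an access request"))
            continue
        req = by_id.get(acct.request_id)
        if req is None:
            findings.append((acct.username, f"references unknown request {acct.request_id}"))
            continue
        if req.username != acct.username:
            findings.append((acct.username, f"request {req.request_id} was raised for {req.username}"))
            continue
        missing = REQUIRED_APPROVERS - set(req.approvals)
        if missing:
            findings.append((acct.username, "missing approval from " + ", ".join(sorted(missing))))
            continue
        last_approval = max(req.approvals.values())
        if acct.created_at < last_approval:
            findings.append((acct.username,
                             f"created at {acct.created_at:%Y-%m-%d %H:%M} "
                             f"before final approval at {last_approval:%Y-%m-%d %H:%M}"))
    return findings


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records (not real audit evidence).
SAMPLE_REQUESTS = [
    AccessRequest("REQ-101", "amutale", "finance",
                  {"line_manager": _t("2024-03-04 09:12"), "it_manager": _t("2024-03-04 11:40")}),
    AccessRequest("REQ-102", "bphiri", "sales",
                  {"line_manager": _t("2024-03-05 08:30")}),  # IT manager never signed
    AccessRequest("REQ-103", "cmwansa", "hr",
                  {"line_manager": _t("2024-03-06 14:00"), "it_manager": _t("2024-03-06 16:45")}),
    AccessRequest("REQ-104", "dbanda", "ops",
                  {"line_manager": _t("2024-03-07 10:00"), "it_manager": _t("2024-03-07 10:05")}),
]

SAMPLE_CREATIONS = [
    AccountCreation("amutale", _t("2024-03-04 13:05"), "REQ-101"),    # compliant
    AccountCreation("bphiri", _t("2024-03-05 09:00"), "REQ-102"),     # incomplete authorisation
    AccountCreation("cmwansa", _t("2024-03-06 15:10"), "REQ-103"),    # created before IT manager approved
    AccountCreation("svcbackup", _t("2024-03-06 23:50"), None),       # no request at all
    AccountCreation("eadmin", _t("2024-03-07 10:30"), "REQ-104"),     # ticket belongs to a different user
]

if __name__ == "__main__":
    for user, reason in audit_account_creations(SAMPLE_CREATIONS, SAMPLE_REQUESTS):
        print(f"{user}: {reason}")
```

Run against the constructed records, the script clears amutale and raises four findings, one for each way the procedure can be bypassed: an approval missing, an account created before the last approval, an account with no request at all, and a request reused for a different user. In a real engagement the two inputs would be exported from the ticketing system and the directory service, and the time comparison matters because a ticket approved after the fact looks complete unless the timestamps are checked.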
IT Project Risk
Enterprises carry out a number of IT projects in any given period, and each project brings its own risks, which affect the overall risk profile of the enterprise. The failure of a project can disrupt the operations of the enterprise.
Projects are initiated to update part or all of a current system; in other cases they replace a system entirely. To implement projects successfully, enterprises need to ensure that proper plans are developed for them.
Private and public enterprises alike have suffered massive project failures because risks were poorly identified and treated. The overall risk policy of the enterprise should