Possible impact is one attribute that should be included in the risk register. The impact
on the enterprise is critical and must be monitored regularly. It is also important to
identify risk owners, the people who are responsible for managing a particular risk.
A risk register is a useful tool for IS auditors because it provides the necessary information
on the risks the enterprise is facing and how the enterprise is responding to them.
Example of IT Risk Register
| Risk ID | Risk Category | Risk | Probability (1-5) | Impact (1-5) | Risk Rate (1-5) | Mitigation | Contingency | Action Time |
|---|---|---|---|---|---|---|---|---|
| 1A | Student Administration System | Loss of data | 4 | 5 | 5 | Backup data | Use backed up data | < 5 minutes |
| 2A | Payment Receipting System | Wrong account posting | 2 | 1 | 1 | Apply input control | Reverse transaction | < 48 hours |
| 3A | Transport Monitoring Software | Vehicle tracking failure | 2 | 5 | 2 | Use secondary server | Use backup system | < 2 hours |
| 4A | Examination Processing System | Unauthorised posting of results | 4 | 5 | 3 | Apply access controls | Reserve posting | < 24 hours |
| 5A | Email Server | Deleted emails | 2 | 5 | 4 | Backup emails | Use backed up data | < 1 hour |
Figure 6.3 IT Risk Register
IT Risk Management Plan
A risk management plan is a document that an enterprise develops in order to have an
effective risk management response. The plan supports the enterprise's risk governance and
strategy. It also outlines how the identified risks will be used to assess the impact
on the enterprise and the response from management.
The risk management plan is an important tool which should be available in hard copy or
soft copy to all users in the enterprise. The plan may be integrated with a risk register so
that links between risks and action plans can be clearly shown.
IT Risk Assessment Plan