Detailed risk analysis

Currently, CobiT does not include a risk analysis methodology.

Risks are determined from evaluating the threats (deliberate or accidental), the vulnerability, and the business consequence to the organisation in this regard. The primary role of risk analysis is to support the selection of controls:
to counter the unique set of security risks to the organisation's assets
to meet statutory and contractual requirements
to conform with the organisation's unique set of principles, objectives and requirements for information processing

Assessment of risk should take into account:
the nature of the business information and systems
the business purpose for which the information is used
the environment in which the system is used and operated
the protection provided by the controls in place.

1. Threats

CONFIDENTIALITY
Deliberate disclosure
Commercial espionage
Criminal infiltration
Eavesdropping
Interception of communication links
Internal circumvention of access privileges
Outsiders gain sight of printouts
Unauthorised access to confidential data

INTEGRITY
Computer fraud
Creation of fictitious input documents
Deliberate manipulation of input documents
Suppression of input documents
Deliberate manipulation of programs
Unauthorised data file modification
Deliberate manipulation of job streams
Deliberate tampering with hardware

Error (accidental)
Errors on completion of input documents
Incomplete input of transactions
Errors on data capture
Program error
Operator error
Hardware malfunction

AVAILABILITY
Restriction on access to premises
Fire
Flooding
Physical attack
Environmental equipment
Support services
Software malfunction
Software incompatibility
Hardware malfunction
Hardware incompatibility
Communication failure
Misuse of computing resources
Contamination of software
Loss of Assets
No Disaster Recovery Plan
Loss of processing ability
Loss of stores and non-movable assets
Theft of media
Loss of key staff
Industrial action

2. Vulnerability

Dependence on information technology
Networks present opportunities for access
Distributed processing as central control is reduced
Terminals and workstations
Printout disposal procedures
Temporary staff

3. Business Consequences

Business consequences of potential breaches in security can be categorised as either operational, financial loss or intangible consequences. Examples of these are listed below.

Embarrassment
Wages, Salaries and Pensions not paid leading to industrial action
Breach of confidentiality
Unavailability of services
Loss of processing facilities
Loss of supplier, employee, investor and customer confidence

Loss of Revenue
Delayed banking, invoicing, collecting leading to interest loss
Increased uncollectible debts
Subsidies not being claimed

Increased Cost of Business
Loss of data and the associated recovery time
Additional cost of processing back-logs
Legal costs
Penalties for failing to comply with statutory or contractual obligations
Additional public relations costs

Financial Misstatement
Property valuations
Inaccurate processing, data corruption or loss of system integrity
Inaccurate costing systems

Competitive disadvantage
Loss of business
Loss of customers

Legal Liability
Public liability

Loss of Public Trust
Grossly inaccurate processing
Major scandal

Regulatory, Statutory or Contractual Liability
Lack of provision of adequate services
Copyright legislation
Data Protection legislation
Public Accountability

4. Business Impact

Where required, this would be a measure of the financial losses arising from both tangible and intangible consequences suffered by an organisation.

Generally, a minimum or "Baseline" level of controls should be in place to provide an adequate and necessary degree of protection for the majority of situations. CobiT is often the basis for this minimum level of control.

In response to specific threats identified through a risk analysis exercise, additional countermeasures may be warranted at times. Further controls would be necessary where there are legal and contractual obligations, as well as when there is a need to maintain professional standards of good practice.
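As an added worked example (not from the page, and not a CobiT method, since the page notes CobiT includes no risk analysis methodology), the Python below turns the approach described above into a small risk register: each entry pairs a threat from section 1, a vulnerability from section 2 and a business consequence from section 3, is scored on an assumed three-point scale for threat, vulnerability and consequence, and is then mapped to the control tiers of section 4 (baseline controls; additional countermeasures where the scored risk exceeds an assumed threshold; further controls where a statutory or contractual obligation applies). The scale, the threshold, the asset names and every rating are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Three-point qualitative scale. This is an assumption of the example, not a
# CobiT scale (the page notes CobiT has no risk analysis methodology).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Risk above this product is treated as exceeding what baseline controls
# cover (assumed threshold; an organisation would set its own).
BASELINE_THRESHOLD = 8


@dataclass
class RiskEntry:
    asset: str
    security_property: str   # CONFIDENTIALITY / INTEGRITY / AVAILABILITY
    threat: str               # item from section 1 (Threats)
    vulnerability: str        # item from section 2 (Vulnerability)
    consequence: str          # item from section 3 (Business Consequences)
    threat_level: str
    vulnerability_level: str
    consequence_level: str
    statutory: bool = False   # a legal or contractual obligation applies

    def score(self) -> int:
        """Risk as the product of the three ratings (assumed scoring model)."""
        return (LEVELS[self.threat_level]
                * LEVELS[self.vulnerability_level]
                * LEVELS[self.consequence_level])


def decide_controls(entry: RiskEntry, threshold: int = BASELINE_THRESHOLD) -> str:
    """Map an entry to the control tier described in section 4."""
    if entry.statutory:
        # Legal and contractual obligations require controls regardless of score.
        return "further controls (statutory or contractual obligation)"
    if entry.score() > threshold:
        # A specific threat whose risk the baseline does not adequately cover.
        return "additional countermeasures"
    return "baseline controls"


def assess(register: list[RiskEntry], threshold: int = BASELINE_THRESHOLD):
    """Return (score, decision, entry) tuples, highest risk first."""
    rows = [(e.score(), decide_controls(e, threshold), e) for e in register]
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows


# Constructed sample register. Catalogue items are taken from the page's
# lists; the assets and ratings are illustrative assumptions.
SAMPLE_REGISTER = [
    RiskEntry("Payroll system", "INTEGRITY", "Computer fraud", "Temporary staff",
              "Wages, Salaries and Pensions not paid leading to industrial action",
              "high", "medium", "high"),
    RiskEntry("Customer database", "CONFIDENTIALITY",
              "Unauthorised access to confidential data",
              "Networks present opportunities for access",
              "Data Protection legislation",
              "medium", "high", "high", statutory=True),
    RiskEntry("Data centre", "AVAILABILITY", "Fire",
              "Dependence on information technology",
              "Loss of processing facilities", "low", "high", "high"),
    RiskEntry("Office printers", "CONFIDENTIALITY",
              "Outsiders gain sight of printouts",
              "Printout disposal procedures", "Embarrassment",
              "low", "medium", "low"),
]

if __name__ == "__main__":
    for score, decision, e in assess(SAMPLE_REGISTER):
        print(f"{score:>2}  {e.security_property:<15} {e.asset:<18} "
              f"{e.threat:<42} -> {decision}")
```

The product of three ratings is only one of several possible scoring models; what matters for the page's argument is the tiering that follows it: statutory and contractual obligations are checked before the score, so a low-scoring risk with a Data Protection obligation still receives controls, while the printout entry falls within the baseline.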