ITA IT Risk Assessment Matrix
Advisory
Date
© 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A.
This document has not been risk reviewed. The information contained in this document is presented for example purposes only. This document is provided as a reference for layout, structure and format, and should be tailored to the specific client situation, client needs and engagement objectives. Professional judgment, based on individual circumstances, must be used when considering the use of this template.
ABCD For Internal Use Only
Impact
The following impact table has been developed to assist in prioritizing identified risks (i.e., at the departmental or functional level for IT).
Consequence Factors (rows) / Consequence Category (columns) | Limited | Moderate | Severe | Critical

Funding/Financial | Low financial loss (<5% of department budget). | Medium financial loss (5% to 15% of department budget). | High financial loss (15% to 25% of department budget). | Major financial loss (>25% of department budget).

Reputation | Little visibility to customers, suppliers or public. | Some impact on communication with business partners. | Not able to communicate for an extended period with business partners. Cannot issue | Not able to communicate and public awareness of through media or

Legal | Complaints, with no financial impact. | Single contract dispute (low value). | Single contract dispute (high value), multiple contract disputes. | Events resulting in class actions against.

Customer Service | Complaints with no delivery impact. | Small customer or small branch affected. | Large branch, multiple branches or large customer affected. | Not able to service any customers.

Personnel expense | An event, the impact of which can be absorbed through normal activity. | An event where the consequences can be absorbed but will require overtime, and information may not be current. | An event that requires significant additional manpower and expense to recover. Possibility of some data loss. | An event where data is lost and additional manpower and expense is required for a protracted period.
Likelihood
Likelihood is assessed as how likely it is that the business will be exposed to a specific risk, considering factors such as:
1 - Anticipated frequency
2 - The external environment
3 - The procedures, tools, skills currently in place
4 - Staff commitment, morale, attitude
5 - History of previous events
Likelihood scale:
51-75%  Probable
26-50%  Moderate
0-25%   Unlikely
Entity worksheets

AS400
Business Continuity
Hyperion Security
JDE Security
JDE/GPS Interface
    Financial Risks
    Integrity Risks
    Operational Risks
JDE/OMS Interface
    Financial Risks
    Integrity Risks
    Operational Risks
JDE/PeopleSoft Interface
    Financial Risks
    Integrity Risks
    Operational Risks
JDE/VPRM Interface
    Financial Risks
    Integrity Risks
    Operational Risks
NA Firewall
PeopleSoft Security
Software Licenses
Unix Security
Virus Software
IT Governance
Data Retention
Entity Score

Global Project System (GPS)  10.8
In-House Software Development  10.7
Business Continuity  10.2
PeopleSoft Security  8.7
IT Governance  7.9
Privacy & Confidentiality of Data  7.8
Hyperion Security  7.7
JDE Security  7.2
VPRM Security (VPRM by AVEVA is an integrated resource management software suite)  6.7
NA Firewall  3.4
AS400  3.8
JDE/GPS Interface  0
JDE/OMS Interface  0  Removed from auditable entity - Incorporated into GPS Review
JDE/PeopleSoft Interface  0  Removed from auditable entity - Incorporated into OMS Review
JDE/VPRM Interface  0  Removed from auditable entity - Incorporated into PeopleSoft Review

Proposed 2008 Audits and Estimated Weeks | When to Audit:
Penetration Test  4  Proposed Jan-June
Cross System SOD  4  Proposed July-Dec
GPS  4
Privacy / Location of Data  4
BIA / Business Continuity  3
IT SOX & Remediation  4
TOTAL  23

Weeks
28
7
43

Liliana DeLeon: Do you have a source year for this information (in these tables)? If they are just examples, we can add a text box that says "For Example Purposes Only".
Risk scoring matrix

Each entity has three rating rows (the worksheet outline above labels these Financial Risks, Integrity Risks and Operational Risks), rated 0, 1, 3 or 5 across four criteria columns (no column headings are given), followed by a weighted row and the entity score. The weighted row is the column sum of the three rating rows multiplied by 0.25, 0.25, 0.3 and 0.2 respectively; the entity score is the sum of the weighted row (maximum 15).

Entity | Row 1 | Row 2 | Row 3 | Weighted | Score
AS400 | 3 1 0 0 | 3 1 0 0 | 5 1 1 0 | 2.75 0.75 0.3 0 | 3.8
Business Continuity | 3 3 3 5 | 3 3 3 5 | 3 3 3 5 | 2.25 2.25 2.7 3 | 10.2
Cell Phone Mgmt & Usage | 1 1 0 5 | 0 0 0 5 | 1 1 0 5 | 0.5 0.5 0 3 | 4
Desktop & Technical Support | 1 1 0 0 | 3 3 0 0 | 3 3 0 0 | 1.75 1.75 0 0 | 3.5
Engineering (CAD) Systems - UNIX | 3 1 2 0 | 1 1 2 0 | 5 1 2 0 | 2.25 0.75 1.8 0 | 4.8
Enterprise Voice Network | 1 1 0 5 | 0 0 0 5 | 1 3 0 5 | 0.5 1 0 3 | 4.5
Global Project System (GPS) | 5 3 2 5 | 5 3 2 5 | 5 3 2 5 | 3.75 2.25 1.8 3 | 10.8
Global Vendor Master | 3 3 0 0 | 3 3 0 0 | 1 1 0 0 | 1.75 1.75 0 0 | 3.5
Hyperion Security | 5 3 3 0 | 3 3 3 0 | 3 3 3 0 | 2.75 2.25 2.7 0 | 7.7
In-House Software Development | 3 3 3 5 | 5 1 3 5 | 5 3 3 5 | 3.25 1.75 2.7 3 | 10.7
IT Asset Management & Procurement | 3 3 0 0 | 3 3 0 0 | 3 3 0 0 | 2.25 2.25 0 0 | 4.5
JDE Security | 3 3 3 0 | 3 3 3 0 | 3 3 3 0 | 2.25 2.25 2.7 0 | 7.2
JDE/GPS Interface | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0
JDE/OMS Interface | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0
JDE/PeopleSoft Interface | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0
JDE/VPRM Interface | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0
Lotus Notes Security | 1 1 0 5 | 1 1 0 5 | 5 3 0 5 | 1.75 1.25 0 3 | 6
NA Firewall | 1 1 1 0 | 1 1 1 0 | 5 1 1 0 | 1.75 0.75 0.9 0 | 3.4
Opportunity Management System (OMS) | 3 1 0 5 | 1 1 0 5 | 5 1 0 5 | 2.25 0.75 0 3 | 6
Oracle Database - VPRM, OMS, Hyperion | 3 1 1 0 | 1 1 1 0 | 3 3 1 0 | 1.75 1.25 0.9 0 | 3.9
PeopleSoft Security | 1 1 3 5 | 3 3 3 5 | 3 1 3 5 | 1.75 1.25 2.7 3 | 8.7
Physical Security of IT Assets | 1 1 0 5 | 1 3 0 5 | 3 3 0 5 | 1.25 1.75 0 3 | 6
Raptor (telnet software for JDE) | 5 1 0 0 | 1 1 0 0 | 5 1 0 0 | 2.75 0.75 0 0 | 3.5
Remote Network Access - Citrix & NFUSE | 3 1 0 0 | 1 1 0 0 | 5 1 0 0 | 2.25 0.75 0 0 | 3
Software Licenses | 3 1 1 0 | 0 0 1 0 | 3 3 1 0 | 1.5 1 0.9 0 | 3.4
Unix Security | 3 1 2 0 | 1 1 2 0 | 5 1 2 0 | 2.25 0.75 1.8 0 | 4.8
Virus Software | 3 1 0 0 | 3 1 0 0 | 5 3 0 0 | 2.75 1.25 0 0 | 4
VPRM Security (VPRM by AVEVA is an integrated resource management software suite) | 1 3 3 0 | 3 3 3 0 | 3 3 3 0 | 1.75 2.25 2.7 0 | 6.7
Windows Active Directory | 3 1 2 0 | 3 3 2 0 | 5 3 2 0 | 2.75 1.75 1.8 0 | 6.3
IT Governance | 1 3 1 5 | 3 3 1 5 | 3 3 1 5 | 1.75 2.25 0.9 3 | 7.9
Data Retention | 3 3 2 0 | 0 0 2 0 | 3 3 2 0 | 1.5 1.5 1.8 0 | 4.8
Privacy & Confidentiality of Data | 3 3 2 5 | 0 0 2 5 | 3 3 2 5 | 1.5 1.5 1.8 3 | 7.8
1 AS400
1 Business Continuity
1 Cell Phone Mgmt & Usage
1 Desktop & Technical Support
1 Engineering (CAD) Systems - UNIX
1 Enterprise Voice Network
1 Global Project System (GPS)
1 Global Vendor Master
1 Hyperion Security
1 In-House Software Development
1 IT Asset Management & Procurement
1 JDE Security
1 JDE/GPS Interface
1 JDE/OMS Interface
1 JDE/PeopleSoft Interface
1 JDE/VPRM Interface
1 Lotus Notes Security
1 NA Firewall
1 Opportunity Management System (OMS)
1 Oracle Database - VPRM, OMS, Hyperion
1 PeopleSoft Security
1 Physical Security of IT Assets
1 Raptor (telnet software for JDE)
1 Remote Network Access - Citrix & NFUSE
1 Software Licenses
1 Unix Security
1 Virus Software
1 VPRM Security (VPRM by AVEVA is an integrated resource management software suite)
1 Windows Active Directory
1 IT Governance
1 Data Retention
1 Privacy & Confidentiality of Data
CoBIT Objectives
PO1 Define a strategic IT plan
IT Governance
IT Governance
tested via SOX and special projects; could test PMO function
tested via SOX and special projects; could test PMO function; Effectiveness of Application Usage for 2008
IT Governance
PeopleSoft Security, Hyperion Security, JDE Security, VPRM Security, OMS, Lotus Notes Security, Engineering (CAD) Systems, Windows Active Directory, UNIX Security, Enterprise Voice Network, Oracle Database, AS400, NA Firewall
IT Governance
Tested via SOX
Tested via SOX
tested via SOX and special projects
IT Governance
per inquiry limited third parties
IT Governance
IT Governance and Business Continuity
PeopleSoft Security, Hyperion Security, JDE Security, VPRM Security, Windows Active Directory, OMS, Lotus Notes Security, UNIX Security, Engineering (CAD) Systems, Enterprise Voice Network, Oracle Database, AS400, NA Firewall
Penetration Test for 2008 to test all concurrently
Considering looking at cost structure and allocation of IT spend