
ITA IT Risk Assessment Matrix


ABCD

Information Technology Advisory Services (ITAS)

ITA IT Risk Assessment Matrix

This Service is not permitted for audit clients or their affiliates. Delete This Note
For Internal Use Only

Advisory

Date

© 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights
reserved. Printed in the U.S.A.

This document has not been risk reviewed. The information contained in this document is presented for example purposes only. This document is provided as a reference for layout, structure and format,
and should be tailored to the specific client needs and engagement objectives. This template should be modified for your specific client situation. Professional judgment, based on individual
circumstances, must be used when considering the use of this template.

Impact
The following impact table has been developed to assist in prioritizing identified risks (i.e., at the departmental or functional level for IT).

Consequence Factors by Consequence Category (Limited / Moderate / Severe / Critical)

Funding/Financial
  Limited:  Low Financial Loss (<5% of Department Budget).
  Moderate: Medium Financial Loss (5% to 15% of Department Budget).
  Severe:   High Financial Loss (15% to 25% of Department Budget).
  Critical: Major Financial Loss (>25% of Department Budget).

Reputation
  Limited:  Little visibility to customers, suppliers or public.
  Moderate: Some impact on communication with business partners.
  Severe:   Not able to communicate for an extended period with business partners. Cannot issue/report company results.
  Critical: Not able to communicate, and public awareness through media or other information source.

Legal
  Limited:  Complaints, with no financial impact.
  Moderate: Single contract dispute (low value).
  Severe:   Single contract dispute (high value), multiple contract disputes.
  Critical: Events resulting in class actions against.

Customer Service
  Limited:  Complaints with no delivery impact.
  Moderate: Small customer or small branch affected.
  Severe:   Large branch, multiple branches or large customer affected.
  Critical: Not able to service any customers.

Personnel expense
  Limited:  An event, the impact of which can be absorbed through normal activity.
  Moderate: An event, where the consequences can be absorbed but will require overtime and information may not be current.
  Severe:   An event that requires significant additional manpower and expense to recover. Possibility of some data loss.
  Critical: An event where data is lost and additional manpower and expense is required for a protracted period.

Likelihood
Likelihood is assessed as how likely it is that the business will be exposed to a specific risk, considering factors such as:
1 - Anticipated frequency
2 - The external environment
3 - The procedures, tools, skills currently in place
4 - Staff commitment, morale, attitude
5 - History of previous events

Likelihood scale
76-100% Almost Certain
51-75%  Probable
26-50%  Moderate
0-25%   Unlikely


Risk Assessment Detail Report


Risk Impact Likelihood Major Changes Last Audit

AS400

Financial Risks Severe Moderate No Changes


Integrity Risks Severe Moderate No Changes
Operational Risks Critical Moderate Minor Changes

Business Continuity

Financial Risks Severe Probable Many Changes Prior to 2003


Integrity Risks Severe Probable Many Changes Prior to 2003
Operational Risks Severe Probable Many Changes Prior to 2003

Cell Phone Mgmt & Usage

Financial Risks Moderate Moderate No Changes Prior to 2003


Integrity Risks Limited Unlikely No Changes Prior to 2003
Operational Risks Moderate Moderate No Changes Prior to 2003

Desktop & Technical Support

Financial Risks Moderate Moderate No Changes


Integrity Risks Severe Probable No Changes
Operational Risks Severe Probable No Changes


Engineering (CAD) Systems - UNIX

Financial Risks Severe Moderate Various Changes


Integrity Risks Moderate Moderate Various Changes
Operational Risks Critical Moderate Various Changes

Enterprise Voice Network

Financial Risks Moderate Moderate No Changes Prior to 2003


Integrity Risks Limited Unlikely No Changes Prior to 2003
Operational Risks Moderate Probable No Changes Prior to 2003

Global Project System (GPS)

Financial Risks Critical Probable Various Changes Prior to 2003


Integrity Risks Critical Probable Various Changes Prior to 2003
Operational Risks Critical Probable Various Changes Prior to 2003

Global Vendor Master

Financial Risks Severe Probable No Changes


Integrity Risks Severe Probable No Changes
Operational Risks Moderate Moderate No Changes

Hyperion Security

Financial Risks Critical Probable Many Changes


Integrity Risks Severe Probable Many Changes


Operational Risks Severe Probable Many Changes

In-House Software Development

Financial Risks Severe Probable Many Changes Prior to 2003


Integrity Risks Critical Moderate Many Changes Prior to 2003
Operational Risks Critical Probable Many Changes Prior to 2003

IT Asset Management & Procurement

Financial Risks Severe Probable No Changes


Integrity Risks Severe Probable No Changes
Operational Risks Severe Probable No Changes

JDE Security

Financial Risks Severe Probable Many Changes


Integrity Risks Severe Probable Many Changes
Operational Risks Severe Probable Many Changes

JDE/GPS Interface

Financial Risks
Integrity Risks
Operational Risks


JDE/OMS Interface

Financial Risks
Integrity Risks
Operational Risks

JDE/PeopleSoft Interface

Financial Risks
Integrity Risks
Operational Risks

JDE/VPRM Interface

Financial Risks
Integrity Risks
Operational Risks

Lotus Notes Security

Financial Risks Moderate Moderate No Changes Prior to 2003


Integrity Risks Moderate Moderate No Changes Prior to 2003
Operational Risks Critical Probable No Changes Prior to 2003

NA Firewall

Financial Risks Moderate Moderate Minor Changes


Integrity Risks Moderate Moderate Minor Changes


Operational Risks Critical Moderate Minor Changes

Opportunity Management System (OMS)

Financial Risks Severe Moderate No Changes Prior to 2003


Integrity Risks Moderate Moderate No Changes Prior to 2003
Operational Risks Critical Moderate No Changes Prior to 2003

Oracle Database - VPRM, OMS, Hyperion

Financial Risks Severe Moderate Minor Changes


Integrity Risks Moderate Moderate Minor Changes
Operational Risks Severe Probable Minor Changes

PeopleSoft Security

Financial Risks Moderate Moderate Many Changes Prior to 2003


Integrity Risks Severe Probable Many Changes Prior to 2003
Operational Risks Severe Moderate Many Changes Prior to 2003

Physical Security of IT Assets

Financial Risks Moderate Moderate No Changes Prior to 2003


Integrity Risks Moderate Probable No Changes Prior to 2003
Operational Risks Severe Probable No Changes Prior to 2003


Raptor (telnet software for JDE)

Financial Risks Critical Moderate No Changes


Integrity Risks Moderate Moderate No Changes
Operational Risks Critical Moderate No Changes

Remote Network Access - Citrix & NFUSE

Financial Risks Severe Moderate No Changes


Integrity Risks Moderate Moderate No Changes
Operational Risks Critical Moderate No Changes

Software Licenses

Financial Risks Severe Moderate Minor Changes


Integrity Risks Limited Unlikely Minor Changes
Operational Risks Severe Probable Minor Changes

Unix Security

Financial Risks Severe Moderate Various Changes


Integrity Risks Moderate Moderate Various Changes
Operational Risks Critical Moderate Various Changes

Virus Software

Financial Risks Severe Moderate No Changes


Integrity Risks Severe Moderate No Changes


Operational Risks Critical Probable No Changes

VPRM Security (VPRM by AVEVA is an integrated resource management software suite)

Financial Risks Moderate Probable Many Changes


Integrity Risks Severe Probable Many Changes
Operational Risks Severe Probable Many Changes

Windows Active Directory

Financial Risks Severe Moderate Various Changes


Integrity Risks Severe Probable Various Changes
Operational Risks Critical Probable Various Changes

IT Governance

Financial Risks Moderate Probable Minor Changes Prior to 2003


Integrity Risks Severe Probable Minor Changes Prior to 2003
Operational Risks Severe Probable Minor Changes Prior to 2003

Data Retention

Financial Risks Severe Probable Various Changes


Integrity Risks Limited Unlikely Various Changes
Operational Risks Severe Probable Various Changes

New Entities Identified for 2008 Start Here


Privacy & Confidentiality of Data

Financial Risks Severe Probable Various Changes Prior to 2003


Integrity Risks Limited Unlikely Various Changes Prior to 2003
Operational Risks Severe Probable Various Changes Prior to 2003


Entity Score (ranked)

Reviewer comment (Liliana DeLeon): Do you have a source year for this information in these tables??? If they are just examples we can add a text box that says "For Example Purposes Only"

Global Project System (GPS) 10.8
In-House Software Development 10.7
Business Continuity 10.2
PeopleSoft Security 8.7
IT Governance 7.9
Hyperion Security 7.7
Privacy & Confidentiality of Data 7.8
JDE Security 7.2
VPRM Security (VPRM by AVEVA is an integrated resource management software suite) 6.7
Windows Active Directory 6.3
Opportunity Management System (OMS) 6
Physical Security of IT Assets 6
Lotus Notes Security 6
Data Retention 4.8
Unix Security 4.8
Engineering (CAD) Systems - UNIX 4.8
IT Asset Management & Procurement 4.5
Enterprise Voice Network 4.5
Global Vendor Master 3.5
Virus Software 4
Cell Phone Mgmt & Usage 4
NA Firewall 3.4
Oracle Database - VPRM, OMS, Hyperion 3.9
AS400 3.8
Raptor (telnet software for JDE) 3.5
Software Licenses 3.4
Desktop & Technical Support 3.5
Remote Network Access - Citrix & NFUSE 3
JDE/GPS Interface 0
JDE/OMS Interface 0 Removed from auditable entity - Incorporated into GPS Review
JDE/PeopleSoft Interface 0 Removed from auditable entity - Incorporated into OMS Review
JDE/VPRM Interface 0 Removed from auditable entity - Incorporated into PeopleSoft Review

Proposed 2008 Audits (Estimated Weeks, When to Audit)
Penetration Test 4 Proposed Jan-June
Cross System SOD 4 Proposed July-Dec
GPS 4
Privacy / Location of Data 4
BIA / Business Continuity 3
IT SOX & Remediation 4
TOTAL 23

Proposed Assistance/Consulting Reviews (Estimated Weeks)
Effectiveness of Application Usage* 8
Hyperion® Upgrade 2
OneWorld Upgrade 2
IT Governance 4
Selected reviews of Lummus systems / processes 4
TOTAL 20

Total Audit Plan Weeks 43
*depends on number of applications


Weeks
28
7
43


Score sheet
Each entity has three risk rows of points in the detail-report column order (Impact, Likelihood, Major Changes, Last Audit), followed by the weighted column totals and the entity score.

AS400: [3 1 0 0] [3 1 0 0] [5 1 1 0] weighted [2.75 0.75 0.3 0] score 3.8
Business Continuity: [3 3 3 5] [3 3 3 5] [3 3 3 5] weighted [2.25 2.25 2.7 3] score 10.2
Cell Phone Mgmt & Usage: [1 1 0 5] [0 0 0 5] [1 1 0 5] weighted [0.5 0.5 0 3] score 4
Desktop & Technical Support: [1 1 0 0] [3 3 0 0] [3 3 0 0] weighted [1.75 1.75 0 0] score 3.5
Engineering (CAD) Systems - UNIX: [3 1 2 0] [1 1 2 0] [5 1 2 0] weighted [2.25 0.75 1.8 0] score 4.8
Enterprise Voice Network: [1 1 0 5] [0 0 0 5] [1 3 0 5] weighted [0.5 1 0 3] score 4.5
Global Project System (GPS): [5 3 2 5] [5 3 2 5] [5 3 2 5] weighted [3.75 2.25 1.8 3] score 10.8
Global Vendor Master: [3 3 0 0] [3 3 0 0] [1 1 0 0] weighted [1.75 1.75 0 0] score 3.5
Hyperion Security: [5 3 3 0] [3 3 3 0] [3 3 3 0] weighted [2.75 2.25 2.7 0] score 7.7
In-House Software Development: [3 3 3 5] [5 1 3 5] [5 3 3 5] weighted [3.25 1.75 2.7 3] score 10.7
IT Asset Management & Procurement: [3 3 0 0] [3 3 0 0] [3 3 0 0] weighted [2.25 2.25 0 0] score 4.5
JDE Security: [3 3 3 0] [3 3 3 0] [3 3 3 0] weighted [2.25 2.25 2.7 0] score 7.2
JDE/GPS Interface: [0 0 0 0] [0 0 0 0] [0 0 0 0] weighted [0 0 0 0] score 0
JDE/OMS Interface: [0 0 0 0] [0 0 0 0] [0 0 0 0] weighted [0 0 0 0] score 0
JDE/PeopleSoft Interface: [0 0 0 0] [0 0 0 0] [0 0 0 0] weighted [0 0 0 0] score 0
JDE/VPRM Interface: [0 0 0 0] [0 0 0 0] [0 0 0 0] weighted [0 0 0 0] score 0
Lotus Notes Security: [1 1 0 5] [1 1 0 5] [5 3 0 5] weighted [1.75 1.25 0 3] score 6
NA Firewall: [1 1 1 0] [1 1 1 0] [5 1 1 0] weighted [1.75 0.75 0.9 0] score 3.4
Opportunity Management System (OMS): [3 1 0 5] [1 1 0 5] [5 1 0 5] weighted [2.25 0.75 0 3] score 6
Oracle Database - VPRM, OMS, Hyperion: [3 1 1 0] [1 1 1 0] [3 3 1 0] weighted [1.75 1.25 0.9 0] score 3.9
PeopleSoft Security: [1 1 3 5] [3 3 3 5] [3 1 3 5] weighted [1.75 1.25 2.7 3] score 8.7
Physical Security of IT Assets: [1 1 0 5] [1 3 0 5] [3 3 0 5] weighted [1.25 1.75 0 3] score 6
Raptor (telnet software for JDE): [5 1 0 0] [1 1 0 0] [5 1 0 0] weighted [2.75 0.75 0 0] score 3.5
Remote Network Access - Citrix & NFUSE: [3 1 0 0] [1 1 0 0] [5 1 0 0] weighted [2.25 0.75 0 0] score 3
Software Licenses: [3 1 1 0] [0 0 1 0] [3 3 1 0] weighted [1.5 1 0.9 0] score 3.4
Unix Security: [3 1 2 0] [1 1 2 0] [5 1 2 0] weighted [2.25 0.75 1.8 0] score 4.8
Virus Software: [3 1 0 0] [3 1 0 0] [5 3 0 0] weighted [2.75 1.25 0 0] score 4
VPRM Security (VPRM by AVEVA is an integrated resource management software suite): [1 3 3 0] [3 3 3 0] [3 3 3 0] weighted [1.75 2.25 2.7 0] score 6.7
Windows Active Directory: [3 1 2 0] [3 3 2 0] [5 3 2 0] weighted [2.75 1.75 1.8 0] score 6.3
IT Governance: [1 3 1 5] [3 3 1 5] [3 3 1 5] weighted [1.75 2.25 0.9 3] score 7.9
Data Retention: [3 3 2 0] [0 0 2 0] [3 3 2 0] weighted [1.5 1.5 1.8 0] score 4.8
Privacy & Confidentiality of Data: [3 3 2 5] [0 0 2 5] [3 3 2 5] weighted [1.5 1.5 1.8 3] score 7.8
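The following Python is an added example, not part of the KPMG template, that recomputes the score sheet's entity scores from the ratings in the detail report. The point values per rating and the four column weights are inferred from the sheet's weighted rows and are assumptions (the page never states them), as is the value assigned to Almost Certain, which no entity on the page uses.

```python
"""Recompute the matrix's entity risk scores from the detail-report ratings."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Point values per rating. Assumption: inferred from the page's score sheet
# (e.g. Severe / Moderate / No Changes -> 3 1 0), not stated by it.
IMPACT_POINTS = {"Limited": 0, "Moderate": 1, "Severe": 3, "Critical": 5}
LIKELIHOOD_POINTS = {"Unlikely": 0, "Moderate": 1, "Probable": 3,
                     "Almost Certain": 5}   # value for Almost Certain assumed
CHANGE_POINTS = {"No Changes": 0, "Minor Changes": 1, "Various Changes": 2,
                 "Many Changes": 3}
LAST_AUDIT_POINTS = {"": 0, "Prior to 2003": 5}  # blank = audited recently

# Column weights applied to the summed points of an entity's risk rows.
# Assumption: inferred from the sheet's weighted rows (11 impact points -> 2.75).
WEIGHTS = (0.25, 0.25, 0.30, 0.20)  # impact, likelihood, changes, last audit


@dataclass(frozen=True)
class RiskRow:
    """One Financial / Integrity / Operational row of the detail report."""
    impact: str
    likelihood: str
    changes: str
    last_audit: str = ""

    def points(self) -> Tuple[int, int, int, int]:
        # A misspelled rating raises KeyError instead of silently scoring 0.
        return (IMPACT_POINTS[self.impact], LIKELIHOOD_POINTS[self.likelihood],
                CHANGE_POINTS[self.changes], LAST_AUDIT_POINTS[self.last_audit])


def weighted_columns(rows: List[RiskRow]) -> Tuple[float, ...]:
    """Sum each factor column over the entity's rows, then apply its weight."""
    sums = [0, 0, 0, 0]
    for row in rows:
        for i, p in enumerate(row.points()):
            sums[i] += p
    return tuple(round(s * w, 2) for s, w in zip(sums, WEIGHTS))


def entity_score(rows: List[RiskRow]) -> float:
    """Entity score = sum of the weighted column totals, one decimal as on the sheet."""
    return round(sum(weighted_columns(rows)), 1)


def rank(entities: Dict[str, List[RiskRow]]) -> List[Tuple[str, float]]:
    """Order entities for the audit plan, highest score first."""
    scored = [(name, entity_score(rows)) for name, rows in entities.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Three entities transcribed from the page's detail report
# (Financial, Integrity, Operational rows in that order).
ENTITIES: Dict[str, List[RiskRow]] = {
    "AS400": [
        RiskRow("Severe", "Moderate", "No Changes"),
        RiskRow("Severe", "Moderate", "No Changes"),
        RiskRow("Critical", "Moderate", "Minor Changes"),
    ],
    "Global Project System (GPS)": [
        RiskRow("Critical", "Probable", "Various Changes", "Prior to 2003")] * 3,
    "Privacy & Confidentiality of Data": [
        RiskRow("Severe", "Probable", "Various Changes", "Prior to 2003"),
        RiskRow("Limited", "Unlikely", "Various Changes", "Prior to 2003"),
        RiskRow("Severe", "Probable", "Various Changes", "Prior to 2003"),
    ],
}

if __name__ == "__main__":
    for name, score in rank(ENTITIES):
        print(f"{name:<36} {score:>5}  weighted={weighted_columns(ENTITIES[name])}")
```

With these assumptions the three sample entities reproduce the sheet's 3.8, 10.8 and 7.8; a rating string that is not on the scale fails loudly rather than being scored as zero.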

1 AS400
1 Business Continuity
1 Cell Phone Mgmt & Usage
1 Desktop & Technical Support
1 Engineering (CAD) Systems - UNIX
1 Enterprise Voice Network
1 Global Project System (GPS)
1 Global Vendor Master
1 Hyperion Security
1 In-House Software Development
1 IT Asset Management & Procurement
1 JDE Security
1 JDE/GPS Interface
1 JDE/OMS Interface
1 JDE/PeopleSoft Interface
1 JDE/VPRM Interface
1 Lotus Notes Security
1 NA Firewall
1 Opportunity Management System (OMS)
1 Oracle Database - VPRM, OMS, Hyperion
1 PeopleSoft Security
1 Physical Security of IT Assets
1 Raptor (telnet software for JDE)
1 Remote Network Access - Citrix & NFUSE
1 Software Licenses
1 Unix Security
1 Virus Software
1 VPRM Security (VPRM by AVEVA is an integrated resource management software suite)
1 Windows Active Directory
1 IT Governance
1 Data Retention
1 Privacy & Confidentiality of Data

CoBIT Objectives
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define IT processes, organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desks and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance


Risk Assessment Categories Notes / Comments


IT Governance
PeopleSoft® Security, Hyperion® Security, JDE® Security, VPRM Security,
Windows Active Directory, OMS, Lotus Notes® Security, UNIX® Security,
Engineering (CAD) Systems, Enterprise Voice Network, Oracle® Database,
AS400®,
IT Governance
IT Governance, IT Asset Management & Procurement
IT Governance, IT Asset Management & Procurement
IT Governance

IT Governance
IT Governance
tested via SOX and special projects; could test
PMO function
tested via SOX and special projects; could test
PMO function; Effectiveness of Application
IT Governance Usage for 2008
PeopleSoft Security, Hyperion Security, JDE Security, VPRM Security, OMS,
Lotus Notes Security, Engineering (CAD) Systems
Windows Active Directory, UNIX Security, Enterprise Voice Network, Oracle
Database, AS400, NA Firewall
IT Governance
Tested via SOX
Tested via SOX
tested via SOX and special projects
IT Governance
per inquiry limited third parties
IT Governance
IT Governance and Business Continuity
PeopleSoft Security, Hyperion Security, JDE Security, VPRM Security,
Windows Active Directory, OMS, Lotus Notes Security, UNIX Security,
Engineering (CAD) Systems, Enterprise Voice Network, Oracle Database,
AS400, NA Firewall Penetration Test for 2008 to test all concurrently
Considering looking at cost structure and
allocation of IT spend


per inquiry limited incidents, but probably need


Virus Software to investigate identification abilities
PeopleSoft Security, Hyperion Security, JDE Security, VPRM Security,
Windows Active Directory, OMS, Lotus Notes Security, UNIX Security,
Engineering (CAD) Systems, Enterprise Voice Network, Oracle Database,
AS400, NA Firewall
Tested via SOX, Privacy Review for 2008
Tested via SOX and Implementation Reviews
Tested via SOX
IT Governance
IT Governance
Internal Audit is performing
Internal Audit is performing; who is monitoring
laws?
IT Governance
