Wednesday, September 8, 2010

System Risk Management

Let’s talk today about IT risk assessment: when we should perform such assessments and what impact they might have on our business.


The main goal of IT risk assessment is to ensure the normal and uninterrupted processing of your business. This involves the normal operation of your application systems, operating systems, network equipment, databases, etc. That is why the IT risk assessment process should be incorporated into every IT process. For example, let’s look at the change management process. When you plan to make any change to your IT infrastructure, you should ensure that the change will not negatively impact normal operation, so that your business continues to operate and generate money for you. The best way to achieve this is to perform a preliminary IT risk assessment for each change to the IT infrastructure (application system changes, database changes, network changes, operating system changes).

When performing an IT risk assessment of a change, you should consider the following questions:

· How will this change affect existing operations?
· Will we need to disrupt our operations? If so, for how long, and what would the disruption cost?
· Which organizational units will be affected?
· How much will this change cost the business?
· How will this change affect the existing hardware?
· How will this change affect the existing software?
· What actions must be completed to ensure normal operations after the change is implemented?
· Do we have a complete and verified set of backup data for each affected system?
· Can we restore the previous state of the affected systems if the change fails during implementation, and has that rollback been tested?
All of these questions must be answered, and the answers recorded, as part of the IT risk assessment.
Now let’s look at another very important part of our IT processes: the Business Continuity strategy. While creating this strategy you must complete a process called Business Impact Analysis, which identifies all the processes and systems that should be included in the continuity strategy. It is also good practice to complete an IT risk assessment at this stage. In doing so, you need to consider both the impact of your current IT systems on your continuity strategy and the impact of the continuity strategy on your IT systems. Such an IT risk assessment can help identify potential weaknesses in the processes that could be exploited in the future and cause continuity of operations to fail.

My personal belief is that today’s organizations should always bear in mind the significant impact of modern IT infrastructure on their day-to-day business activities, and they should perform a comprehensive IT risk assessment before considering any change to existing IT processes and infrastructure.

Your risk assessment procedures must always be formal, and you should retain your IT risk assessment reports for future reference and for resolving any questions that may arise later.

Saturday, August 28, 2010

What is IT Audit?

An IT audit is different from a financial statement audit. While a financial audit’s purpose is to evaluate whether an organization’s financial statements are presented fairly in accordance with standard accounting practices, the purpose of an IT audit is to evaluate the design and effectiveness of the internal controls over its information systems. This includes, but is not limited to, efficiency and security controls, development processes, and IT governance or oversight. The goal is to evaluate the organization’s ability to protect its information assets and to provide information only to authorized parties. The IT audit’s agenda may be summarized by the following questions:


Will the organization's computer systems be available for the business at all times when required? (Availability)
Will the information in the systems be disclosed only to authorized users? (Confidentiality)
Will the information provided by the system always be accurate, reliable, and timely? (Integrity)
The IT audit focuses on determining the risks that are relevant to information assets and on assessing the controls in place to reduce or mitigate those risks. Implementing controls can minimize the effect of risks, but it cannot eliminate them completely; some residual risk always remains and must be consciously accepted.


Sunday, August 22, 2010

Types of SAS 70 Audit

Types of SAS 70 audit: Type I and Type II

Type I audit: a Type I report includes the auditor’s opinion on the fairness of the presentation of the service organization’s description of its controls as placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives, as of a specified date. It does not test whether the controls actually operated effectively.

Type II audit: this is the more thorough form of SAS 70 report, because in addition to the description of the controls in place it contains a description of the auditor’s tests of the operating effectiveness of those controls over a minimum testing period (usually six months), together with the results of those tests.

A Type II audit therefore adds a period of testing and observation. It is more common and is often the preferred choice for a SAS 70 audit because it is a comprehensive analysis not only of what controls are in place, but also of how effectively those controls meet the control objectives.