Documents
IT Risk Assessment Report and Template Toolkit
Download Free IT Risk Assessment Report and Template Toolkit

This template includes a Risk Register and IT Control for selected risk criteria, such as:
Risk Assessment Matrix:
- Vulnerability
- Threat
- Risk
- Risk Summary
- Risk Likelihood
- Rating
- Risk
- Impact
- Rating
- Overall Risk Rating
- Analysis of Relevant Controls and Other Factors
- Recommendations
Download Free IT Risk Assessment Templates

Download free IT risk assessment templates. This template was created using the NIST SP 800-30 standard, Risk Management Guide for Information Technology Systems. It covers some basic processes of an IT risk assessment, including: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination,
NIST IT Risk Management Guidelines

These NIST guidelines cover:
1. IT Risk Management
2. IT Risk Assessment
3. IT Risk Mitigations
Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.
Download IT General Control (ITGC) Audit Program Template

So basically, what is the simplest approach for ITGC? Should we check every change and modification in our application and infrastructure, or should we focus only on the significant ones? The simplest approach is to use the minimum requirements set by the government/regulation. Here is some of the ITGC scope based on Sarbanes-Oxley Section 404:
Program Development / Program Change
- Acquire or develop application software: The organization's system development life cycle (SDLC) includes security, availability and processing integrity requirements of the organization.
- Acquire or develop application software: An adequate SDLC methodology has been established to serve as a basis for controlling development and maintenance activities, and the SDLC methodology is consistent with business and end-user strategies and objectives.
Logical Access
- Ensure systems security: An information security policy exists and has been approved by an appropriate level of executive management.
Download Network Security Service Level Agreement (SLA) Sample Templates

Below is a sample service level agreement (SLA) for supporting security event feeds from network devices. This sample SLA is arranged between the network support team (NetEng) and the team to whom security monitoring is assigned (InfoSec).
The purpose of this document is to clarify support responsibilities and expectations. Specifically, it outlines:
- Services provided by NetEng to support network security event recording for monitoring and incident response
- General levels of response, availability, and maintenance associated with these services
How good is your IT Security Administration
So how good is your IT Security Administration? Below is a list intended as a guide to the various areas that need to be reviewed to conduct a complete assessment of security administration.
• Organization and policies
• Procedures and post orders
• Personnel selection
• Staffing and background checks
• Education and awareness
• Contract management
Each aspect of this assessment is equally important to providing the client with a complete picture of the operation. You should understand that the assessment process is intended to document the current status of the security program for the client
ITIL management checklist for the optimising phase

Configuration Management
As the application is reviewed within the optimise phase, is the CMDB used to assist with the review?
Are Configuration Management personnel involved in the optimisation process, including providing advice in the use of and updating the inventory?
Change Management
As modifications are identified within this phase, does the team use the Change Management system to coordinate the changes?
Incident Management Process Flow Templates

Incident Management is a sub-process in ITIL that needs to be implemented in every company for better IT operations. However, there are many concepts or designs that we can use to make the incident management process simpler and more integrated. Above is an example of how an incident management process flow would be performed
Download Backup Question Checklist Template

Below are some audit checklist questions for the backup process:
What SLAs are required for this server?
What is the role of this server? The role will have a direct impact on the backup options and requirements for it, and will directly feed into the remaining questions to be considered for servers. Sample server roles might include production, development, test, and quality assurance (QA).
Are there any special backup handling requirements for applications on the server?
Are there any special backup handling requirements for data on the server?
What times can the server be backed up?
What times are backups not allowed to occur?
What types of backups should this server receive? At minimum, most organizations will need to evaluate the necessity of the following:
Daily: What rotation between fulls, differentials, and incrementals is required?
Sample of Recovery Request and Testing Acceptance Form


Attached are sample Recovery Request and Testing Acceptance forms for backup and recovery activity. These templates are taken from Enterprise Systems Backup and Recovery: A Corporate Insurance Policy (De Guise, Preston, 2009).
Any tips and suggestions? Hope this document will be useful for your Information System Auditing Resources.