5 Generic IT Risk Scenarios.docx
5 Generic IT Risk Scenarios

Generic IT Risk Scenarios

Each numbered entry below is one row of the source table. The table's column headings, in the order the source gives them, are:

#
High-level Scenario
Risk Scenario Components: Threat Type; Actor; Event; Asset/Resources; Time
Risk Category/Group: IT Benefit/Value Enablement; IT Programme and Project Delivery; IT Operations and Service Delivery
Risk / Risk Consequence
Risk / Risk Consequence
Negative Example Scenarios: Fail to Gain; Lose Value
Positive Example Scenarios: Gain Value; Preserve Value

Each scenario carries P/S flags against the three Risk Category/Group columns; this copy does not preserve which column each flag belongs to, so the flags are listed in the order given.
Scenario 1: IT programme selection
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (portfolio management)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P, S
Negative example scenarios:
• Wrong programmes selected for implementation, misaligned with corporate strategy and priorities
• Duplication between different initiatives
• New important programme creates long-term incompatibility with the enterprise architecture
Positive example scenarios:
• Programmes leading to successful new business initiatives selected for execution

Scenario 2: New technologies
Threat type: Failure
Actor: Internal
Event: Ineffective design
Asset/Resources: Process (technology selection); Enterprise architecture (technology)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P, S
Negative example scenarios:
• Failure to timely adopt and exploit new technologies (i.e., functionality, optimisation)
• New and important technology trends not identified
• Inability to use the technology to realise desired outcomes (e.g., failure to make required business model or organisational changes)
Positive example scenarios:
• New technologies for new initiatives or more efficient operations adopted and exploited

Scenario 3: Technology selection
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (technology selection); Enterprise architecture (technology)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P, S
Negative example scenarios:
• Wrong technologies (i.e., cost, performance, features, compatibility) selected for implementation
Positive example scenarios:
• Optimal technology selected for implementation

Scenario 4: IT investment decision making
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (investment management); People and organisation
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P, S
Negative example scenarios:
• Business managers or representatives not involved in important IT investment decision making (e.g., new applications, prioritisation, new technology opportunities)
Positive example scenarios:
• Co-ordinated decision making over IT investments between business and IT

Scenario 5: Accountability over IT
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (define the IT processes, organisation and relationships); People and organisation
Time: Timing (non-critical); Duration (extended); Detection (moderate)
Risk category/group flags: P, S, S
Negative example scenarios:
• Business not assuming accountability over those IT areas it should (e.g., functional requirements, development priorities, assessing opportunities through new technologies)
Positive example scenarios:
• Business assumes appropriate accountability over IT and co-determines the strategy of IT, especially application portfolio

Scenario 6: Integration of IT within business processes
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (define the IT processes, organisation and relationships); People and organisation
Time: Timing (non-critical); Duration (extended); Detection (moderate)
Risk category/group flags: P, S
Negative example scenarios:
• Extensive dependency and use of end-user computing and ad hoc solutions for important information needs
• Separate and non-integrated IT solutions to support business processes
Positive example scenarios:
• Fully integrated IT solutions are in place across business processes

Scenario 7: State of infrastructure technology
Threat type: Failure
Actor: Internal
Event: Ineffective design
Asset/Resources: Process (acquire and maintain technology infrastructure); Infrastructure; Enterprise architecture (technology)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: S, S
Negative example scenarios:
• IT technology in use is obsolete and cannot satisfy new business requirements (e.g., networking, security, storage)
Positive example scenarios:
• Modern and stable technology used

Scenario 8: Ageing of application software
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (acquire and maintain technology infrastructure); Infrastructure; Enterprise architecture (applications)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P, P
Negative example scenarios:
• Old application software (e.g., old technology, poorly documented, expensive to maintain, difficult to extend, not integrated in current architecture)
Positive example scenarios:
• Modern application software; easy to add new process functionality

Scenario 9: Architectural agility and flexibility
Threat type: Failure
Actor: Internal
Event: Ineffective design
Asset/Resources: Process (determine technological direction); Enterprise architecture
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P, S, S
Negative example scenarios:
• Complex and inflexible IT architecture obstructing further evolution and expansion
Positive example scenarios:
• Modern and flexible architecture supports business agility/innovation

Scenario 10: Regulatory compliance
Threat type: Failure; Malicious
Actor: Internal
Event: Regulation
Asset/Resources: Process (ensure compliance with external requirements)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P, S, S
Negative example scenarios:
• Non-compliance with regulations (e.g., accounting, manufacturing,)

Scenario 11: Software implementation
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (enable operation and use); Enterprise architecture (applications)
Time: Timing (non-critical); Duration (moderate); Detection (instant)
Risk category/group flags: P
Negative example scenarios:
• Operational glitches when new software is made operational
• Users not prepared to use and exploit new application software

Scenario 12: IT project termination
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (retire the programme)
Time: Timing (critical); Duration (extended); Detection (slow)
Risk category/group flags: P
Negative example scenarios:
• Failing (due to cost, delays, scope creep, changed business priorities) projects not terminated
Positive example scenarios:
• Failing or irrelevant projects stopped on a timely basis

Scenario 13: IT project economics
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (monitor and report on the programme)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P
Negative example scenarios:
• Isolated IT project budget overrun
• Consistent and important IT project budget overruns
• Absence of view on portfolio and project economics
Positive example scenarios:
• IT project completed within agreed-upon budgets
Scenario 14: Project delivery
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (monitor and report on the programme)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: S, P, S
Negative example scenarios:
• Occasional late IT project delivery by internal development department
• Routinely important delays in IT project delivery
• Excessive delays in outsourced IT development project
Positive example scenarios:
• Project delivery on time
Scenario 15: Project quality
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (monitor and report on the programme)
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: P
Negative example scenarios:
• Insufficient quality of project deliverables (due to software, documentation, compliance with functional requirements)
Positive example scenarios:
• Project delivers to specifications

Scenario 16: Selection/performance of third-party suppliers
Threat type: Failure
Actor: Internal
Event: Ineffective design
Asset/Resources: Process (manage third-party services); People and organisation
Time: Timing (non-critical); Duration (extended); Detection (slow)
Risk category/group flags: S, P
Negative example scenarios:
• Inadequate support and services delivered by vendors, not in line with service level agreements (SLAs)
• Inadequate performance of outsourcer in large-scale long-term outsourcing arrangement
Positive example scenarios:
• Third party acting as strategic partner

Scenario 17: Infrastructure theft
Threat type: Malicious
Actor: Internal; External
Event: Theft
Asset/Resources: Infrastructure
Time: Timing (unknown); Duration (extended); Detection (instant)
Risk category/group flags: S, S, P
Negative example scenarios:
• Theft of laptop with sensitive data
• Theft of substantial number of development servers

Scenario 18: Destruction of infrastructure
Threat type: Accidental; Malicious
Actor: Internal; External
Event: Destruction; Inappropriate use
Asset/Resources: Infrastructure
Time: Timing (unknown); Duration (extended); Detection (instant)
Risk category/group flags: S, S, P
Negative example scenarios:
• Destruction of data centre (due to sabotage, etc.)
• Accidental destruction of individual laptops
Scenario 19: IT staff
Threat type: Failure
Actor: Internal
Event: Ineffective execution
Asset/Resources: Process (manage IT human resources); People and organisation
Time: Timing (unknown); Duration (extended); Detection (moderate)
Risk category/group flags: P, P, P
Negative example scenarios:
• Departure or extended unavailability of key IT staff
• Key development team leaves the enterprise
• Inability to recruit IT staff
Scenario 20: IT expertise and skills
Threat type: Failure
Actor: Internal
Event: Ineffective design
Asset/Resources: Process (manage IT human resources); People and organisation
Time: Timing (unknown); Duration (extended); Detection (instant)
Risk category/group flags: P, P, P
Negative example scenarios:
• Lack or mismatch of IT-related skills within IT (e.g., due to new technologies)
• Lack of business understanding by IT staff
Positive example scenarios:
• Attracting the appropriate staff increases the service delivery of the IT department
• Correct staff and skill mix will support project delivery and value delivery

Scenario 21: Software integrity
Threat type: Accidental; Malicious
Actor: Internal; External
Event: Modification
Asset/Resources: Process (manage changes and install and accredit solutions and changes); Enterprise architecture (software)
Time: Timing (non-critical); Duration (short); Detection (slow)
Risk category/group flags: S, P
Negative example scenarios:
• Intentional modification of software leading to wrong data or fraudulent actions
• Unintentional modification of software leading to unexpected results
• Unintentional configuration and change management errors

Scenario 22: Infrastructure (hardware)
Threat type: Accidental; Malicious
Actor: Internal; External
Event: Modification; Destruction; Inappropriate use
Asset/Resources: Infrastructure
Time: Timing (non-critical); Duration (unknown); Detection (instant)
Risk category/group flags: P
Negative example scenarios:
• Erroneous misconfiguration of hardware components
• Damage of critical servers in computer room (e.g., due to accident)
• Intentional tampering with hardware (e.g., security devices)

Scenario 23: Software performance
Threat type: Failure
Actor: Internal
Event: Ineffective design
Asset/Resources: Enterprise architecture (applications)
Time: Timing (non-critical); Duration (unknown); Detection (instant)
Risk category/group flags: S, P
Negative example scenarios:
• Regular software malfunctioning of critical application software
• Intermittent software problems with important system software

Scenario 24: System capacity
Threat type: Failure
Actor: Internal
Event: Ineffective design
Asset/Resources: Enterprise architecture (technology)
Time: Timing (non-critical); Duration (unknown