Updated On 5:22:58 PM

Controls Analysis for Computer Software Risk Assessment

Software risk assessment employing the software controls analysis methodology to identify and evaluate the software controls used to manage and reduce risk in computer software. This discussion offers a template for enumerating and analyzing controls in computer programs to reduce business risk. The controls analysis method will help determine whether additional controls or procedures are warranted, based on the cost/benefit of the risk reduction. Some examples of software which should be considered for risk assessment are:

• Spreadsheet used periodically to analyze data
• Department- or group-level database such as Microsoft Access
• Financial package such as QuickBooks or a custom-developed application
• Process-control computer
• Security/fire systems
• Corporate-wide CRM databases

Software Controls Analysis (SCA) should be implemented as a standard operating procedure within your general business risk assessment procedures. The assessment should be conducted on a scheduled basis. The frequency of the SCA will depend on your business as well as the criticality of the computer programs. Typically, SCA review cycles range from one to five years. The reason for the repeated application of the SCA process is that there is nothing more consistent in business than change, especially when it comes to computer software. We recommend that you develop preprinted forms (or a database system) to record all information in the risk assessment process.

The Risk Assessment Methodology

An outline of the key steps in an SCA process follows. You may use this information as a risk assessment template.

I. Starting Software Risk Analysis

1) Inventory all computer systems.
This inventory would include key attributes of the programs such as:
a) Purpose
b) Location
c) Responsible person
d) General importance to the business
   i) High
   ii) Medium
   iii) Low
2) Prioritize the IT computer controls analyses of the above systems based on the general importance (1d above) of each.
3) Establish one or more teams to perform the SCAs. Ideally, the team members should represent several disciplines within the company, such as software, finance, management and a system subject-matter specialist.

II. Software Risk Management Steps

1) Identify system output(s).
2) For each output, determine the events that could happen to the output or information. Some events to consider are:
a) Long-term unavailability of output
b) Intermediate-term unavailability
c) Short-term unavailability (may be seconds or minutes in some cases)
d) Premature dissemination of time-critical information (e.g., a web post published too early)
e) Dissemination of output to unauthorized individuals (e.g., classified or sensitive information)
f) Missing or lost output (e.g., a batch run of retirement checks with one check missing)
g) Errors/miscalculations in output
3) For each event in 2 above, determine the criticality/importance to the business. The criticality is most often distilled to a dollar amount of loss to the business. This dollar amount may be derived by considering some of the following results stemming from the events:
a) Theft/loss of money
b) Lost lead time for products
c) Loss of information to a competitor
d) Incorrect decisions based on erroneous data
e) Lawsuit
f) Fire/flood or other preventable disaster
4) Determine the probability (high, medium, low) of occurrence of each risk event identified in 2 above.
5) For each event cataloged in 2 above, identify one or more possible scenarios that could cause the event to happen. For a first-time SCA, develop these scenarios without regard to any existing controls. Determine the probability (high, medium, low) of occurrence for each scenario. It is helpful to discuss how the event could happen when determining the probability.
6) At this step we determine whether further work needs to be done, based upon the event criticality versus the scenario probability (the C/P index). You may decide that you do not want to pursue further assessment for C/P indexes of Low/Low. If a software system has only a Low/Low C/P index, then the SCA process stops here; it is time to wrap up the documentation and file it for future review.
7) For those software systems that have C/P indexes other than Low/Low, you will want to complete the SCA.
8) For each output-event-scenario combination, define controls that might be put into place to prevent the instance. For first-time SCAs, identify controls that already exist and mark them as existing. Types of controls are:
a) Separation of duties
b) Internet firewall installation
c) Emergency power backup
d) Fire suppression/flood detection system installation
e) Password protection/expiration of passwords
f) Inclusion of the software system in the company disaster recovery plan
9) Determine the cost of each new control.
10) Analyze the cost versus the potential loss to determine whether implementation of each control is justified.
11) For those controls to be implemented, determine a schedule for implementation.
12) The last step is to schedule a review of the SCA at some future date.

III. Summary

Overall, the process for software risk assessment is pretty simple:
• Catalog application programs
• Prioritize the order of SCA processing
• Identify program outputs
• Identify what can go wrong with the outputs
• Identify controls that will prevent/detect problems with the output
• Evaluate the cost/benefit of implementing the controls
• Track control implementation and schedule an SCA review

Free project management templates that we recommend and have probably used:
• Risk Analysis Template.
• Issues and Action Items Management Database (MS Access).
• Microsoft Access database for a small housing charity. If you are not familiar with Microsoft's Access database program, you will need to gain a basic understanding, at least.
• Risk assessment: scoring the consequence and likelihood for the risk, before (inherent risk) and after (residual risk) controls.
• You can use the Access database templates to build your own solution, or simply as examples of how to create Access database applications. Cost reconciliations, at-risk project status reports, and more; fully customizable to add your own fields, reports, forms, macros, or VB; compatible with MS Access 2000 to 2013.

This is an example of how I incorporated risk management into a project schedule by creating a risk register that associates risk identification data to specific tasks within the schedule. Create Custom Risk Fields. First, I identified the project-specific risk fields that were required. Based on industry standards.

This tutorial provides step-by-step instructions for creating a risk assessment template in Excel 2010 that uses a scatter chart to plot the risk from undertaking a project or activity. A risk assessment template can help project managers visually assess the risks of competing projects or tasks to enable them to determine which.

Risk Assessment in Project Planning

In project planning, project managers usually don't tackle their risk assessments with the same enthusiasm as they do in developing the scope statement, work breakdown structure and. It is just part of human nature to avoid uncertainties and place them on the back burner. Using a risk assessment template to identify, highlight, and assess the potential risks can help make those uncertainties more tangible and thereby eliminate the 'real' risk in not properly addressing them from the start of the project.
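As an added illustration of the SCA steps in sections II and III above (example code written for this page, not part of the original discussion), the register below turns outputs, events, scenarios and controls into data so that the C/P screening of step 6 and the cost-versus-loss check of step 10 can be computed consistently across systems. The PROB_VALUE mapping from High/Medium/Low to an annual likelihood, the residual_probability field on a control, and every system, dollar figure and cost in the sample register are assumptions constructed for the example; the page prescribes none of them.

```python
"""Worked Software Controls Analysis (SCA) register.

Added example (not from the original page): models the SCA steps as data and
functions so the C/P screening (step 6) and the cost-versus-loss check
(step 10) can be computed rather than done by hand. All systems, dollar
figures, probabilities and control costs below are constructed sample values.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")          # the page's High/Medium/Low scale

# Assumed mapping from the qualitative probability to an annual likelihood,
# used only to turn "criticality in dollars" into an expected annual loss.
PROB_VALUE = {"Low": 0.05, "Medium": 0.25, "High": 0.60}


@dataclass
class Control:
    name: str
    cost: float                 # one-time cost of putting the control in place
    existing: bool = False      # first-time SCA: mark controls already in place
    # assumed effect: scenario probability level once the control is in place
    residual_probability: str = "Low"


@dataclass
class Scenario:
    description: str
    probability: str            # High/Medium/Low (step 5)
    controls: list = field(default_factory=list)


@dataclass
class Event:
    description: str            # step 2, e.g. "Long-term unavailability"
    criticality: str            # High/Medium/Low (step 3)
    loss_dollars: float         # dollar amount of loss (step 3)
    scenarios: list = field(default_factory=list)


@dataclass
class SystemOutput:
    system: str
    output: str
    importance: str             # step 1d of section I, drives SCA ordering
    events: list = field(default_factory=list)


def cp_index(event, scenario):
    """Step 6: event criticality versus scenario probability, e.g. 'High/Low'."""
    return f"{event.criticality}/{scenario.probability}"


def needs_full_sca(output):
    """Steps 6-7: stop if every scenario of every event is Low/Low."""
    return any(cp_index(ev, sc) != "Low/Low"
               for ev in output.events for sc in ev.scenarios)


def expected_loss(event, probability):
    return event.loss_dollars * PROB_VALUE[probability]


def control_justified(event, scenario, control):
    """Step 10: a new control is justified when the expected loss it removes
    exceeds its cost. Existing controls cost nothing further and stay."""
    if control.existing:
        return True
    before = expected_loss(event, scenario.probability)
    after = expected_loss(event, control.residual_probability)
    return (before - after) > control.cost


def prioritize(outputs):
    """Section I, step 2: process High-importance systems first."""
    return sorted(outputs, key=lambda o: LEVELS.index(o.importance), reverse=True)


def plan(outputs):
    """Walk the register; return rows (system, event, scenario, C/P, control, verdict)."""
    rows = []
    for out in prioritize(outputs):
        if not needs_full_sca(out):
            rows.append((out.system, "-", "-", "Low/Low", "-", "file and review later"))
            continue
        for ev in out.events:
            for sc in ev.scenarios:
                for ctl in sc.controls:
                    verdict = "existing" if ctl.existing else (
                        "implement" if control_justified(ev, sc, ctl) else "reject")
                    rows.append((out.system, ev.description, sc.description,
                                 cp_index(ev, sc), ctl.name, verdict))
    return rows


# Constructed sample register (all values invented for the example).
payroll = SystemOutput("Payroll batch", "Retirement checks", "High", events=[
    Event("Missing or lost output", "High", 250_000.0, scenarios=[
        Scenario("Print server disk fails mid-run", "Medium", controls=[
            Control("Emergency power backup", 8_000.0, existing=True),
            Control("Include system in disaster recovery plan", 12_000.0),
        ]),
    ]),
])
spreadsheet = SystemOutput("Quarterly analysis spreadsheet", "Trend report", "Low",
    events=[Event("Short-term unavailability", "Low", 500.0,
                  scenarios=[Scenario("Laptop left at home", "Low")])])

if __name__ == "__main__":
    for row in plan([spreadsheet, payroll]):
        print(" | ".join(row))
```

Running the block prints the payroll rows first (High importance), marks the existing power backup as kept, justifies the disaster-recovery control because the expected loss it removes (62,500 minus 12,500 dollars under the assumed likelihoods) exceeds its 12,000 dollar cost, and files the Low/Low spreadsheet without further work, which is step 6's stop rule.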
The Risk Assessment Template

This risk assessment template, created in the steps below, uses a scatter chart and gradient shading to highlight the comparative risks associated with undertaking different projects or activities. Before constructing the risk assessment template, you will first need to decide upon the nomenclature and scale to express the probability and magnitude of the possible loss that could be encountered if the risk materializes. This template uses a 1 to 100 scale, breaking down the magnitude into five discernible levels and the probability into six possible ranges as follows:

Magnitude of the Consequence
• Insignificant - Easily handled within the normal course of operations with no additional costs. (Impact level 75.)

Probability of the Consequence
• Remote - Probability of less than 10%.
• Highly Unlikely - Probability between 10% and 35%.
• Possible - Probability between 36% and 50%.
• Probable - Probability between 51% and 60%.
• Highly Likely - Probability between 61% and 90%.
• Certain - Probability above 90%.

Step by Step Instructions for Creating the Risk Assessment Template

1. Enter the Data in the Excel Sheet
• Label the first row in Columns A, B, and C as Project Name or Activity, Probability and Consequence, and fill in the name of each project or activity and your estimated probability and impact values on the subsequent rows.

2. Select the Chart Style
• Choose the Insert tab from the ribbon
• Select Scatter Chart
• Choose Scatter Chart with only Markers (a blank chart will appear)

3. Sync the Data to the Chart
• From the Chart Tools on the ribbon, select Design
• Choose Select Data
• Select Add to enter the data for the first project or activity
• Change the Series Name to cell A1
• Set Series X values to cell B2 and Series Y values to cell C2 (To enter cell values, click in the chart image on the right and then click on the cell with the data.)
Your skeleton template will now look like this, and you can proceed with formatting the legend, data points, axes, and plot area.

4. Delete the Legend (the legend is not necessary because each data point will be labeled)
• Right click on the legend
• Choose Delete

5. Label the Data Point
• Right click on the data point
• Choose Add Data Label
• Check the Series Name, uncheck the Y axis, and then click Reset Label Text

6. Set Each Axis Range from 0 to 100
• Right click each axis
• Choose Format Axis
• Set Min to 0
• Set Max to 100

7. Key in the Title and Axis Names
• Right click over the text
• Select Text Edit and type:
   • Title - Risk Assessment
   • X axis - Remote ... Probability ... Certain
   • Y axis - Insignificant ... Consequence ... Critical

8. Format the Plot Area
• Right click anywhere in the Plot Area
• Choose Format Plot Area (The selection box to the left will appear.)
• Click on the Gradient circle
• On the first stop on the Gradient Bar, switch the color to Red
• Change the Direction to Linear Diagonal.
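The template's 1 to 100 scale and six probability ranges are easy to apply inconsistently by hand (a 0.4 typed where 40 was meant plots as a near-zero point; a value of 35.5 falls in none of the published ranges). The following added example, written for this page rather than taken from the tutorial, validates the values that go into columns B and C, names the probability band exactly as the template defines it, and emits the three columns in the order step 1 labels them. Ranking activities by probability times consequence is an assumption made here to mirror the diagonal gradient of step 8; the page itself defines no numeric score, and the magnitude levels are not reproduced because the page only preserves the first of them.

```python
"""Scoring helper for the Excel risk assessment template.

Added example (not part of the original tutorial): validates the 1 to 100
probability and consequence values, names the probability band the template
defines, and produces the column layout the scatter chart reads. The
probability-times-consequence ranking is an assumption, not the page's rule.
"""
import csv
import io

# Probability bands exactly as the template defines them (integer percent).
PROBABILITY_BANDS = (
    (1, 9, "Remote"),
    (10, 35, "Highly Unlikely"),
    (36, 50, "Possible"),
    (51, 60, "Probable"),
    (61, 90, "Highly Likely"),
    (91, 100, "Certain"),
)


def check_scale(value, name):
    """The template uses a 1 to 100 integer scale; reject anything else so a
    fraction such as 0.4 is not silently plotted near the origin."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 100:
        raise ValueError(f"{name} must be an integer from 1 to 100, got {value!r}")
    return value


def probability_band(percent):
    """Name the band for a probability on the 1 to 100 integer scale."""
    percent = check_scale(percent, "probability")
    for low, high, label in PROBABILITY_BANDS:
        if low <= percent <= high:
            return label
    raise AssertionError("bands cover 1..100; unreachable")


def risk_rows(activities):
    """activities: iterable of (name, probability, consequence).
    Returns dict rows ordered highest assumed score first."""
    rows = []
    for name, prob, cons in activities:
        check_scale(prob, "probability")
        check_scale(cons, "consequence")
        rows.append({"Project Name or Activity": name,
                     "Probability": prob,
                     "Consequence": cons,
                     "Band": probability_band(prob),
                     "Score": prob * cons})          # assumed ranking score
    return sorted(rows, key=lambda r: r["Score"], reverse=True)


def sheet_csv(activities):
    """Columns A, B and C with the headers from step 1 of the tutorial."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Project Name or Activity", "Probability", "Consequence"])
    for r in risk_rows(activities):
        writer.writerow([r["Project Name or Activity"], r["Probability"], r["Consequence"]])
    return buf.getvalue()


# Constructed sample activities (invented names and values).
SAMPLE = [
    ("Migrate CRM database", 45, 80),
    ("Update fire-suppression firmware", 8, 90),
    ("Rotate service passwords", 95, 20),
]

if __name__ == "__main__":
    print(sheet_csv(SAMPLE))
```

Paste the printed CSV into the sheet and the scatter chart of steps 2 and 3 picks up the values directly; the band name is there for the data label or a fourth column if you want the chart to carry the template's nomenclature as well as the number.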
Archives: April 2018