Topic: Application risk analysis

How do you properly carry out a risk analysis for a given application? What issues (which questions) should appear in a risk analysis questionnaire, and what deserves particular attention? Is there somewhere a questionnaire that can be used in a risk analysis for a given application, and possibly sample reports that were produced on the basis of that questionnaire?
Grzegorz Albinowski
Senior Business Consultant, Transition Project Manager

Topic: Application risk analysis

I would like to recommend the following publications:

COBIT Control Practices: Guidance to Achieve Control Objective for Successful IT Governance, 2nd Edition (Apr 2007)
- Value Drivers, Risk Drivers, Control Practices, Test the Control Design, Test the Outcome of the Control Objective
IT Control Objectives for Sarbanes-Oxley 2nd Edition (Sep 2006)
- use of COBIT for financial applications and SOX compliance auditing
Risk IT Framework + Risk IT Practitioner Guide
- a comprehensive framework for managing IT risk in the organisation

http://www.isaca.org/Knowledge-Center/Research/Researc...
http://www.isaca.org/Knowledge-Center/Research/Pages/R...
http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-...


[image]
Grzegorz Albinowski edited this post on 17.03.11 at 15:41
Grzegorz Albinowski
Senior Business Consultant, Transition Project Manager

Topic: Application risk analysis

The AC Application Controls section contains, among other things, the 6 application control points below, and for each of them VALUE DRIVERS (benefits that are not achieved or are threatened constitute a risk), RISK DRIVERS (the risk) and CONTROL PRACTICES (control practices, i.e. what needs to be done to avoid the risk and realise the business benefits); the ISACA materials additionally contain many recommendations for auditors in the layout below.

Sample recommendations (c) ISACA

1. Source Data Preparation and Authorisation

Control Objective:
Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Minimise errors and omissions through good input form design. Detect errors and irregularities so they can be reported and corrected.

Value Drivers:
• Data integrity
• Standardised and authorised transaction documentation
• Improved application performance
• Accuracy of transaction data

Risk Drivers:
• Compromised integrity of critical data
• Unauthorised and/or erroneous transactions
• Processing inefficiencies and rework

Control Practices:
1. Design source documents in a way that they increase accuracy with which data can be recorded, control the workflow and facilitate subsequent reference checking. Where appropriate, include completeness controls in the design of the source documents.
2. Create and document procedures for preparing source data entry, and ensure that they are effectively and properly communicated to appropriate and qualified personnel. These procedures should establish and communicate required authorisation levels (input, editing, authorising, accepting and rejecting source documents). The procedures should also identify the acceptable source media for each type of transaction.
3. Ensure that the function responsible for data entry maintains a list of authorised personnel, including their signatures.
4. Ensure that all source documents include standard components and contain proper documentation (e.g., timeliness, predetermined input codes, default values) and are authorised by management.
5. Automatically assign a unique and sequential identifier (e.g., index, date and time) to every transaction.
6. Return documents that are not properly authorised or are incomplete to the submitting originators for correction, and log the fact that they have been returned. Review logs periodically to verify that corrected documents are returned by originators in a timely fashion, and to enable pattern analysis and root cause review.

2. Source Data Collection and Entry

Control Objective: Ensure that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.

Value Drivers:
• Accurate data entry and efficient processing
• Errors detected in a timely manner
• Sensitive transaction data secured

Risk Drivers:
• Processing inefficiencies due to incomplete data entry
• Compromised integrity of critical data
• Access control violations
• Data entry errors undetected

Control Practices:
1. Define and communicate criteria for timeliness, completeness and accuracy of source documents. Establish mechanisms to ensure that data input is performed in accordance with the timeliness, accuracy and completeness criteria.

[...]

3. Accuracy, Completeness and Authenticity Checks

Control Objective: Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.

Value Drivers:
• Data processing errors efficiently remediated
• Data accuracy, completeness and validity maintained during processing
• Uninterrupted transaction processing
• Segregation of duties for data entry and processing

Risk Drivers:
• Processing inefficiencies and reworks due to incomplete, invalid or inaccurate data entry
• Compromised integrity of critical data
• Data entry errors undetected
• Unauthorised data entry

Control Practices:
1. Ensure that transaction data are verified as close to the data entry point as possible and interactively during online sessions. Ensure that transaction data, whether people-generated, system-generated or interfaced inputs, are subject to a variety of controls to check for accuracy, completeness and validity. Wherever possible, do not stop transaction validation after the first error is found. Provide understandable error messages immediately such that they enable efficient remediation.

[...]

4. Processing Integrity and Validity

Control Objective: Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.

Value Drivers:
• Processing errors detected in a timely manner
• Ability to investigate problems

Risk Drivers:
• Insufficient evidence of errors or misuse
• Data entry errors undetected
• Unauthorised data processing

Control Practices:
1. Establish and implement mechanisms to authorise the initiation of transaction processing and to enforce that only appropriate and authorised applications and tools are used.

[...]

10. Reconcile file totals. For example, a parallel control file that records transaction counts or monetary value as data should be processed and then compared to master file data once transactions are posted. Identify, report and act upon out-of-balance conditions.

5. Output Review, Reconciliation and Error Handling

Control Objective: Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient and protected during transmission; that verification, detection and correction of the accuracy of output occur; and that information provided in the output is used.

Value Drivers:
• Sensitive data output protected
• Complete and error-free processing results delivered to the right recipient
• Errors detected in a timely manner

Risk Drivers:
• Sensitive transaction data delivered to wrong recipient
• Compromised data confidentiality
• Inefficient transaction processing
• Transaction data output errors undetected

Control Practices:
1. When handling and retaining output from IT applications, follow defined procedures and consider privacy and security requirements. Define, communicate and follow procedures for the distribution of output.

[...]

6. Transaction Authentication and Integrity

Control Objective: Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.

Value Drivers:
• Straight-through processing
• Confidence in validity and authenticity of transactions
• Errors and misuse prevented

Risk Drivers:
• Erroneous and/or unauthorised transactions
• Transaction errors undetected
• Inefficiencies and rework

Control Practices:
1. Where transactions are exchanged electronically, establish an agreed-upon standard of communication and mechanisms necessary for mutual authentication, including how transactions will be represented, the responsibilities of both parties and how exception conditions will be handled.
2. Tag output from transaction processing applications in accordance with industry standards to facilitate counterparty authentication, provide evidence of non-repudiation, and allow for content integrity verification upon receipt by the downstream application.
3. Analyse input received from other transaction processing applications to determine authenticity of origin and the maintenance of the integrity of content during transmission.

Grzegorz Albinowski edited this post on 17.03.11 at 13:49
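Several of the practices quoted above are mechanical enough to exercise in code: the parallel control file with transaction counts and monetary totals (section 4, practice 10), unique sequential transaction identifiers (section 1, practice 5), and tagging output so the downstream application can check origin and content integrity on receipt (section 6, practices 2 and 3). The example below is added here and is not ISACA's material or the poster's code; it assumes a shared HMAC key agreed between the two applications and a constructed JSON batch layout.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Hypothetical key agreed between sender and receiver (constructed for the demo).
SHARED_KEY = b"demo-shared-key-not-for-production"

def _payload(transactions, control):
    # Canonical serialisation so both sides tag exactly the same bytes.
    body = json.dumps(transactions, sort_keys=True, separators=(",", ":"))
    return (body + "|" + json.dumps(control, sort_keys=True)).encode()

def tag_batch(transactions, key=SHARED_KEY):
    # Parallel control record (count and monetary total, section 4 practice 10)
    # plus an HMAC tag over transactions and control record (section 6 practice 2).
    control = {
        "count": len(transactions),
        "total": str(sum(Decimal(t["amount"]) for t in transactions)),
    }
    tag = hmac.new(key, _payload(transactions, control), hashlib.sha256).hexdigest()
    return {"transactions": transactions, "control": control, "tag": tag}

def verify_batch(batch, key=SHARED_KEY):
    # Receiver-side checks (section 6 practice 3); empty list means accepted.
    findings = []
    posted, control = batch["transactions"], batch["control"]
    expected = hmac.new(key, _payload(posted, control), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, batch["tag"]):
        findings.append("tag mismatch: origin or content not authentic")
    if len(posted) != control["count"]:
        findings.append(f"count out of balance: {len(posted)} != {control['count']}")
    total = sum(Decimal(t["amount"]) for t in posted)
    if total != Decimal(control["total"]):
        findings.append(f"total out of balance: {total} != {control['total']}")
    ids = [t["id"] for t in posted]
    if posted and ids != list(range(ids[0], ids[0] + len(ids))):
        findings.append("identifiers not unique and sequential")
    return findings

# Constructed sample batch of three transactions.
SAMPLE = [{"id": 1, "amount": "100.00"}, {"id": 2, "amount": "250.50"},
          {"id": 3, "amount": "-30.25"}]

if __name__ == "__main__":
    print("clean:", verify_batch(tag_batch(SAMPLE)))
    tampered = tag_batch(json.loads(json.dumps(SAMPLE)))
    tampered["transactions"][1]["amount"] = "2500.50"
    print("tampered:", verify_batch(tampered))
```

A tampered amount trips both the tag check and the control total, while a lost transaction additionally shows up as a count mismatch; the separate checks give the auditor evidence of which control failed.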
Grzegorz Albinowski
Senior Business Consultant, Transition Project Manager

Topic: Application risk analysis

In addition, the Risk IT framework document defines the need to analyse risk in the COBIT processes (IT service management) and VAL IT processes (IT project portfolio management) listed below, which also has an impact on application risk.

The corresponding Value + Risk Drivers are available in the ISACA documents: the Control Practices cited earlier and the COBIT online service.


[image]
