risk management

IT Security Plan Template


A. APPLICATION/SYSTEM IDENTIFICATION


A.1 Application/System Category
- Indicate whether the application/system is a Major Application or a General Support System.
- A Major Application is "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application."
- A General Support System is an "interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people."

Why we need to implement User Naming Convention based on ISO27001

All user accounts in use within the organization should be domain accounts, not local accounts held in each workstation's local user account database. The benefits of implementing a standard user naming convention are:

1. Enable the domain administrator to better manage, support and secure the user accounts.
2. Facilitate ease of management and support.

Risk Register Template for IT & Project Management

1. BASIC RISK INFORMATION
Risk Number: Provide a unique identifier for risk

Risk Description / Risk Event Statement: A risk event statement states (i) what might happen in the future and (ii) its possible impact on the project. "Weather" is not a risk event statement. "Bad weather may delay the project" is a risk event statement.

Responsible: Name or title of team member responsible for risk

Date Reported

Top 27 Basic Cause of Project Risk and Failure

1. Strategic alignment did not match the business goals.
2. There were communication breakdowns.
3. Up-front buy-in was not obtained.
4. User involvement was inadequate.
5. There were poor user inputs.
6. Stakeholder conflicts existed.
7. The requirements were vague.
8. User requirements were not firmly nailed down.
9. User requirements may have changed midway.
10. Poor cost and schedule estimates existed.

SAS70 Outsourcing Project Implementation Contracts Evaluation Checklist

Purpose
This section describes in simple terms the purpose of the evaluation, how it relates to the customer, and the benefits the organization will receive from the evaluation process. It is essential that you use common terminology relevant to the organization to ensure that this material is understood.

Methodology
This section describes the methodology that will be used to conduct the evaluation. This is a good place to emphasize the IEM as a standard methodology to conduct technical INFOSEC evaluations, developed and approved by the National Security Agency. This section includes the phases, processes, and steps to be used during the evaluation.

Scope
This section is a detailed demonstration of the level of effort, boundaries, and limitations of the evaluation. Appropriate assumptions are a critical part of the scoping process. The scope section provides a detailed listing of known assumptions affecting the evaluation. Assumptions are critical in demonstrating an understanding of the customer environment and detailing how that environment will affect the evaluation. The types of assumptions may include number of physical locations, number and type of systems, number and type of networks, relevant POC information, information about scheduling of the technical scans and conducting the 10 baseline IEM activities, and any associated constraints that can be listed as assumptions.

Roles and responsibilities of customer staff
