Checklist for Infrastructure risk assessment

1. Dependence on technology
   
   • Level of automation
     
     • All
     • Extensive
     • Many
     • Some
     • Few
   • Sophistication
     
     • Leading edge
     • Real time
     • Mix of real time and batch
     • Batch mode
     • Basic
   • Allowable downtime
     
     • Greater than an hour
     • Greater than a day
     • Greater than a week
     • Greater than a month
     • Revert to paper
2. External interaction
   
   • Outsourcing
     
     • Complete outsource
     • Most key activities outsourced
     • Outsourcing of some key activities
     • Some outsourcing
     • No outsourcing
   • Partner and contracters
     
     • Untested suppliers
     • Less well known suppliers
     • Range of partners with some smaller suppliers
     • Established partners
     • Reputable partners
   • Business unit user computing external to the system
     
     • Vital part of operations
     • Supplemental
     • Regular
     • Some
     • Minimal
3. Skills and resources
   
   • Qualification and training
     
     • Inexperienced and inadequately trained staff
     • Poorly trained staff
     • Mix of qualified and inexperienced staff
     • Good range of skilled staff
     • High calibre of staff
   • Workload
     
     • Insufficient resources
     • Shortfall in resources
     • Resources adequate for current needs and informal planning of future needs
     • Sufficient staff to meet current workload
     • At predetermined levels
   • Management structure
     
     • No management
     • No management defined
     • Management function suitable for current resources
     • Accountability is clear
     • High level enterprise representation
   • Staff churn
     
     • No stability
     • Low morale
     • Regular churn
     • Limited churn and satisfactory replacement strategy
     • Negligible churn
4. Changing environment
   
   • Major projects
     
     • Extremely high activity stretching resources to the limit
     • High volume with intermittent capacity problems
     • Within resource ability
     • Limited
     • Minimal
   • Custom development
     
     • Extremely high activity of development
     • High volume of development activity
     • Balanced development and packaged solutions
     • Majority of solutions are packaged
     • Packaged solutions
   • Leading edge technology
     
     • Leading edge technology
     • New technology introduced
     • Some level of recent technology change
     • Low level of technology change
     • Stable technology
   • Business resources
     
     • All business activities being reorganised
     • Major reorganisation
     • Some core business processes reorganised
     • Some elements of the business reorganised
     • No significant changes
5. Reliability of systems
   
   • Complexity
     
     • Very large and complex systems
     • Large systems
     • Moderately large systems
     • Majority simple systems
     • Small or simple systems
   • Fragmentation
     
     • Separate ‘islands’ of systems
     • Majority of information is relayed manually
     • Resources adequate for current needs and informal planning of future needs
     • Interfaces between systems automated
     • Fully integrated
   • Scalablity
     
     • Environment is volatile
     • Difficult to predict changes
     • Occasional emergency changes
     • Changes can be predicted
     • Demand is stable
   • Error rate
     
     • Constant error rate
     • Regular error rate
     • Occasional errors
     • Errors rare
     • No errors
   • Stability
     
     • Systems inflexible and majority of needs are not addressed
     • Systems inflexible
     • Delays experienced
     • Stable and all key needs addressed
     • Systems are stable and all needs addressed
6. Focus on business environment
   
   • Business interaction
     
     • No coordination with business
     • Some involvement of business
     • Business needs considered in strategy
     • Business requirements a priority
     • Strategic part of business
   • Management awareness
     
     • Management and business users are not aware of value and risk of systems
     • Management aware of value and risk but business users are not
     • High level addressed and limited knowledge of lower levels
     • Understanding of systems is a high priority
     • Full awareness of value and risk
   • Satisfy requirements
     
     • Requirements not addressed
     • Systems unsatisfactory
     • Systems satisfy core requirements
     • Most systems satisfy requirement
     • Business needs are satisfied
7. Value of information
   
   • Fraud
     
     • Business has highly desirable assets
     • Significant range of valuable information
     • Some valuable information
     • Information not valuable
     • Minimal desirable assets
   • Legislation
     
     • Highly regulated
     • Extensive regulation and compliance activity
     • Some systems need to be adapted for compliance
     • Some relevance
     • Minimal impact
   • Data sensitivity
     
     • Information is highly sensitive and confidential
     • High confidential information stored
     • Important information stored
     • Limited storage of information
     • Minimal system use
   • Reputation
     
     • Company involved in highly sensitive activity
     • Company has high profile
     • Company is well known
     • Little reason for damage to reputation
     • Low profile