Checklist for Infrastructure risk assessment


  1. Dependence on technology
    • Level of automation
      • All
      • Extensive
      • Many
      • Some
      • Few
    • Sophistication
      • Leading edge
      • Real time
      • Mix of real time and batch
      • Batch mode
      • Basic
    • Allowable downtime
      • Greater than an hour
      • Greater than a day
      • Greater than a week
      • Greater than a month
      • Revert to paper
  2. External interaction
    • Outsourcing
      • Complete outsource
      • Most key activities outsourced
      • Outsourcing of some key activities
      • Some outsourcing
      • No outsourcing
    • Partners and contractors
      • Untested suppliers
      • Less well known suppliers
      • Range of partners with some smaller suppliers
      • Established partners
      • Reputable partners
    • Business unit user computing external to the system
      • Vital part of operations
      • Supplemental
      • Regular
      • Some
      • Minimal
  3. Skills and resources
    • Qualification and training
      • Inexperienced and inadequately trained staff
      • Poorly trained staff
      • Mix of qualified and inexperienced staff
      • Good range of skilled staff
      • High calibre of staff
    • Workload
      • Insufficient resources
      • Shortfall in resources
      • Resources adequate for current needs and informal planning of future needs
      • Sufficient staff to meet current workload
      • At predetermined levels
    • Management structure
      • No management
      • No management defined
      • Management function suitable for current resources
      • Accountability is clear
      • High level enterprise representation
    • Staff churn
      • No stability
      • Low morale
      • Regular churn
      • Limited churn and satisfactory replacement strategy
      • Negligible churn
  4. Changing environment
    • Major projects
      • Extremely high activity stretching resources to the limit
      • High volume with intermittent capacity problems
      • Within resource ability
      • Limited
      • Minimal
    • Custom development
      • Extremely high activity of development
      • High volume of development activity
      • Balanced development and packaged solutions
      • Majority of solutions are packaged
      • Packaged solutions
    • Leading edge technology
      • Leading edge technology
      • New technology introduced
      • Some level of recent technology change
      • Low level of technology change
      • Stable technology
    • Business resources
      • All business activities being reorganised
      • Major reorganisation
      • Some core business processes reorganised
      • Some elements of the business reorganised
      • No significant changes
  5. Reliability of systems
    • Complexity
      • Very large and complex systems
      • Large systems
      • Moderately large systems
      • Majority simple systems
      • Small or simple systems
    • Fragmentation
      • Separate ‘islands’ of systems
      • Majority of information is relayed manually
      • Resources adequate for current needs and informal planning of future needs
      • Interfaces between systems automated
      • Fully integrated
    • Scalability
      • Environment is volatile
      • Difficult to predict changes
      • Occasional emergency changes
      • Changes can be predicted
      • Demand is stable
    • Error rate
      • Constant error rate
      • Regular error rate
      • Occasional errors
      • Errors rare
      • No errors
    • Stability
      • Systems inflexible and majority of needs are not addressed
      • Systems inflexible
      • Delays experienced
      • Stable and all key needs addressed
      • Systems are stable and all needs addressed
  6. Focus on business environment
    • Business interaction
      • No coordination with business
      • Some involvement of business
      • Business needs considered in strategy
      • Business requirements a priority
      • Strategic part of business
    • Management awareness
      • Management and business users are not aware of value and risk of systems
      • Management aware of value and risk but business users are not
      • High level addressed and limited knowledge of lower levels
      • Understanding of systems is a high priority
      • Full awareness of value and risk
    • Satisfy requirements
      • Requirements not addressed
      • Systems unsatisfactory
      • Systems satisfy core requirements
      • Most systems satisfy requirements
      • Business needs are satisfied
  7. Value of information
    • Fraud
      • Business has highly desirable assets
      • Significant range of valuable information
      • Some valuable information
      • Information not valuable
      • Minimal desirable assets
    • Legislation
      • Highly regulated
      • Extensive regulation and compliance activity
      • Some systems need to be adapted for compliance
      • Some relevance
      • Minimal impact
    • Data sensitivity
      • Information is highly sensitive and confidential
      • Highly confidential information stored
      • Important information stored
      • Limited storage of information
      • Minimal system use
    • Reputation
      • Company involved in highly sensitive activity
      • Company has high profile
      • Company is well known
      • Little reason for damage to reputation
      • Low profile
