Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Version: Draft
July 2005
Table of Contents
Document History................................................................................................................ 3
1.Introduction.......................................................................................................................4
1.1.Purpose ......................................................................................................................5
1.2.Disclaimer.................................................................................................................. 5
1.3.Location and Currency of Document......................................................................... 5
2.Objective........................................................................................................................... 5
3.Notations........................................................................................................................... 6
3.1Example...................................................................................................................... 6
4.Development Approach.................................................................................................... 7
5. Verification & Validation.............................................................................................. 7
6.References.........................................................................................................................7
Document History
Name Date Comments Version
Mahesh Ahuja 31/07/05 1.0
1. Introduction
A risk is a future event which may adversely affect the project. The risk is defined as:
“The potential that a given threat will exploit vulnerabilities of an asset or group of
assets to cause loss or damage to the assets.”
The impact or relative severity of the risk is proportional to the business value of the
loss / damage and to the estimated frequency of the threat.
In this context, risk has the following elements:
Threats to, and vulnerabilities of, processes and/or assets (including both physical
and information assets)
Impact on assets based on threats and vulnerabilities
Probabilities of threats (combination of the likelihood and frequency of
occurrence)
Business Risks are those threats that may impact the assets, or processes, or objectives of
a specific business or organization. The nature of these threats may be financial,
regulatory or operational and may arise as a result of the interaction of the business with
its environment or as a result of the strategies, systems, processes, procedures, and
information used by the business.
The process of risk management begins with identifying business objectives, information
assets and the underlying systems or information resources that generate/store, use or
manipulate the assets (hardware, software, databases, networks, facilities, people etc.)
critical to achieving these objectives.
1.1.Purpose
This document provides help in preparing the risk catalog for the business or an
organization or specific project in focus. The catalog will help in deriving Risk
Management Process.
1.2.Disclaimer
EGD accepts no liability for the content of this document, or for the consequences of any
actions taken on the basis of the information provided, unless that information is
subsequently confirmed in writing.
2. Objective
The prime objective is to identify and manage the risks before they will exploit
vulnerabilities of an asset or group of assets to cause loss or damage to the business.
3. Notations
Content Description
Risk identification <<High Level Description of Risk>>
Risk Probability <<Likelihood of occurrence. It may be High, Medium or Low”>>
Risk Impact << Based on threats and vulnerabilities. It may be High, Medium or Low>>
Status
Risk description <<Description in Detail>>
Risk Consequences <<How it impacts the business. What losses can happen if Risk is not
managed properly >>
Risk Mitigation <<How the Risk can be taken the edge off>>
3.1 Example
Content Description
Risk identification IT-literacy in Federal Government
Risk Probability High
Risk Impact High
Status Open
Risk description Currently, few persons at the Federal Government are IT literate.
Risk Consequences The usage of deployed systems and basic infrastructure and the adoption of
new e-enabled processes will be very low.
Risk Mitigation Basic computer training be made mandatory for all Federal Government
employees of Grade BPS-5 and above. Additionally, Ministry and role specific
training should be imparted to ensure maximum usage and benefit realization
from E-Government programs.
4. Development Approach
6. References
6.1 2003 CISA Review Manual