
Management Dashboard - Issues & Risks

Issue Summary                       Risk Summary
  Open               0                Open               42
  Closed             0                Closed              0
  In Progress        0                In Progress         0
  Monitoring         0                Monitoring          0
  Resolved           0                Resolved            0
  Low Impact         0                Low                 0
  Med Impact         0                Moderate            0
  High Impact        0                High                0
  Low Priority       0                Extreme             0
  Med Priority       0                Total Risks        42
  High Priority      0
  Total Issues       0

Issue Type Summary                  Risk Type Summary
  Strategic          0                Strategic           6
  Financial          0                Financial           6
  Regulatory         0                Regulatory          7
  Management         0                Management          4
  Operational        0                Operational        19

[Charts: Issue Status and Risk Status (Open / Closed / In Progress / Monitoring / Resolved); Risk & Issue Types (count per Strategic, Financial, Regulatory, Management, Operational for Risk Type and Issue Type); Total Risk Ratings (count per Low, Moderate, High, Extreme)]

Last Review Date: 21-02-2014 Record Number: 00676480


Cloud Computing Risk Log

Columns: Ref No | Risk Type | Risk Control Area | Risk Issue | Date Logged | Impact Rating | Likelihood Rating | Risk Rating | Mitigation Actions | Risk Owner | Last Reviewed | Current Likelihood Rating | Current Impact Rating | Status

For every risk listed below the Impact Rating and Likelihood Rating dropdowns are unselected, the Risk Rating is N/A, the Status is Open, and the remaining columns (Date Logged, Mitigation Actions, Risk Owner, Last Reviewed, Current Likelihood Rating, Current Impact Rating) are blank.

R1 | Management | Governance & Enterprise Risk Management
    Lack of effective internal information security governance, risk management and compliance, and alignment with the provider's own security governance.

R2 | Management | Data Protection Risks
    Risk of adequate Data Protection no longer being maintained to a compliant level.

R3 | Management | Sensitive Media Sanitisation
    Media cannot be physically destroyed, cannot be properly identified, or no adequate procedure is in place.

R4 | Management | Information Management and Data Security
    Loose identification of sensitive data, or protection of data in transit or stored in the cloud, and prevention of data leakage.

R5 | Regulatory | Compliance and Audit Management
    Risk of failing to comply with government-mandated and industry-specific regulations and standards, and failure to get audit information from the provider.

R6 | Regulatory | Legal Issues: Contracts and Electronic Discovery
    Storage, processing, disclosure to third parties, or transfer to other legal jurisdictions of personal data, and the risk of the provider not being able to produce business data in case of subpoena.

R7 | Regulatory | Incident Response
    Failure of the provider to detect and handle incidents and to report them to the agency with data that can be analysed easily to satisfy legal requirements in case of forensic investigations.

R8 | Regulatory | Audit or Certification unavailable
    The system cannot be audited and/or certified as it should be.

R9 | Regulatory | Compliance Degradation
    Failure in achieving or maintaining compliance (to regulation, governance, standards).

R10 | Regulatory | Governance Degradation
    The agency might relinquish control to the provider on a number of issues which may affect overall governance.

R11 | Regulatory | Storage of data in multiple jurisdictions and lack of transparency
    Mirroring data for delivery and redundant storage without actualised information as to where the data is stored. The agency may unknowingly violate regulations, especially if clear information is not provided about the jurisdiction of storage.

R12 | Strategic | Interoperability and Portability
    Unable to make business applications interoperate between providers, and lack of standards to minimise the risk of vendor lock-in.

AS/NZS 4360:2004 Risk Management

Each risk has been rated in terms of its likelihood of occurrence and its potential impact, using the rating system specified in AS/NZS 4360:2004 Risk Management. The rating system is explained in the tables below.

Table 1 - Types of Issues/Risks

Type                     Description
Strategic                Related to strategic mission and objectives.
Financial                Related to economic impact (costs, revenues, budgets).
Regulatory (Compliance)  Related to legal and contractual obligations; political or legislative impacts.
Management               Related to decision making, resources, policies, etc.
Operational (Technical)  Related to ICT delivery, support or management services.

Table 2 - Qualitative Measure of Likelihood

Level  Descriptor      Description                                     Frequency
A      Almost certain  Is expected to occur in most circumstances.     More than once per year
B      Likely          Will probably occur in most circumstances.      1 in 1 - 3 years
C      Possible        Might occur at some time.                       1 in 3 - 5 years
D      Unlikely        Could occur at some time.                       1 in 5 - 10 years
E      Rare            May occur in exceptional circumstances.         Less than 1 in 10 years

Table 3 - Qualitative Measure of Consequences of Impact

Level  Description   Example detail description
1      Insignificant No injuries, low financial loss, no risk to reputation.
2      Minor         First aid treatment, on-site release immediately contained, medium financial loss, some customer dissatisfaction.
3      Moderate      Medical treatment required, on-site release contained with outside assistance, high financial loss and public visibility.
4      Major         Extensive injuries, loss of production capability, invocation of disaster recovery with no detrimental effects, major financial loss.
5      Catastrophic  Death, off-site release with detrimental effect, huge financial loss.

Table 4 - Quantitative Measure of Consequences of Impact

Level  Description   Example detail description
1      Insignificant Nil / negligible
2      Minor         Under $500k
3      Moderate      Between $500k and $5m
4      Major         Between $5m and $20m
5      Catastrophic  Above $20m

Table 5 - Qualitative Risk Analysis Matrix

                                        Consequences
Likelihood               1 Insignificant  2 Minor  3 Moderate  4 Major  5 Catastrophic
A (almost certain)       H                H        E           E        E
B (likely)               M                H        H           E        E
C (possible)             L                M        H           E        E
D (unlikely)             L                L        M           H        E
E (rare)                 L                L        M           H        H

Key  Description
E    Extreme Risk: Immediate action required to mitigate the risk.
H    High Risk: Action should be taken to compensate for the risk.
M    Moderate Risk: Action should be taken to monitor the risk.
L    Low Risk: Routine acceptance of the risk.
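The rating procedure above (Table 2 likelihood level plus Table 3/4 consequence level, looked up in the Table 5 matrix, mapped to the required action) is mechanical enough to script, and scripting it lets you regenerate the dashboard's Risk Type Summary and Total Risk Ratings counts from the log instead of maintaining them by hand. The following is an added example, not part of the original template or of KineticIT's or the Department of Finance's tooling. The function names (rate, matrix_is_monotone, summarise) are my own, and the SAMPLE_RISKS entries reuse refs and types from the log but carry constructed likelihood and consequence values, since the log itself leaves every rating unset.

```python
"""Qualitative risk rating per the AS/NZS 4360:2004 matrix (Table 5).

Added example; the likelihood/consequence values in SAMPLE_RISKS are
constructed for illustration and are not ratings from the real log.
"""
from collections import Counter

# Table 2 likelihood levels, ordered from most to least likely.
LIKELIHOOD = ["A", "B", "C", "D", "E"]

# Table 5 rows keyed by likelihood; character index 0..4 is consequence 1..5.
MATRIX = {
    "A": "HHEEE",
    "B": "MHHEE",
    "C": "LMHEE",
    "D": "LLMHE",
    "E": "LLMHH",
}

# Table 5 key: the action each rating obliges the risk owner to take.
ACTION = {
    "E": "Extreme risk: immediate action required to mitigate",
    "H": "High risk: action should be taken to compensate",
    "M": "Moderate risk: action should be taken to monitor",
    "L": "Low risk: routine acceptance",
}

# Ordinal rank of each rating, used by the monotonicity check.
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def rate(likelihood: str, consequence: int) -> str:
    """Return the Table 5 rating (L/M/H/E) for a likelihood/consequence pair."""
    likelihood = likelihood.upper()
    if likelihood not in MATRIX:
        raise ValueError(f"likelihood must be one of {LIKELIHOOD}, got {likelihood!r}")
    if consequence not in range(1, 6):
        raise ValueError(f"consequence must be 1..5, got {consequence!r}")
    return MATRIX[likelihood][consequence - 1]


def matrix_is_monotone() -> bool:
    """Sanity check on the encoded table: a rating must never fall when
    either likelihood or consequence rises. A typo in MATRIX would show
    up here as a False result."""
    for i, row in enumerate(LIKELIHOOD):
        for c in range(1, 6):
            here = RANK[rate(row, c)]
            # Next consequence column (more severe) must not rate lower.
            if c < 5 and RANK[rate(row, c + 1)] < here:
                return False
            # Previous row (more likely) must not rate lower.
            if i > 0 and RANK[rate(LIKELIHOOD[i - 1], c)] < here:
                return False
    return True


def summarise(risks):
    """Reproduce the dashboard's Risk Type Summary and Total Risk Ratings
    counts for a list of rated risk dicts."""
    by_type = Counter(r["type"] for r in risks)
    by_rating = Counter(rate(r["likelihood"], r["consequence"]) for r in risks)
    return {
        "total": len(risks),
        "by_type": dict(by_type),
        "by_rating": {k: by_rating.get(k, 0) for k in "LMHE"},
    }


# Constructed sample: refs/types follow the log, ratings are illustrative.
SAMPLE_RISKS = [
    {"ref": "R1", "type": "Management", "likelihood": "C", "consequence": 3},
    {"ref": "R4", "type": "Management", "likelihood": "B", "consequence": 4},
    {"ref": "R7", "type": "Regulatory", "likelihood": "D", "consequence": 3},
    {"ref": "R11", "type": "Regulatory", "likelihood": "E", "consequence": 2},
    {"ref": "R12", "type": "Strategic", "likelihood": "B", "consequence": 2},
]

if __name__ == "__main__":
    assert matrix_is_monotone(), "Table 5 encoding is inconsistent"
    for r in SAMPLE_RISKS:
        rating = rate(r["likelihood"], r["consequence"])
        print(f"{r['ref']:>4} {r['likelihood']}/{r['consequence']} -> {rating}: {ACTION[rating]}")
    print(summarise(SAMPLE_RISKS))
```

Running it rates R4 (B/4) as Extreme and R11 (E/2) as Low, and the summary gives the per-type and per-rating counts the dashboard would display once the log's dropdowns are actually filled in. The monotonicity check is worth keeping when the matrix is ever edited: an inverted cell silently downgrades real risks and is hard to spot by eye.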

Table 6 - Issues/Risks status types

Type         Description
Open         New item identified and awaiting action.
Closed       Item closed, e.g. no longer a concern, rejected, etc.
In progress  Item undergoing treatment/mitigation activities.
Monitoring   Treatment/mitigation activities complete and being monitored.
Resolved     Item resolved through treatment/mitigation actions and resolution accepted by stakeholders.
Cloud Computing Issues Log

Columns: Ref No | Issue Type | Date Logged | Issue Control Area | Description | Impact | Priority | Last Update | Allocation Details/Update | Assigned To | Status | Deadline

Rows I1 to I50 are empty template rows: the Issue Type, Impact, Priority and Status dropdowns are unselected and all other fields are blank.

Document Control

Date        Version  Name and Position                                         Review type/status or amendments
7/7/2009    1.00     Provided by KineticIT under contract to the Dept of Finance  Final version - customised original Issue-Risk log template.
9/11/2013   1.10                                                               Updated and rebadged. Customised for DoF project management.
9/18/2013   1.20     Jack Hondros                                              Modified - increased issues and risk items.
12/13/2013  1.30     Jack Hondros                                              Additional content provided by Greg Stone - Chief Technology Officer, Microsoft Australia; Pierre Noel - Chief Security Advisor, Microsoft Asia; and James Kavanagh - Chief Security Advisor, Microsoft Australia.