This template was purchased by AuditNet from a third party under a work for hire agreement. However, while we have attempted to provide accurate information, no representation is made or warranty given as to the completeness or accuracy of the template. In particular, you should be aware that the template may be incomplete, may contain errors, or may have become out of date. While every reasonable precaution has been taken in the preparation of this template, neither the author nor AuditNet assumes responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. The information contained in this document is believed to be accurate. However, no guarantee is provided. Use this information at your own risk.

Thank you for sharing your document(s) with AuditNet. You will receive the agreed upon compensation for each working paper that we accept, subject to answering the due diligence questions and certification required by our attorney. The audit working papers (programs or documents) you send must be original and current. You must have either created the documents or have permission from whoever prepared them or from your organization to share. They must be in Word or Excel format (Excel preferred).

Based on advice from legal counsel, before we accept the material and process your payment we need to perform due diligence on what you are sharing. You must answer these questions and your email response will be considered an electronic signature for purposes of this statement.

Name:
Organization:
Title of the Audit Working Paper(s)
    Response: MULTI-DIMENSIONAL RISK ASSESSMENT

a) Are you the author of the Materials (are the Materials original works that you created)?
    Response: Yes

b) Please provide a brief explanation of the purpose of the working paper:
    Response: Covering technical, human and natural threats, this Risk Assessment provides global coverage of threats, categorizing and rating them simultaneously.

c) Please provide the audit objectives for the working paper:
    Response:
    A. A basis for study of patterns and trends.
    B. Aid in the internal audit staff's professional development.
    C. Detailed supporting material for use in discussion with operating personnel.
    D. A source of evidence in litigation and in administrative actions.
    E. A basis for supervisory review and evaluation of audit performance.
    F. A permanent record for use in planning and carrying out future audits.

d) By submitting the Materials or other communication or content after receipt of this notice, you grant AuditNet permission to, on an irrevocable, perpetual, worldwide and royalty-free basis, reproduce, distribute, display, perform, read, enhance, adapt, modify, create derivative works or use the Submitted Materials and any other such communication or content on this site, on any other site and anywhere throughout the world in all media?
    Response: Yes

e) Please provide the industry sector for your contribution. (i.e. life insurance, banking, energy etc.)
    Response: All

f) Please provide the functional area for your audit program.
    Response: Strategy and Planning

g) Please provide several keywords to help categorize programs and facilitate searches.
    Response: Risk, Assessment, Threats, Analysis

h) Please ensure that you have removed (scrubbed) all confidential or proprietary information such as company name, employee name, email addresses, social security numbers, etc. Your name and email address will not be added to the Materials.
    Response: Correct

Certification
I hereby certify that I am the author of the materials shared or have written permission from the author and/or the organization that I work for in the form of a transfer of all rights or a license from the author to grant use of the Materials to AuditNet. By submitting the Materials or other communication or content after receipt of this notice, I hereby grant AuditNet permission to, on an irrevocable, perpetual, worldwide and royalty-free basis, reproduce, distribute, display, perform, read, enhance, adapt, modify, create derivative works or use the Submitted Materials and any other such communication or content on this site, on any other site and anywhere throughout the world in all media.
    Response: Affirmed

Date: 8/16/13

Steps to fill out risk analysis:
1. Identify Major Application(s)
2. Identify General Support System(s)
3. Evaluate the Likelihood of Occurrence and Impact Severity.
4. Use past experience and/or vulnerability test results to increase/decrease likelihood ratings.
5. Add any additional threats.
6. Once you have developed an action plan to decrease risks, rerun the tool to get new ratings.

Recommendations are examples of actions you can take to mitigate high risk items.

MULTI-DIMENSIONAL RISK ASSESSMENTS

HIPAAssociates Confidential 10/1/2014

Client:

Major Application:

Human threats

| # | Threat categories | Likelihood of occurrence | Impact severity | Risk level |
|---|---|---|---|---|
| 1 | Data entry errors or omissions | | | 15 |
| 2 | Inadvertent acts or carelessness | | | 12 |
| 3 | Impersonation | | | 15 |
| 4 | Shoulder surfing | | | 9 |
| 5 | User abuse or fraud | | | 24 |
| 6 | Theft, sabotage, vandalism or physical intrusions | | | 18 |
| 7 | Espionage | | | 12 |

Technical threats

| # | Threat categories | Likelihood of occurrence | Impact severity | Risk level |
|---|---|---|---|---|
| 1 | Misrepresentation of identity | | | 12 |
| 2 | Intrusion or unauthorized access to system resources | | | 24 |
| 3 | Data/system contamination | | | 24 |
| 4 | Eavesdropping | | | 24 |
| 5 | Insertion of malicious software or unauthorized modification of database | | | 24 |
| 6 | Takeover of authorized session | | | 24 |
| 7 | System and application errors, failures, and intrusions not properly audited and logged | | | 42 |

General Support System:

Environmental and physical threats

| # | Threat categories | Likelihood of occurrence | Impact severity | Risk level |
|---|---|---|---|---|
| 1 | Environmental conditions | | | 8 |
| 2 | EMI | | | 8 |
| 3 | Hazardous material accident | | | 8 |
| 4 | Physical cable cuts | | | 8 |
| 5 | Power fluctuation | | | 16 |
| 6 | Secondary disasters | | | 8 |

Human threats

| # | Threat categories | Likelihood of occurrence | Impact severity | Risk level |
|---|---|---|---|---|
| 1 | Arson | | | 12 |
| 2 | Improper disposal of sensitive media | | | 24 |
| 3 | Shoulder surfing | | | 24 |
| 4 | Inadvertent acts or carelessness | | | 24 |
| 5 | Omissions | | | 30 |
| 6 | Procedural violation | | | 30 |
| 7 | Scavenging | | | 24 |
| 8 | Theft, sabotage, vandalism or physical intrusions | | | 18 |
| 9 | User abuse | | | 24 |
| 10 | Espionage | | | 12 |
| 11 | Labor unrest | | | 30 |
| 12 | Terrorism | | | 12 |
| 13 | Riot/civil disorder | | | 6 |

Natural threats

| # | Threat categories | Likelihood of occurrence | Impact severity | Risk level |
|---|---|---|---|---|
| 1 | Natural disaster | | | 12 |
| 2 | Secondary disaster | | | 12 |

Technical threats

| # | Threat categories | Likelihood of occurrence | Impact severity | Risk level |
|---|---|---|---|---|
| 1 | Data/system contamination | | | 24 |
| 2 | Compromising emanations | | | 20 |
| 3 | Corruption by system, system errors, or failures | | | 24 |
| 4 | Eavesdropping | | | 24 |
| 5 | Misuse of known software weaknesses | | | 12 |
| 6 | Hardware/equipment failure | | | 18 |
| 7 | Insertion of malicious software or unauthorized modification of database | | | 30 |
| 8 | Installation errors | | | 25 |
| 9 | Intrusion or unauthorized access to system resources | | | 24 |
| 10 | Jamming (Telecommunications) | | | 8 |
| 11 | Impersonation | | | 18 |
| 12 | Saturation of communications or resources | | | 12 |
| 13 | Tampering | | | 12 |

Likelihood of occurrence

| Rating | Level | Description |
|---|---|---|
| 1 | Negligible | Unlikely to occur |
| 2 | Very low | Likely to occur 2/3 times every 5 years |
| 3 | Low | Likely to occur once every year or less |
| 4 | Medium | Likely to occur every 6 months or less |
| 5 | High | Likely to occur once every month or less |
| 6 | Very high | Likely to occur multiple times per month |
| 7 | Extreme | Likely to occur multiple times per day |

Impact severity

| Rating | Level |
|---|---|
| 1 | Insignificant |
| 2 | Minor |
| 3 | Significant |
| 4 | Damaging |
| 5 | Serious |
| 6 | Critical |