
This template was purchased by AuditNet from a third party under a work for hire
agreement. However, while we have attempted to provide accurate information no
representation is made or warranty given as to the completeness or accuracy of the
template. In particular, you should be aware that the template may be incomplete,
may contain errors, or may have become out of date. While every reasonable
precaution has been taken in the preparation of this template, neither the author
nor AuditNet assumes responsibility for errors or omissions, or for damages
resulting from the use of the information contained herein. The information
contained in this document is believed to be accurate. However, no guarantee is
provided. Use this information at your own risk.
Thank you for sharing your document(s) with AuditNet. You will receive the agreed upon compensation
for each working paper that we accept subject to answering the due diligence questions and
certification required by our attorney.
The audit working papers (programs or documents) you send must be original and
current. You must have either created the documents or have permission from whoever prepared
them or from your organization to share. They must be in Word or Excel format (Excel preferred).
Based on advice from legal counsel, before we accept the material and process your payment we need
to perform due diligence on what you are sharing. You must answer these questions and your email
response will be considered an electronic signature for purposes of this statement.
Name:
Organization:
Title of the Audit Working Paper(s)
a) Are you the author of the Materials (are the Materials original works that you created)?
b) Please provide a brief explanation of the purpose of the working paper:
c) Please provide the audit objectives for the working paper:
d) By submitting the Materials or other communication or content after receipt of this notice, you
grant AuditNet permission to, on an irrevocable, perpetual, worldwide and royalty-free basis,
reproduce, distribute, display, perform, read, enhance, adapt, modify, create derivative works or use
the Submitted Materials and any other such communication or content on this site, on any other site
and anywhere throughout the world in all media?
e) Please provide the industry sector for your contribution. (i.e. life insurance, banking, energy etc.)
f) Please provide the functional area for your audit program.
g) Please provide several keywords to help categorize programs and facilitate searches.
h) Please ensure that you have removed (scrubbed) all confidential or proprietary information such
as company name, employee name, email addresses, social security numbers, etc.
Your name and email address will not be added to the Materials.
Certification
I hereby certify that I am the author of the materials shared or have written permission from the
author and/or the organization that I work for in the form of a transfer of all rights or a license
from the author to grant use of the Materials to AuditNet. By submitting the Materials or other
communication or content after receipt of this notice, I hereby grant AuditNet permission to, on an
irrevocable, perpetual, worldwide and royalty-free basis, reproduce, distribute, display, perform,
read, enhance, adapt, modify, create derivative works or use the Submitted Materials and any other
such communication or content on this site, on any other site and anywhere throughout the world in
all media.
Date: 8/16/13
MULTI-DIMENSIONAL RISK ASSESSMENT
Yes
Covering technical, human and natural threats, this Risk Assessment provides global coverage of
threats, categorizing and rating them simultaneously.
A. A basis for study of patterns and trends.
B. Aid in the internal audit staff's professional development.
C. Detailed supporting material for use in discussion with operating personnel.
D. A source of evidence in litigation and in administrative actions.
E. A basis for supervisory review and evaluation of audit performance.
F. A permanent record for use in planning and carrying out future audits.
Yes
All
Strategy and Planning
Risk, Assessment, Threats, Analysis
Correct
Affirmed
Steps to fill out risk analysis:
1. Identify Major Application(s)
2. Identify General Support System(s)
3. Evaluate the Likelihood of Occurrence and Impact Severity.
4. Use past experience and/or vulnerability test results to increase/decrease likelihood ratings.
5. Add any additional threats.
6. Once you have developed an action plan to decrease risks, rerun the tool to get new ratings.
Recommendations are examples of actions you can take to mitigate high risk items.
MULTI-DIMENSIONAL RISK ASSESSMENTS
246133395.xlsx.ms_office
Client:
Major Application:
Threat categories | Likelihood of occurrence | Impact severity | Risk level
Human threats
1 Data entry errors or omissions 15
2 Inadvertent acts or carelessness 12
3 Impersonation 15
4 Shoulder surfing 9
5 User abuse or fraud 24
6 Theft, sabotage, vandalism or physical intrusions 18
7 Espionage 12
Technical threats
1 Misrepresentation of identity 12
2 Intrusion or unauthorized access to system resources 24
3 Data/system contamination 24
4 Eavesdropping 24
5 Insertion of malicious software or unauthorized modification of database 24
6 Takeover of authorized session 24
7 System and application errors, failures, and intrusions not properly audited and logged 42
General Support System:
Environmental and physical threats
1 Environmental conditions 8
2 EMI 8
3 Hazardous material accident 8
4 Physical cable cuts 8
5 Power fluctuation 16
6 Secondary disasters 8
Human threats
1 Arson 12
2 Improper disposal of sensitive media 24
3 Shoulder surfing 24
HIPAAssociates Confidential 10/1/2014 Page 7
4 Inadvertent acts or carelessness 24
5 Omissions 30
6 Procedural violation 30
7 Scavenging 24
8 Theft, sabotage, vandalism or physical intrusions 18
9 User abuse 24
10 Espionage 12
11 Labor unrest 30
12 Terrorism 12
13 Riot/civil disorder 6
Natural threats
1 Natural disaster 12
2 Secondary disaster 12
Technical threats
1 Data/system contamination 24
2 Compromising emanations 20
3 Corruption by system, system errors, or failures 24
4 Eavesdropping 24
5 Misuse of known software weaknesses 12
6 Hardware/equipment failure 18
7 Insertion of malicious software or unauthorized modification of database 30
8 Installation errors 25
9 Intrusion or unauthorized access to system resources 24
10 Jamming (Telecommunications) 8
11 Impersonation 18
12 Saturation of communications or resources 12
13 Tampering 12
Likelihood of occurrence
1 Negligible Unlikely to occur
2 Very low Likely to occur 2/3 times every 5 years
3 Low Likely to occur once every year or less
4 Medium Likely to occur every 6 months or less
5 High Likely to occur once every month or less
6 Very high Likely to occur multiple times per month
7 Extreme Likely to occur multiple times per day
Impact severity
1 Insignificant
2 Minor
3 Significant
4 Damaging
5 Serious
6 Critical
