Portfolio establishment and maintenance
- 0101 Wrong programmes are selected for implementation and are misaligned with corporate strategy and priorities.
- 0102 There is duplication between initiatives. Aligned initiatives have streamlined interfaces.
- 0103 A new important programme creates long-term incompatibility with the enterprise architecture.
- 0104 Competing resources are allocated and managed inefficiently and are misaligned to business priorities.
Programme/projects life cycle management
- 0201 Failing (due to cost, delays, scope creep, changed business priorities) projects are not terminated.
- 0202 There is an IT project budget overrun. The IT project is completed within agreed-on budgets.
- 0203 There is occasional late IT project delivery by an internal development department.
- 0204 Routinely, there are important delays in IT project delivery.
- 0205 There are excessive delays in outsourced IT development projects.
- 0206 Programmes/projects fail due to not obtaining the active involvement throughout the programme/project life cycle of all stakeholders (including sponsor).
IT investment decision making
- 0301 Business managers or representatives are not involved in important IT investment decision making (e.g., new applications, prioritisation, new technology opportunities).
- 0302 The wrong software, in terms of cost, performance, features, compatibility, etc., is selected for implementation.
- 0303 The wrong infrastructure, in terms of cost, performance, features, compatibility, etc., is selected for implementation.
- 0304 Redundant software is purchased.
IT expertise and skills
- 0401 There is a lack of or mismatched IT-related skills within IT, e.g., due to new technologies.
- 0402 There is a lack of business understanding by IT staff affecting the service delivery/projects quality.
- 0403 There are insufficient skills to cover the business requirements.
- 0404 There is an inability to recruit IT staff. The correct amount of IT staff, with appropriate skills and competencies, is attracted to support the business objectives.
- 0405 There is a lack of due diligence in the recruitment process.
- 0406 There is a lack of training leading to IT staff leaving.
- 0407 There is insufficient return on investment regarding training due to early leaving of trained IT staff (e.g., MBA).
- 0408 There is an overreliance on key IT staff. Job rotation ensures that nobody alone possesses the entire knowledge of the execution of a certain activity.
- 0409 There is an inability to update the IT skills to the proper level through training.
Staff operations (human error and malicious intent)
- 0501 Access rights from prior roles are abused. HR and IT administration co-ordinate on a frequent basis to ensure timely removal of access rights, avoiding the possibility of abuse.
- 0502 IT equipment is accidentally damaged by staff.
- 0503 There are errors by IT staff (during backup, during upgrades of systems, during maintenance of systems, etc.).
- 0504 Information is input incorrectly by IT staff or system users.
- 0505 The data centre is destroyed (sabotage, etc.) by staff.
- 0506 There is a theft of a device with sensitive data by staff.
- 0507 There is a theft of a key infrastructure component by staff.
- 0508 Hardware components were configured erroneously.
- 0509 Critical servers in the computer room were damaged (e.g., accident, etc.).
- 0510 Hardware was tampered with intentionally (security devices, etc.).
Information (data breach: damage, leakage and access)
- 0601 Hardware components are damaged, leading to (partial) destruction of data by internal staff.
- 0602 The database is corrupted, leading to retained at a second location.
- 0603 Portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed.
- 0604 Sensitive data is lost/disclosed through logical attacks.
- 0605 Backup media is lost or backups are not checked for effectiveness.
- 0606 Sensitive information is accidentally disclosed due to failure to follow information handling guidelines.
- 0607 Data (accounting, security-related data, sales figures, etc.) are modified intentionally.
- 0608 Sensitive information is disclosed through email or social media.
- 0609 Sensitive information is discovered due to inefficient retaining/archiving/disposing of information.
- 0610 IP is lost and/or competitive information is leaked due to key team members leaving the enterprise.
- 0611 The enterprise has an overflow of data and cannot derive the business-relevant information from the data (e.g., big data problem).
Architecture (architectural vision and design)
- 0701 The enterprise architecture is complex and inflexible, obstructing further evolution and expansion, leading to missed business opportunities.
- 0702 The enterprise architecture is not fit for purpose and not supporting the business priorities.
- 0703 There is a failure to adopt and exploit new infrastructure in a timely manner.
- 0704 There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner.
Infrastructure (hardware, operating system and controlling technology) (selection, implementation, operations and decommissioning)
- 0801 New (innovative) infrastructure is installed and as a result systems become unstable, leading to operational incidents, e.g., bring your own device (BYOD) programme.
- 0802 The systems cannot handle transaction volumes when user volumes increase.
- 0803 The systems cannot handle system load when new applications or initiatives are deployed.
- 0804 Intermittently, there are failures of utilities (telecom, electricity).
- 0805 The IT in use is obsolete and cannot satisfy new business requirements (networking, security, database, storage, etc.).
- 0806 Hardware fails due to overheating.
- 0901 There is an inability to use the software to realise desired outcomes (e.g., failure to make required business model or organisational changes).
- 0902 Immature software (early adopters, bugs, etc.) is implemented.
- 0903 The wrong software (cost, performance, features, compatibility, etc.) is selected for implementation.
- 0904 There are operational glitches when new software is made operational.
- 0905 Users cannot use and exploit new application software.
- 0906 Intentional modification of software leads to wrong data or fraudulent actions.
- 0907 Unintentional modification of software leads to unexpected results.
- 0908 Unintentional configuration and change management errors occur.
- 0909 Regular software malfunctioning of critical application software occurs.
- 0910 Intermittent software problems with important system software occur.
- 0911 Application software is obsolete.
- 0912 There is an inability to revert back to former versions in case of operational issues with the new version.
Business ownership of IT
- 1001 Business does not assume accountability over those IT areas it should, e.g., functional requirements, development priorities, assessing opportunities through new technologies.
- 1002 There is extensive dependency and use of end-user computing and ad hoc solutions for important information needs, leading to security deficiencies, inaccurate data or increasing costs/inefficient use of resources.
- 1003 Cost and ineffectiveness is related to IT-related purchases outside of the procurement process.
- 1004 Inadequate requirements lead to ineffective service level agreements (SLAs).
Supplier selection, performance, contractual compliance, termination of service and transfer
- 1101 There is a lack of supplier due diligence regarding financial viability, delivery capability and sustainability of the supplier's service.
- 1102 Unreasonable terms of business are accepted from IT suppliers.
- 1103 Support and services delivered by vendors are inadequate and not in line with the SLA.
- 1104 Outsourcer performance is inadequate in a large-scale long-term outsourcing arrangement.
- 1105 There is non-compliance with software licence agreements (use and/or distribution of unlicensed software, etc.).
- 1106 There is an inability to transfer to alternative suppliers due to overreliance on the current supplier.
- 1107 Cloud services are purchased by the business without the consultation/involvement of IT, resulting in an inability to integrate the service with in-house services.
- 1201 There is non-compliance with regulations, e.g., privacy, accounting, manufacturing.
- 1202 Unawareness of potential regulatory changes has an impact on the operational IT environment.
- 1203 The regulator prevents cross-border dataflow due to insufficient controls.
- 1301 There is no access due to a disruptive incident in other premises.
- 1302 Government interference and national business value.
- 1303 Targeted action against the enterprise results in destruction of infrastructure.
Infrastructure theft or destruction
- 1401 There is a theft of a device with sensitive data.
- 1402 There is a theft of a substantial number of development servers.
- 1403 Destruction of the data centre (sabotage, etc.) occurs.
- 1404 There is accidental destruction of individual devices.
- 1501 There is an intrusion of malware on critical operational servers.
- 1502 Regularly, there is infection of laptops with malware.
- 1503 A disgruntled employee implements a time bomb that leads to data loss.
- 1504 Company data are stolen through unauthorised access gained by a phishing attack.
- 1601 Unauthorised users try to break into systems.
- 1602 There is a service interruption due to a denial-of-service attack.
- 1603 The web site is defaced.
- 1604 Industrial espionage takes place.
- 1605 There is a virus attack.
- 1606 Hacktivism takes place.
- 1701 Facilities and building are not accessible because of a labour union strike.
- 1702 Key staff are not available through industrial action (e.g., transportation strike).
- 1703 A third party is not able to provide services because of a strike.
- 1704 There is no access to capital caused by a strike of the banking industry.
- 1801 The equipment used is not environmentally friendly (e.g., power consumption, packaging).
Acts of nature
- 1901 There is an earthquake.
- 1902 There is a tsunami.
- 1903 There are major storms and tropical cyclones.
- 1904 There is a major wildfire.
- 1905 There is flooding.
- 1906 The water table is rising.
- 2001 New and important technology trends are not identified.
- 2002 There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner.
- 2003 New and important software trends are not identified (consumerisation of IT).
ISACA (2013), COBIT 5 for Risk, available online at http://www.isaca.org/COBIT/Pages/Risk-product-page.aspx?cid=1002152&Appeal=PR