COBIT 5 generic risk scenarios

Portfolio establishment and maintenance

  • 0101 Wrong programmes are selected for implementation and are misaligned with corporate strategy and priorities.
  • 0102 There is duplication between initiatives. Aligned initiatives have streamlined interfaces.
  • 0103 A new important programme creates long-term incompatibility with the enterprise architecture.
  • 0104 Competing resources are allocated and managed inefficiently and are misaligned to business priorities.

Programme/projects life cycle management

  • 0201 Failing (due to cost, delays, scope creep, changed business priorities) projects are not terminated.
  • 0202 There is an IT project budget overrun. The IT project is completed within agreed-on budgets.
  • 0203 There is occasional late IT project delivery by an internal development department.
  • 0204 Routinely, there are important delays in IT project delivery.
  • 0205 There are excessive delays in outsourced IT development projects.
  • 0206 Programmes/projects fail due to not obtaining the active involvement throughout the programme/project life cycle of all stakeholders (including sponsor).

IT investment decision making

  • 0301 Business managers or representatives are not involved in important IT investment decision making (e.g., new applications, prioritisation, new technology opportunities).
  • 0302 The wrong software, in terms of cost, performance, features, compatibility, etc., is selected for implementation.
  • 0303 The wrong infrastructure, in terms of cost, performance, features, compatibility, etc., is selected for implementation.
  • 0304 Redundant software is purchased.

IT expertise and skills

  • 0401 There is a lack of or mismatched IT-related skills within IT, e.g., due to new technologies.
  • 0402 There is a lack of business understanding by IT staff affecting the service delivery/projects quality.
  • 0403 There are insufficient skills to cover the business requirements.
  • 0404 There is an inability to recruit IT staff. The correct amount of IT staff, with appropriate skills and competencies is attracted to support the business objectives.
  • 0405 There is a lack of due diligence in the recruitment process.
  • 0406 There is a lack of training leading to IT staff leaving.
  • 0407 There is insufficient return on investment regarding training due to early leaving of trained IT staff (e.g., MBA).
  • 0408 There is an overreliance on key IT staff. Job rotation ensures that nobody alone possesses the entire knowledge of the execution of a certain activity.
  • 0409 There is an inability to update the IT skills to the proper level through training.

Staff operations (human error and malicious intent)

  • 0501 Access rights from prior roles are abused. HR and IT administration co-ordinate on a frequent basis to ensure timely removal of access rights, avoiding the possibility of abuse.
  • 0502 IT equipment is accidentally damaged by staff.
  • 0503 There are errors by IT staff (during backup, during upgrades of systems, during maintenance of systems, etc.).
  • 0504 Information is input incorrectly by IT staff or system users.
  • 0505 The data centre is destroyed (sabotage, etc.) by staff.
  • 0506 There is a theft of a device with sensitive data by staff.
  • 0507 There is a theft of a key infrastructure component by staff.
  • 0508 Hardware components were configured erroneously.
  • 0509 Critical servers in the computer room were damaged (e.g., accident, etc.).
  • 0510 Hardware was tampered with intentionally (security devices, etc.).

Information (data breach: damage, leakage and access)

  • 0601 Hardware components are damaged, leading to (partial) destruction of data by internal staff.
  • 0602 The database is corrupted. Data is retained at a second location.
  • 0603 Portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed.
  • 0604 Sensitive data is lost/disclosed through logical attacks.
  • 0605 Backup media is lost or backups are not checked for effectiveness.
  • 0606 Sensitive information is accidentally disclosed due to failure to follow information handling guidelines.
  • 0607 Data (accounting, security-related data, sales figures, etc.) are modified intentionally.
  • 0608 Sensitive information is disclosed through email or social media.
  • 0609 Sensitive information is discovered due to inefficient retaining/archiving/disposing of information.
  • 0610 IP is lost and/or competitive information is leaked due to key team members leaving the enterprise.
  • 0611 The enterprise has an overflow of data and cannot derive the business-relevant information from the data (e.g., big data problem).

Architecture (architectural vision and design)

  • 0701 The enterprise architecture is complex and inflexible, obstructing further evolution and expansion, leading to missed business opportunities.
  • 0702 The enterprise architecture is not fit for purpose and not supporting the business priorities.
  • 0703 There is a failure to adopt and exploit new infrastructure in a timely manner.
  • 0704 There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner.

Infrastructure (hardware, operating system and controlling technology) (selection, implementation, operations and decommissioning)

  • 0801 New (innovative) infrastructure is installed and as a result systems become unstable leading to operational incidents, e.g., Bring your own device (BYOD) programme.
  • 0802 The systems cannot handle transaction volumes when user volumes increase.
  • 0803 The systems cannot handle system load when new applications or initiatives are deployed.
  • 0804 Intermittently, there are failures of utilities (telecom, electricity).
  • 0805 The IT in use is obsolete and cannot satisfy new business requirements (networking, security, database, storage, etc.).
  • 0806 Hardware fails due to overheating.

Software

  • 0901 There is an inability to use the software to realise desired outcomes (e.g., failure to make required business model or organisational changes).
  • 0902 Immature software (early adopters, bugs, etc.) is implemented.
  • 0903 The wrong software (cost, performance, features, compatibility, etc.) is selected for implementation.
  • 0904 There are operational glitches when new software is made operational.
  • 0905 Users cannot use and exploit new application software.
  • 0906 Intentional modification of software leads to wrong data or fraudulent actions.
  • 0907 Unintentional modification of software leads to unexpected results.
  • 0908 Unintentional configuration and change management errors occur.
  • 0909 Regular software malfunctioning of critical application software occurs.
  • 0910 Intermittent software problems with important system software occur.
  • 0911 Application software is obsolete.
  • 0912 There is an inability to revert to former versions in case of operational issues with the new version.

Business ownership of IT

  • 1001 Business does not assume accountability over those IT areas it should, e.g., functional requirements, development priorities, assessing opportunities through new technologies.
  • 1002 There is extensive dependency and use of end-user computing and ad hoc solutions for important information needs, leading to security deficiencies, inaccurate data or increasing costs/inefficient use of resources.
  • 1003 Cost and ineffectiveness result from IT-related purchases made outside of the procurement process.
  • 1004 Inadequate requirements lead to ineffective service level agreements (SLAs).

Supplier selection performance, contractual compliance, termination of service and transfer

  • 1101 There is a lack of supplier due diligence regarding financial viability, delivery capability and sustainability of supplier’s service.
  • 1102 Unreasonable terms of business are accepted from IT suppliers.
  • 1103 Support and services delivered by vendors are inadequate and not in line with the SLA.
  • 1104 Outsourcer performance is inadequate in a large-scale long-term outsourcing arrangement.
  • 1105 There is non-compliance with software licence agreements (use and/or distribution of unlicensed software, etc.).
  • 1106 There is an inability to transfer to alternative suppliers due to overreliance on current supplier.
  • 1107 Cloud services are purchased by the business without the consultation/involvement of IT, resulting in inability to integrate the service with in-house services.

Regulatory compliance

  • 1201 There is non-compliance with regulations, e.g., privacy, accounting, manufacturing.
  • 1202 Unawareness of potential regulatory changes has an impact on the operational IT environment.
  • 1203 The regulator prevents cross-border dataflow due to insufficient controls.

Geopolitical

  • 1301 There is no access due to a disruptive incident in other premises.
  • 1302 Government interference and national business value.
  • 1303 Targeted action against the enterprise results in destruction of infrastructure.

Infrastructure theft or destruction

  • 1401 There is a theft of a device with sensitive data.
  • 1402 There is a theft of a substantial number of development servers.
  • 1403 Destruction of the data centre (sabotage, etc.) occurs.
  • 1404 There is accidental destruction of individual devices.

Malware

  • 1501 There is an intrusion of malware on critical operational servers.
  • 1502 Regularly, there is infection of laptops with malware.
  • 1503 A disgruntled employee implements a time bomb that leads to data loss.
  • 1504 Company data are stolen through unauthorised access gained by a phishing attack.

Logical attacks

  • 1601 Unauthorised users try to break into systems.
  • 1602 There is a service interruption due to denial-of-service attack.
  • 1603 The web site is defaced.
  • 1604 Industrial espionage takes place.
  • 1605 There is a virus attack.
  • 1606 Hacktivism takes place.

Industrial action

  • 1701 Facilities and building are not accessible because of a labour union strike.
  • 1702 Key staff are not available through industrial action (e.g., transportation strike).
  • 1703 A third party is not able to provide services because of strike.
  • 1704 There is no access to capital caused by a strike in the banking industry.

Environmental

  • 1801 The equipment used is not environmentally friendly (e.g., power consumption, packaging).

Acts of nature

  • 1901 There is an earthquake.
  • 1902 There is a tsunami.
  • 1903 There are major storms and tropical cyclones.
  • 1904 There is a major wildfire.
  • 1905 There is flooding.
  • 1906 The water table is rising.

Innovation

  • 2001 New and important technology trends are not identified.
  • 2002 There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner.
  • 2003 New and important software trends are not identified (consumerisation of IT).

Bibliography

ISACA (2013), COBIT 5 for Risk, available online: http://www.isaca.org/COBIT/Pages/Risk-product-page.aspx?cid=1002152&Appeal=PR