Systems Objective Scorecard

During the course of managing an IT department, it is important for IT management to understand its areas of risk. There are standard best practices that can be used to score your department/organization. Below I have added some as a starting point. These are by no means complete.


Management and Planning

Objective 1

Responsibilities for the information systems environment are assigned to specialized personnel.

Deficiencies in this objective could lead to responsibilities for information systems being unknown, or to too many of them being concentrated in the same personnel.


Objective 2

Information systems strategy, development plans and budget are aligned with the company's strategic goals and business.

Deficiencies in this objective could lead to the design, purchase/construction, development and operation of systems not responding to the company's business needs.


Objective 3

The selection of a service provider is based on company policies.

Deficiencies in this objective could lead to unsuitable service and to generated information that is inaccurate, vulnerable or lacking integrity.


Objective 4

The service levels delivered by the provider are consistent with management's expectations.

Deficiencies in this objective could lead to unsuitable service and to generated information that is inaccurate, vulnerable or lacking integrity.


Objective 5

Users receive correct training in the use and handling of the information systems.

Deficiencies in this objective could lead to incorrect use of information assets, which could cause generated information to be inaccurate, vulnerable or lacking integrity.


Physical and Logical Security

Objective 1

Security tools and techniques are implemented and configured to ensure an adequate level of logical security, restricting access to programs, data and other information sources to authorized persons only.

Deficiencies in this objective could lead to unauthorized access and possible exposure, theft, modification, damage or loss of information, due to the absence of proper policies, the failure to implement these measures on information systems, or users' ignorance of security standards.


Objective 2

Logical security tools and techniques are implemented to monitor and control actions performed on information systems.

Deficiencies in this objective could lead to a lack of control over actions performed on information systems, with possible impact on information confidentiality, integrity and availability.


Objective 3

Information systems are correctly protected against external attacks and/or malicious code.

Deficiencies in this objective could lead to unauthorized access and possible exposure, theft, modification, damage or loss of information.


Objective 4

Security tools are implemented so that only authorized users can access information systems.

Deficiencies in this objective could lead to unauthorized access and possible exposure, theft, modification, damage or loss of information, due to incorrect management of access profiles.


Objective 5

All information resources are protected by appropriate security controls, and access to critical areas is restricted to authorized personnel.

Deficiencies in this objective could lead to unauthorized access and possible exposure, theft, modification, damage or loss of information, as well as failures or incidents in the operation of information systems and other disasters or extraordinary events.


Objective 6

All company information resources are identified and managed.

Deficiencies in this objective could lead to incorrect or fraudulent use of equipment and/or the data it holds, resulting in possible exposure, theft, modification, damage or loss of information.


Applications Development and Maintenance

Objective 1

Application development or maintenance projects are consistent with management's intentions.

Deficiencies in this objective could lead to the design, purchase/construction and development of systems not being responsive to end users' needs.


Objective 2

The migration from replaced legacy applications is carried out accurately and completely.

Deficiencies in this objective could negatively impact information integrity and validity.


Infrastructure Operations and Maintenance

Objective 1

Infrastructure development or maintenance projects (database software, networks, equipment) are consistent with management's intentions.

Deficiencies in this objective could lead to changes not responsive to the users’ needs.


Objective 2

The technological infrastructure is correctly identified and supported.

Deficiencies in this objective could lead to changes not responsive to users' needs, as well as possible loss of knowledge about information assets.


Objective 3

Service levels of information systems providers are consistent with management's expectations.

Deficiencies in this objective could lead to information systems not working correctly, putting the availability of the information at risk.


Objective 4

In case of disaster, every essential business process is recoverable within a defined time.

Deficiencies in this objective could affect information integrity and availability, due to incomplete, inaccurate or unrecoverable data.


Objective 5

Information is retained in accordance with laws, regulations and company policies, and can be recovered when required.

Deficiencies in this objective could affect information integrity and availability, with data being incomplete, inaccurate or not recoverable.