Op·er·a·tions Risk  n. – the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

IT Risk Evaluation

The IT Risk Evaluation is based on operational information collected from a representative group of Information Technology managers and executives. Using terms and processes drawn from the industry-standard models and frameworks (COBIT, ITIL, ISO), potential threats relating to strategy, policy and practice are examined, analyzed and classified.

We break IT down into 19 control areas covering all things IT: from planning, budgeting, forecasting, architecture development (i.e. the "front-end" of the IT lifecycle), through measurement, reporting and evaluating results at the back-end.  We look at all of the 34 IT sub-processes including asset acquisition, utilization and disposition, project management, systems development and quality assurance, production support and incident tracking, along with internal and external staffing and third-party involvement. 

Using 243 threats that are relevant to all IT departments, we gather information from our clients relating to the probability of occurrence of a given threat and its relative criticality.  With our mappings, we can make extrapolations that provide us with 935 individual points of data to analyze. 
Our deliverable includes:

  • Baseline ranking of control areas by relative priority and perceived risk
  • Threat severity ranking, tailored to the customer's environment
  • Graphical comparison of the evaluation findings to the baseline
  • Severity-ranked risk mapping by control area
  • "Magic quadrant" view of control areas by threat and impact
  • Capability maturity analysis by control area and an overall risk portfolio score
  • List of recommendations for improvement
  • Detailed short-term action plan (prioritized "fixes" for immediate impact)
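To make the roll-up behind these deliverables concrete, here is an added illustration (not the evaluation provider's own model, mappings or scoring) of how per-threat probability and criticality ratings can be turned into a threat severity ranking, a control-area ranking, a threat-versus-impact quadrant view and a single portfolio score. The 1-to-5 scales, the midpoint rule for the quadrant, the normalization to 0-100 and every sample threat are constructed assumptions; only the control-area names echo the page.

```python
# Illustrative threat-to-control-area risk roll-up. Added example with constructed
# data and scales; not the evaluation provider's actual model or threat mappings.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ThreatRating:
    control_area: str
    threat: str
    probability: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    criticality: int  # assumed scale: 1 (negligible) .. 5 (severe)

    def severity(self) -> int:
        # Classic likelihood x impact score; 1..25 on the assumed scales.
        return self.probability * self.criticality


# Constructed sample ratings: control-area names follow the page, threats are made up.
SAMPLE_RATINGS = [
    ThreatRating("Asset management", "Unlicensed software deployed", 4, 2),
    ThreatRating("Asset management", "Untracked disposal of storage media", 2, 5),
    ThreatRating("Project management", "Scope creep without re-baselining", 5, 2),
    ThreatRating("Production support", "No incident tracking for outages", 4, 4),
    ThreatRating("Production support", "Single point of failure in on-call staffing", 3, 3),
    ThreatRating("Third-party management", "Vendor access not reviewed", 3, 5),
]


def rank_threats(ratings):
    """Threat severity ranking: highest severity first, deterministic tie-break."""
    return sorted(ratings, key=lambda r: (-r.severity(), r.control_area, r.threat))


def score_control_areas(ratings):
    """Roll individual threat ratings up to one record per control area."""
    grouped = defaultdict(list)
    for r in ratings:
        grouped[r.control_area].append(r)
    return {
        area: {
            "mean_probability": mean(r.probability for r in rs),
            "mean_impact": mean(r.criticality for r in rs),
            "max_severity": max(r.severity() for r in rs),   # worst single threat
            "mean_severity": mean(r.severity() for r in rs),  # typical exposure
        }
        for area, rs in grouped.items()
    }


def rank_control_areas(ratings):
    """Control areas by relative priority: mean severity, then worst threat, then name."""
    scores = score_control_areas(ratings)
    return sorted(
        scores,
        key=lambda a: (-scores[a]["mean_severity"], -scores[a]["max_severity"], a),
    )


def quadrant(mean_probability, mean_impact, midpoint=3.0):
    """Quadrant placement; 'high' means strictly above the scale midpoint (assumed rule)."""
    threat = "high threat" if mean_probability > midpoint else "low threat"
    impact = "high impact" if mean_impact > midpoint else "low impact"
    return f"{threat} / {impact}"


def quadrant_view(ratings):
    """Map every control area to its threat/impact quadrant."""
    scores = score_control_areas(ratings)
    return {a: quadrant(s["mean_probability"], s["mean_impact"]) for a, s in scores.items()}


def portfolio_score(ratings, max_severity=25):
    """Overall risk portfolio score on 0..100: mean severity relative to the scale maximum."""
    return round(mean(r.severity() for r in ratings) / max_severity * 100, 1)


if __name__ == "__main__":
    view = quadrant_view(SAMPLE_RATINGS)
    for area in rank_control_areas(SAMPLE_RATINGS):
        print(f"{area:24s} {view[area]}")
    print("Top threat:", rank_threats(SAMPLE_RATINGS)[0].threat)
    print("Portfolio score:", portfolio_score(SAMPLE_RATINGS))
```

Two aggregates are kept per control area on purpose: the mean severity drives the priority ranking so that an area with many moderate issues is not hidden, while the maximum severity preserves the single worst threat for the short-term action plan. Swapping in a different scale or midpoint only requires changing the constructor arguments.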

Our process takes approximately 2 hours onsite for data gathering, using a facilitated session with key participants, which generally includes the CIO and his/her direct reports. We encourage key business users of information technology and interested third parties (e.g. auditors, compliance managers, etc.) to participate if possible. We follow up within a few days (based on client availability) to present our findings and recommendations.

Click on the link below to see a sample deliverable: