Springfield I.T$.$ Consulting develops and maintains business software for IT clients. Springfield is doing a threat analysis as part of a BCP creation project and so far they have identified several threats. In this exercise, we will focus on Data Loss.

When Springfield IT Consulting loses data it could be any of the following:

$$ Work in progress,

$$ Completed work

$$ Financial data

$$ Customer data

$$ Work order data,

$...$

Three threat sources have been identified for data loss:

$1.$ Hacking,

$2.$ Worker Error

$3.$ Hardware Failure

The table below should be completed based off of the organisation above on a risk by risk basis to record details of the risk events that have been identified that could have a significant impact on the organization. Identification of these risks can be based on a consideration of the objectives of the organization and$/$or the features that must be present for the organization to be successful. These features are often referred to as key dependencies. In other words, risk identification can start with a review of the objectives and$/$or the key dependencies for the organization.

Risk record of potential impact

Risk reference $($see note $1)$

Nature of risk $($see note $2)$

Potential impact $($see note $3)$

Tolerability of event $($see note $4)$

Existing controls $($see note $5)$

Guidance notes

$1.$ Unique identifier should be assigned to each risk. For ease of reference and unambiguous identification of risk, the risk reference assigned can also be used to indicate the nature and$/$or location of the risk.

$2.$ Description of the risk event and how it might be caused or triggered, including information or data on previous experiences with a related risk event, both within the organization and in relation to similar events that have affected competitors.

$3.$ Analysis of the potential impact on the finances, infrastructure, reputation and$/$or marketplace, in terms of the likelihood and magnitude of the risk event and the relationship to objectives and key dependencies.

$4.$ Decision on whether the level of risk identified during the analysis is tolerable for the organization, including consideration of the controllability of the risks and the nature of the business imperative associated with the risk.

$5.$ Mitigation currently in place and standard of risk control that is achieved by the existing controls, compared with the level of risk that is required, including consideration of the efficiency and effectiveness of existing controls as well as regulatory requirements.