From b38ef2d8b718eb684caff207b02692d5c6b48f6b Mon Sep 17 00:00:00 2001 From: Dennis Eichhorn Date: Wed, 17 Aug 2022 10:13:52 +0200 Subject: [PATCH] continue implementation --- .../08_Quality Management_Risk Control Matrix.md | 10 +++++----- Processes/09_IT.md.md | 4 ++-- Processes/09_IT_Risk Control Matrix.md | 14 ++++++++++---- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/Processes/08_Quality Management_Risk Control Matrix.md b/Processes/08_Quality Management_Risk Control Matrix.md index 4c423f2..56fbc11 100644 --- a/Processes/08_Quality Management_Risk Control Matrix.md +++ b/Processes/08_Quality Management_Risk Control Matrix.md 
@@ -1,10 +1,10 @@ # Quality Management Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | -| ---- | ---- | ------------------------------------- | ------------------------------------------------------------ | ---- | ---- | ---- | ----- | ------------------ | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | -| 1 | CEO | Operational Risk (Quality Management) | Processes are not correctly implemented, no longer up-to-date or insufficient. | | | | | Revealing (Manual) | Every department is audited at least once a quarter by internal auditors. | | | | | | | | -| 2 | CEO | Operational Risk (Quality Management) | The products and services contain insuficciencies which are not detected during the regular development controls and checks. | | | | | Revealing (Manual) | The software, documentation and services are manually tested like a normal customer/user would use them. | | | | | | | | -| 3 | CEO | Operational Risk (Quality Management) | Processes and related documents are incomplete, incorrect or not correctly approved. | | | | | Revealing (Manual) | Internal audits and annual checks by the quality management department. | | | | | | | | +| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| ---- | --------------------- | ------------------------------------- | ------------------------------------------------------------ | ---- | ---- | ---- | ----- | ------------------ | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | +| 1 | Internal auditor, DQM | Operational Risk (Quality Management) | Processes are not correctly implemented, no longer up-to-date or insufficient. 
| | | | | Revealing (Manual) | Every department is audited at least once a quarter by internal auditors. | | | | | | | | +| 2 | Quality Management | Operational Risk (Quality Management) | The products and services contain insufficiencies which are not detected during the regular development controls and checks. | | | | | Revealing (Manual) | The software, documentation and services are manually tested like a normal customer/user would use them. | | | | | | | | +| 3 | Internal auditor, DQM | Operational Risk (Quality Management) | Processes and related documents are incomplete, incorrect or not correctly approved. | | | | | Revealing (Manual) | Internal audits and annual checks by the quality management department. | | | | | | | | ## Abbreviations diff --git a/Processes/09_IT.md.md b/Processes/09_IT.md.md index f406382..f28febb 100644 --- a/Processes/09_IT.md.md +++ b/Processes/09_IT.md.md 
@@ -25,11 +25,11 @@ The IT department has to ensure that the IT systems are running according to the ### Permission changes -Permissions for data access must be handled carefully and users should only receive permissions according to their functions and tasks. A General permission overview can be found in the Permission List. This list contains a basic guideline for permission handling but can be deviated from in special situations. Deviations must be approved according to the Change Management policy by the respective HOD and IT department. (**R6**) +Permissions for data access must be handled carefully and users should only receive permissions according to their functions and tasks. A General permission overview can be found in the Permission List. This list contains a basic guideline for permission handling but can be deviated from in special situations. Deviations must be approved according to the Change Management policy by the respective HOD and IT department. (**R5**) ### Software changes -New software or software updates must be tested by the IT team in a sandbox environment before they can get migrated to the live environment (**R7**). Generally, updates should be installed as soon as reasonably possible to ensure the newest security fixes, bug fixes and newest software features. The Change Management policy defines the testing and approval procedures for software. (**R8**) +New software or software updates must be tested by the IT team in a sandbox environment before they can get migrated to the live environment (**R6**). Generally, updates should be installed as soon as reasonably possible to ensure the newest security fixes, bug fixes and newest software features. The Change Management policy defines the testing and approval procedures for software. (**R7**) ### Additional guidelines diff --git a/Processes/09_IT_Risk Control Matrix.md b/Processes/09_IT_Risk Control Matrix.md index 930d271..389ad28 100644 --- a/Processes/09_IT_Risk Control Matrix.md 
+++ b/Processes/09_IT_Risk Control Matrix.md 
@@ -1,8 +1,14 @@ -# Quality Management Risk Control Matrix +# IT Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | -| ---- | ---- | -------- | ---------- | ---- | ---- | ---- | ----- | --------------- | ------------------- | ---- | ---- | ------- | -------- | ---- | ---- | --------- | -| 1 | | | | | | | | | | | | | | | | | +| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| ---- | -------------------- | --------------------- | ------------------------------------------------------------ | ---- | ---- | ------ | ----- | ------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | +| 1 | CTO | Operational Risk (IT) | Data loss | | | Daily | | Preventing (System) | Automatic daily local backups | | | | | | | | +| 2 | CTO | Operational Risk (IT) | Data loss | | | Daily | | Preventing (System) | Automatic daily backups to external/remote service providers | | | | | | | | +| 3 | CTO | Operational Risk (IT) | Data loss | | | Daily | | Preventing (Manual) | Quarterly manual backups for long-term storage | | | | | | | | +| 4 | CTO | Operational Risk (IT) | Corrupted backup data | | | Daily | | Revealing (System) | Automatic data integrity validation of daily backups | | | | | | | | +| 5 | HOD, head of IT, CTO | Operational Risk (IT) | Users have receive access to files or functions outside of their competencies | | | Daily | | Preventing (Manual) | User permissions are defined in a general Permission List. 
Deviations must be approved | | | | | | | | +| 6 | head of IT, CTO | Operational Risk (IT) | Software causes problems | | | Weekly | | Preventing (Manual) | New software and software updates must be tested in a sandbox environment | | | | | | | | +| 7 | HOD, head of IT, CTO | Operational Risk (IT) | Unauthorized software. | | | Weekly | | Preventing (Manual) | New software must be approved | | | | | | | | ## Abbreviations
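Review bot: on the first hunk (08_Quality Management_Risk Control Matrix.md), the new R entries in rows 1 and 3 introduce the abbreviation DQM while the trailing context shows the file's `## Abbreviations` section untouched; add DQM there in the same commit so the responsibility column stays readable. Row 2 names "Quality Management" as responsible where rows 1 and 3 name a concrete role; naming the role there as well keeps the column consistent. The L, C, O, Cause, L* and C* cells stay empty in all three rows, which is acceptable for a work-in-progress commit but is worth stating in the commit message so the matrix is not read as a completed assessment.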
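Review bot: on the second hunk (09_IT.md.md), the shift of the references from (**R6**)/(**R7**)/(**R8**) to (**R5**)/(**R6**)/(**R7**) lines up with rows 5, 6 and 7 of the IT Risk Control Matrix added in this patch, but the hunk only covers lines 25 to 35; check that no other (**R…**) reference elsewhere in the file (the earlier sections that would carry R1 to R4, or anything after line 35) still uses the old numbering, otherwise the process document and the matrix point at different rows. Separately, the path `Processes/09_IT.md.md` carries a doubled extension; renaming it to `09_IT.md`, ideally in its own commit, would avoid confusion in links to it.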
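Review bot: on the third hunk (09_IT_Risk Control Matrix.md), row 5's risk event reads "Users have receive access to files or functions outside of their competencies" and its mitigation stops at "Deviations must be approved"; fix the grammar ("Users receive access …") and complete the control with the approver and policy the process text in this same patch already names ("approved according to the Change Management policy by the respective HOD and IT department"), otherwise the matrix documents a weaker control than the process it is meant to evidence. Row 7's "Unauthorized software." is the only risk event ending in a period. The O column holds "Daily" for rows 1 to 4 and "Weekly" for rows 5 to 7 without the header or the Abbreviations section saying whether it records the exposure frequency of the risk or the frequency of the control; row 3 ("Daily" beside a quarterly manual backup) shows why this needs defining before more rows are filled. Rows 1 to 3 are typed "Preventing", yet backups reduce the consequence of data loss rather than its likelihood, which matters if the L* and C* columns are meant to show the post-mitigation values separately. Rows 1 to 4 cover backup creation and integrity validation but no row records that restores from those backups are exercised; a periodic restore test is the usual evidence that the "Data loss" mitigations work and would belong in the Evidences column.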