# IT Risk Control Matrix

| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidence |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | CTO | Operational Risk (IT) | Data loss | | | Daily | | Preventing (System) | Automatic daily local backups | | | | | | | |
| 2 | CTO | Operational Risk (IT) | Data loss | | | Daily | | Preventing (System) | Automatic daily backups to external/remote service providers | | | | | | | |
| 3 | CTO | Operational Risk (IT) | Data loss | | | Daily | | Preventing (Manual) | Quarterly manual backups for long-term storage | | | | | | | |
| 4 | CTO | Operational Risk (IT) | Corrupted backup data | | | Daily | | Revealing (System) | Automatic data integrity validation of daily backups | | | | | | | |
| 5 | HOD, head of IT, CTO | Operational Risk (IT) | Users receive access to files or functions outside of their competencies | | | Daily | | Preventing (Manual) | User permissions are defined in a general Permission List. Deviations must be approved | | | | | | | |
| 6 | head of IT, CTO | Operational Risk (IT) | Software causes problems | | | Weekly | | Preventing (Manual) | New software and software updates must be tested in a sandbox environment | | | | | | | |
| 7 | HOD, head of IT, CTO | Operational Risk (IT) | Unauthorized software | | | Weekly | | Preventing (Manual) | New software must be approved | | | | | | | |

## Abbreviations

* R: Responsible
* L: Likelihood (1-5)
* C: Consequence (1-5)
* L\*/C\*: Likelihood and Consequence after mitigation
* O: Occurrence (many times a day, daily, weekly, monthly, annually)
* ES: Effective
* EY: Efficient

2022-01-01 - Version 1.0