Work Priority Scheme for EDP (Electronic Data Processing) Audit and Computer Security Review

摘要

The report describes a high level risk analysis for Automated Information Systems (AISs) that can be used by computer security reviewers and EDP auditors to prioritize their non-discretionary and discretionary review activities for these AISs. It divides the risk analysis problem into five areas of risk concern (called dimensions) with each area defined by a set of characteristics. The five dimensions are: Criticality/Mission Impact, Size/Scale/Complexity, Environment/Stability, Reliability/Integrity, and Technology Integration. The report presents a possible two-level scoring scheme which calculates the level of risk for each dimension, uses the Criticality score as a first order system risk score, and then combines all five dimension risk scores for a second order system risk score. An approach for deriving an EDP audit or computer security review plan using these scores is outlined.