IRSA: IT Risk Self Assessment


The assessment of IT risks requires the use of all available information sources in order to set priorities in prudential terms.

With this in mind, the need arises to enable the Risk Manager and the IT function to run IT Risk Self Assessment sessions (hereinafter: IRSA) that analyse the Bank’s IT risk profile through a process involving all the structures attributable to the exposed systems.

AIT Risk makes it possible to conduct IT risk assessment activities using methodologies based on industry standards and/or internal policies, so that the potential impact of each risk can be determined.

More specifically, after the IT risks have been mapped within the perimeter defined by the expected scenarios (including adverse scenarios involving critical IT systems), the system applies a parameterizable “methodological framework” that engages, through a workflow, all the responsible users called upon to define the levels of impact, frequency and adequacy of the control system.

This flow allows the segregation of roles and content to be managed with particular accuracy: each user involved carries out the evaluation only with reference to the calculation index within their own remit and, above all, only for the information for which they are actually responsible.

With A.IT Risk the Risk Manager has an instrument characterized by great ease of use, high configurability and a built-in capacity to document sessions.

During an evaluation session, the system facilitates the coordination of the users involved through automatic messages addressed to those who, following a status change, are directly involved in the subsequent phases.

At the end of the evaluations, the system provides structured reporting of the session outcomes, offering synthesis frameworks that can be “navigated” according to a “drill-down” logic.

Qualitative and quantitative model

  • Definition of the general threat probabilities in light of the risk exposure levels of the controls applied
  • Corrections to the probabilities in the threat-scenario relations
  • Application (with corrections) of the threat-scenario probabilities to the relations with the IT assets
  • Definition of the impacts in the scenario-asset relations
  • Residual risk calculation

Qualitative model

  • Definition of the scenario impacts (a synthesis of operational, reputational, economic, … impacts) and application of corrections in the relations with threats
  • Definition of the threat probabilities and application of corrections in the relations with scenarios
  • Gross risk calculation at asset-threat level
  • Application of the asset’s control protections to the relation with threats
  • Residual risk calculation
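The five steps of the qualitative model above can be followed end to end on a small data set. The Python below is an added worked example, not code from the product or its vendor: the 1..5 ordinal scale, the "worst dimension wins" synthesis of scenario impact, the multiplicative correction factors, the `impact × probability` gross risk, the `1 - effectiveness` control reduction and the rating bands are all assumptions chosen for illustration, as are the scenario, threat and asset records, which are constructed sample data.

```python
"""Qualitative IT risk model (added example, assumptions labelled inline):
scenario impacts -> threat probabilities -> gross risk per asset-threat pair
-> control protections -> residual risk."""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scale for impact and probability


def clamp(value: float) -> int:
    """Round a corrected score back onto the 1..5 ordinal scale."""
    return max(SCALE_MIN, min(SCALE_MAX, round(value)))


@dataclass
class Scenario:
    name: str
    operational: int
    reputational: int
    economic: int
    threat_correction: dict = field(default_factory=dict)  # threat -> multiplier

    def impact(self) -> int:
        # Synthesis across dimensions: the worst one drives the scenario (assumption).
        return max(self.operational, self.reputational, self.economic)


@dataclass
class Threat:
    name: str
    probability: int  # 1..5
    scenario_correction: dict = field(default_factory=dict)  # scenario -> multiplier


@dataclass
class Asset:
    name: str
    scenarios: list  # names of the scenarios the asset is exposed to
    controls: dict = field(default_factory=dict)  # threat -> effectiveness in [0, 1]


def corrected_impact(scenario: Scenario, threat: Threat) -> int:
    """Step 1: scenario impact, corrected for the specific threat."""
    return clamp(scenario.impact() * scenario.threat_correction.get(threat.name, 1.0))


def corrected_probability(threat: Threat, scenario: Scenario) -> int:
    """Step 2: threat probability, corrected for the specific scenario."""
    return clamp(threat.probability * threat.scenario_correction.get(scenario.name, 1.0))


def gross_risk(asset: Asset, threat: Threat, scenarios: dict) -> int:
    """Step 3: the worst scenario linked to the asset sets the gross risk (0..25)."""
    return max(
        (corrected_impact(scenarios[s], threat) * corrected_probability(threat, scenarios[s])
         for s in asset.scenarios),
        default=0,  # an asset exposed to no scenario carries no risk
    )


def residual_risk(asset: Asset, threat: Threat, scenarios: dict) -> float:
    """Steps 4-5: apply the asset's control protection for this threat."""
    effectiveness = asset.controls.get(threat.name, 0.0)  # no control -> no reduction
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError(f"control effectiveness out of range: {effectiveness}")
    return round(gross_risk(asset, threat, scenarios) * (1.0 - effectiveness), 1)


def rating(score: float) -> str:
    """Assumed rating bands on the 0..25 risk score."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def assess(assets: list, threats: list, scenarios: dict) -> dict:
    """Full asset-threat matrix with gross risk, residual risk and rating."""
    result = {}
    for asset in assets:
        for threat in threats:
            residual = residual_risk(asset, threat, scenarios)
            result[(asset.name, threat.name)] = {
                "gross": gross_risk(asset, threat, scenarios),
                "residual": residual,
                "rating": rating(residual),
            }
    return result


# Constructed sample data (not from the page).
SCENARIOS = {
    "data_breach": Scenario("data_breach", 3, 5, 4, {"phishing": 1.0, "ransomware": 0.8}),
    "service_outage": Scenario("service_outage", 4, 3, 3, {"ransomware": 1.2, "phishing": 0.6}),
}
THREATS = [
    Threat("phishing", 4, {"data_breach": 1.2, "service_outage": 0.5}),
    Threat("ransomware", 3, {"service_outage": 1.3, "data_breach": 1.0}),
]
ASSETS = [
    Asset("core_banking", ["data_breach", "service_outage"], {"phishing": 0.5, "ransomware": 0.75}),
    Asset("hr_portal", ["data_breach"], {"phishing": 0.2}),
]

if __name__ == "__main__":
    for (asset, threat), row in assess(ASSETS, THREATS, SCENARIOS).items():
        print(f"{asset:13} {threat:11} gross={row['gross']:2} residual={row['residual']:5} {row['rating']}")
```

The matrix is where the segregation of roles described earlier shows up: the scenario impacts, the threat probabilities and the control effectiveness are three separate inputs that different users would own, and the residual risk is only computed once all three have been supplied. A missing control for a threat is treated as zero effectiveness, so an unassessed protection never silently lowers the score.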