
Information Technology Risk Assessment Tool User Guide

v1.0 – January 2014 Release

ITRAT-User-Guide-241113.doc

http://www.informationtechnologyriskassessment.com


Version History

| Date | Version | Summary of Changes | Author |
|---|---|---|---|
| 24 Jan 14 | 1.0 | | Anthony Quinn |

Release 1.0 – ITRAT User Guide


Table of Contents

1. Disclaimer
2. Glossary
   2.1. Terms
3. Purpose of this document
4. Target audience
   4.1. Assumed knowledge
5. Legal matters
6. System Requirements
   6.1. Technical requirements
      6.1.1. Connectivity
      6.1.2. Browser types
      6.1.3. Hosting provider
      6.1.4. Data centre
      6.1.5. Data storage
      6.1.6. Local storage
      6.1.7. Backup and archive
      6.1.8. Disaster recovery
      6.1.9. Help and support
      6.1.10. Fair use / data storage / restoration
      6.1.11. System Timeout
7. Overview and conceptual framework
   7.1. Why perform an IT risk assessment
   7.2. Industry Coverage
   7.3. Purpose of the Information Technology Risk Assessment Tool
   7.4. User Types and Roles
   7.5. Types of Assessments
8. Getting started
   8.1. Home Page
   8.2. Register
      8.2.1. Online payments
      8.2.2. Offline payments
      8.2.3. Pricing Structure
      8.2.1. Discount Codes
   8.3. Sign In
9. Configuring and calibrating the ITRAT tool
   9.1. Overview
   9.2. Configuration and calibration
   9.3. Changing Model Dimension Categories and Sub-Categories
      9.3.1. Model -> Groups
      9.3.2. Model -> Categorization
      9.3.3. Model -> Sub-Categorization
   9.4. Changing Model Questions – Global and Custom
      9.4.1. Model -> Questions -> Global Questions
      9.4.2. Model -> Questions -> Custom Questions
   9.5. Model -> Total Range
   9.6. Jurisdiction -> Ratings
   9.7. Account Management
      9.7.1. Users
      9.7.2. Payments
   9.8. Password Management
10. Completing the Information Technology risk assessment
   10.1. Overview
   10.2. Selecting risk assessment type
      10.2.1. Full Assessments
      10.2.2. Single Dimension Assessments
   10.3. Selecting the industry sector
   10.4. Completing the risk assessment
      10.4.1. Providing context on the authorship of the risk assessment
      10.4.2. Authorship information
      10.4.3. Risk Assessment Context
   10.5. Risk dimensions
      10.5.1. Internal Risk Factors – Risk Management
      10.5.2. Internal Risk Factors – Systems Development Lifecycle
      10.5.3. Internal Risk Factors – Threat Assessment
      10.5.4. External Risk Factors – Risk Management
      10.5.5. External Risk Factors – Threat Assessment
      10.5.6. Jurisdiction Risk Factors
   10.6. Completing the questions
      10.6.1. Layout of the assessments page
      10.6.2. Understanding the ‘Inherent Risk’
      10.6.3. Understanding the ‘Residual Risk’
      10.6.4. Documenting the risk assessment
      10.6.5. Generating the risk assessment summary report
11. Support
12. Feedback and suggestions
13. Partnership and/or Investment Opportunities


1. Disclaimer

The contents contained within the Information Technology Risk Assessment Tool (ITRAT) and this User Guide are provided for general information only and do not constitute the provision of professional advice. The content of the ITRAT contains information that will assist organizations to assess their Information Technology risks and has been designed to inform areas of vulnerabilities that should be the focus of any Information Technology Risk Management Program.

Before any action or decision is taken on the basis of any materials the user should obtain appropriate independent professional advice. Any conclusions drawn are based on inputs and configurations made by the Company Admin or End-User.

Financial Crimes Consulting Pty Ltd does not warrant that the ITRAT contains all considerations necessary to consider risk for your purposes and accepts no responsibility or liability for any loss suffered as a result of reliance on the materials contained within this product.

The purchaser of the ITRAT indemnifies Financial Crimes Consulting Pty Ltd and all associated business partners or companies against all loss, damages, claims, liability, expenses, payments or outgoings incurred by or awarded against the end-user arising directly or indirectly from any third party, including but not limited to:

(i) The end user's use of the ITRAT. For the avoidance of doubt, this means that if the end-user is ever sued or the subject of criminal or civil penalties from other third parties and/or regulatory bodies, including but not limited to fines or compensation, Financial Crimes Consulting Pty Ltd will be fully indemnified.

(ii) Any act or omission of Financial Crimes Consulting Pty Ltd including any negligence, unlawful conduct or wilful conduct by Financial Crimes Consulting Pty Ltd relating to this agreement or arising as a consequence of the performance or non-performance of the products or services, intellectual property infringement, breach of confidentiality, misleading and deceptive conduct or other legal liability.

(iii) Any action taken by international regulators or third parties against the end users of the ITRAT, the end user indemnifies Financial Crimes Consulting Pty Ltd against any liability and indemnifies and protects Financial Crimes Consulting Pty Ltd against any liability.

End users that use the ITRAT are taken to have agreed to the above terms and conditions and indemnities.



2. Glossary

2.1. Terms

Term: Description

ITRAT: Information Technology Risk Assessment Tool.

Company Admin: User with permissions to configure the risk assessment tool.

End-User: Users with permissions to perform risk assessments.

Risk Dimension: Includes these major categorizations of risk:
1. Internal Risk:
   1.1 Risk Management
   1.2 Systems Development Lifecycle (SDLC)
   1.3 Threat Assessment
2. External Risk:
   2.1 Risk Management – same as internal
   2.2 Threat Assessment – same as internal

Risk Factor: These are the questions that are included in the ITRAT.

Risk Score: The weight that has been assigned to the risk factor:
• 0 = disabled
• 1 = very low risk
• 2 = low risk
• 3 = moderate risk
• 4 = high risk
• 5 = very high risk

Relative Weighting: The weighting of risk dimensions relative to each other.

Inherent Risk: This is calculated based on the likelihood x impact.

Residual Risk: This is the overall risk rating after the effectiveness of mitigating controls has been taken into consideration.


3. Purpose of this document

The purpose of this document is to describe the core functions of the ITRAT, and to explain to Company Admin and End-Users how to configure, calibrate and conduct risk assessments using the tool. The document contains the following key sections:

• Overview and conceptual framework
• Getting started
• Customising and calibrating the Information Technology Risk Assessment Tool
• Completing the Information Technology Risk Assessment


4. Target audience

The target audience for this document includes:

• Company Administrators – these are typically staff who operate in IT risk and/or compliance functions and have responsibility for identifying, managing and mitigating information technology risks

• End Users – these are typically staff who would perform a risk assessment and could include IT staff, risk and compliance managers, legal or internal audit staff

4.1. Assumed knowledge

It is assumed that Company Administrators who are responsible for configuring and calibrating the risk assessment have a detailed knowledge of the internal and external operating environment of the organisation. If your organisation does not have suitably qualified staff to perform this role, Financial Crimes Consulting Pty Ltd offers Consulting Services and can assist in the initial setup of the ITRAT.

It is assumed that end-users have a good working knowledge of the internal and external operating environments such that a determination can be made about whether the risk attribute exists within the organisation or operating environments. In addition, it is assumed that the end-user has a thorough understanding of the control framework that may exist to mitigate or minimise the impact of the identified risks.


5. Legal matters

It is important to understand the role of the ITRAT – we do not know your business as well as you do, but the ITRAT has been designed and built based on years of deep experience in Information Technology risk management and compliance matters. Whilst we are confident in our expertise and have used our deep skills and experience in the IT risk management space, it would be disingenuous of us to claim that ‘one size fits all’ and that the out-of-the-box settings apply to every sector in every scenario.

The ITRAT has been designed as a framework for IT risk and compliance staff to reflect on the internal and external environments and to use this knowledge and experience to configure, calibrate and complete risk assessments that are appropriate to the circumstances. The ITRAT provides opportunities to document the rationale behind deviations from the default settings, but due to the diverse nature of users from a variety of industry sectors, and of organizations within each sector, it is not appropriate for Financial Crimes Consulting to provide warranties that, by using our products, the Information Technology risks will be fully understood, mitigated and managed.

The End User License Agreement (EULA) contemplates these issues and sets out the terms and conditions of use, as well as your rights in relation to the use of the ITRAT. Due to the nature of the product we require all users to indemnify Financial Crimes Consulting Pty Ltd against any liabilities associated with using the ITRAT. The EULA is required to be acknowledged and accepted as part of the initial registration process, and ongoing usage of the ITRAT is considered to be acceptance of the terms outlined in the EULA.


6. System Requirements

6.1. Technical requirements

6.1.1. Connectivity

The tool is thin client – meaning that most processing and storage occurs on our servers. A modest Internet connection is required to input data and browse through the ITRAT.

6.1.2. Browser types

The ITRAT operates across all of the following browsers:

• Safari
• Mozilla Firefox
• Google Chrome
• Internet Explorer (later than version 8.0)

6.1.3. Hosting provider

Our hosting services provider is Sententia Pty Ltd, which has been providing hosting and mission critical services for government, financial services, telecommunications companies and other organisations since 1989. Among other things, Sententia is known for data centre architecture and Payment Card Industry ("PCI") standard hosting solutions. It is this expertise that Sententia has brought to the hosting of our application and product / solutions.

6.1.4. Data centre

Our solutions are hosted in a Tier One data centre which offers outstanding physical and virtual security, with 24 x 7 guards and biometric security access to the physical hardware assets and locked cabinets within the data centre. The applications are monitored on a 24 x 7 basis with full alerting to the technical consultants responsible for managing our applications.

Servers used are best of breed Process Area Network (“PAN”) managed, meaning that we can increase server assets – particularly processing, memory and networking assets – in real time. Performance is monitored, so if any hosting resources become a constraint, our consultants are alerted and resources can be added to ensure satisfactory performance.

6.1.5. Data storage

Our application systems and client data are stored on commercial grade SAN solutions which offer snapshotting of data for better recovery time objectives and the ability to “roll forward and roll-back” in time for dedicated client instances of our applications.

6.1.6. Local storage

Users will need some capacity to upload and download documents including reports generated at the completion of risk assessments.


6.1.7. Backup and archive

In addition, we offer sophisticated daily backup and weekly and monthly archive facilities, where application and user data are stored on tape, which is taken off site.

6.1.8. Disaster recovery

With the offsite tape storage and sophisticated provisioning of server and user access, we offer very responsive data recovery time frames.

6.1.9. Help and support

Our standard offering is to offer help and support services by web and email. Our support desk operates between 9am and 5pm Monday to Friday, in normal business hours from Sydney, Australia. Premium support is available outside of those hours. Please contact us for a quote if you require it.

6.1.10. Fair use / data storage / restoration

Our data storage within the offered solutions is intended to allow relevant contextual documents to be stored in conjunction with assessment products. These typically include policy documents, audits and other supporting materials as well as printed assessments from our products. Our storage solution was not intended to be used for transactional material, such as customer identification documents, transaction monitoring reports and the like.

We offer 500MB of storage per user, which means that most plans that we offer allow more than adequate storage for the use of our solutions. Beyond this level, we reserve the right to charge AUD$50 per GB per month for storage, and will not guarantee recovery of any documents stored beyond this level. For client accounts that are not renewed within 90 days of expiration, we do not guarantee restoration or access of any data.

For any legal access to your data, we will not provide access without a court order or without notifying you first where we are legally allowed, but a term of our contract with you is that you agree to pay any costs incurred by us in the provision of data for any matter including investigations, litigation and the like. Our charges for these matters are AUD$1000 per matter and AUD$400 per hour plus disbursements for searching, extraction and copying of data. Restoration of data by request from the authorised delegate from your account is available at the same rate; this would typically involve costs of disk recovery, tape restoration and the like.

6.1.11. System Timeout

The ITRAT has an in-built timeout feature that automatically logs the user out of the system if it has been inactive for more than 60 minutes.


7. Overview and conceptual framework

7.1. Why perform an IT risk assessment

There are a number of reasons why it is advisable for organisations to conduct an IT risk assessment, including:

• Reduce business impacts associated with IT risk issues by identifying, managing and mitigating IT risks
• Provides a framework to assess risks and allows Board and Senior Management to have an in-depth understanding of high-risk areas, which can assist in prioritising resources accordingly
• Visualising IT risk concentration helps organisations to identify control weaknesses and target resources proportionately on areas that are higher risk

By completing a comprehensive risk assessment, that is, by understanding the likelihood and impact of the risk event occurring (known as ‘inherent risk’) and by assessing the mitigating controls that can be or have been deployed to reduce these risks, organizations will gain a deeper understanding of the ‘residual risk’. This understanding leads to a more sophisticated approach to risk management, regardless of the particular risk in question.

7.2. Industry Coverage

The ITRAT has been designed to cover a wide range of industry sectors. Whilst the majority of IT risks impact organisations similarly, there may be some industry sectors, such as Banking and Finance, that may suffer significant financial and reputational risks where IT risks are not identified, mitigated and managed appropriately. For this reason, we have maintained the same flexibility for industry sector customization as our other risk assessment products. The industry sectors that are covered by the ITRAT include:


The default questions in the ITRAT have been pre-configured with out-of-the-box settings, which are an initial suggestion about the relative risk weighting of a particular question for the industry sector. Company Admin users have permissions to override these default settings and will have the opportunity to document the rationale for applying changes, which provides a full audit trail.

The pre-configuration is designed to reduce (but cannot eliminate) the possibility that the default settings are not appropriate to the particular circumstances of the internal and external environment in which the organization operates. It is essential that the default settings are thoroughly reviewed to determine whether they are appropriate to your organization, and that the ITRAT is calibrated where required.

Our subject matter experts and business partners have developed a globally applicable cloud-based Information Technology risk assessment model that allows organizations to assess Information Technology risks across a variety of dimensions:

• Internal Risk Factors – Risk Management
  – IT Risk Management Framework
  – IT Risk Strategy
  – Governance and Oversight
  – Organisational Management of IT
  – IT Policies and Procedures
  – IT Risk Reporting
  – Change Management
  – Developing an Information Asset Profile
  – Data Quality Framework
  – Business Continuity Planning
  – Disaster Recovery
  – IT Program and Project Management
  – IT Training
  – Employee Risks
  – Third Party Relationship Risks

• Internal Risk Factors – Software Development Lifecycle (SDLC)
  – Project initiation and scoping
  – Proof of concept
  – Design
  – Development
  – Testing and Integration
  – Implementation and Deployment
  – Post Implementation Reviews
  – Business and IT Operational Management
  – Maintenance and Disposal

• Internal Risk Factors – Threat Assessment
  – Threat Type
  – Organisational
  – Business Process
  – Data
  – Systems
  – Technical Threats
  – Hardware and Software
  – Accidental or Deliberate Damage
  – Destruction or Misuse of Data
  – Interception and Impersonation
  – Physical Threats
  – Loss from theft
  – Vandalism or sabotage
  – Accidental damage
  – Environmental Threats
  – Support Infrastructure Threats
  – Power Supply
  – Telecommunications
  – Support Environment

• External Risk Factors – Risk Management
  – Same as internal but based on externally introduced risks

• External Risk Factors – Threat Assessment
  – Same as internal but based on externally introduced risks

• Jurisdiction
  – The jurisdiction risk assessment originated from our money laundering risk assessment tool. From an IT risk perspective, the nature of IT risks is likely to be less important; however, we decided that for some organisations this may be an important factor in their decision to outsource IT operations, development or other activities to third parties.

The model is fully customisable: questions, dimensions, scores and weightings can be added or removed on an individual or grouped basis. It has been designed to be customized to suit the context of its use, and to record and communicate aspects of these risks. After completing the risk assessment a PDF report is generated – this can be stored to provide a full audit trail summarising the outcomes of the risk assessment that was conducted.


7.3. Purpose of the Information Technology Risk Assessment Tool

The purpose of the Information Technology Risk Assessment Tool includes:

• Assisting users to conduct a comprehensive risk assessment
• Identifying the inherent risks – likelihood x impact
• Assessing the mitigating factors that can reduce the inherent risks
• Identifying the existence and effectiveness of mitigating controls
• Providing a framework for making operational improvements
• Providing a full audit trail of risk-based assessments and allowing periodic monitoring

7.4. User Types and Roles

There are three user types and roles:

• Super Admin – this function is controlled by the operators of the ITRAT and will be invisible to all users. This is where the global questions and settings are managed, as well as account, discount and referral management

• Company Admin – this function is the administrator for the organisation and the account is typically used to configure the ITRAT and manage user accounts

• End-User – this function is responsible for performing risk assessments using the ITRAT. The function does not have user access rights to configure the ITRAT in any way

7.5. Types of Assessments

There are two types of assessments that can be performed in the tool:

• Full Assessments – which include all of the dimensions within the ITRAT

• Single Dimension Assessments – which can be performed on a single risk dimension only, for example, external risk factors could be considered in isolation of other risk dimensions


8. Getting started

8.1. Home Page

The home page for the ITRAT can be accessed at: http://www.informationtechnologyriskassessment.com

There are two main options on this page:

• Register – for new users looking to purchase access to the ITRAT
• Sign In – for returning users

8.2. Register

Clicking the blue “Register” button in the top right hand side of the screen will open the registration page below:

Once the registration details have been provided users will be directed to the PayPal page.

8.2.1. Online payments

The ITRAT supports both online and offline payments. The following screenshots step through the process for online payments using the PayPal payment gateway, but we also support offline payments outside of PayPal, which is described in section 8.2.2.


Our pricing is tiered based on the number of employees and the annual revenue. To reduce the annual license fee to the appropriate tier, answer these two questions and the appropriate discount code will automatically be applied, which will have the effect of reducing the prices to the correct annual license price.

If you were referred by a third party organization to buy our products, please select the correct organization from the Referral Source dropdown, so that the sale is accredited to our partners.

Additional users can be added, as well as consulting services, where our experts can guide you through the ABC RAT and assist your organisation in the configuration and customization of the risk assessment to your specific requirements.

In order to proceed with your purchase, you must tick the checkbox to acknowledge that you agree to the Terms and Conditions and the End User License Agreement.

For online payments, click the ‘Pay Now’ button and this will take you through the payment process using PayPal. You will be provided with a summary of your order and the option to either log in to your PayPal account or alternatively pay by credit or debit card.


Note: PayPal has a maximum daily payment limit of $12,500, and therefore only Red, Bronze and Silver packages can be purchased using online payments; Gold and Platinum packages must be purchased using an offline payment method.

If paying by credit or debit card but still through PayPal, the daily maximum payment limits still apply. Simply enter the credit card and address details. Once your payment has been successfully processed, an email will be sent automatically to the email address that has been provided.


A summary of the order will be provided for review. To confirm click Pay Now.


Once PayPal has processed the order you will see the following confirmation.

   

   

You will also receive an email similar to the one shown below:

 

   



You will then be redirected to the ITRAT website, where you will be able to Sign In.

An email confirmation of the purchase order is also sent to Financial Crimes Consulting Pty Ltd.    

   

A copy of the invoice is available to be viewed by Company Admin users and is explained in 9.7.2. After making a successful purchase via PayPal this message is displayed:

After clicking ‘Go to Dashboard’ the user is directed to Account Management (see 9.7.3).


8.2.2. Online payments

Financial Crimes Consulting also supports offline payments for users who wish to purchase via methods other than PayPal. We support the following payment types:

- Credit card – American Express, Visa, MasterCard and Diners
- Cheque
- Electronic Funds Transfer

To process offline payments, simply download the form below: http://informationtechnologyriskassessment.com/media/FCC-IT-Risk-AssessmentForm-201213.pdf

Then email it to info@informationtechnologyriskassessment.com or FCC@financialcrimesconsulting.com.au. On receipt of your payment we will process your order manually. We will confirm receipt of the funds or will provide a receipt once payment has been made. You will also receive a confirmation email with your login credentials, which you can use to invite end-users based on the number of additional users that have been added. The manual invoice will be added into the Account Management folder, so that it is visible to Company Admin users in exactly the same way as if the purchase were automated via PayPal.


8.2.3. Pricing Structure

Our pricing structure is tiered depending on either the number of employees or the size of the annual revenues of your organization. The pricing consists of an annual license fee, which provides access to the ITRAT for 12 months from the date of purchase for one Company Administrator and one End-User. Additional users can be added either at the time of purchase, or at any time afterwards by the Company Admin user. If additional users are added after the initial purchase, the access and cost are pro-rated to the date cycle of the Company Administrator's access and charged accordingly. The plans and pricing for the ITRAT are described below:

We also provide consulting services to organizations that require expert support in configuring and calibrating the ITRAT to their specific requirements. We have developed a number of relationships with suitably qualified subject matter experts that can guide you through this process either via a web-based consultation or an on-site visit. If your organization would like to use the ITRAT but outside of the cloud hosted environment then we can perform a custom installation on a secure environment of your choosing [1].

[1] We need to be able to fully understand your requirements before we can quote for this work.


8.2.1. Discount Codes

The default fee is the Platinum Package but simply type in the discount codes outlined below and the pricing will be updated to the appropriate package.

Enter Coupon   Effect               Discount Applied   To Pay
GOLDDEAL       Platinum -> Gold     $20,000            $29,999
SILVERDEAL     Platinum -> Silver   $40,000            $9,999
BRONZEDEAL     Platinum -> Bronze   $46,000            $3,999
REDDEAL        Platinum -> Red      $48,000            $1,999

The discount applies only to the Annual License fee.

8.3. Sign In

Clicking the dark grey “Sign In” button in the top right hand side of the screen will open the Sign In page. Simply enter the user name and password and click the Sign In button.

If you have forgotten your password, click the “Forgot password” link and this will take you to a screen where you can request that your password be emailed to the original email address used in the initial registration.



Once you’ve signed in you’ll see any previous assessments that you’ve undertaken or been given access to. It may look like this or have no history to reference.

If you are undertaking a new assessment, click on the “Begin Assessment” button on the top right of the screen. The remaining steps to completing the risk assessment are documented in section 10, but prior to that it is usually appropriate to configure and calibrate the risk assessment tool to suit the requirements of your business, which is described in the next section.



9. Configuring and calibrating the ITRAT tool

9.1. Overview

The purpose of this section of the user guide is to explain to Company Administrators how to configure and calibrate the ITRAT and to manage user access and permissions within the organization. The ITRAT is very flexible and was designed to be fully customizable: it caters for different risk factors in different sectors, provides the ability to calibrate weights and scores at both a risk factor and risk dimension level, and allows end-users to add, modify or neutralize any risk factor that should be included within the boundaries of the risk assessment.

9.2. Configuration and calibration

The Company Admin user has the following access rights, which will be explained further in this section:

- Changing model dimension weightings
- Changing weights and scores
- Adding risk factor questions and risk dimensions
- Setting relative weighting between risk dimensions
- Account management
- Password management

9.3. Changing Model Dimension Categories and Sub-Categories

9.3.1. Model -> Groups

This feature allows the Company Admin user to change the default weightings of the main Groups of the ITRAT, including:  



9.3.2. Model -> Categorization

This feature allows the Company Admin user to change the default weightings of the main Categorization Dimensions of the ITRAT, including:

- Internal Risk Factors – Risk Management
- Internal Risk Factors – Systems Development Lifecycle
- Internal Risk Factors – Threat Assessment
- External Risk Factors – Risk Management
- External Risk Factors – Threat Assessment
- Other Risk Factors - Jurisdiction

To adjust the default settings, click on the Edit icon and change the slider to assign a new weighting. This can be completed for either a “Full” or “Single Dimension” Assessment. You will be required to provide a comment to explain the rationale for the change. Once completed, click the save icon.

9.3.3. Model -> Sub-Categorization

This feature allows the Company Admin user to change the default weightings of the Sub-Categories within each of the dimensions described in 9.3.1. To configure this, select the edit icon on the sub-category that you would like to modify. Again, this could be for either a “Full” or “Single Dimension” Assessment, but the key difference at this level within the model is that the ranges for Low, Medium and High can be adjusted. These ranges determine the cut-off points at which questions within the particular sub-category are considered to be lower, medium or higher risk, which determines how the model is ultimately calculated. Use the sliders to configure this: the first slider adjusts the low range and the second slider adjusts the high range, and the difference between the two is the medium range. The scale is 0 – 100.

For example, if the concentration of risk was in the lower quartile, the first slider could be set to 25, meaning that anything 25% or less would be low risk, and if higher risk were determined to be 75% or above, the second slider would be set to 75. This would mean that any questions that scored between 26% and 74% would receive a medium risk rating. The sliders can be used, or else just type the values into the text boxes within the Current Range column.

 

9.4. Changing Model Questions – Global and Custom

9.4.1. Model -> Questions -> Global Questions

The ITRAT has around 650 in-built Global Questions that have been preconfigured based on the industry sectors listed below.



Company Admin users have permissions to view and ultimately over-ride the default settings within the Global Questions. To do this the Company Admin must decide for which industry sector (or sectors) the Global Questions should be displayed. This can be narrowed further by selecting the sub-categorization, which guides the user to the relevant sub-set of the Global Questions. Selecting the ‘Go’ button after the selection has been made will generate a refined set of Global Questions to start editing. The next few screenshots are a continuation of the Global Question set:

In this screenshot, a reduced set of industry sectors has been selected. The default setting has been set the same for all industries, for each question and for each Assessment Type (Full or Single Dimension only), but it is easy to over-ride these by clicking on the edit icon. Then the scores can be adjusted up or down as appropriate. A score of zero (0) means that the question is essentially disabled for that sector; 1 is low risk and 5, the maximum, is higher risk. Comments are also required when changing default scores. Once completed click the save button.


9.4.2. Model -> Questions -> Custom Questions

Custom questions can be added by Company Admin users by clicking on Model -> Questions -> Custom Questions and then clicking the “Add New Custom Model Question” link at the bottom of the page. Add the question and provide an assumption, category and answer type, then provide the weightings and scores, which determine the applicability to the sectors selected, and click the save button.

The default position for Custom Questions will be “0” and the Company Admin user will have to set each of the weightings for the sector. Keeping the value at zero has the effect of excluding the question from appearing in the ITRAT.



The ITRAT comes with the following ‘Answer Types’, which need to be defined for each question:

In the question design, there are some circumstances where answering No to a question should receive a lower overall score and vice-versa, so you will need to think carefully about the way in which the question is phrased and set the answer type in a way that achieves the appropriate outcome. There are also some answers that relate to a single jurisdiction or multiple jurisdictions, so whether the End-User should select a single country or be allowed a multi-pick selection of multiple countries should be a consideration when adding new custom questions.

9.5. Model –> Total Range

Company Admin users also have the option to change the total range across all global Categorizations (Dimensions) by calibrating the total range of the risk weighting from Low, Medium and High. This global parameter should be used with caution since it has the effect of defining the cut-offs across all risk dimensions in the ITRAT.


9.6. Jurisdiction -> Ratings

Company Admin users can modify the jurisdiction ratings in the ITRAT by clicking Jurisdiction -> Ratings. Out-of-the-box there is a downloadable file that provides the rationale for the default risk ratings, which are based on over 25 different risk factors that have been considered in determining the risk assessment of the jurisdictional dimension. If Company Admin users want to override the default settings, simply click on the Edit icon in the Action column and select the risk rating, add a comment to explain the rationale for assessing the country risk rating and click the save icon.


There is also an in-built country ratings map that colour codes each country on a drillable map. Users can hover over the country that they are interested in and select it either from the dropdown list or by simply clicking on it, which will drill down and display the country and the risk rating.

Once the country has been selected, it displays on the map and in the dropdown with a summary of the risk profile for that country.

The summary country risk ratings have been developed using inputs from over 25 reliable and independent sources and are available as a separate product. For more information about how this product works please visit the following website: www.countryriskassessment.com


9.7. Account Management

Company Admin users have permissions to manage their account information and can view the following information:

- Users
- Payments

9.7.1. Users

The names and user permissions of the users are listed under Settings -> Account Management. Company Admin users have the ability to assign alternative users with Company Admin permissions. Users can also be deleted from this screen. Once a purchase has been made, either at the time of initial registration or at a later stage when upgrading an account, Company Admin users will be directed to this screen, which is used for managing permissions of the End-Users. The Company Admin will be able to view the number of end user licenses that have been purchased, the number of these that are active, and the number that are still available to use. Company Admin users can then assign themselves as an End-User by clicking the ‘Make me a User’ button, as well as invite other users within their organisation by adding their email address and clicking the ‘Invite’ button.


To invite additional users, simply enter the email addresses and select the Invite button, which will send the recipient an email that will direct them to the registration page. Once the invite has been sent the number of available user accounts will decrease and the invited users will be added to the left hand window. If you need to delete invited users before they subscribe then simply delete them and this will reinstate the number of user accounts available.

Additional license ‘slots’ can be purchased at any time, pro-rated based on the amount of time remaining until the annual renewal date of the product license. To do this click the Buy More button, which will take the user to the PayPal screen above where additional licenses can be purchased.

9.7.2. Payments

Full payment history is viewable by Company Admin users, under Settings -> Account Management, simply click on the green ‘+’ icon and this will drill down into the invoice.

Company Admin users have three options with the invoice, based on the icon selection in the top left hand of the window:

- Email a copy of the invoice
- Download to PDF
- Print a PDF

 

9.8. Password Management

  The password can be reset at any time by clicking Settings -> Change Password. Then simply enter the old password and the new password, which needs to be confirmed and the password will have been reset.



Passwords must be at least 8 characters in length and must contain an alphanumeric character.

 



10. Completing the Information Technology risk assessment

10.1. Overview

The purpose of this section of the user guide is to explain to End-Users how to complete the risk assessment, by going through the following steps:

- Selecting the type of risk assessment to be conducted
- Selecting the industry sector for the risk assessment
- Completing the risk assessment
  - Providing context on the authorship of the risk assessment
  - Risk dimensions
  - Completing the questions

10.2. Selecting risk assessment type

Prior to commencing a new risk assessment, the first step is to name the risk assessment, which will be the description that appears in the audit history screen. The next step is to select the type of risk assessment to be performed. The ITRAT supports either a ‘Full Assessment’ or a ‘Single Dimension Assessment’ – the main difference being the coverage of questions that are in-built into the assessment. The main dimensions that are standard for the ITRAT include:

- Internal Risk Factors – Risk Management
- Internal Risk Factors – Systems Development Lifecycle
- Internal Risk Factors – Threat Assessment
- External Risk Factors – Risk Management
- External Risk Factors – Threat Assessment
- Jurisdiction

10.2.1. Full Assessments

Full Assessments are typically conducted at an enterprise-wide level or can be conducted at a business unit or product line level. The full assessment includes all risk dimensions (categorizations and sub-categorizations), which may include up to 300 questions. Depending on the complexity of the organisation, it is not uncommon for enterprise-wide risk assessments to be conducted at least annually. This frequency is particularly appropriate for higher risk industry sectors or organizations operating in rapidly changing complex environments, for example, those that are expanding into overseas markets or expanding their footprint into a range of industry sectors that may be unfamiliar to them.


The benefit of conducting regular comprehensive risk assessments is that areas of risk can be identified and mitigating controls can be developed and monitored over time to demonstrate a trend towards reducing the overall risks that an organisation faces, or at the least, highlight controls that remain open risks. Forward thinking organizations typically build the outputs of the risk assessment into the broader risk management framework and provide regular progress and risk reporting to the Board and Senior Management. Documenting the risks and mitigating controls in a robust and auditable tool satisfies the Board obligations to maintain effective oversight for Information Technology risks, and highlights areas where continued focus is required.

10.2.2. Single Dimension Assessments

Single Dimension Assessments may be more appropriate than conducting a Full Assessment and are typically used in situations when an organisation is looking to:

- Expand the countries where a product or service will be offered
- Expand into new international market sectors
- Establish new relationships with third party suppliers
- Acquire a business in an unfamiliar international market
- Enter into discussions with third parties in respect of a tender process
- Test the effectiveness of internal controls in mitigating Information Technology risks

There may be many other scenarios where a ‘Single Dimension Assessment’ is the most appropriate approach and the ITRAT is equally effective at supporting this type of assessment.

10.3. Selecting the industry sector

The next step is to select the industry sector that the organization operates in or is seeking to assess. The ITRAT has been pre-configured for each of the sectors; the settings can be over-ridden by Company Admin users as required.


10.4. Completing the risk assessment

10.4.1. Providing context on the authorship of the risk assessment

It may seem obvious but providing contextual information in respect of the risk assessment is a key step as it provides further information regarding the nature of the organisation and the operating environment, which can be used as a gauge to determine whether the ITRAT has been applied in a manner that is appropriate to the environment. After the user has clicked “Begin Assessment”, they will be required to complete the following information where a “Full Assessment” type has been selected.

10.4.2. Authorship information

The user is required to provide details of who has completed the risk assessment including the period from and period to.


10.4.3. Risk Assessment Context

This screenshot summarises the information that is required to be completed at the start of any ‘Full’ risk assessment.


10.5. Risk dimensions

Once the setup and contextual information has been completed the main risk assessment can be started. Below is a summary of the types of risk factor coverage. The detailed questions are reserved for users of the ITRAT.

10.5.1. Internal Risk Factors – Risk Management

The ITRAT contains around 312 out-of-the-box questions that relate to internal risk factors.

10.5.2. Internal Risk Factors – Systems Development Lifecycle

The ITRAT contains around 58 out-of-the-box questions that relate to key phases in the systems development lifecycle.

10.5.3. Internal Risk Factors – Threat Assessment

The ITRAT contains around 66 out-of-the-box questions that relate to internal IT Threats.

10.5.4. External Risk Factors – Risk Management

The ITRAT contains around 102 out-of-the-box questions that relate to external risk factors.

10.5.5. External Risk Factors – Threat Assessment

The ITRAT contains around 75 out-of-the-box questions that relate to the external environment.

10.5.6. Jurisdiction Risk Factors

The ITRAT has assessed the risk profile of over 260 countries, which is based on analysing over 25 different indices including those listed on the following table:

Country Risk Factor Sources

- Member of FATF or Regional Style Bod(ies)
- Tax Justice Network - Financial Secrecy Index
- World Economic Forum - Executive Opinion Survey - Organised Crime
- Transparency International - Corruption Perceptions Index - 2011
- World Economic Forum, Executive Opinion Survey - 1.05 - Irregular payments and bribes
- United Nations Convention Against Corruption (UNCAC) Signatory
- Financial and Transparency Standard Risk
- FATF High-Risk and Non-Cooperative Jurisdictions (NCCT)
- United States International Narcotics Control Strategy Report (INCSR) Volume II on Information Technology and Financial Crimes
- Transparency International - Corruption Perceptions Index - 2012
- Transparency International - Bribe Payers Index - 2011
- OECD Convention Signatory Top 25 Exporter
- World Bank Governance Indicators list
- World Bank - Doing Business - Business Disclosure
- World Economic Forum - Global Competitiveness Report - Regulation of Securities Exchanges
- OECD Tax Havens - Uncooperative Tax Havens
- International IDEA - Political Finance Database - Q35. Do political parties have to report regularly on their finances?
- International Development Association - World Bank - IDA Resource Allocation Index (IRAI) - Transparency, Account and Corruption in the Public Sector
- Freedom House - Freedom in the World & Press Freedom
- World Economic Forum - Global Competitiveness Report - Strength of Auditing and Reporting
- International Development Association - World Bank - IDA Resource Allocation Index (IRAI) - Financial Sector
- International IDEA - Political Finance Database - Q13 - Is there a limit on the amount a donor can contribute to a political party over a time period (not election specific)?
- International Budget Partnership Open Budget Index
- Euromoney - Political Risk
- World Economic Forum - Global Competitiveness Report - Favouritism in decisions of government officials (1.07)
- Bertelsmann Stiftung Transformation Index (BTI) 2012 - Rule of Law

10.6. Completing the questions

10.6.1. Layout of the assessments page

The screenshot below summarises the main assessments page layout.


10.6.2. Understanding the ‘Inherent Risk’

Inherent risk is based on the likelihood of a risk event occurring and the impact to the organisation if the risk were to eventuate.

The matrix below summarises the overall Inherent Risk rating once the likelihood x impact scores have been calculated and plots these based on how the risk factor questions are answered.

 

The likelihood of a risk factor occurring is described below:



The impact of a risk factor should it occur is also described below:

The Inherent Risk rating resulting from the two risk factors combined is outlined below:

The combined Inherent Risk rating is essentially a “raw score” without any mitigating factors included.

10.6.3. Understanding the ‘Residual Risk’

Residual risk is essentially the ‘Inherent Risk’ with an adjustment based on the mitigating control environment that exists to reduce or eliminate the impact of the risk factor on an organisation.

Essentially, the end-user is required to make an assessment about the existence of mitigating controls and their effectiveness in managing or significantly reducing the impact of the risk, which are summarised along with the qualifying descriptions over the page.

Once the ratings for the effectiveness of the mitigating controls have been factored in, these have the effect of reducing the overall ‘Residual Risk’ score on the basis that poor and/or ineffective controls are less risky than no controls and excellent and/or highly effective controls reduce the overall likelihood and impact of a risk factor occurring. This is essentially a gauge of effective risk management in practice.

Using the ITRAT in this way forces end-users to think about both the likelihood and impact of risk and to identify areas where mitigating controls are either absent or are less than optimal. Documenting the current state of the existing mitigating controls allows the end-user to define the target state for risk management, which provides the organisation with tangible and actionable tasks to improve the effectiveness of the Information Technology risk management framework.

In completing this exercise, it is important to consider what is proportionate and reasonable with regard to the likelihood and impact of the various risks. For example, if the likelihood of a risk occurring is rare and the impact of the risk should it occur is low, then it may not be as beneficial to implement excellent and/or highly effective controls, whereas if the likelihood of a risk occurring is guaranteed and the impact should it occur is extreme, then it is appropriate to develop as effective a mitigating control framework as possible to reduce the overall impact.

On an aggregate level, which is provided in the summary reports after the risk assessment has been completed, it also provides a view about the concentration of risks within your organisation. For example, across the hundreds of risk factors considered in the model, a concentration of risk factors in the bottom left quadrant indicates that in general the overall residual risks are low and are less in need of risk management attention, whereas if the concentration of risk factors appears predominantly in the top right, then more effort is required by the organisation to manage these risks.



10.6.4. Documenting the risk assessment

Since risk assessments commonly require independent reviews to be undertaken by suitably qualified experts, the ITRAT requires that an explanation be provided which supports the assessment and outlines why certain ratings or scores were applied, as well as general comments explaining the existing or mitigating controls or actions that are required to remediate control deficiencies. The end-user is notified if there is missing information on a particular risk factor and will not be allowed to proceed to the next screen unless all of the required information is provided.

10.6.5. Generating the risk assessment summary report

After completing the risk assessment, a PDF report will be generated that dynamically summarises the results. The main components of the PDF summary report include:

- Assessment Summary
- Assessment Detail
- Information Technology Red Flags
- Inherent Risks & Control Measures

Assessment Summary

The Assessment Summary tab provides a number of important pieces of information:

- Authorship information
- Disclaimer
- Context behind the risk assessment

Then scrolling down the Assessment Summary reveals the remaining information:

- Inherent Risk Rating – Matrix (including the legend)
- Residual Risk Rating – Matrix (including the legend)
- Model Assessment Rating Scores
- Model Assessment Chart

Inherent Risk Rating


The overall inherent risk rating matrix is a heat map indicator of the distribution of the inherent risk in the various risk zones. If you see that significant counts for your risk assessment questions are in the green zone, the inherent risk is low. On the other hand, if most of the counts are concentrated in the red zone, the overall inherent risk is high.

Residual Risk Rating

The Residual Risk Rating Matrix plots the inputs from the Inherent Risk Rating Matrix and applies the Effectiveness of the Control Score to plot Residual Risk.

The Residual Risk Rating Matrix is a heat map indicator of the distribution of overall risk that remains after application of control measures. In most cases, with some controls in place, the risk distribution will move towards the lower risk quadrant compared to the risk distribution in the inherent risk matrix. The above two matrices give a distribution in terms of counts over the heat map. This distribution is completely independent of the risk scoring for the questions in the assessment.

Model Assessment Rating Scores

The Model Assessment Rating Scores summarise the actual score against the maximum score for the range of questions, produce a normalised score across all questions in the model and give a relative % weighting of each Categorisation within a Dimension (Group). The Model Assessment Rating Score table gives the raw risk score at each sub-categorization level. This raw score is classified as low, medium or high based on the thresholds set for that sub-categorization in the model. This scoring technique takes into consideration the weight assigned to each question. The weight on a question represents the relative importance of the question in the overall risk consideration. The raw risk scores at the sub-categorization level are rolled up at the categorization level and normalized, taking into account the % weighting distribution assigned to the sub-categorization.


The % weighting helps assign relative weighting to the categorizations within the model. The sum of the % weightings of all sub-categorizations in an assessment will always be 100. The roll up of the % weightings and the normalized scores at the Group level is a simple sum of these items across all categorizations under it.
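The Low/Medium/High cut-offs from 9.3.3 and the weighted roll-up described above, as an added Python example that is not ITRAT's own code. The guide does not publish its formulas, so the actual-over-maximum percentage, the 1 to 5 answer scale, the 25/75 overall cut-offs and all names and sample figures here are assumptions.

```python
"""Sketch of a weighted risk-score roll-up (assumed formulas, constructed data)."""
from dataclasses import dataclass, field

MAX_SCORE = 5  # the guide rates questions from 1 (low risk) to 5 (higher risk)


@dataclass
class Question:
    weight: float  # relative importance; 0 excludes the question, as in the guide
    score: int     # assumed: the answered score, 1..MAX_SCORE


@dataclass
class SubCategory:
    name: str
    pct_weight: float  # % weighting; all sub-categorizations must sum to 100
    low_max: float     # first slider: a score at or below this is Low
    high_min: float    # second slider: a score at or above this is High
    questions: list = field(default_factory=list)


def classify(pct, low_max, high_min):
    """Map a 0-100 score onto Low/Medium/High using the two slider values."""
    if not 0 <= low_max < high_min <= 100:
        raise ValueError("sliders must satisfy 0 <= low < high <= 100")
    if pct <= low_max:
        return "Low"
    if pct >= high_min:
        return "High"
    return "Medium"


def raw_score(sub):
    """Actual score against maximum score, as a percentage (assumed formula)."""
    active = [q for q in sub.questions if q.weight > 0]
    for q in active:
        if not 1 <= q.score <= MAX_SCORE:
            raise ValueError(f"score {q.score} is outside 1..{MAX_SCORE}")
    maximum = sum(q.weight * MAX_SCORE for q in active)
    if maximum == 0:
        return None  # every question is disabled, so there is nothing to rate
    actual = sum(q.weight * q.score for q in active)
    return 100.0 * actual / maximum


def roll_up(subs, total_low_max=25, total_high_min=75):
    """Return per-sub-categorization rows, the normalised total and its band."""
    total_weight = sum(s.pct_weight for s in subs)
    if abs(total_weight - 100) > 1e-9:
        raise ValueError(f"% weightings sum to {total_weight}, expected 100")
    rows, normalised_total = [], 0.0
    for s in subs:
        pct = raw_score(s)
        if pct is None:
            # An unrated sub-categorization adds nothing, which understates
            # the total; surface it instead of hiding it.
            rows.append((s.name, None, "Not rated", 0.0))
            continue
        contribution = pct * s.pct_weight / 100  # simple weighted sum
        normalised_total += contribution
        rows.append((s.name, pct, classify(pct, s.low_max, s.high_min), contribution))
    band = classify(normalised_total, total_low_max, total_high_min)
    return rows, normalised_total, band


def sample_model():
    """Constructed sample data; names and numbers are illustrative only."""
    return [
        SubCategory("Sub-categorization A", 60, 25, 75, [
            Question(weight=2, score=1),
            Question(weight=1, score=2),
            Question(weight=0, score=5),  # disabled: weight 0 removes it
        ]),
        SubCategory("Sub-categorization B", 40, 25, 75, [
            Question(weight=3, score=5),
            Question(weight=1, score=3),
        ]),
    ]


if __name__ == "__main__":
    rows, total, band = roll_up(sample_model())
    for name, pct, rating, contribution in rows:
        print(f"{name}: raw={pct:.1f}% rating={rating} contribution={contribution:.1f}")
    print(f"Normalised total: {total:.1f} ({band})")
```

Moving either slider changes only the band a score falls into, not the score itself, which is why the guide asks for a comment recording the rationale whenever a cut-off or weighting is changed.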



Assessment Detail

The Assessment Detail tab provides a full summary of every risk factor (question) that was included in the risk assessment and summarises the ratings and the comments that were included when conducting the assessment. This level of detail provides a full audit history. In many assessments over 500 risk factors may be considered, so please be patient if this tab takes several minutes to load into the browser.



Maintaining audit history of risk assessments

The ITRAT provides a full audit trail of risk assessments completed, including the start and completion dates, the assessment name and type, the sector and the status. In-progress risk assessments can be saved and completed at a later stage, returning the user to the same place where they left off. Completed assessments can be retrieved and viewed in the browser at any time, as well as being saved and sent via PDF to anyone. The audit trail provides a full summary of the settings and responses provided in the risk assessment, which can be used to baseline improvements and risk factors over time.

The completed assessment will be available for the duration of your subscription. At the end of your subscription period, unless you have renewed your annual license, Financial Crimes Consulting Pty Ltd. reserves the right to remove all completed and in-progress assessments from our servers, and these may not be archived. If you are planning on terminating your subscription or allowing it to lapse, it is recommended that you save the completed assessments to PDF before doing so.



11. Support

We have integrated the ITRAT with Freshdesk, the leading supplier of helpdesk software. On the right hand side of every page there is a blue Support button that displays the following once clicked. Simply enter your name, subject, a detailed description of the issue, your organization, the tool that the issue relates to and the support group channel that your ticket should be allocated to, and the ticket will reach our support team. Our support team guarantee that your ticket will be responded to within 24 hours (usually sooner). To assist our support team, please describe exactly the issue and the steps immediately preceding it, and attach screenshots and supporting documentation where appropriate, which will enable us to diagnose the issue faster. We intend to build up a knowledge base of frequently asked questions, which over time may provide the exact answer that you are looking for.

We are committed to providing effective support and services to our clients. If you have any queries please contact us on any of the following:

E-mail:

support@informationtechnologyiskassessment.com

Or you can write to us at:

Financial Crimes Consulting Pty Ltd
Level 20, Darling Park
201 Sussex Street
Sydney, NSW 2000
Australia


12. Feedback and suggestions

To ensure that we can continue to improve our product offerings, we encourage our users to provide feedback. No matter how big or small the suggestion, we would like to hear about it so we can prioritise future development work. We have built in a ‘Provide Feedback’ tab on the bottom of every screen of the ITRAT so that you can pass on your comments whenever you are using our products. Simply click the ‘Provide Feedback’ tab and this screen will appear for you to provide comments:

We regularly review the feedback that our users provide and use this to plan future releases of our products with our development team, so please send in your suggestions to help us to refine and improve our products. Financial Crimes Consulting Pty Ltd., as operators of the ITRAT, reserve the right to capture the details of customisations that have been applied by our user base, so that we can decide whether to include added questions in the standard set of default questions in future releases. To be added to the ITRAT user community group, please email us at info@informationtechnologyriskassessment.com and we will ensure that you receive the latest information on upcoming releases of the ITRAT.


13. Partnership and/or Investment Opportunities

Financial Crimes Consulting Pty Ltd. has forged many different types of partnerships in Australia and internationally. We are looking to expand our footprint into different countries around the world and are actively seeking subject matter experts and distribution partners that would like to enter into a reseller relationship with us and receive a commission for any referrals to our financial crime prevention products.

We offer reseller arrangements on the ITRAT, the details of which can be found on the following web page:

http://informationtechnologyriskassessment.com/pages/partners.php

If you would like to receive a distributor / reseller pack, please complete the form on this page and one will be emailed to you. Alternatively, contact us to discuss this further, so we can find out more.

We also offer other cloud-based risk assessment tools, including:

www.moneylaunderingriskassessment.com
www.antibriberyriskassessment.com
www.countryriskassessment.com
www.onlinefraudriskassessment.com

As well as other related solutions including:

www.formsbox.com - digital mailbox management
www.trackthebuzz.com - social media monitoring
www.fatcataxforms.com - self-certification tool for FATCA

Financial Crimes Consulting have also developed online training courses:

http://elearn.financialcrimesconsulting.com

We are interested in forging strategic partnerships and alliances that can assist us in taking our products and services to the next level, so if you are interested in discussing potential investment or business opportunities across any of our products we would welcome the opportunity to discuss this further.
