Fiddlers Risk Assessment

Category: Business and Industry

Date Submitted: 09/13/2012 05:47 PM

1 INTRODUCTION

The purpose of this risk assessment is to determine whether the controls surrounding credit card processing within the corporation are meeting management’s expectations.

• The participants and their roles in the risk assessment in relation to their assigned responsibilities at the corporation;

• The techniques used to gather the necessary information (e.g., the use of tools, questionnaires); and

• The risk classifications used; classifying risks as High, Moderate or Low in accordance with the definitions in the Standard is encouraged.

This risk assessment builds upon earlier risk assessments performed by the staff. In addition, an IT Security Audit, conducted by Fidder’s Fine Merchandise Internal Audit Services staff on January 24, 2009, was utilized. This risk assessment was performed in accordance with a methodology described in ITRM Guideline, and utilized interviews and questionnaires developed by Fidder’s Fine Merchandise staff to identify Fidder’s Fine Merchandise:

• Vulnerabilities;

• Threats;

• Risks;

• Risk Likelihoods; and

• Risk Impacts.

Participants and their roles in this risk assessment included the following:

• Mike Vail, Fidder’s Fine Merchandise Information Security Officer, and Frank Tran, Audit Director

High: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Moderate: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Low: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

2 IT SYSTEM CHARACTERIZATION

The IT system characterization and the scope of the risk assessment effort are defined. Used the previously developed IT System...