Information Technology Risk Management

Posted by Graham on Wednesday, August 26th, 2009

Risk management is the discipline of identifying, monitoring and limiting risks. To further clarify this it can be broken down into detailed guideline sections:

• Identify assets and which ones are critical
• Identify and assess threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk
• Identify ways to reduce those risks
• Prioritise risk reduction measures

This all makes sense as an overall “big picture”, but we now need to adapt these guidelines to reflect the business’s need to conduct a Risk Assessment on its IT infrastructure and the systems that run on it.

The first question in my mind is: how important is Information Technology (IT) to the business that I am dealing with?

Ask any business owner that question and they’ll all say they cannot accept any risk. This question needs to be impartial, as setting a goal of no risk is unlikely to be reached, and will have considerable cost implications.

I do not ask this question nor is it one I expect an answer to. It’s a feeling that one builds up as the discovery process unfolds, as to the importance of IT within the business. This allows you to tailor any solution relevant to risk versus cost, as it nearly always is a balance of these two factors.

I will now translate the points above into the IT world, and some of the key areas that should be considered.

Physical IT Assets (i.e. servers or other devices). Compile a list of these devices, then assess the effect of each item in the list below on each device, and the possible knock-on effect to the business and its continuity:

- Theft (physical security)
- Fire & excessive heat
- Water or excessive damp
- Equipment failure or damage

Software Assets (i.e. databases or business applications). Again, compile a list of the applications or software systems that your business uses day to day, and consider the impact of each point below on them.

- Theft of data (through poor data security or a disgruntled employee being malicious)
- Software failure (e.g. a business database)
- Accidental data deletion or corruption
- Data being unavailable due to physical equipment failure
- Data security (who can access what and from where)

Having looked at these two key areas you will be forming opinions about importance and risk. What are the chances (or risk) of a fire or a flood? What about theft?

Now we have to estimate the chance of each item happening, and decide what proportion of that chance the business is willing to accept. The answer will in turn determine the likely cost of meeting that requirement.
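To show how the steps above fit together, here is a small risk register in Python. It is an added example, not part of the original post, and every asset, likelihood, impact and cost figure in it is a constructed placeholder: each threat gets an expected annual exposure (chance times impact), anything above the exposure the business accepts is listed most cost-effective control first, and a budget is then spent down that list.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float        # estimated chance per year, 0.0 to 1.0
    impact: float            # estimated cost to the business if it happens
    mitigation: str          # the risk reduction measure under consideration
    mitigation_cost: float   # annual cost of that measure

    @property
    def exposure(self) -> float:
        """Expected annual loss: chance of the event times its impact."""
        return self.likelihood * self.impact


def prioritise(risks, accepted_exposure):
    """Risks above what the business accepts, best value control first.

    Value is measured as exposure removed per unit spent on the control.
    """
    above = [r for r in risks if r.exposure > accepted_exposure]
    return sorted(above, key=lambda r: r.exposure / r.mitigation_cost, reverse=True)


def plan(risks, accepted_exposure, budget):
    """Walk the prioritised list and fund controls until the budget runs out."""
    chosen = []
    for r in prioritise(risks, accepted_exposure):
        if r.mitigation_cost <= budget:
            chosen.append(r.mitigation)
            budget -= r.mitigation_cost
    return chosen


# Constructed sample register; figures are illustrative placeholders only.
REGISTER = [
    Risk("file server", "disk failure", 0.20, 20000, "nightly backup with restore test", 1500),
    Risk("accounts database", "accidental deletion", 0.30, 10000, "versioned backup", 500),
    Risk("server room", "fire", 0.01, 150000, "off-site replication", 6000),
    Risk("sales laptop", "theft", 0.10, 5000, "full-disk encryption", 200),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER, accepted_exposure=1000):
        print(f"{r.asset}: {r.threat} exposure={r.exposure:.0f} -> {r.mitigation}")
    print("funded this year:", plan(REGISTER, accepted_exposure=1000, budget=3000))
```

With an accepted exposure of 1000, laptop theft (exposure 500) is accepted as day-to-day risk, while the three larger exposures are ranked and the fire control is deferred because it does not fit the remaining budget.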

The average business will have tight financial constraints that mean they have to accept some risk. They have to deal with the reality of day to day risk, which normally presents itself as data loss through hardware failing, data corruption or accidental data deletion.

Here are some thoughts to a simple blanket solution that turns a blind eye to the more exceptional risks, but covers the likely events:

• Ensure all hardware has a good manufacturer’s warranty. Typically this would be three years’ cover with a four hour response, or next business day at the very least
• Ensure all business critical software has support from the suppliers, and be clear what that support offering actually is
• Protect all vital physical equipment from theft
• Protect key equipment from electrical surges or outages
• Back up key data. This is a large subject in its own right, but a good disaster recovery plan is vital and it must be multi-layered (i.e. don’t rely on one system). Remember, though, that a backup is only as good as the last restore!
• System administration. Ensure you either have qualified professional IT staff, or use an industry certified outsourced IT support company, who can maintain system integrity and security so that no risk is presented through viruses, spyware, hacking or incorrect access to data. Ensure you have a service level agreement with your IT department, so you know the likely response times in the event of things going wrong.

In summary, IT Risk Management is largely common sense, but ensure you seek the right IT professionals to help guide you through the possible scenarios and the solutions. From this you will strike that balance of risk versus cost, and ultimately your peace of mind!
