Wednesday, July 15, 2009

Risk Analysis

Risk analysis helps organizations secure sensitive information, protect their image and reputation, and meet compliance requirements. A formal risk analysis process includes identifying risk areas and implementing controls to reduce risks to acceptable levels.

The first step in the process is to identify assets that need protection. The assets can be tangible or intangible and generally provide value to the organization. Examples of tangible assets include buildings, employees, computer and network servers, etc. Examples of intangible assets may include intellectual property, custom software presently installed and under development, customer lists, goodwill, etc.

Once the assets have been identified, you will want to identify threats to the assets. The threats can be unintentional or intentional and may include:

  • Natural threats (acts of God)
  • Accidental or unintentional threats (worker illness, equipment failure)
  • Intentional threats such as asset theft and asset tampering (malicious damage)

For each threat, there may be one or more specific vulnerabilities. Vulnerabilities may be based upon location, employee skill sets, network access controls, network monitoring, etc. Examples of vulnerabilities include a lack of security-related employee education, user knowledge, or security functionality, and poor password selection by employees. Once a vulnerability has been identified, you should determine how likely it is to occur (probability).

Once your assets, threats, and vulnerabilities have been identified, you can then evaluate the potential impact or loss. Examples of impact can include the cost of downtime, loss of information, breach of legislation, impact on reputation, loss of opportunity, etc. For each asset, consider the asset value, specific vulnerability, and probability of the event.

The next step in the risk analysis process is to develop controls that help eliminate risks or reduce them to an acceptable level.

Risk assessments help organizations identify, manage, and reduce their risks.


Thursday, December 04, 2008

Mitigating Risks

Organizations are finding that IT systems are a double-edged sword. Not only do they increase employee productivity and reduce costs, they also increase risks as intellectual property and sensitive information are stored in a central location. Assessments can help organizations identify and manage risks. Once risk areas have been identified, organizations have a number of ways to mitigate or reduce their risks.

  • Risk Assumption. Accept the potential risk and continue operating the IT system or implement controls to lower the risk to an acceptable level. Administrative, physical, and technical controls help lower the organization's risks.
  • Risk Avoidance. Avoid the risk by eliminating the risk and/or consequence. For example, bypass or eliminate certain functions of a system or shut down the system when risks are identified.
  • Risk Limitation. Limit the risk by implementing controls that minimize the adverse impact of the risk. For example, implement preventive controls such as Intrusion Prevention Systems (IPS) that actively identify and restrict access to information.
  • Risk Planning. Manage risks by developing a risk mitigation plan that prioritizes, implements, and maintains controls. Implement managed services to minimize risks.
  • Risk Research. Lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
  • Risk Transference. Compensate for the loss by transferring the risk to another party. In addition to securing systems, organizations have the option to insure against security breaches. For example, insurance can cover the cost of regulatory mandated notifications that a security breach has occurred as well as fines, fees, or penalties arising from privacy or consumer protection errors.


Thursday, October 11, 2007

Need to Manage your Risks?

Mid-size firms have growth challenges. Many are growing quickly and don't have the resources of large firms. One mid-size organization provided employment screening and background checks. The firm was growing rapidly, attracting large clients, and expected to double in size within two years. Management was concerned that the IT staff and infrastructure could not support the organization’s rapid growth.

They contracted with a firm to provide a network assessment and an analysis of data backups, anti-virus, e-mail, software licensing, software patching, laptops, and many other areas. In addition to the IT infrastructure, the Work Plan included interviews with IT, management, and key users to determine if there was an alignment or satisfaction issue with IT.

The analysis included a comparison of the IT department with industry benchmarks so the organization could evaluate if they were making effective use of IT spending. The assessment also reviewed written policies, business continuity plans, and related procedures and guidelines.

The assessment identified several “hidden” issues that would have caused a disruption in business operations. The prioritized Action Plan gave the firm guidance to make immediate changes to their network infrastructure and IT staff. The organization’s management had peace of mind knowing that the plan allowed the firm to double in size over the next two years.

Network assessments provide management with peace of mind and help organizations achieve growth targets.


Friday, May 04, 2007

Network Assessments

Network assessments help organizations identify, manage, and reduce their risks. While there are many forms of assessments, a typical assessment reviews the network infrastructure with the main purpose of ensuring reliability.

Typical areas reviewed include:
  • Network - servers, workstations, laptops
  • Scalability - performance, connectivity
  • Backups - including off-site rotation
  • Electronic communications - e-mail and IM
  • Software - licensing, patch management, custom
  • Policies - procedures, change management

Find out more about network assessments and how they can help you enhance the reliability of your network infrastructure.


Tuesday, April 17, 2007

5 Steps to Risk Management

Risk management services provide strategies, processes, and tools to identify, analyze, respond to, control, and evaluate risks. A formal five-step approach to risk management helps organizations identify, manage, and reduce risks.
1. Identify Risks - Assessment. Outside, independent assessments identify risks that cause downtime and business interruption. Review your technology systems, people, and processes.
2. Risk Findings - Analysis. Additional investigation and research. Analyze findings and evaluate your organization’s risk tolerance based upon information provided during the assessment.
3. Risk Response - Action Plan. Develop a prioritized action plan of recommendations, responsibilities, and related costs. The Action Plan provides the steps needed to address vulnerabilities.
4. Risk Control - Managed Services. Managed networking and security solutions protect your information assets.
5. Risk Effectiveness - Evaluate & Repeat. Evaluate the effectiveness of your organization’s risk management mechanisms. This is not a one-time event; prepare for the next assessment.

Find out more about assessments and how they can help your organization reduce its risks.


Tuesday, January 16, 2007

Security Tip #1 - Assessments Enhance Value

Network and security assessments and audits help determine if IT funds are effectively being used, identify and quantify IT related strengths and weaknesses, and help you focus on those areas that create the most value for your firm. Assessments are ideal for:

  • Ensuring compliance (HIPAA, Sarbanes-Oxley, etc.)
  • Emerging and fast growing firms
  • IPO ready organizations
  • Organizations concerned about security
  • Businesses with geographically distributed offices
  • Organizations in the financial and health care industries
  • Firms working with the government or large institutions
  • Organizations that share and collect personal and/or proprietary data

Assessments and Business Value

While some organizations want tactical advice on the state of the IT department, others want to maximize their investment in IT by developing and implementing a formal strategy. Before an organization can develop and execute strategy, the business can use assessments to understand its IT infrastructure and related strengths and weaknesses.

Find out more about IT network and security assessments and how they can help your organization.


Friday, December 22, 2006

Security Tip #2 - Protecting Your Data

Encryption can protect your data. Most organizations have sensitive information that needs to be stored on IT systems and distributed to authorized business contacts in a safe and secure manner. It is important to use secure encryption technology when conducting business and electronically exchanging information. Encryption makes information unintelligible to everyone except for your intended recipient.

Confidential information is created on a daily basis. Restricting access to confidential information on your network is only part of the solution. Increase the integrity of the data by encrypting sensitive information. Your business contacts need to use encryption to help maintain the confidentiality of your data since not all of your confidential information is contained within your office. Employees frequently work out of the office and this information must be transported in a safe and secure manner.

Your reputation is at risk when confidential information is compromised, and increased costs are incurred when information is exposed to unauthorized personnel. Don’t wait for someone to gain access to your confidential information. Encrypt information to protect yourself from threats both inside and outside of your organization.

Find out more about networking, security, and risk management solutions.


Tuesday, October 03, 2006

Security Tip #4 - Hackers, What You Need to Know

Hackers know things that you don't. That's their edge. It's the reason that they can break into networks, leaving a path of destruction in their wake. Concerned about security? Your concerns may be directly related to the value of the information you are trying to protect. For example, is your data difficult to recreate? What are the implications if someone outside the company gets access to your confidential documents? You can’t always prevent hackers from breaking in, but you can make it more difficult for them to succeed.

Why you need formal security protection:

  • Hackers like the challenge of breaking into systems
  • Without proper protection, any part of your network is at risk
  • Hackers cause network downtime (downtime cost calculator)
  • Hackers seek out weaknesses in your systems

Don't assume that ad-hoc security can protect you from Internet threats. A managed approach to security provides the protection you need.


Tuesday, June 06, 2006

Security Tip #8 - Security Assessments

Subscription security assessments. It is often difficult to decide where to properly allocate your security budget. Rather than simply throwing money at the problem, leading organizations use periodic security assessments to help pinpoint network security issues.

As new vulnerabilities are discovered on a daily basis, a system that is secure one day may be completely wide open the next. Much like regular anti-virus updates, subscribing to recurring security assessments helps an organization identify network security weaknesses before they can be exploited.

In addition to protecting your IT systems, periodic security assessments help protect your organization's reputation by helping identify vulnerabilities before they are exploited by unwanted intruders. Find out more about security assessments and how they can help protect your "information assets".


Wednesday, February 01, 2006

Single Points Of Failure

A Single Point of Failure (SPOF) analysis helps your organization manage its risks. By identifying your points of failure, you can:
  • Reduce your costs. By effectively allocating and prioritizing resources to critical areas. In addition, your internal staff can focus on your core competencies.
  • Enhance your image and reputation. By delivering on a narrow range of assigned duties, the team evaluating your single points of failure can help you eliminate downtime.
  • Improve your competitive position. By improving system availability, you'll be more competitive in your market place and better able to compete against larger organizations.
  • Increase your levels of customer service. Your systems will keep you in contact with those you serve.

Find out more about managing your Single Points of Failure.


Wednesday, November 02, 2005

Risk Management Benefits

Risk management tools and processes allow business managers to position their organizations to be industry leaders. By properly employing risk management processes, an organization can receive many benefits including:

  • Peace of mind through enhanced network and system availability
  • Enhanced image and reputation by keeping you in contact with your business associates
  • Improved competitive position by helping you compete effectively in the market place
  • Increased levels of customer service by keeping you in contact with those you serve

Don't let your organization get left behind. Learn more about our risk assessment services and how they can help you.
