Monday, December 06, 2010

IT Risk Management

IT risk management includes all of the activities that an organization carries out to manage information technology related risks. IT risk management is a formalized process and includes:

  1. Risk Assessment
  2. Risk Analysis
  3. Risk Treatment
  4. Risk Mitigation
  5. Risk Review and Evaluation

1. Risk Assessment (Identify Risks)
Risk Assessments identify possible sources of risk. They identify threats or events that could have a meaningful impact on the organization.

2. Risk Analysis (Impact)
Risk Analysis considers the probability and magnitude of each event. Risk evaluation compares the estimated risk with a set of risk criteria to determine the significance of the risk.

3. Risk Treatment (Risk Response Action Plan)
Risk Treatment identifies how each risk is to be addressed. The treatment options are to avoid the risk, transfer it (for example, through insurance or a contract), reduce it with controls, or accept it. Residual risk is the risk that remains after the chosen treatment has been applied; it should be compared against the organization's risk tolerance and formally accepted rather than left unstated.

4. Risk Mitigation (Risk Control)
Risk mitigation plans propose applicable and effective security controls that manage the risks. The plan should contain a schedule outlining the tasks to be performed, the individuals responsible for each action, estimated completion dates, etc.

5. Risk Review and Evaluation (Risk Effectiveness)
Risk management plans change over time as the business evolves, as new threats emerge, as losses are incurred, and as management changes. Review the effectiveness of your approach and revise as necessary.

Risk assessments help organizations identify, manage, and reduce risks to acceptable levels.


Wednesday, July 15, 2009

Risk Analysis

Risk analysis helps organizations secure sensitive information, protect their image and reputation, and meet compliance requirements. A formal risk analysis process includes identifying risk areas and implementing controls to reduce risks to acceptable levels.

The first step in the process is to identify assets that need protection. The assets can be tangible or intangible and generally provide value to the organization. Examples of tangible assets include buildings, employees, computer and network servers, etc. Examples of intangible assets may include intellectual property, custom software presently installed and under development, customer lists, goodwill, etc.

Once the assets have been identified, you will want to identify threats to the assets. The threats can be unintentional or intentional and may include:

  • Natural threats (acts of God)
  • Accidental or unintentional threats (worker illness, equipment failure)
  • Intentional threats such as asset theft and asset tampering (malicious damage)
For each threat, there may be one or more specific vulnerabilities. Vulnerabilities may be based upon location, employee skill sets, network access controls, network monitoring, etc. Examples of vulnerabilities include lack of employee security-related education, limited user knowledge, missing security functionality, poor password selection by employees, etc. Once a vulnerability has been identified, you should estimate how likely it is that a threat will exploit it (probability).

Once your assets, threats, and vulnerabilities have been identified, you can then evaluate the potential impact or loss. Examples of impact can include the cost of downtime, loss of information, breach of legislation, impact on reputation, loss of opportunity, etc. For each asset, consider the asset value, specific vulnerability, and probability of the event.

The next step in the risk analysis process is to develop controls that help eliminate risks or reduce them to an acceptable level.
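The procedure above (assets, threats, vulnerabilities, probability, impact, controls), and the assess/analyze/treat steps of the December 2010 post, can be worked through numerically. The following is an added example, not code from the original posts or from Altius IT. It uses the annualized loss expectancy method (SLE = asset value x exposure factor, ALE = SLE x ARO), which the posts describe only in words, and the register entries, controls, costs and the 5,000 risk-tolerance figure are all invented for illustration.

```python
"""Quantitative risk analysis over a small, constructed risk register.

Added example (not code from the original posts). It applies the annualized
loss expectancy (ALE) method:
    SLE = asset value x exposure factor     (loss from one event)
    ALE = SLE x ARO                         (expected loss per year)
A control is cost-justified when the ALE it removes exceeds its annual cost.
All assets, values, probabilities and controls below are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float       # value of the asset, in currency units
    exposure_factor: float   # fraction of asset value lost per event (0..1)
    aro: float               # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_after: float         # ARO once the control is in place
    ef_after: float          # exposure factor once the control is in place


def rank_risks(register):
    """Risk analysis step: order risks by expected annual loss, highest first."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def evaluate_control(risk, control):
    """Return (residual ALE, net annual benefit) of applying control to risk."""
    residual = risk.asset_value * control.ef_after * control.aro_after
    net_benefit = (risk.ale() - residual) - control.annual_cost
    return residual, net_benefit


def treatment_decision(risk, control, acceptable_ale):
    """Risk treatment step: accept, reduce, or transfer/avoid.

    acceptable_ale is the organization's risk tolerance, expressed as the
    largest expected annual loss it is willing to carry for one risk.
    """
    if risk.ale() <= acceptable_ale:
        return "accept"
    residual, net_benefit = evaluate_control(risk, control)
    if net_benefit <= 0:
        return "transfer or avoid"           # control costs more than it saves
    if residual <= acceptable_ale:
        return "reduce"
    return "reduce, then transfer residual"  # control helps but is not enough alone


# Constructed register: one intangible asset, one server, one building.
REGISTER = [
    Risk("customer list", "credential phishing", "no awareness training", 500_000, 0.30, 0.5),
    Risk("file server", "hardware failure", "single disk, no spare", 40_000, 1.00, 0.2),
    Risk("office building", "flood", "ground-floor server room", 2_000_000, 0.10, 0.02),
]

# Constructed candidate controls, one per risk, in the same order as REGISTER.
CONTROLS = [
    Control("security awareness training", 10_000, aro_after=0.2, ef_after=0.30),
    Control("redundant server", 9_000, aro_after=0.2, ef_after=0.05),
    Control("relocate server room", 50_000, aro_after=0.02, ef_after=0.01),
]

ACCEPTABLE_ALE = 5_000.0  # assumed risk tolerance per risk


def treatment_plan(register=REGISTER, controls=CONTROLS, acceptable_ale=ACCEPTABLE_ALE):
    """Return {asset: (ALE, decision)} for every risk, highest ALE first."""
    control_for = {r.asset: c for r, c in zip(register, controls)}
    return {r.asset: (round(r.ale(), 2), treatment_decision(r, control_for[r.asset], acceptable_ale))
            for r in rank_risks(register)}


if __name__ == "__main__":
    for asset, (ale, decision) in treatment_plan().items():
        print(f"{asset:16s} ALE={ale:>10,.2f}  -> {decision}")
```

In this constructed register the phishing risk dominates, and training is cost-justified but leaves a residual above tolerance, so the plan says reduce it and then transfer what remains (for example, through insurance). The redundant server costs more per year than the loss it prevents, so that risk is a candidate for transfer or avoidance rather than the proposed control. The flood risk is already within tolerance and is accepted. The same loop is what the review step re-runs when asset values, threat rates or controls change.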

Risk assessments help organizations identify, manage, and reduce their risks.


Thursday, December 04, 2008

Mitigating Risks

Organizations are finding that IT systems are a double-edged sword. Not only do they increase employee productivity and reduce costs, they also increase risk, because intellectual property and sensitive information are stored in a central location. Assessments can help organizations identify and manage risks. Once risk areas have been identified, organizations have a number of ways to mitigate or reduce their risks.

  • Risk Assumption. Accept the potential risk and continue operating the IT system or implement controls to lower the risk to an acceptable level. Administrative, physical, and technical controls help lower the organization's risks.
  • Risk Avoidance. Avoid the risk by eliminating its cause and/or its consequence. For example, bypass or eliminate certain functions of a system, or shut down the system when risks are identified.
  • Risk Limitation. Limit the risk by implementing controls that minimize the adverse impact of the risk. For example, implement preventive controls such as Intrusion Prevention Systems (IPS) that detect and block malicious traffic before it reaches the protected information.
  • Risk Planning. Manage risks by developing a risk mitigation plan that prioritizes, implements, and maintains controls. Implement managed services to minimize risks.
  • Risk Research. Lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
  • Risk Transference. Compensate for the loss by transferring the risk to another party. In addition to securing systems, organizations have the option to insure against security breaches. For example, insurance can cover the cost of regulatory-mandated notifications that a security breach has occurred, as well as fines, fees, or penalties arising from privacy or consumer protection violations.


Tuesday, April 17, 2007

5 Steps to Risk Management

Risk management services provide strategies, processes, and tools to identify, analyze, respond to, control, and evaluate risks. A formal five step approach to risk management helps organizations identify, manage and reduce risks.

1. Identify Risks - Assessment. Outside, independent assessments identify risks that cause downtime and business interruption. Review your technology systems, people, and processes.
2. Risk Findings - Analysis. Additional investigation and research. Analyze findings and evaluate your organization’s risk tolerance based upon information provided during the assessment.
3. Risk Response - Action Plan. Develop a prioritized action plan of recommendations, responsibilities, and related costs. The Action Plan provides the steps needed to address vulnerabilities.
4. Risk Control - Managed Services. Managed networking and security solutions protect your information assets.
5. Risk Effectiveness – Evaluate & Repeat. Evaluate the effectiveness of your organization’s risk management mechanisms. Risk management is not a one-time event; prepare for the next assessment.

Find out more about assessments and how they can help your organization reduce its risks.


Friday, December 22, 2006

Security Tip #2 - Protecting Your Data

Encryption can protect your data. Most organizations have sensitive information that needs to be stored on IT systems and distributed to authorized business contacts in a safe and secure manner. It is important to use secure encryption technology when conducting business and electronically exchanging information. Encryption makes information unintelligible to everyone except for your intended recipient.

Confidential information is created on a daily basis. Restricting access to confidential information on your network is only part of the solution. Encrypting sensitive information protects its confidentiality even when access controls are bypassed or the data leaves the network. Note that encryption by itself does not protect integrity: an attacker who cannot read a message may still be able to alter it undetected, so pair encryption with a message authentication code or use an authenticated encryption mode when tampering must also be detected. Your business contacts need to use encryption as well, since not all of your confidential information stays within your office. Employees frequently work out of the office and this information must be transported in a safe and secure manner.

Your reputation is at risk when confidential information is compromised and increased costs are incurred when information is exposed to unauthorized personnel. Don’t wait for someone to gain access to your confidential information. Encrypt information to protect you from threats both inside and outside of your organization.
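The difference between confidentiality and integrity is easy to see in code. The following is an added example, not code from the original tip or from Altius IT. To run with only the Python standard library it uses an illustrative stream cipher (an HMAC-SHA256 keystream in counter mode) rather than a production cipher; the keys, nonce and message are constructed test values, and a real deployment should use a vetted authenticated encryption mode such as AES-GCM or ChaCha20-Poly1305 with keys from a key manager.

```python
"""Encryption gives confidentiality; a MAC gives integrity.

Added example, not code from the original post. The stream cipher below
(HMAC-SHA256 keystream in counter mode) is an illustrative construction so
the example runs with the standard library alone; use a vetted AEAD mode
(AES-GCM, ChaCha20-Poly1305) in real systems. Keys, nonce and message are
constructed test values.
"""
import hashlib
import hmac

ENC_KEY = b"\x11" * 32   # constructed; never hard-code keys in real systems
MAC_KEY = b"\x22" * 32   # constructed; deliberately a separate key from ENC_KEY
NONCE = b"\x00" * 16     # constructed; must be unique per message under a key
PLAINTEXT = b"PAY 100 TO ALICE"


def keystream(key, nonce, length):
    """Pseudo-random keystream built from HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_xor(key, nonce, data):
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip_byte(ciphertext, offset, known, wanted):
    """Attacker step, no key needed: XOR the difference between the byte the
    attacker knows is at offset and the byte they want into the ciphertext."""
    c = bytearray(ciphertext)
    c[offset] ^= known ^ wanted
    return bytes(c)


def unauthenticated_demo():
    """Encryption alone: the tampered amount decrypts cleanly and is trusted."""
    ct = stream_xor(ENC_KEY, NONCE, PLAINTEXT)
    ct = flip_byte(ct, 4, ord("1"), ord("9"))   # "PAY 100" becomes "PAY 900"
    return stream_xor(ENC_KEY, NONCE, ct)


def encrypt_then_mac(data):
    """Encrypt, then authenticate nonce || ciphertext under a separate key."""
    ct = stream_xor(ENC_KEY, NONCE, data)
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return NONCE + ct + tag


def verify_then_decrypt(blob):
    """Check the tag in constant time before decrypting; None on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_xor(ENC_KEY, nonce, ct)


def authenticated_demo():
    """Return (decrypted genuine message, result for the tampered message)."""
    blob = encrypt_then_mac(PLAINTEXT)
    genuine = verify_then_decrypt(blob)
    tampered = flip_byte(blob, 16 + 4, ord("1"), ord("9"))  # same flip, inside the ciphertext
    return genuine, verify_then_decrypt(tampered)


if __name__ == "__main__":
    print("encryption only, after tampering:", unauthenticated_demo())
    print("encrypt-then-MAC (genuine, tampered):", authenticated_demo())
```

Two design points carry over to any real deployment: the MAC covers the nonce and ciphertext and is checked before anything is decrypted, and the encryption and authentication keys are distinct. Reusing a nonce under the same key with any stream cipher leaks the XOR of the two plaintexts, so nonces must never repeat.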

Find out more about networking, security, and risk management solutions.


Wednesday, February 01, 2006

Single Points Of Failure

A Single Point of Failure (SPOF) analysis helps your organization manage its risks. By identifying your points of failure, you can:
  • Reduce your costs. By effectively allocating and prioritizing resources to critical areas. In addition, your internal staff can focus on your core competencies.
  • Enhance your image and reputation. A team focused on the narrow task of evaluating your single points of failure can help you eliminate downtime.
  • Improve your competitive position. By improving system availability, you'll be more competitive in your market place and better able to compete against larger organizations.
  • Increase your levels of customer service. Your systems will keep you in contact with those you serve.

Find out more about managing your Single Points of Failure.


Thursday, January 26, 2006

Electronic Communications

Concerned about managing your risks? Want to know how others plan to use Information Technology to manage their risks?

Organizations are finding that the fast-paced Information Technology (IT) industry is a double-edged sword. While improving operational efficiencies, employees are exposing their businesses to even greater risks.

Imagine going in to work one day and finding that you have been summoned to appear in court. You find that a lawsuit has been filed against your organization. After some research by your legal staff, you are told that one of your employee’s E-mail messages is being used against you and will appear as evidence in your upcoming trial. Imagine that when you read your employee’s E-mail message for the first time, you discover that the E-mail contains sensitive and confidential information about your organization. What can your organization do to avoid future risks?

Organizations are finding that they need to change the way they handle and maintain their electronic records and communications. Many are planning to use IT to manage their risks and potential liabilities by securing and managing their electronic documents and confidential communications.

Areas where IT will be used to manage business risks include:
  • Document management
  • Confidential communications
  • Sensitive communications

Document Management
In the past, organizations maintained large volumes of paperwork in office filing cabinets and off-site warehouses. Access to information required employees to sift through files trying to locate the needed records.

Many organizations improved their access to information through the use of Information Technology solutions that automated the document storage and retrieval process. Through IT solutions such as electronic mail and electronic scanning and filing, documents could be located in minutes or even seconds. No longer did it take days or weeks to find the requested information.

In providing immediate access to information, a new risk emerged. While documents were accessible for internal reference purposes, they were also available to be subpoenaed. A second problem also arose. With traditional file cabinets, organizations tended to have only one version of a document on file. However, with electronic filing, an organization could have word processing documents, E-mail messages, electronic fax transmissions and other types of electronic communications available at a moment’s notice.

Organizations now realize the implications of maintaining electronic communications and the need to better manage these documents through a formalized document management archival and destruction procedure.

To manage risks, future document management procedures will be developed at the highest executive levels and pushed down to lower levels within the organization. Enforced company-wide, document management will consider information stored internally, on tape backup media, on the Internet/Intranets, as well as communications with outside business contacts.

Confidential Communications
In addition to managing their documents, organizations must be especially concerned about their confidential communications. These types of communications may occur within an organization or may also include communications with outside business contacts.

To manage their risks, organizations will use IT to better protect their electronic communications. Confidential documents and communications will be encrypted to protect information. While these steps are already being used by some organizations, others are finding that more extensive procedures need to be implemented.

Electronic communications via E-mail will receive special attention. Employees typically have found it beneficial to store electronic versions of E-mail messages. Management tends to believe that these messages may pose more harm than good. As a result, management may dictate that this type of correspondence be removed after a period of time. While many organizations have controlled the archival and destruction of E-mail messages within their organization, most have yet to address electronic communications with outside contacts.

To manage their risks, organizations will implement solutions that more fully address confidential communications and E-mail. For example, management can dictate that E-mail messages expire a pre-determined number of days after the initial transmission of the message. This provides management with the peace of mind knowing that their risks are properly managed.

Sensitive Communications
Business executives in the future will be expected to take more of a proactive role by actively controlling and monitoring electronic communications. IT systems will be configured to restrict the sending or receiving of messages that may contain questionable material.

By configuring software applications to look for certain keywords or phrases, outgoing E-mail correspondence can be stopped before the message has left the sender’s desk. Questionable incoming messages may be routed to a special pending mailbox where they will be held pending a third party review.

By configuring software to look for certain keywords or phrases, an organization can prevent questionable communications that may result in sexual harassment lawsuits or other types of litigation.
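The keyword mechanism described above can be shown as a small mail-routing filter. The following is an added example, not code from the original post or from Altius IT; the watch list, the policy names ("block", "pending-review"), and the sample messages are constructed. It implements the two outcomes the post describes: matching outbound mail is stopped before it leaves the sender, and matching inbound mail is held for third-party review.

```python
"""Keyword-based filter for outbound and inbound e-mail, as the post
describes. Added example, not code from the original post; the watch list,
policy names and sample messages are constructed.
"""
import re
from email import message_from_string

# Constructed watch list. Multi-word phrases match across any run of
# whitespace, including a line break inside the phrase.
KEYWORDS = ["confidential", "trade secret", "do not distribute"]


def compile_patterns(terms):
    """Whole-word, case-insensitive patterns; 'confidential' does not match 'confidentiality'."""
    return [(t, re.compile(r"\b" + re.escape(t).replace(r"\ ", r"\s+") + r"\b", re.IGNORECASE))
            for t in terms]


PATTERNS = compile_patterns(KEYWORDS)


def body_text(msg):
    """Collect the text/plain parts; attachments and HTML parts are not scanned here."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_message(raw, patterns=PATTERNS):
    """Return the watch-list terms found in the subject or body, in list order."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    return [term for term, pat in patterns if pat.search(text)]


def route(raw, direction, patterns=PATTERNS):
    """Routing policy from the post: block matching outbound mail before it
    leaves the sender; hold matching inbound mail for third-party review."""
    hits = scan_message(raw, patterns)
    if not hits:
        return "deliver", hits
    if direction == "outbound":
        return "block", hits
    return "pending-review", hits


# Constructed sample messages (RFC 5322 text with CRLF line endings).
OUTBOUND = (
    "From: sender@example.com\r\n"
    "To: partner@example.net\r\n"
    "Subject: Q3 forecast\r\n"
    "\r\n"
    "Attached are the CONFIDENTIAL forecast figures. Do  not\r\n"
    "distribute outside the project team.\r\n"
)
INBOUND = (
    "From: unknown@example.org\r\n"
    "To: staff@example.com\r\n"
    "Subject: Trade Secret opportunity\r\n"
    "\r\n"
    "Call me today.\r\n"
)
CLEAN = (
    "From: staff@example.com\r\n"
    "To: friend@example.net\r\n"
    "Subject: Lunch\r\n"
    "\r\n"
    "Noon works, see you at the cafe.\r\n"
)

if __name__ == "__main__":
    for name, raw, direction in [("outbound", OUTBOUND, "outbound"),
                                 ("inbound", INBOUND, "inbound"),
                                 ("clean", CLEAN, "outbound")]:
        print(name, route(raw, direction))
```

The whole-word patterns keep ordinary words such as "confidentiality" from triggering a hold, which is the main source of false positives in keyword filters, but the same strictness means a sender who writes "c0nfidential" or puts the text in an attachment passes untouched. A keyword list is therefore a policy-enforcement aid for cooperative users, not a control against a determined insider.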

Summary
Electronic document management and communications solutions allow organizations to control costs and improve their operational efficiencies, but they also create the liabilities described above. To manage these risks, organizations will implement solutions that address the liabilities associated with electronic records and communications.

Organizations that are successful in using Information Technology to manage current and future business risks will achieve competitive advantages in their marketplaces. Please contact us for more information on managing your risks.


Wednesday, November 02, 2005

Risk Management Benefits

Risk management tools and processes allow business managers to position their organizations to be industry leaders. By properly employing risk management processes, an organization can receive many benefits including:


  • Peace of mind through enhanced network and system availability

  • Enhanced image and reputation by keeping you in contact with your business associates

  • Improved competitive position by helping you compete effectively in the market place

  • Increased levels of customer service by keeping you in contact with those you serve

Don't let your organization get left behind. Learn more about our risk assessment services and how they can help you.


Saturday, October 08, 2005

Reduce Total Cost of Ownership

Reduce total cost of ownership. Industry leading organizations know that IT systems need to be properly managed and maintained. The “Fix on Fail” approach to systems management results in employee frustration, missed deadlines, increased costs and lower levels of client service.

Altius IT recommends the managed solutions listed below. The support schedule depends upon the importance of IT to your organization.

Daily/Weekly

  • Check hard drive – capacity and free space

  • System – scan drives for errors, defragment

  • Software patches – patch management

  • Review anti-virus software – auto updates

  • Troubleshooting – examine log files for errors

  • Check anti-spyware – updates and scans

  • User access – add/remove access to systems

  • Applications – add/configure and troubleshoot

  • Mobile devices – synchronize with desktops

  • User support – problem determination, assistance

  • Server – application monitoring and size limits

Monthly/Quarterly service


  • E-mail – size, user delegate permissions

  • Firewall – firmware updates, subscription status

  • Internet - review firewall bottlenecks and log file

  • System backups - test and review off-site rotation

  • Security assessment – penetration test and report

  • Backup e-mail – test proper operation and findings

  • Public folders – access and security

  • Data folders – access and security

  • Document – retention procedures, archiving

  • Assessment – independent review of systems

Annual service


  • Integrity – review user access to systems & data

  • IT alignment – with business goals and direction

  • IT planning – long range planning and updates

  • IT budget – maintenance and special projects

  • Policies – review/update policies and procedures

  • Best practices – to ensure system availability

  • Business continuity – testing and plan revision

  • Updates – renew annual subscriptions

  • Domains – check expiration of domain names

  • Archiving – year end archiving procedures

  • Best practices – tools/checklists (database, e-mail)

  • Audit – outside independent audit of IT

For more information, please refer to Altius IT's managed networking and security services.
