IT risk management
With today’s pressures of compliance, cyber crime and customer demands organisations can no longer afford to have ad-hoc IT Policies and IT security measures in place. Protecting organisation data properly is critical.
Whilst the significant advancements in technology can provide many business advantages and opportunities; they can also come with new and potentially significant risk.
We provide an overview of the types of risks you need to consider in an IT Risk Management Framework.
IT risk management can be standalone or combined as part of the business risk management within an existing ISO framework.
IT Risks to Consider:
IT security
Risks: Data breach, malware/virus resulting in data loss, user error data loss or exposure.
Potential Mitigation: Comprehensive network security tools with external testing and reviews.
Adopt software which carefully controls data access and data sharing across multiple applications.
Capacity
Risks: Systems and storage capacities or unknown or are not forecasted with business growth.
Potential Mitigation: IT Capacity Management which would include a regular review on data growth and operational capacity. System alerts at storage and operational capacity points.
Cloud creep
Risks: Additional cloud applications could be subscribed to and used by other departments or members of staff. Organisational data could be in multiple clouds unknown to management or IT.
Potential Mitigation: Use software to monitor or restrict third party data storage cloud applications.
Survivability
Risks: IT systems have become critical to most businesses. Estimated downtime in the event of an IT failure should be considered.
Potential Mitigation: Assess the downtime period of an IT failure and ensure there is a Disaster Recovery solution in place that can recover within an accepted time period.
Compliance
Risks: IT system or data may not be compliant to expected standards.
Potential Mitigation: Managing all compliance manually would be too difficult. Automated monitoring and auditing to highlight risk is necessary. For example, simple auditing of administration use and access.
