Guide to Conducting IT Risk Assessments
By ERMProtect Staff
The more your business relies on IT, the more important it is to identify and control the risks that could affect your IT systems. Threats ranging from equipment failure to malicious attacks by hackers have the potential to disrupt critical business systems or open up access to your confidential data. Many businesses hire independent firms such as ERMProtect to conduct IT risk assessments and draft remediation and response plans, especially if they are rich targets for hackers. Other businesses perform their own IT risk assessments. Below is systematic approach to identifying, assessing, and managing IT security-related risks.
What Are Typical IT Risks?
The first step is to identify and examine the threats posed to your IT systems and the information held in them. They face a wide range of threats that include:
- Physical threats resulting from physical access or damage to IT resources such as the servers. These could include theft, damage from fire or flood, or unauthorized access to confidential data by an employee or outsider.
- Electronic threats aiming to compromise your business information - e.g., a hacker could get access to your website, your IT system could become infected by a computer virus, or you could fall victim to a fraudulent email or website.
- Technical failures such as software bugs, a computer crash, or the complete failure of a computer component. A technical failure can be catastrophic if, for example, data on a failed hard drive cannot be retrieved and no backup copy is available.
- Infrastructure failures such as the loss of your internet connection can interrupt your business - e.g., you could miss an important purchase order.
- Human error is a major threat - e.g., someone might accidentally delete important data, or fail to properly follow security procedures.
Another technique is to use a brainstorming approach. Interview key stakeholders at your business to understand what risk mitigation plans are already in place or are needed. Summarize the results in a risk register.
How To Conduct A Risk Assessment?
When assessing the IT risks your business may face, avoid spending too much time and money reducing risks that may pose little or no threat to your business.
Instead, you want to focus on the most serious risks, based on:
- The likelihood of the risk happening.
- The cost or impact if it does happen.
A quantitative assessment of your risks would be the combination of these two factors. For example, if a risk has a high probability and a high cost/impact, then it will get a high-risk assessment. Quantitative measures of risk like this are only meaningful when you have good data. You may not have the necessary historical data to work out probability and cost estimates on IT-related risks, which can change very quickly.
A more practical approach is to use a qualitative assessment. This is using your judgment to decide whether the probability of occurrence is high, medium, or low. For example, you might classify as 'high probability' something that you expect to happen several times a year.
You do the same for cost/impact in whatever terms seem useful, for example:
- Low - would lose up to half an hour of production.
- Medium - would cause complete shutdown for at least three days.
- High - would cause irrevocable loss to the business.
You might then decide to act on risks that are high probability/medium cost/impact, medium probability/high cost or high probability/high cost and leave the rest.
How Is Risk Management Structured?
Risk management is a structured way of controlling IT risks. The following steps outline a typical approach:
- Identify risks.
- Assess risks - assess the severity of each risk is and prioritize the most important.
- Mitigate risks - implement controls and preventative measures to reduce the probability of the risk occurring and limit its impact if it does.
- Review - risk management should be seen as an ongoing process. Continuously reassess threats and actively search for new ones.
Ideally, you should try to reduce the probability of risks affecting your business in the first place. For example, you can reduce risks by:
- Making your business less of a target. Consider what needs to be on public or shared systems and, where possible, remove sensitive information.
- Installing and maintaining security controls, such as firewalls, anti-virus software and control processes that help prevent unauthorized users from accessing your IT system.
- Implementing security policies and procedures such as internet and email usage policies, and training staff.
- Using a third-party IT provider that can provide its own security expertise.
Where risks cannot be eliminated or reduced to an acceptable level, you may be able to reduce the impact. This should include procedures for detecting and dealing with problems - e.g., if a virus gets into your system. You may also want to consider insurance against the costs of security breaches.
In management's selection of procedures and techniques of controls, the degree of control implemented is a matter of reasonable business judgment. The common guideline that should be used in determining the degree of internal controls implementation is that the cost of a control should not exceed the benefit derived.
IT Risk Management Checklist
Risk management can be relatively straightforward if you follow some basic principles. Below are some practical hints that you may find useful:
- Take IT security into consideration from the outset when you plan new or changed IT systems.
- Actively look for IT-related risks that could impact upon your business. A workshop will help you to think more imaginatively about risks than doing it alone.
- Consider the opportunity, capability, and motivation behind potential attacks.
- Assess the seriousness of each IT risk so that you can focus on those which are most significant.
- Implement standard configurations for PCs, servers, firewalls, and other technical elements of the system.
- Do not rely on just one technical control (e.g., a password). Use two-factor authentication to guarantee user identity - e.g., something you have (such as an ID card) and something you know (a PIN or password).
- Support technical controls with appropriate policies, procedures, and training.
- Make sure you have a business continuity plan covering any serious IT-related risks that you cannot fully control.
- Regularly review and update your IT risk assessment and business continuity plan.
- Establish an effective incident recording and management system.
- For purposes of consistency, consider certification to the information security management standard NIST CSF or ISO/IEC 27001 for your business and your trading partners.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights