Over the past two years, more roles have become involved in reviewing IT risk. IT risk management now requires that risks at every level, executive, managerial, and operational, are identified so that each can be mitigated appropriately.
Organizations are now more dependent than ever on the technology that runs the business, and even more so on the data behind that technology. The key areas of IT risk tend to be: data integrity; business continuity; IT infrastructure and network security; and IT management.
Data integrity is crucial, yet it continually surprises risk managers and analysts how little some organizations do to protect it. A survey conducted earlier this year by Utimaco illustrates the point. Of over 1,100 business users of mobile data, fewer than 20% protect data with encryption or passwords, or apply any protection except in exceptional circumstances, and only 7.3% of respondents’ companies have defined security guidelines for mobile data.
Business continuity is an obvious component of risk management, yet a number of organizations still lack adequate plans. A comprehensive business continuity strategy that is regularly tested and reviewed is essential for any organization that wants to be taken seriously, and the IT aspects of business continuity are a core part of it.
IT infrastructure and network security presents the usual concerns to a risk officer: malware, hackers, and inadvertent or deliberate tampering by temporary or permanent employees. In summer 2007, Newcastle City Council announced that between February 2006 and April 2007 it had inadvertently exposed up to 54,000 card details from payments by individuals for council tax, business rates, parking fines, and rents. According to the council, the information in the file was encrypted, but the file had been placed on an insecure server and subsequently uploaded to a computer address registered outside the UK.
The risks associated with IT management can include concerns about whether a particular function is best delivered in-house or outsourced to a third party, or how to give a project the best chance of success.
The key stages of IT risk management are: identify the risk; detail the stakeholders; determine the scope and basis of the risk evaluation; categorize the risk into one of five pre-determined levels; decide what action (if any) should be taken; and finally, set a process for re-evaluation. These steps should not, however, be confined to the IT risk manager; every line-of-business manager whose ability to perform their role in the organization would be affected should be involved in the process.
Risk management is not a burden for the IT manager: controlling the risks that IT faces supports the business objectives and ultimately improves the bottom line (profits or costs) for the organization. It is not a one-off project but an ongoing process, reassessed regularly, with appropriate processes in place to address changes in circumstances, so that the IT department remains able to support the organization in its objectives.
Source: OpinionWire by Butler Group (www.butlergroup.com)