How to perform an IT risk assessment

Few businesses can function effectively when their IT systems fail. A thorough IT risk assessment is a crucial way to identify where your systems could be compromised and to put an effective response strategy in place before that happens.

The importance of an IT risk assessment is often underestimated as daily IT maintenance grows larger and more demanding, and the sheer volume of 'paperwork' an assessment requires does not help.

To make the whole process easier, we've compiled a list of tips and steps that you as the CIO can take to ensure a smooth risk assessment.

Additional reporting by Christina Mercer.

Why should you perform an IT risk assessment?

The purpose of an IT risk assessment is to ensure all vulnerabilities and shortfalls are identified, prioritised and managed properly.

Risk assessments are particularly important for security teams and they should be performed regularly with the findings shared with all relevant employees and board members.

Without properly assessing what the IT team is running and how, you could be left vulnerable, and not only in the security department.

Risk assessments also help keep costs under control and make auditing a lot easier when the audit comes around. Finding areas to save money is a further benefit of an IT risk assessment.

Define every possible vulnerability

Every risk assessment comes with a large amount of necessary admin. Set aside time to create a document detailing all the vulnerabilities and risks that could arise.

Note down the possible threats to your IT network, whether that be ransomware, DDoS attacks, phishing or more severe malware attacks, the possible routes in, the most vulnerable people - and provide examples of this.

Your organisation might only ever fall victim to one or two of these attacks, but noting every kind of malicious activity that could target businesses like yours will help people outside the IT department grasp the importance of regular IT maintenance and of IT audits and assessments.

Each possible risk identified requires a detailed review of the threat. Using real-life scenarios is an effective way of envisioning the possible consequences for the organisation.

A vulnerability assessment should be conducted by IT using both automated and manual tools to identify any areas of weakness that should be classified as at-risk areas.

The assessment should note the current security situation covering the protection in place and any gaps that may not be covered.

Create an advisory committee

The risk management procedure will be easiest to implement with the right people involved. Create an advisory committee that includes representatives of every area of the business where a risk could arise, and anyone who knows how to contain it.

A security risk assessment checklist and an audit checklist are useful tools to help review the risks, while web-based tools offer more advanced means to compute them.

Let everyone know your plans

It's easy to think that a risk assessment is only relevant to the people directly involved. However, you should explain the procedure, and the possible impact of its outcome whatever that may be, to everyone in the department.

Holding a meeting to give your team an overview, or sending a short email, is not only good practice but prepares everyone for disrupted schedules and unfamiliar faces around the office.

As well as keeping the whole department and organisation in the loop, you should keep key people involved in the whole process and report your findings methodically throughout the assessment process.

Communication is key to ensure information isn't lost or misunderstood.

Data collection

Any risk assessment starts with a review of the current infrastructure. Both hardware and software require an assessment of strengths and weaknesses.

Assets with security risks should be inventoried and assessed by surveying the organisation and then sending the findings for review to the IT department.

The results will form the basis of a review covering the purpose, scope, data flow and responsibilities expected in the risk assessment.

Risk analysis

Any danger areas discovered then need a strategy put in place to protect them from serious consequences.

For each area, analyse the specific vulnerability, the threat that could exploit it and the probability of that happening.

Aspects to look out for include the likelihood and magnitude of harm from any unwanted access to the systems and the information they process: the combination of the two is what ranks one risk above another.
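The data collection and risk analysis steps above come together in a risk register: each inventoried asset is paired with a threat, the vulnerability that threat would exploit, a likelihood and an impact, and the controls already in place. The following is an added example written for this article, not a tool or code from the original page. The 1-5 scales, the multiplicative inherent score, the way control effectiveness is combined, the rating thresholds and the risk appetite of 8 are all assumptions chosen for illustration, as is the sample register, which is constructed and does not describe any real organisation.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List


class Likelihood(IntEnum):
    """Probability of the threat occurring (assumed 1-5 scale)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    """Magnitude of harm if it does (assumed 1-5 scale)."""
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed: fraction of the risk this control removes, 0.0 .. 1.0


@dataclass
class Risk:
    asset: str           # from the asset inventory (data collection step)
    threat: str          # e.g. ransomware, DDoS, phishing
    vulnerability: str   # the weakness the threat would exploit
    likelihood: Likelihood
    impact: Impact
    owner: str           # department responsible for the mitigation plan
    controls: List[Control] = field(default_factory=list)

    @property
    def inherent_score(self) -> int:
        # Risk before any controls: likelihood x impact (assumed model).
        return int(self.likelihood) * int(self.impact)

    @property
    def residual_score(self) -> float:
        # Treat controls as independent: the risk that survives all of them
        # is the product of what each one leaves behind (assumed model).
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return self.inherent_score * remaining


def rating(score: float) -> str:
    """Map a numeric score onto a qualitative band (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first: this is the order the report should present them in."""
    return sorted(register, key=lambda r: r.residual_score, reverse=True)


def needs_treatment(register: List[Risk], appetite: float = 8.0) -> List[Risk]:
    """Risks still above the organisation's risk appetite after existing controls."""
    return [r for r in prioritise(register) if r.residual_score >= appetite]


def report_rows(register: List[Risk]) -> List[tuple]:
    """Flat rows for the recommendations report sent to each department."""
    return [(r.asset, r.threat, r.owner, rating(r.inherent_score), rating(r.residual_score))
            for r in prioritise(register)]


def build_sample_register() -> List[Risk]:
    """Constructed sample data for the example; not a real organisation's register."""
    edr = Control("endpoint detection and response", 0.5)
    return [
        Risk("finance file server", "ransomware", "SMBv1 enabled, restores untested",
             Likelihood.LIKELY, Impact.SEVERE, "Finance",
             [edr, Control("tested offline backups", 0.6)]),
        Risk("customer web portal", "DDoS", "single upstream, no scrubbing service",
             Likelihood.POSSIBLE, Impact.MAJOR, "Digital"),
        Risk("staff mailboxes", "phishing", "no MFA on webmail",
             Likelihood.ALMOST_CERTAIN, Impact.MAJOR, "HR",
             [Control("security awareness training", 0.3)]),
        Risk("developer laptops", "drive-by malware", "unpatched browser plug-ins",
             Likelihood.POSSIBLE, Impact.MINOR, "Engineering", [edr]),
    ]


if __name__ == "__main__":
    for asset, threat, owner, inherent, residual in report_rows(build_sample_register()):
        print(f"{asset:22} {threat:18} {owner:12} inherent={inherent:9} residual={residual}")
```

Note how the ordering changes once controls are taken into account: ransomware has the highest inherent score in the sample, but tested backups and EDR bring it below the appetite, while phishing and DDoS remain above it and are the two the departments would be asked to treat first.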

Recommendations and departmental review

The resulting recommendations should then be listed in a report and issued to all the relevant stakeholders. Content will include the findings from the analysis and the selected response strategy.

Each department that receives the report will be expected to review the risks it describes. They should then devise their own strategy to reduce or avoid the dangers based on the nature of the business and the specific risks.

Risk mitigation plan

The strategy will only be effective when integrated in a risk mitigation plan by the department that established it.

This plan should include a timeline to follow when implementing the mitigation procedure. Once composed it will be sent to IT for review.

IT review

The IT team should assess the risk mitigation plan to ensure it is comprehensive and effective. Each step on the plan needs to be reviewed and approved.

Further additions or modifications can then be made if required.

Implement

The resulting risk assessment policy will guide the planning for, identification of, response to and control of risk. It should cover how to reduce the likelihood of each risk materialising and how to limit the consequences when it does.

The impact on third parties such as insurance companies and warranty providers should also be included. Each department is responsible for ensuring compliance, and should review the findings at least annually and whenever a change to the systems introduces a new risk.

Maintenance

A proactive approach to risk management builds the most effective barriers to threats, so any business function that depends on IT resources should be reviewed for dangers periodically.

A typical timeline for repeating the risk assessment involves a review of the policy at least every two years, but the exact scheduling for future assessments should be determined by the CIO. Any additional assessments to review emerging risks should be conducted as required.

Copyright © 2018 IDG Communications, Inc.