IT Threat-Risk Assessment Procedure | ITSD101

IT Threat-Risk Assessment Procedure

The IT Threat-Risk Assessment Procedure identifies potential threats to your company’s IT assets and helps evaluate those threats on the basis of probability and risk. The IT Threat-Risk Assessment Procedure applies to all company IT assets. (8 pages, 1932 words)

IT Threat-Risk Assessment Responsibilities:

The Information Technology Security Manager is responsible for conducting threat assessments of the Information Technology network and reporting on the results of such assessments. Also, the Information Technology Security Manager is responsible for continually monitoring threats and taking actions to mitigate risk to the company’s Information Technology assets.

Information Technology Managers are responsible for evaluating the results of a threat assessment, assessing the level of risk to various Information Technology assets, and recommending actions that mitigate risk.

IT Threat-Risk Assessment Definitions:

Risk – Possibility of losing availability, integrity, or confidentiality of Information Technology assets due to a specific threat; also, the product of threat level and vulnerability level.

Threat – Expression of intent to inflict evil, injury, or damage; potential violation of security.

Threat Assessment – A process by which types of threats an Information Technology network might be vulnerable to and where the network is most vulnerable are identified.

Vulnerability – Flaw or weakness in a system’s design, implementation, or operation and management that could be exploited.

IT Threat-Risk Assessment Procedure Activities

• IT Threat Risk and Assessment-Introduction
• IT Threat Assessment Preparation
• IT Threat/Risk Assessment
• IT Threat/Risk Management Review

IT Threat-Risk Assessment Procedure References

• Sarbanes Oxley Act of 2002
• Control Objectives for Information Related Technology (COBIT)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• National Institute of Standards and Technology (NIST) Special Publication #800-30- Risk Management Guide for Information Technology Systems (July, 2002)

IT Threat-Risk Assessment Procedure Forms

• IT Threat/Risk Assessment Report Form

One important element of strategic IT planning is to perform a SWOT analysis, where you determine your company’s strengths, weaknesses, opportunities, and threats. You can use the result of your SWOT analysis can be used to rearrange (or reprioritize) your resources and strategic actions, thereby helping you build and maintain a strong competitive position. You should also account for these Top 10 Computer and IT Trends in your strategic plan.

Many of these Computer and IT trends have been evolving for some time and are only now approaching the mainstream; some will go away before they reach critical mass, to be replaced by other concepts. Regardless, there’s no time like the present! Ignoring these — or any — trends could put your business in jeopardy. To stay competitive, you’ve got to stay current…if not ahead of the pack.

Top 10 Computer and IT Trends:

1. CLOUD COMPUTING

Companies are moving to new cloud and SaaS based software systems to take advantage of reduced operating costs and focus on their core business. IT departments are under pressure to improve productivity and deliver more value, fast. How many applications have you moved to the cloud? Expect to move more and more software applications into the cloud.

2. RICH CONTENT

Companies are driving video into the mainstream with consumer electronics, the web, social networking, unified communications, Internet-based television and mobile computing. Company departments beyond marketing are examining how rich content can be used to improve the customer/supplier relationship. Have you paid attention to computer and IT trends ad introduced rich content and video into your website yet? Expect to develop video production capabilities.

3. COLLABORATION

Companies are increasing productivity through collaboration software that speeds communication and drives action. Wikis, blogs, forums, instant messaging, social networks, and/or collaborative office products collect important employee, supplier, or customer feedback online, which can be used to take immediate action. How much “voice of the customer” information are you collecting? Expect to use more collaboration tools as a customer, supplier, or employee.

4. MOBILE COMPUTING

Companies are increasing productivity through the use of PDAs, tablets, and other personal devices to collect or access data and important software applications on the go. This new-found freedom has pluses (see Collaboration, Cloud Computing) and minuses (see Data Security, below). How many mobile devices are you using? Expect to introduce more mobile computing devices to increase productivity and stay competitive.

5. DATA SECURITY

Company’s face increasing liability exposure from social networking websites and employees housing data in PDAs, laptops, or wireless networks. WikiLeaks may only be the beginning…Do your employees have access to sensitive information? Expect to introduce digital rights management, data loss prevention, data security and other IT policies and procedures templates with these computer and IT trends.

6. LOCATION-BASED SERVICES

Many service and delivery companies are already using this technology to provide better customer service by identifying which rep is closest to a given customer site. GPS data that produce personally identifiable employee information (mobile devices, RFID tags) will also cause companies to examine their privacy policies and internal controls. Do you know where your employees are? Expect to update your data collection policies.

7. DATA BREACH NOTIFICATION

It’s simply good business practice (and it’s the law, in some cases) to notify your customers of any data breach to their systems. How prepared are you to handle data breaches? Expect to develop a data breach procedure.

8. RISK REPORTING

Companies face increasing pressure to improve customer and supplier verification (to prevent money laundering, fraud, terrorist exposure, etc.). Do you have a customer/supplier evaluation process? How effective is it? Expect to introduce new policies and procedures for recognizing, reducing, and reporting risks.

9. STANDARDS CONVERGENCE

Companies are operating more globally and complying with worldwide standards (e.g., IFRS, HACCP, certain ISO standards). To compete globally, companies need to comply with an increasing number of worldwide standards. Have you begun to prepare for worldwide standards which may impact your firm significantly? Expect to convert and adapt to even more worldwide standards in the near term.

10. HEALTH INFORMATION TECHNOLOGY

Healthcare companies need to examine their IT systems, software, and practices (if they’re not already) to provide a secure environment for the storage and use of personal health information. Do you know how safe your personal health information is? Expect to introduce new security and access controls, and to possibly see more legislation in this regard.