SAD/U5 Topic 6 Managing Risk in IT
If you own or manage a business that makes use of IT, it is important to identify risks to your IT systems and data, to reduce or manage those risks, and to develop a response plan in the event of an IT crisis. Business owners have legal obligations in relation to privacy, electronic transactions, and staff training that influence IT risk management strategies.
IT risks include hardware and software failure, human error, spam, viruses and malicious attacks, as well as natural disasters such as fires, cyclones or floods.
You can manage IT risks by completing a business risk assessment. Having a business continuity plan can help your business recover from an IT incident.
General IT Threats
General threats to IT systems and data include:
- Hardware and software failure: Such as power loss or data corruption
- Malware: Malicious software designed to disrupt computer operation
- Viruses: Computer code that can copy itself and spread from one computer to another, often disrupting computer operations
- Spam, scams and phishing: Unsolicited email that seeks to fool people into revealing personal details or buying fraudulent goods
- Human error: Incorrect data processing, careless data disposal, or accidental opening of infected email attachments.
Criminal IT Threats
Specific or targeted criminal threats to IT systems and data include:
- Hackers: People who illegally break into computer systems
- Fraud: Using a computer to alter data for illegal benefit
- Passwords theft: Often a target for malicious hackers
- Denial-of-service: Online attacks that prevent website access for authorized users
- Security breaches: Includes physical break-ins as well as online intrusion
- Staff dishonesty: Theft of data or sensitive information, such as customer details.
Natural disasters and IT systems
Natural disasters such as fire, cyclone and floods also present risks to IT systems, data and infrastructure. Damage to buildings and computer hardware can result in loss or corruption of customer records/transactions.
Managing information Technology Risks
Managing information technology (IT) risks is a structured process that involves a series of activities designed to:
- Identify risks
- Assess risks
- Mitigate risks
- Develop response plans
- Review risk management procedures.
As a first step in managing IT risks, you should be aware of the legal and legislative requirements for business owners,
IT risk Assessment
An effective IT risk assessment identifies serious risks, based on the probability that the risk will occur, and the costs of business impacts and recovery.
Business Continuity Planning
Having identified risks and likely business impacts, the development of a business continuity plan can help your business survive and recover from an IT crisis. A business continuity plan identifies critical business activities, risks, response plans and recovery procedures.
IT Risk Management Policies and Procedures
IT policies and procedures explain to staff, contractors and customers the importance of managing IT risks and may form part of your risk management and business continuity plans.
Security policies and procedures can assist your staff training on issues such as:
- Safe email use
- Setting out processes for common tasks
- Managing changes to IT systems
- Responses to IT incidents.
A code of conduct can provide staff and customers with clear direction and define acceptable behaviors in relation to key IT issues, such as protection of privacy and ethical conduct.