IT Risk Management
Abstract
This paper explores three published articles that report on the results of research conducted on risks related to Information Technology and on methods that can be used to manage them. Some of the articles agree on the definition of risk and its management, while others differ. This presents a wide range of results from which a uniform conclusion can be drawn. According to Gibson (2010), a risk is the likelihood that a loss will be experienced, which happens when a threat exploits a vulnerability in the organization’s system. This paper examines Gibson’s (2010) article on risk management in relation to two other articles in order to come up with a control measure for the threat facing The Home Depot.
Keywords: Risk, Threat, Vulnerability, Loss.
Introduction
Ever since IT was introduced into organizational management systems, numerous studies on the various facets of information technology risk management have been carried out, focusing on the extent of the losses that may be experienced when a threat exploits a vulnerability. For every organization that relies heavily on IT to conduct its daily processes, it is obligatory to identify the risks in its data and IT systems in order to manage or reduce those risks. These organizations also develop response plans that can be turned to as soon as an IT crisis occurs. Gibson (2010), states that risk management
Risk assessment is used to determine how extensively the threats and risks associated with an IT system must be handled throughout its life cycle.
IT projects can have many different components, which creates the potential for more risks. These risks need to be identified, analyzed, and addressed as the project progresses (Schwalbe, 2014). Different types of risk can affect the implementation of a system that will allow people to manage their own human resource information. A positive risk can produce a project that is under budget or ahead of schedule, while a negative risk can have adverse effects on a project, such as going far over budget. There are also some risks that have neither a positive nor a negative impact on a project. Identifying risks and addressing them is mostly handled by the program manager.
Risk management includes the “overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective to take to control these risks” (Conklin et al., 2012, p. 678). For the proper development of risk management techniques, every person at every level of the organization, especially those involved in the Information Security (IS) department, “must be actively involved in the following activities:
Information technology can be very costly, and it is imperative for organizations not to overspend on their IT budget. However, it is also vital for organizations to understand the risks associated with information technology. As we saw in the TJX case, TJX’s senior management did not update their systems and had very little IT knowledge. This led to multiple risks, including several security breaches, which could have been contained by improving their information systems more efficiently. It is not just a matter of developing and implementing information technology; it is also a matter of understanding the risks and formulating solutions to the issues associated with IT. In Adventures of an IT Leader, Barton faced many challenges concerning the budget of IVK. He assumed full responsibility for all the risks associated with the technology used and for the IT budget. When the power shut off at IVK, Barton was faced with many challenges, including possibly compromised customer records, infected IVK systems, and working out solutions to secure the system. Barton suggested that IVK shut down operations to build a new and secure system, to ensure that IVK could identify where the infection originated and repair the system for future
Risk refers to a likelihood, a probability, a chance that a loss may occur in a given organization. Most of the time, risk is high when a vulnerability exists. In this case, a vulnerability refers to a weakness that the organization has. Risk assessment refers to the process of identifying potential hazards and properly analyzing the expected losses if those hazards occur (Homeland Security, n.d.). Risk assessment is a way of profiling risk according to its impact on the organization. Some organizations run business impact analysis exercises geared towards determining potential hazards based on risk assessment approaches. Organizations’ risks differ depending on their size and the type of business they are doing. The disparity in organizations’ risks calls for different adaptations of risk assessment approaches. Even with the disparities between businesses, proper risk management not only ranks risks according to their seriousness but also identifies the best methods to control risks in an organization.
Risk analysis is an integral part of data safety within an organization, and the analysis is vital to the mission and success of an organization. Risk analysis is used “to identify threats and then provide recommendations to address these threats” (Taylor et al., 2006). Risk analysis encompasses not only the equipment and programs used in an organization but also the cultural, managerial, and administrative processes that assure data security. A key factor in risk analysis is having a good Information Resource Management Plan.
Background: In its most basic sense, risk management identifies, assesses, and prioritizes the risks that are associated with and central to a particular project or organization. Risk management allows the organization to be proactive in preventing or mitigating risks, in improving certain processes within the organization, and in preventing fiscal exposure. However, almost every organization faces risks: individuals are unique and do not always perform at a high level of safety; mechanical or design failures exist; construction projects have supply or labor issues; there are uncertainties in computer or data modification; there are, of course, natural disasters; and there are even deliberate attacks from competitors. Because risk is such a common occurrence, national and even international standards have been developed in conjunction with insurance and regulatory institutions to at least provide basic guidelines for minimizing risk (International Organization for Standardization, 2009).
Information systems are known to be at risk from malicious attacks, user error, and other disasters. As technology is relied upon more heavily and computer systems become interdependent and accessible to more individuals, the susceptibility to threats increases. In addition, individuals are developing high levels of computer skills, which results in an increased risk of intrusion by outsiders. The Information Security Risk Assessment will determine the assets of the company, the organizational risks, the current security posture, and any areas of risk for GDI, and will recommend a mitigation strategy for reducing information security risks and implementing measures to reduce those risks. Through the Information Security Risk Assessment, GDI is taking steps to ensure that the organization identifies significant risks and determines the best method to mitigate them.
Vulnerabilities are like a thorn in the side of every single organization doing business today. In the IT world, vulnerabilities are bugs or flaws, weaknesses, or exposures of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability (Liu & Zhang, 2011). They are to companies today what the Black Plague was to Europe in the 1300s. It does not even matter whether the organization is connected to the internet or not; it is still vulnerable to some type of attack. Regardless of what a company actually produces and what its mission statement states, its number one internal concern is “vulnerability”. How do IT departments and IT managers combat these threats? Every company has
Many businesses are concerned with information technology risks. Many organizations are concerned with different types of risk and attempt to control those risks as they are assessed. In order to control risk, organizations must create control environments that set the tone for employee awareness and promote operational efficiency. One attempt to control risk is through risk assessment. The purpose of risk assessment is to identify organizational risks and evaluate additional or specific control procedures. The purpose of this paper is to analyze and assess the risks within the flow charts of accounts payable, accounts receivable,
Risk management is defined as the orderly procedure of recognizing, assessing, analyzing, and addressing the potential risks that exist within the organization in order to get rid of them. In simpler terms, risk management is the procedure for securing assets by making the most of modern techniques to minimize the risks that might lead to a breach of information privacy and information security. Managing risk is a proactive function of any organization. The concept of risk management has been used in hospitals since 1977. Although the target of any well-developed risk management program is a risk-free environment, two processes must exist: risk identification and risk control.
While outsourcing lessens the burden on an organization by reducing and shifting the cost and risk of its IT operations, security, and management issues to an external service provider or vendor, outsourcing any portion of an organization's Information System carries significant risks that can sometimes become detrimental to the outsourcing organization. According to the Commission on Government Outsourcing, "when outsourcing an organization exposes itself to significant risks in terms of security, accuracy, and completeness of information" (Holroyd City Council, 2008). Comprised in the rest of this document is an
Risk management is the term applied to a logical and systematic method of establishing the context and identifying, analyzing, evaluating, treating, monitoring, and communicating the risks associated with any activity, function, or process in a way that enables organizations to minimize losses and maximize opportunities (Lecture notes). Risk management is also described as 'all the things you need to do to make the future sufficiently certain' (The NZ Society for Risk Management, 2001).
The use of information systems technology has grown extensively in both scope and complexity. On the other hand, because of its enormous and multifaceted processes and operations, businesses must develop a robust mitigation strategy in order to control the threats that may arise. The strategy can be built on technology development and on planned incident responses that lessen the severity of a risk's impact. With the speed and complexity of the risk landscape changing on a daily basis, all too frequently enterprises are caught up in the wake of reputational and financial damage. Thus, they need to take care and come up with sufficient approaches to ensure that they are completely
Good security management requires risk management to mitigate or reduce risk to an acceptable level within an organization. Security management’s objective is to protect the company and its assets. A proper risk analysis will identify the company’s major assets, threats that put those assets at risk, and estimate the possible damage and loss a company may endure if any of the threats were to become real. With a good risk analysis, management can determine the type of budget they want to set to mitigate threats. Risk analysis justifies the cost of the countermeasures against the threats and determines the benefit or worth of security