
1.6. Minimise risks to the information technology environment at all times

ryanrori February 1, 2021


Risk assessment is a structured and systematic procedure. It depends on correctly identifying hazards and appropriately assessing the risks that arise from them, so that risks can be compared with one another and prioritised for control and avoidance.

Information technology requires adequate protection. The aim of a security analysis applied to an information system is to identify and evaluate threats, vulnerabilities and security characteristics, and to minimise risks to the information technology environment at all times. IT assets are exposed to the risk of damage or loss. IT security involves protecting information that is stored and processed electronically; that protection covers the integrity, availability and confidentiality of the data. Computer crime takes many forms; one survey breaks it down as money theft 44%, damage to software 16%, theft of information 16%, alteration of data 12%, theft of services 10% and trespass 2% (Boran, 2003).

To minimise losses, risk management and risk assessment must be applied to the organisation's information technology and operational risks. They are the central parts of Information Security Management (ISM). Definitions vary, but most experts agree that Risk Management covers the analysis, planning, implementation, control and monitoring of the measures that are put in place, and that Risk Assessment is one part of Risk Management. Risk Assessment consists of several processes:

  • Risk identification, 
  • Relevant risk analysis, 
  • Risk evaluation  

Risk Management recognises risk, assesses it, takes measures to reduce it, and maintains it at an acceptable level. The main aim of Risk Assessment is to decide whether the risk of a system is acceptable and, if not, which measures would make it acceptable. Every organisation that uses IT in its business processes should conduct a risk assessment. Numerous threats and vulnerabilities are present; identifying, analysing and evaluating them makes it possible to estimate the impact of each risk and to propose suitable measures and controls that mitigate it to an acceptable level.

In risk identification, each source of risk is characterised by the event or incident it could give rise to. Knowledge of the organisation, both internal and external, plays an important role in that process, and past experience with risk in this or a similar organisation is very useful. Many techniques can be used to identify risk: checklists, expert judgement, flow charts, brainstorming, Hazard and Operability (HAZOP) studies, scenario analysis, and so on.

To assess the level of a risk, the likelihood and the impact of the incident must be estimated. The estimate can be based on experience, standards, experiments, expert advice and so on. Since an event can have several consequences, the level of risk is calculated as a combination of likelihood and impact (in the simplest schemes, the product of a likelihood score and an impact score). Risk analysis can be quantitative, semi-quantitative or qualitative. Risk evaluation then decides which risks require measures to reduce them. Measures can be technical (hardware or software), organisational (procedures), operational, protective, and others. After the costs and benefits have been weighed, an action plan can be developed that lists the proposed actions and who is responsible for carrying them out.

Implementing the action plan modifies the risk; the remaining (residual) risk then has to be assessed, and the management of the organisation must formally accept it.

Measures are also needed to keep the residual risk at the acceptable level. Risk Management is a continuous process: assessments have to be updated and the risk management cycle repeated.
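The cycle described above (identification, scoring of likelihood and impact, evaluation against an acceptance threshold, treatment by controls, assessment of the residual risk, and inter-risk comparison) carried through as a small risk register in Python. This is an added example and not part of the lesson; the 1..5 scoring scales, the acceptance thresholds, the use of annualised loss expectancy (ALE = SLE x ARO) as the quantitative variant, and the sample register entries are all assumptions chosen for illustration.

```python
# Worked risk-management example (added illustration, not the lesson's own
# material). Assumed conventions, not prescribed by the lesson:
#   - likelihood and impact are integer scores 1..5 (qualitative scale)
#   - risk level = likelihood * impact (semi-quantitative)
#   - level <= 7 acceptable, 8..14 tolerable (treat if cost-effective),
#     >= 15 unacceptable (must be treated)
from dataclasses import dataclass, field

ACCEPTABLE_MAX = 7    # assumed threshold
TOLERABLE_MAX = 14    # assumed threshold


@dataclass
class Control:
    """A measure (technical, organisational, ...) that lowers likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    annual_cost: float = 0.0


@dataclass
class Risk:
    """One register entry: a threat exploiting a vulnerability in an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1..5
    impact: int       # 1..5
    controls: list = field(default_factory=list)


def _score(value, name):
    """Reject anything outside the assumed 1..5 scale so bad input cannot be scored."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")
    return value


def risk_level(likelihood, impact):
    """Level of risk as the product of the likelihood and impact scores."""
    return _score(likelihood, "likelihood") * _score(impact, "impact")


def evaluate(level):
    """Risk evaluation: decide whether a level needs treatment."""
    if level <= ACCEPTABLE_MAX:
        return "acceptable"
    if level <= TOLERABLE_MAX:
        return "tolerable"
    return "unacceptable"


def residual_scores(risk):
    """Apply the controls; scores never drop below 1 because risk is reduced, not removed."""
    lik, imp = risk.likelihood, risk.impact
    for c in risk.controls:
        lik = max(1, lik - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return lik, imp


def assess(risk):
    """Inherent level, residual level after the action plan, and the rating of each."""
    inherent = risk_level(risk.likelihood, risk.impact)
    residual = risk_level(*residual_scores(risk))
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "inherent": inherent,
        "inherent_rating": evaluate(inherent),
        "residual": residual,
        "residual_rating": evaluate(residual),
        "annual_control_cost": sum(c.annual_cost for c in risk.controls),
    }


def prioritise(register):
    """Inter-risk comparison: highest inherent level first, so treatment effort goes there."""
    return sorted((assess(r) for r in register), key=lambda a: a["inherent"], reverse=True)


def annual_loss_expectancy(asset_value, exposure_factor, occurrences_per_year):
    """Quantitative variant: ALE = SLE * ARO, where SLE = asset value * exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction in 0..1")
    return asset_value * exposure_factor * occurrences_per_year


# Constructed sample register; the assets, scores and costs are fictional.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server", 4, 5,
         controls=[Control("patch management", likelihood_reduction=2, annual_cost=12000),
                   Control("offline backups", impact_reduction=3, annual_cost=8000)]),
    Risk("payroll system", "insider fraud", "no separation of duties", 3, 4,
         controls=[Control("dual approval", likelihood_reduction=2, annual_cost=3000)]),
    Risk("public website", "defacement", "weak admin password", 3, 2),
]

if __name__ == "__main__":
    for a in prioritise(REGISTER):
        print(f"{a['asset']:<18} inherent={a['inherent']:>2} ({a['inherent_rating']})"
              f"  residual={a['residual']:>2} ({a['residual_rating']})")
    before = annual_loss_expectancy(500_000, 0.6, 0.5)    # no controls
    after = annual_loss_expectancy(500_000, 0.1, 0.25)    # with backups and patching
    print(f"ALE before controls: {before:,.0f}  after: {after:,.0f}")
```

Running the block lists the register with the ransomware risk first (inherent 20, unacceptable) and shows it dropping to 4 (acceptable) once the two controls are applied, which is the residual risk management would be asked to accept; the ALE figures give the same before/after comparison in money terms for a quantitative analysis.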