risk – Cyberlaws.org (https://www.cyberlaws.org) – Compliance | Security | Legal – feed generated Fri, 12 Jun 2020 02:57:30 +0000

INFORMATION TECHNOLOGY (IT) RISK MANAGEMENT
Published Wed, 15 Apr 2020 19:55:07 +0000 – https://www.cyberlaws.org/information-technology-it-risk-management/

What is Risk?

Risk is any unwanted event that affects an organisation's ability to attain its business objectives.

Several types of business risk exist in any organisation:

  • Strategic Risk
  • Operational Risk
  • Financial Risk
  • Compliance Risk

Risk management is the process of identifying, analysing and evaluating an organisation's risks and then applying appropriate controls to mitigate them.

What is IT Risk?

In the digital age most businesses use information technology, so IT plays a pivotal role in many of them.

Any organisation that uses IT to run its business must understand and identify the risks related to its information systems and data, manage and reduce those risks, and develop a response plan for any IT crisis.

Businesses today also have regulatory and legal compliance obligations relating to data privacy, electronic transactions and staff training, all of which influence IT risk management strategies.

The main IT risks include software and hardware failure, malware and virus attacks, human error and misconfiguration, as well as natural disasters such as flood, fire, earthquake and cyclone.

General IT Risk

These risks can be subcategorised further:

  • Hardware and software failure – abuse of rights, corruption of data, electromagnetic radiation, loss of power supply
  • Malware – malicious software designed to disrupt computer operation
  • Viruses – computer code that can copy itself and spread from one computer to another, often disrupting computer operations
  • Spam, scams and phishing – unsolicited email that seeks to fool people into revealing personal details or buying fraudulent goods
  • Human error – errors in data processing, data disposal errors, or accidental opening of infected email attachments

Natural disasters such as fire, earthquake, cyclone and flood also pose a risk to IT infrastructure. In the absence of a business continuity plan, they may lead to data loss, corruption of data records and unavailability of IT services to customers.

How to Manage Information Security Risk?

Management of IT risk involves a series of activities performed in the following order:

  • Risk Identification
  • Risk Assessment
  • Risk Mitigation
  • Development of Response Plan
  • Review of Risk Management procedures

How to reduce Information Technology Risk?

Many risks and threats to a business can affect IT operations. Applying appropriate measures protects IT systems against unauthorised access.

A few steps to improve IT security:

  1. Proper access control for computers, servers, networks and Wi-Fi
  2. Using strong passwords
  3. Encryption of critical data
  4. Using a firewall, IDS and IPS on the network
  5. Updating software and antivirus with the latest patches
  6. Data backup for all critical data
  7. Information security training and awareness for staff
  8. Using secure software development processes
  9. Implementing SSL for secure online communication
  10. Last but not least, having cyber security insurance

A few well-known standards and frameworks that can help organisations mitigate IT risk are:

  • ISO 31000
  • COBIT
  • COSO
  • NIST Risk Management Framework
  • ISO 27001
  • ISO 27005

For any organisation, risk identification is the first step towards risk mitigation. An undetected risk is the most dangerous kind, because a treatment methodology can only be implemented once the risk has been identified. Organisations need the right approach and a skilled workforce for this job. A step-by-step risk management process helps an organisation mitigate IT-related risk and build an effective and efficient IT system that supports its business goals.

WHY BUSINESS CONTINUITY MANAGEMENT IS SO IMPORTANT FOR IT SERVICE PROVIDERS
Published Sun, 05 Apr 2020 20:41:47 +0000 – https://www.cyberlaws.org/why-business-continuity-management-is-so-important-for-it-service-providers/

Any disruption to a business can cost money, damage its reputation and sometimes lose it customers. Insurance does not cover all costs and cannot replace customers who defect to the competition. A business continuity plan is a must for any IT service provider that wants to survive such catastrophic conditions.

The business continuity process identifies the likelihood and impact of risks to the business and then produces a contingency plan to deal with eventualities such as IT system failure, terrorism, natural calamities such as earthquake and flood, and unavailability of staff.

Business continuity is one of the most critical aspects of any business.

WHAT IS BUSINESS CONTINUITY MANAGEMENT (BCM)?

Business continuity management (BCM) is a framework for identifying an organisation's risks and its exposure to external and internal threats to service availability, and for formulating a plan to mitigate those risks. BCM involves developing a plan to prevent disasters and to assist recovery in the event of a crisis. Its purpose is to develop and implement the ability to respond effectively to threats such as data breaches or natural disasters and to protect the business interests of the organisation. BCM includes crisis management, disaster recovery, business recovery, incident management, emergency management and contingency planning.

What Is Business Continuity Planning (BCP)?

Business continuity planning (BCP) is the step-by-step process of creating a robust preventive system and a mechanism for quick recovery from the risks a company faces. BCP ensures that personnel and assets are protected and are able to function quickly in the event of a disaster. It is conceived in advance and involves input from key stakeholders and personnel.

Business continuity planning is the assessment of both internal and external risks and their impact on the business, followed by the implementation of preventive, detective and corrective measures.

BCP involves defining all risks that can affect the organisation's objectives and operations, making it an important part of the organisation's risk management strategy.

Basic areas in which Business Continuity Planning needs to be considered:

  • IT Service Continuity
  • Disaster Recovery (DR)
  • Pandemic Planning
  • Life-Safety
  • People Continuity

HOW TO DEVELOP BUSINESS CONTINUITY PLAN?

Development of a business continuity plan involves the following steps:

STEP 1 First, perform a needs analysis, define the strategy objectives and create an implementation framework.

STEP 2 Next, identify the business value of the organisation's applications and determine the RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for each through data risk analysis.

STEP 3 Next, match technologies for safeguarding data, including backup, disaster recovery, vaulting, snapshots and replication, to that business value.

STEP 4 Next, define infrastructure and personnel plans, including organisational and communications processes. Form a business continuity team and compile the business continuity plan for managing a business disruption.

STEP 5 Next, implement the required technologies, and train critical personnel and make them aware of which business processes are affected.

STEP 6 Conduct table-top exercises and BCP drills of the documented plan under different scenarios, and document the outcomes.

STEP 7 Next, measure and validate the test results against the plan's overall objectives.

STEP 8 Further, implement the enhancements that have been prioritised as a result of continuous testing and evaluation.

STEP 9 Next, continuously review, enhance and improve the business continuity plan in response to organisational changes, fluctuating business conditions and the addition of new technologies.

STEP 10 Finally, remember to repeat the entire process continuously.

BUSINESS CONTINUITY PLAN CONTAINS:

  • Purpose and scope of the BCP
  • Initial data, including contact information for all important stakeholders, located at the beginning of the plan
  • Change management procedures
  • Business Impact Analysis (BIA) and Risk Assessment (RA)
  • How to use the business continuity plan, including guidelines on when the BCP will be initiated
  • Business continuity policy
  • Emergency response and management
  • Step-by-step procedures for data recovery
  • Checklists and data flow diagrams
  • Review, test and update schedule for the BCP

WHY BUSINESS CONTINUITY MANAGEMENT IS IMPORTANT FOR IT SERVICE PROVIDERS

Since most businesses are now digitised and IT plays an important role everywhere (ERP, CRM, databases and so on), it is essential for IT service providers to consider business continuity in order to keep the business up and running in the event of a disaster. Features of BCP:

  • Business continuity planning helps to identify all the critical processes and assets of the organisation and all the risks associated with them.
  • Business continuity planning helps to continue operations in case of disasters such as fire, cyber-attacks, natural calamities and civil unrest.
  • Business continuity planning prepares the organisation for any kind of disruption and thus minimises the effect of a disruption on the organisation.
  • It reduces the risk of financial loss to the organisation.
  • It helps the organisation meet legal and statutory requirements.
  • Defined RTO and RPO enable recovery of critical systems within an agreed timeframe.
  • It helps retain the organisation's brand and image and gives employees, clients and suppliers confidence in the organisation's services.
  • Frequent BCP drills help the organisation react and re-establish services quickly in case of disaster.
  • BCP involves documenting all the activities to be performed in case of disruption; a well-tested and documented process helps to revive the business easily.
  • BCP provides the option of working from a remote location in case of disaster, so operations are not interrupted.
  • A well-planned BCP helps reduce downtime in case of disruption.
  • Taking backups is an integral part of BCP, so organisations can recover data without much loss and resume their business.

Business continuity and disaster recovery cannot be achieved by a single employee or person; it is a team effort. A single person or untrained staff cannot deal with disastrous situations, and, like most team activities, it requires practice and adequate competence to perform effectively in adverse situations such as a disaster. Proper planning is required.

Proper planning means that a thorough assessment is carried out and relevant controls are implemented and tested. It sets out who does what and how it is to be performed, and provides a set of well-tested instructions for use in a contingency.

If stakeholders are not informed of and practised in their roles, they cannot perform well. In that regard, business continuity planning is a sign of inclusion and of a company's commitment to having a real plan.

CYBER SECURITY WORKSHOPS: AN EFFECTIVE WAY TO UNDERSTAND CYBER RISKS FOR BEGINNERS AND PROFESSIONALS
Published Sun, 22 Mar 2020 09:31:16 +0000 – https://www.cyberlaws.org/cybersecurity-workshops-effectiveway-to-learn/

Workshops have always been a great source of knowledge about a subject. Cyber security being such a crucial issue nowadays, attending workshops on it helps attendees understand the cyber world as it relates to their working domain and use it more effectively and efficiently.

People of all ages and occupations are connected online nowadays, in both their personal and professional lives, yet most of them still do not know about cyber crime and cyber risk.

Cyber security workshops certainly bring many benefits to different categories of people:

Students:

Students nowadays use multiple online platforms to enhance their skill sets. Students gain the following benefits:

Students can learn about cyber security in workshops, learn about various risk scenarios in their personal lives, and educate their parents and elders.

Students can understand the career aspects of cyber security by learning different technical concepts.

A young mind is an agile mind; by attending workshops students can develop new ways of defending against cyber-attacks.

Cyber security is a very demanding career nowadays, and students can build a foundation in it by attending workshops.

Freshers:

Cyber security workshops can be very helpful in shaping the careers of freshers in the field of information technology. If you are a technology enthusiast with a degree or diploma in technology and are looking for a job in the cyber security domain, these workshops are a very good medium for networking.

There are many benefits of attending a workshop:

In workshops freshers can meet others with similar interests, and thus understand the current market requirements and develop their skill sets accordingly.

Cyber security workshops give freshers both the technical and the career-related scenarios, through which they can learn different ways to pursue a career in the information and cyber security domains. Attending workshops gives you an opportunity to meet people and professionals in the industry, and thus an opportunity to get a job by developing contacts.

Experienced Professionals:

If you are an experienced professional, attending cyber security workshops will help you in various ways:

These workshops help professionals understand their responsibility towards the organisation's cyber security. Once you are aware of cyber security, you can understand the related risks and thus safeguard your organisation from them.

Someone who wishes to switch their career to cyber security can attend workshops to understand the basics and then gradually migrate to the domain if they find it interesting.

Professionals who already manage IT infrastructure and applications will learn about the different scenarios that could pose a risk to them. Such workshops help them implement security in IT infrastructure and in application development.

A working professional can apply what they learn in cyber security workshops to their existing job role and mitigate many risks by doing so. In this way they can help safeguard the organisation's information assets from internal and external threats.

Managers:

Professionals working as managers carry large responsibilities within the organisation. A manager who is aware of cyber security will highlight and mitigate any risk that could be harmful to the organisation. Cyber security workshops can help in multiple ways:

By attending these workshops, managers come to understand the importance of cyber security and can implement it within their team and the organisation.

Since awareness and training have become mandatory for maintaining cyber security and information security compliance, the attendance certificate can be shown as proof of attendance.

These workshops help managers understand IT reports from any vendor, and also understand the risk coming from vendors that do not adhere to cyber security principles.

Managers can also network with other enthusiasts and experts through the workshop and understand the current risk perspective of the market.

Business owners:

Every business nowadays depends on the cyber domain, and everyone uses IT infrastructure and applications to run their business. Cyber security workshops can benefit business owners for the following reasons:

With the help of such workshops, business owners understand the cyber security risks that can harm their business and how they can mitigate those risks.

This is a very good medium for understanding cyber security and how to enhance the security of IT infrastructure and applications to make them resistant to attack.

Later on, they can develop a cyber security framework for their own organisation. Cyber security workshops help business people implement cyber security compliance more effectively, because they now understand the concepts and their importance.

In this way, workshops, seminars and training camps are very important and useful for anyone, whether a child, a young person or an older adult, who uses information technology in their daily or professional life. Many free and paid trainings, workshops, seminars and webinars are available where one can either start a cyber security journey or, as an experienced person, enhance one's skill set by attending such events.

These are a very good medium for interacting with other people and professionals who can share their knowledge with you and help shape your career or business. The information technology world is constantly changing and one needs to stay up to date at all times, so these workshops are a very good way to do so.

Progressive businesses and educational institutes organise workshops for their employees and students from time to time. In these events the participants learn about the different kinds of attacks that could lead to data leakage. They come to know about different kinds of social engineering attacks, such as phishing and vishing (voice phishing), and so are less likely to fall victim to them.

Tags: freshers, managers, students, experienced professionals, business owners

Keywords: cyber security workshops, seminars, training, information security, risk, compliance, cyber security
