When people associate the word risk with IT, the first thing that often comes to mind is some Third World hacker breaking into the corporate network to steal sensitive customer information for resale on the black market. Or they envision a lost or stolen laptop containing millions of transaction records, credit card numbers and so forth. After all, these kinds of events, when they occur, are often big news and are highly visible.
The two examples I just cited are only a small part of what should be mitigated through the use of a comprehensive
Although cloud computing is not covered in this article, it's becoming a more and more common part of the IT landscape and can (and probably will) necessitate modification to some of today's risk management policies. As your organization develops a new risk management strategy or refines an existing one, don't overlook this newest trend.
Good backups mean good risk management
Regardless of the organization, taking good backups must be a universal part of an overall risk management strategy, although the exact method may vary. Without some method for backing up critical business information, recovery is impossible. Some statistics indicate that 90% of companies that suffer major data loss go out of business within two years.
Given the breadth and depth of choice when it comes to backup software -- from the "install an agent and back up to Mozy" option, to the full-fledged internal backup option -- this is one risk management item there is no reason or excuse to overlook or ignore.
Taking a backup, however, isn't nearly enough. Organizations need to routinely test backup quality and completeness. Backups can be notoriously fickle, and it's amazing just how bad they can be. I worked in an organization once that had previously fired its entire IT department after discovering that there were no good backups of the financial system for six months.
The following items should be included in any risk management policy related to backup:
- Backup frequency, type (full, differential) and retention for each type of data being protected.
- Short-term and long-term backup and recovery objectives.
- Backup process and quality testing frequency and procedures.
- Backup location -- off-site.
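The checklist above (frequency, retention and quality testing) can be turned into an automated check that runs against the backup job catalogue. The example below is added here and is not from the original article; it uses a constructed in-memory catalogue of backup runs, with `max_age` standing for the frequency objective and `min_fulls` for the retention minimum, and verifies each archive's recorded SHA-256 digest so a silently bad backup is caught before it is needed.

```python
"""Backup frequency, retention and integrity check (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupRun:
    kind: str             # "full" or "differential"
    finished: datetime    # when the job completed
    payload: bytes        # stands in for the archive contents on tape/disk
    recorded_sha256: str  # digest the backup job wrote when it finished


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_backups(runs, now, max_age, min_fulls):
    """Return a list of policy findings; an empty list means policy is met.

    max_age   -- longest acceptable gap since the most recent backup
    min_fulls -- minimum number of full backups that must be retained
    """
    findings = []
    if not runs:
        return ["no backup runs recorded"]
    latest = max(runs, key=lambda r: r.finished)
    age = now - latest.finished
    if age > max_age:
        findings.append(f"latest backup is {age} old, exceeds {max_age}")
    fulls = [r for r in runs if r.kind == "full"]
    if len(fulls) < min_fulls:
        findings.append(f"only {len(fulls)} full backups retained, "
                        f"policy requires {min_fulls}")
    # Quality test: recompute each digest instead of trusting the job log.
    for r in runs:
        if sha256(r.payload) != r.recorded_sha256:
            findings.append(f"{r.kind} backup from {r.finished:%Y-%m-%d} "
                            "fails integrity check")
    return findings


# Constructed sample catalogue: one differential and two fulls, the older
# full having gone bad on media after its digest was recorded.
NOW = datetime(2010, 11, 15, 8, 0)
GOOD = b"general ledger rows (constructed sample data)"
SAMPLE_RUNS = [
    BackupRun("full", NOW - timedelta(days=7), GOOD, sha256(GOOD)),
    BackupRun("differential", NOW - timedelta(days=1), GOOD, sha256(GOOD)),
    BackupRun("full", NOW - timedelta(days=14), b"corrupted", sha256(GOOD)),
]
```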
Data and network security
Data can be accessed from all kinds of locations, and securing that data can be a pretty significant task. Employees can unwittingly (or wittingly) store massive amounts of data on portable devices and then lose said devices, or have those devices stolen. This is one area of a risk management plan in which a security vs. usability argument needs to be made. How much user flexibility are you willing to compromise to protect the integrity of your data?
Data security consists of both organizational policies and technological measures implemented together. The technology should enforce organization policies such as the following, which should be included in your risk management processes:
- Access controls to include limits on who is allowed access to sensitive data, such as personally identifiable customer information.
- Policies -- both organizational and technological -- controlling on which devices data can be saved. For example, should users be allowed to save information to removable devices such as flash
- In the event that mobile devices are allowed, policies and measures for encrypting the information, including full disk and mobile storage device encryption.
As part of this process, don't ignore items such as your organization's password policies. Password policies should include password expiration and complexity, as well as thresholds at which a user's account becomes disabled.
From a mobility perspective, consider newer technologies such as virtual desktop infrastructure that keeps information inside the data center at all times. Further, test your network security through vulnerability assessments performed from time to time.
Don't forget physical security as risk management
Physical security is an integral part of a risk management strategy and includes components such as the following:
- Controlling access to critical infrastructure such as the data center and intermediary
- Maintaining appropriate environmental control and monitoring at the location of critical infrastructure. For example, does the data center have a fire suppression system that can preserve both equipment and human life? Does the data center have monitoring systems that ensure that temperature and humidity remain inside specified parameters?
Physical security controls also need to be present in the other components of a risk management strategy, including deciding who is allowed to handle tapes or other backups and control of mobile devices.
Business continuity and high availability
A fire, natural disaster or another major event can spell catastrophe for an organization and its survival. In order to ensure that it's business as usual as much as possible, many organizations choose to develop comprehensive business continuity plans that define in detail what steps are taken to regain operations, or remain in operation. With technology playing a major role in the operation of many businesses, ensuring that IT assets stay in operation is high on the business continuity/availability list.
High availability is often part of an overall risk management strategy and can entail such activities as building clustered services, implementing RAID sets on storage devices or moving to a fully redundant architecture based on VMware, for example. It can also mean the development of a fully redundant standby data center that can assume control in the event of the loss of service in a main data center.
There are numerous examples of high-availability strategies found in software today, including the aforementioned clustered services and VMware high availability. You can also look at features like Microsoft Exchange 2010's Database Availability Groups, and technologies like it.
Risk management resources
If you're at the beginning of creating your overall risk management strategy, there are a number of resources available that can help you determine who and what to include, and how.
- Risk Management Guide for Information Technology Systems from the National Institute of Standards and Technology.
- IT Risk Management Report from Symantec Corp.
- Effective IT Risk Management from Continuity Central.
This was first published in November 2010