Risk management is critical in every profit-oriented organization. A proper risk management strategy ensures that the organization eliminates the unnecessary costs that arise from avoidable risk; it is also a tool for increasing productivity in business. Many organizations now use information technology in their operations. Information technology involves the use of computers to store data, retrieve documents, support training and development, and much more.
Like any other organization, an IT-oriented organization should follow specific, critical steps when undertaking a risk assessment, to help it identify in advance the risks or threats its computer systems face and to document results that will aid in risk management. System risk assessment in an IT department follows specific steps with which the manager must become familiar. In this document, I will complete a system risk analysis for the IT department of the Smith Call Center Organization. Within this organization, computers are used to monitor customers' calls and handle customer call requests, among many other functions.
Steps in risk assessment in the IT department
System Characterization
The first step in my risk assessment plan for this project is to characterize the system at my disposal. Under this step, my main task is to identify the resources and the system to which I have ready access. This includes the computers used to receive calls from and place calls to clients, as well as the individuals responsible for carrying out this function within the department. The primary resources I am interested in at this step are the computer software, the data and information systems, data sensitivity, the individuals who support the IT, the system policies within the organization, and lastly the system security personnel and architecture (2017).
Also, conducting small focus-group interviews and distributing questionnaires are part and parcel of my assessment. This will help me gather information about the security issues facing the system from trusted employees, as asserted by Covello and Merkhoher (2013).
Security identification
My next step is to identify any system security threat. A risk, in this case, is the potential for a threat source to successfully exploit a system vulnerability. A threat source, on the other hand, is an incident or situation that exposes the system's vulnerability. Under this step, my main aim is to isolate the threat source, which will allow me to deal with the threat. At this step, I am keenly observing any natural, human, or environmental threat with the intention of identifying any connection between these threats and the system security. My primary concern is whether the company suffers from power failures, pollution, earthquakes, floods, electrical storms, events maliciously caused by employees, malicious uploads, malicious data entry, and many others. These issues constitute a large part of my assessment (Li, 2014).
Vulnerability identification
Having identified the system security threats, my attention turns to finding the extent to which the system within this organization is vulnerable, why it is vulnerable, and what efforts the organization makes to curb the vulnerability. A vulnerability, in this case, is a weakness in system design, implementation or internal control that can be exploited by an unauthorized person and may result in a breach of the security policies. Under this step, my goal is to list all the weaknesses in the department's system that could be used by the potential threat sources. To do so, I will use vulnerability sources within the organization, such as previous assessments, to compile the list of vulnerabilities. I will also use the internet, the system audit report (if any), and vulnerability databases to identify weaknesses. In addition, performing system testing is part and parcel of my assessment; at this step, tools such as automated vulnerability scanners are paramount and are incorporated in my actions. For accuracy, security test and evaluation forms a significant part of my actions under this step.
Control Method Determination
Having listed the vulnerabilities the system within this organization faces, my attention now turns to the control methods the organization has put in place to ensure that its systems are secured. My analysis under this step covers the methods used to curb security issues in the organization's systems. For instance, what measures are in place to protect the software and the company web page? What security methods are used to protect the computer hardware? What strategies does the organization use to identify a threat, and so on? I am also interested in the preventive techniques the company uses to prevent security issues in the system, and in the detective techniques, if any, that the firm has put in place to detect security issues before they cause harm. Under this step, I use a safety checklist, which helps in carrying out the analysis of the control systems within the organization.
Likelihood of the Risk Occurrence
My next step in the assessment, after gathering the data on the organization's control methods, is to determine the likelihood of the risk occurring based on the information I have already collected. My intention at this point is to help the organization know the probability of its security strategies being overcome by the potential threat sources. I rate the likelihood that the organization's security methods and management will be defeated as low, medium, or high. My conclusion at this point considers the results of my data on the organization's security control management methods, the nature of the vulnerabilities, and the capability of the threat sources within the organization.
Impact analysis
The next stage is impact analysis, to determine the level of impact the system, as well as the entire organization, faces if a threat successfully exercises a vulnerability. My consideration at this point is given to the system's mission in the organization, the criticality of the system data to the organization, and data sensitivity. To gather this information, I will rely mainly on the organization's existing documents; an example is the mission impact analysis report. My primary intention at this point is to know the extent to which the organization's reputation and image, together with its production level, will be affected if the system security is breached.
Risk determination
The next step in my assessment focuses on risk determination. My main aim at this level is to assess the degree to which the organization's IT systems are exposed to risk. My actions at this point include determining the likelihood of a threat attempting to affect the system, the adequacy of the planned system controls within the organization, and the impact should the threat successfully occur. My primary tool at this stage is the risk-level matrix, which guides me when rating the likelihood of risk occurrence (Fenton & Griffiths, 2008).
Control recommendation
The second-to-last step is to give the control recommendations. My recommended control mechanisms are based on legislation and regulation affecting the organization, safety and reliability within the organization, and many other factors (Stoneburner, Goguen, & Feringa, 2012).
Documentation
The last step is documentation. Under this step, my intention is to document all the threat sources and vulnerabilities identified, the risks identified during the assessment, and many others.
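The risk determination and documentation steps above come down to one calculation: combining a likelihood rating with an impact rating in a risk-level matrix and recording the result for each threat/vulnerability pair. The following Python script is an added example, not part of the essay or of any Smith Call Center assessment. It uses the numeric scale from NIST SP 800-30 (2002), which the essay cites (likelihood High 1.0, Medium 0.5, Low 0.1; impact High 100, Medium 50, Low 10; risk High above 50, Medium above 10 up to 50, Low otherwise), and the findings it processes are constructed for illustration.

```python
"""Risk-level matrix and risk register, after NIST SP 800-30 (2002).

Added example. The sample findings are constructed; the weights follow
the SP 800-30 risk-level matrix as an assumption about the scale used.
"""
from dataclasses import dataclass

# Likelihood and impact weights from the SP 800-30 risk-level matrix.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class Finding:
    """One threat-source / vulnerability pair with its current control."""
    threat_source: str
    vulnerability: str
    existing_control: str
    likelihood: str  # "Low", "Medium" or "High"
    impact: str      # "Low", "Medium" or "High"


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact weight (SP 800-30 Table 3-6)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score to the three-tier risk scale. A score of exactly 50
    (e.g. Medium likelihood x High impact) is Medium, not High."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(findings: list[Finding]) -> list[dict]:
    """Build the risk register: one row per finding, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({
            "threat_source": f.threat_source,
            "vulnerability": f.vulnerability,
            "existing_control": f.existing_control,
            "likelihood": f.likelihood,
            "impact": f.impact,
            "score": score,
            "level": risk_level(score),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def render(rows: list[dict]) -> str:
    """Plain-text register suitable for the documentation step."""
    lines = [f"{'Level':<7}{'Score':>6}  Threat source / vulnerability"]
    for r in rows:
        lines.append(f"{r['level']:<7}{r['score']:>6.0f}  "
                     f"{r['threat_source']} / {r['vulnerability']}")
    return "\n".join(lines)


# Constructed findings for a hypothetical call-center IT department.
SAMPLE_FINDINGS = [
    Finding("Malicious upload by insider", "Unpatched web front end",
            "Annual patch cycle only", "High", "High"),
    Finding("Power failure", "Call-routing server has no UPS",
            "None", "Medium", "High"),
    Finding("Malicious data entry", "No validation on customer form",
            "Manual review of records", "Medium", "Medium"),
    Finding("Flood", "Server room on ground floor",
            "Off-site backups", "Low", "High"),
]

if __name__ == "__main__":
    print(render(assess(SAMPLE_FINDINGS)))
```

Running the script prints the register sorted from High to Low, with the boundary cases visible: Medium likelihood against High impact scores exactly 50 and stays Medium, while a Low-likelihood flood against a High-impact asset scores 10 and is Low. The register rows carry the existing control alongside each rating, which is what the control recommendation and documentation steps need as their input.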
In conclusion, computer system security is paramount in many organizations, since computer use is now so widespread. Risk assessment is paramount in protecting system security in an organization: it supports risk identification, which enables early action in risk management activities. For this reason, these risk management steps should be followed carefully.
References
Covello, V. T., & Merkhoher, M. W. (2013). Risk Assessment Methods: Approaches for Assessing Health and Environmental Risks. Springer Science & Business Media.
Fenton, G. A., & Griffiths, D. V. (2008). Risk Assessment in Geotechnical Engineering. Wiley.
Li, W. (2014). Risk Assessment of Power Systems: Models, Methods, and Applications. John Wiley & Sons.
Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). SP 800-30, Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30.