Technology

IT Risk Assessment: Who Needs It?



Businesses have been rushing to embrace technology because it is no longer a competitive advantage to do so; it's a competitive necessity. The rewards of real-time data access and greater efficiencies among vendors and clients are beginning to be realized. But have you properly assessed the risk that comes with all of your technology? We've been so focused on the reward side of technology that we've failed to weigh the risks. And by not doing so, your organization may be exposed to numerous hazards.

Many industries are required by law to take a long, hard look at the risks surrounding their technology. Healthcare has HIPAA to thank, whereas financial institutions have GLBA. And if that's not enough, the Sarbanes-Oxley Act has provisions to consider too. But even if your business is not mandated to address information technology (IT) risks, it's still good business practice to do so. You've spent too much time, effort and money to let technology be the weak link in your business.

So what exactly is an IT risk assessment? It is a systematic process that identifies and quantifies the vulnerabilities threatening your information assets so that mitigating safeguards can be developed. Although the answer may appear self-explanatory, the process can be confusing and daunting. Following are some helpful guidelines on how to implement an IT risk assessment program.

The first step is to get the support and commitment from senior management. This may prove difficult because this process focuses on how to mitigate the things that can cause you to go out of business, rather than focusing on the things that define your business.

Next, you need to define the objectives of the assessment and determine the proper security mix of maintaining data confidentiality, data integrity and data availability. Without clear objectives, your efforts will be a futile exercise of meaningless meetings and debate.

After the objectives of the assessment have been defined, your risk assessment team should be established. This team must consist of a diverse representation of your business, including skill sets from technology, key departments and, most importantly, an individual who will communicate the progress of the assessment to management. An additional consideration for this team is a non-vested individual or "security mentor" to create balance and objectivity during the process.

Performing an IT risk assessment is more art than science. There aren't any industry standards to guide you through this process. However, as a starting point, consider taking a two-pronged approach. Start by identifying key business processes and their underlying technologies and systems. After taking an inventory of what is important, you will need to quantify them so your team can prioritize its effort. Try using a relative ranking method for the various business processes. Regardless of how you rank your processes and systems, the team should define the quantification process before actually ranking them.

Now that you have identified and quantified what is important, reflect back on the underlying objectives of the assessment. By reflecting on the proper mix of security objectives (confidentiality, integrity and availability) your team can begin the process of identifying the vulnerabilities that can expose your assets to unnecessary hazards.

Just as you quantified your business processes and underlying systems, you will need to quantify each of the vulnerabilities. When quantifying risk, use an impact versus probability method: analyze the severity of the impact if the vulnerability were realized against the probability of it being realized. This will help turn the art of risk management into a more quantifiable science. Those risks with a "high impact/high probability" ranking will be a higher priority to begin safeguarding in comparison to those with lower impact or lower probability.
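The two-pronged approach described above (rank the business processes and their systems first, then score each vulnerability by impact versus probability and prioritize the "high impact/high probability" items) is easy to lose in a spreadsheet. The following is an added worked example, not code from the article or from BKD Technologies: a small risk-register scorer in Python. The objective weights, the 1-5 scales, the "high" threshold of 4, and every process, system, vulnerability and score in it are constructed sample values chosen for illustration, not findings from any real assessment.

```python
"""Added worked example (not from the article): a minimal risk-register
scorer that follows the two-pronged approach in the text.

1. Rank business processes and their systems with a relative ranking
   (here 1-5 on each of confidentiality, integrity and availability,
   weighted by the mix of objectives the team agreed on beforehand).
2. Score each vulnerability by impact versus probability, weight it by
   the criticality of the process it exposes, and prioritise the
   "high impact/high probability" items.

Every process, system, vulnerability and score below is constructed
sample data for illustration, not a finding from a real assessment.
"""
from __future__ import annotations

from dataclasses import dataclass

# The "proper mix" of security objectives, agreed before ranking starts.
# Integer weights summing to 10 keep the arithmetic exact. (Assumed values.)
OBJECTIVE_WEIGHTS = {"confidentiality": 4, "integrity": 3, "availability": 3}
RANK_MIN, RANK_MAX = 1, 5
HIGH_THRESHOLD = 4  # 4 or 5 on the 1-5 scale counts as "high"


def _check_rank(value: int, label: str) -> int:
    """Reject scores outside the agreed 1-5 scale so rankings stay comparable."""
    if not RANK_MIN <= value <= RANK_MAX:
        raise ValueError(f"{label} must be between {RANK_MIN} and {RANK_MAX}, got {value}")
    return value


@dataclass
class BusinessProcess:
    name: str
    systems: list[str]          # underlying technologies and systems
    cia_rank: dict[str, int]    # relative rank per security objective, 1-5

    def criticality(self) -> float:
        """Weighted relative rank of the process, on the same 1-5 scale."""
        total = sum(w * _check_rank(self.cia_rank[k], f"{self.name} {k}")
                    for k, w in OBJECTIVE_WEIGHTS.items())
        return total / sum(OBJECTIVE_WEIGHTS.values())


@dataclass
class Vulnerability:
    description: str
    process: str        # name of the BusinessProcess it exposes
    impact: int         # severity if realised, 1-5
    probability: int    # likelihood of being realised, 1-5

    def score(self) -> int:
        """Impact versus probability, the quantification method in the text."""
        return _check_rank(self.impact, "impact") * _check_rank(self.probability, "probability")

    def bucket(self) -> str:
        """Quadrant label, e.g. 'high impact/high probability'."""
        imp = "high" if self.impact >= HIGH_THRESHOLD else "low"
        prob = "high" if self.probability >= HIGH_THRESHOLD else "low"
        return f"{imp} impact/{prob} probability"


def prioritise(processes: list[BusinessProcess], vulns: list[Vulnerability]) -> list[dict]:
    """Return vulnerabilities ordered by weighted risk, highest first.

    weighted risk = (impact x probability) x criticality of the exposed process.
    A vulnerability naming a process missing from the inventory is an error:
    the inventory (step 1) must be complete before step 2 is scored.
    """
    by_name = {p.name: p for p in processes}
    rows = []
    for v in vulns:
        if v.process not in by_name:
            raise KeyError(f"'{v.process}' is not in the business-process inventory")
        crit = by_name[v.process].criticality()
        rows.append({
            "vulnerability": v.description,
            "process": v.process,
            "bucket": v.bucket(),
            "score": v.score(),
            "weighted": round(v.score() * crit, 2),
        })
    return sorted(rows, key=lambda r: r["weighted"], reverse=True)


# Constructed sample inventory and findings (illustrative only).
SAMPLE_PROCESSES = [
    BusinessProcess("Online payments", ["payment gateway", "customer DB"],
                    {"confidentiality": 5, "integrity": 5, "availability": 4}),
    BusinessProcess("Payroll", ["HR system", "backup tapes"],
                    {"confidentiality": 4, "integrity": 5, "availability": 3}),
    BusinessProcess("Internal wiki", ["wiki server"],
                    {"confidentiality": 2, "integrity": 2, "availability": 2}),
]
SAMPLE_VULNS = [
    Vulnerability("Payment gateway missing vendor security patches", "Online payments", 5, 4),
    Vulnerability("Payroll backup tapes stored unencrypted", "Payroll", 5, 2),
    Vulnerability("No off-site copy of payroll backups", "Payroll", 4, 2),
    Vulnerability("Wiki accepts short, never-expiring passwords", "Internal wiki", 2, 5),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_PROCESSES, SAMPLE_VULNS):
        print(f"{row['weighted']:6.1f}  {row['bucket']:<32} {row['vulnerability']}")
```

Two design points follow the text rather than convenience: the objective weights are fixed before any scoring happens, because the team must define the quantification process before ranking, and a vulnerability that references a process absent from the inventory is rejected rather than silently scored, since quantifying exposure only makes sense after identifying what is important.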

As with any risk assessment process, the basic key is to identify what is important, analyze what could harm it and quantify your exposure so you can begin mitigating your highest risks.




Scott Brouillette is a principal in the Kansas City office of BKD Technologies, a division of BKD, LLP. He can be reached at: 816.701.0223 or by e-mail at sbrouillette@bkd.com.