91香蕉黄色视频

Information technology or IT risk is basically any threat to your business data, critical systems and business processes. It is the risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an organisation. IT risks have the potential to damage business value and often come from poor management of processes and events.

Categories of IT risks

IT risk spans a range of business-critical areas, such as:

• security - eg compromised business data due to unauthorised access or use
• availability - eg inability to access your IT systems needed for business operations
• performance - eg reduced productivity due to slow or delayed access to IT systems
• compliance - eg failure to follow laws and regulations (eg data protection)

IT risks vary in range and nature. It's important to be aware of all the different types of IT risks potentially affecting your business.

Potential impact of IT failure on business

For businesses that rely on technology, events or incidents that compromise IT can cause many problems. For example, a security breach can lead to:

• identity fraud and theft
• financial fraud or theft
• damage to reputation
• damage to brand
• damage to your business' physical assets

Failure of IT systems due to downtime or outages can result in other damaging and diverse consequences, such as:

• lost sales and customers
• reduced staff or business productivity
• reduced customer loyalty and satisfaction
• a damaged relationship with partners and suppliers

If IT failure affects your ability to comply with laws and regulations, then it could also lead to:

• breach of legal duties
• breach of client confidentiality
• penalties, fines and litigation
• reputational damage

If technology is enabling your connection to customers, suppliers, partners and business information, managing IT risks in your business should always be a core concern.

In its guidance, the National Cyber Security Centre (NCSC) provides a clear explanation of .

IT risks should be carefully assessed and measured. This is where an IT risk assessment comes in - a process of identifying security risks and evaluating the threat they pose. Once risks are identified and assessed, you will manage them through a comprehensive IT risk management process.

Your IT systems and the information that you hold on them face a wide range of risks. If your business relies on technology for key operations and activities, you need to be aware of the range and nature of those threats.

Types of risks in IT systems

Threats to your IT systems can be external, internal, deliberate and unintentional. Most IT risks affect one or more of the following:

• business or project goals
• service continuity
• bottom-line results
• business reputation
• security
• infrastructure

Examples of IT risks

Looking at the nature of risks, it is possible to differentiate between:

• Physical threats - resulting from physical access or damage to IT resources such as the servers. These could include theft, damage from fire or flood, or unauthorised access to confidential data by an employee or outsider.
• Electronic threats - aiming to compromise your business information - eg a hacker could get access to your website, your IT system could become infected by a computer virus, or you could fall victim to a fraudulent email or website. These are often of a criminal nature.
• Technical failures - such as software bugs, a computer crash or the complete failure of a computer component. A technical failure can be catastrophic if, for example, you cannot retrieve data on a failed hard drive and no backup copy is available.
• Infrastructure failures - such as the loss of your internet connection can interrupt your business - eg you could miss an important purchase order.
• Human error - is a major threat - eg someone might accidentally delete important data, or fail to follow security procedures properly.

How to manage IT risks?

Managing various types of IT risks begins with identifying exactly:

• the type of threats affecting your business
• the assets that may be at risks
• the ways of securing your IT systems

Find out how to carry out an IT risk assessment and learn more about the IT risk management process.

IT risk assessment is a process of analysing potential threats and vulnerabilities to your IT systems to establish what loss you might expect to incur if certain events happen. Its objective is to help you achieve optimal security at a reasonable cost.

There are two prevailing methodologies for assessing the different types of IT risk: quantitative and qualitative risk analysis.

Quantitative IT risk assessment

Quantitative assessment measures risk using monetary amounts. It uses mathematical formulas to give you the value of expected losses associated with a particular risk, based on:

• the asset value
• the frequency of risk occurrence
• the probability of associated loss

In an example of server failure, a quantitative assessment would involve looking at:

• the cost of a server or the revenue it generates
• how often does the server crash
• the estimated loss incurred each time it crashed

From these values, you can work out several key calculations:

• single loss expectancy - costs you would incur if the incident occurs once
• annual rate of occurrence - how many times a year you can expect this risk to occur
• annual loss expectancy - the total risk value over the course of a year

Find a formula to calculate .

These monetary results could help you avoid spending too much time and money on reducing negligible risks. For example, if a threat is unlikely to happen or costs little or nothing to remedy, it probably presents a low risk to your business.

However, if a threat to your key IT systems is likely to happen, and could be expensive to fix or likely to affect your business adversely, you should consider it high risk.

You may want to use this risk information to carry out a cost/benefit analysis to determine what level of investment would make risk treatment worthwhile.

Keep in mind that quantitative measures of risk are only meaningful when you have good data. You may not always have the necessary historical data to work out probability and cost estimates on IT-related risks, since they can change very quickly.

Qualitative IT risk assessment

Qualitative risk assessment is opinion-based. It relies on judgment to categorise risks based on probability and impact and uses a rating scale to describe the risks as:

• low - unlikely to occur or impact your business
• medium - possible to occur and impact
• high - likely to occur and impact your business significantly

For example, you might classify as 'high probability' something that you expect to happen several times a year. You do the same for cost/impact in whatever terms seem useful, for example:

• low - would lose up to half an hour of production
• medium - would cause complete shutdown for at least three days
• high - would cause irrevocable loss to the business

With your ratings determined, you can then create a to help you categorise the risk level for each risk event. This can, ultimately, help you decide which risks to mitigate using controls, and which to accept or transfer.

Read more about the different ways to evaluate business risks.

Use different types of information in IT risk assessments

Often, it may be best to use a mixed approach to IT risk assessments, combining elements of both quantitative and qualitative analysis.

You can use the quantitative data to assess the value of assets and loss expectancy, but also involve people in your business to gain their expert insight. This may take time and effort, but it can also result in a greater understanding of the risks and better data than each method would provide alone.

The National Cyber Security Centre (NCSC) recommends using a in assessments. Drawing on a wider range of information sources may reveal risks that would otherwise be missed.

In business, IT risk management entails a process of identifying, monitoring and managing potential information security or technology risks with the goal of mitigating or minimising their negative impact.

Examples of potential IT risks include security breaches, data loss or theft, cyber attacks, system failures and natural disasters. Anything that could affect the confidentiality, integrity and availability of your systems and assets could be considered an IT risk.

Steps in the IT risk management process

To manage IT risks effectively, follow these six steps in your risk management process:

1. Identify risks

Determine the nature of risks and how they relate to your business. Take a look at the different types of IT risk.

2. Assess risks

Determine how serious each risk is to your business and prioritise them. Carry out an IT risk assessment.

3. Mitigate risks

Put in place preventive measures to reduce the likelihood of the risk occurring and limit its impact. Find solutions in our IT risk management checklist.

4. Develop an incident response

Set out plans for managing a problem and recovering your operations. Devise and test your IT incident response and recovery strategy.

5. Develop contingency plans

Ensure that your business can continue to run after an incident or a crisis. Read about IT risk and business continuity.

6. Review processes and procedures

Continue to assess threats and manage new risks. Read more about the strategies to manage business risk.

IT risk controls

As part of your risk management, try to reduce the likelihood of risks affecting your business in the first place. Put in place measures to protect your systems and data from all known threats.

For example, you should:

• Review the information you hold and share. Make sure that you comply with data protection legislation, and think about what needs to be on public or shared systems. Where possible, remove sensitive information.
• Install and maintain security controls, such as firewalls, anti-virus software and processes that help prevent intrusion and protect your business online.
• Implement security policies and procedures such as internet and email usage policies, and train staff. 
• Use a third-party IT provider if you lack in-house skills. Often, they can provide their own security expertise. See how to choose an IT supplier for your business.

If you can't remove or reduce risks to an acceptable level, you may be able to take action to lessen the impact of potential incidents.

Mitigate IT risks

To mitigate IT risks, you should consider:

• setting procedures for detecting problems (eg a virus infecting your system), possibly with the help of cyber security breach detection tools
• getting cyber insurance against the costs of security breaches

You can also use the National Cyber Security Centre's (NCSC) free  to perform a range of simple online checks to identify common vulnerabilities in your public-facing IT.

The NCSC also offer a free . By answering a few simple questions, you can get a free personalised action plan that lists what you or your organisation can do right now to protect against cyber attack.

ISO 27001 is an international standard that describes best practices for information security management systems. It belongs to a 27000 family of standards, all of which aim to help keep your business' information assets secure.

ISO 27001 controls

The standard specifies controls that are key to maintaining security. These cover (amongst other things):

• security policy - what an information security policy is, what it should cover and why your business should have one
• organisational security - how you should manage information security in a business.
• asset classification and control - eg how to audit and manage information itself, computers, software and services
• staff security - eg training, responsibilities, vetting procedures, and response to incidents
• physical and environmental security - eg keeping key locations secure as well as physical control of access to information and equipment
• communications and operations management - secure operation of information processing facilities during day-to-day activities, especially computer networks
• access control - right to use information and systems based on business and security needs, specifically controlling who can do what with your information resources
• system development and maintenance - if you develop your own software, you will need to consider its design and maintenance to keep it secure and maintain information integrity
• business continuity management - ie the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor local issues
• compliance - with relevant national and international laws

Like other ISO management system standards, you can certify your business to ISO/IEC 27001, but certification isn't mandatory.

You may choose to implement the standard in order to benefit from the best practice it contains, or you may wish to certify to reassure customers and clients that you follow information security management best practices.

See more on standards for best business practice.

IT policies and procedures explain why it is important to manage IT risks in business. You can have them as part of your risk management plans or business continuity strategy.

You should make them available to your staff and suppliers to help them understand:

• the risks to your IT systems and data
• procedures that are in place to mitigate them
• processes for handling common tasks
• managing changes to IT systems
• ways to respond to IT or data security incidents
• acceptable behaviours in relation to key IT issues, such as data protection and safe email use

You should develop a clear policy that takes account of common risks to your data. If you have yet to establish what the risks to your business are, you should carry out an IT risk assessment.

What should an IT risk management policy contain?

It should, at the very least, specify security procedures and standards that will apply in your business, as well as any staff policies you wish to enforce.

IT security procedures

Technical controls, such as systems that limit access to sensitive data or the installation of software, are an important part of most IT security systems. You will need policies and procedures to ensure that these controls are effective. See more on common cyber security measures and read about cyber security for business.

IT security standards

Standards are important when developing a secure IT environment. For example, agreed standards for the procurement of PCs, servers and firewalls will help to provide consistency. Find out more about ISO 27001 IT security management standard.

IT staff policies

You will also need policies to manage activities that could pose security threats. Consider putting in place an internet usage policy and an email usage policy to protect your systems. Find sample IT policies, disclaimers and notices.

Incident response is a way in which you manage the aftermath of an IT security breach or failure. It is vital to have a response plan in place before an incident occurs so that you can limit the damage caused by the event and reduce recovery time and costs for your business.

What is an IT incident response plan?

An IT incident response plan is a set of written instructions that can help you respond to a number of potential scenarios, such as:

• information data breaches
• denial of service attacks
• firewall intrusion
• virus or malware infection
• insider threats
• damage to equipment or premises
• loss of power or other technology failures

Your incident response plan should identify key people who will act in case of an incident and describe their roles and responsibilities. It should also say who is responsible for testing the plan and putting it into action. Your business' incident response plans should be based on thorough and comprehensive IT risk assessments.

See an example of a  from the National Cyber Security Centre (NCSC).

IT incident management process

The process of managing an IT incident typically consists of six steps:

• prepare staff and managers to handle potential incidents should they arise
• determine if an event is an IT failure or a security incident
• contain the incident and prevent further damage to systems and equipment
• find the cause of the incident and remove the affected systems
• recover those systems after removing the threats
• document and analyse the situation to update, change or improve procedures

An IT incident can be isolated to one or more IT components of your business or it can be a part of a wider crisis (eg fire, flood or natural disaster). If a wider emergency occurs such as fire, the safety of staff and the public is your first priority. You should include emergency response plans in your incident response strategy.

Read more about business continuity and crisis management.

IT incident recovery planning

How you respond to IT incidents will determine how well your business recovers from them. Planning can help you shorten recovery times and minimise losses. A recovery plan could include your recovery time goals, as well as:

• strategies to recover your business activities in the quickest possible time
• a description of key resources, equipment and staff needed to recover your operations

It's essential to plan thoroughly to protect yourself from the impact of potential business crises brought on by IT failure or security breaches.

To help you prepare for and plan your response to a cyber incident, the NCSC has produced small business guidance on . You can also test and practise your response to a cyber attack with the help of their .

Business continuity planning is an essential part of managing IT risks. Planning can help you set out steps to minimise the potential impact of a business disaster - be it an equipment failure, a cyber attack or a simple power outage.

You may also need a business continuity plan to:

• reassure customers that you take risk and security issues seriously
• show effective risk management to insurers, helping to lower premiums
• meet regulatory requirements in certain industries, eg financial services

How to write a business continuity plan?

Your plan should take into account any disruptive events that could affect:

• your people
• premises
• IT systems and networks
• services such as power and telecommunications
• critical business processes

The plan should identify how you will know when to put the plan into action, what steps to take and what individuals' responsibilities are.

Measures that you may need to include in your business continuity plan are:

• a backup and data recovery strategy, including off-site storage
• the development of a resilient IT infrastructure with spare capacity in case of failure - eg mirrored central server computers sited in different locations
• the elimination of single points of failure, such as a single power supply
• secondary manual systems to use until you are able to restore IT services
• agreeing with another business to use each other's premises in the event of a disaster
• arranging to use third-party IT services and accommodation until yours are restored

Keep your plan clear and concise, so that people understand it. It is essential that everyone is aware of their responsibilities.

Remember to test your business continuity plan periodically. Review and update the plan as necessary - eg when people leave the business or you start using new IT systems.

Risk management can be relatively simple if you follow some basic principles. To manage the IT risks to your business effectively, make sure that you do the following:

• Think about IT security from the start when you plan or update an IT system. Discuss your needs and potential problems with the system users.
• Actively look for IT risks that could affect your business. Identify their likelihood, costs and impact. Carry out a comprehensive IT risk assessment.
• Think about the opportunity, capability and motivation behind potential attacks. Understand the reasons for cyber attack.
• Assess the seriousness of each IT risk and focus on those that are most significant.
• Understand the relevant laws, legislations and industry guidelines, especially if you have to comply with the data protection legislation.
• Configure your PCs, servers, firewalls and other technical elements of the system. Keep software and hardware equipment up-to-date. Put in place other common cyber security measures and secure your wireless network.
• Don't rely on just one technical control (eg a password). Use two-factor authentication to guarantee user identity - eg something you have (such as an ID card) and something you know (a PIN or password).
• Develop data recovery and backup processes and consider daily backups to offsite locations.
• Support technical controls with appropriate policies, procedures and training. Understand the most common insider threats in cyber security.
• Make sure that you have a business continuity plan. This should cover any serious IT risk that you cannot fully control. Regularly review and update your plan. Read about IT risk and business continuity.
• Establish effective IT incident response and recovery measures, as well as a recording and management system. Simulate incidents to test and improve your incident planning, response and recovery.
• Develop and follow specific IT policies and procedures, such as on email and internet use, and make sure your staff know what falls under acceptable use.
• Consider certification to the IT security management standards for your business and your trading partners.

The National Cyber Security Centre offers detailed guidance to help organisations .

If you want to look at risks beyond IT, see how to manage business risks.