SlideShare uma empresa Scribd logo

It risk assessment

Happiest Minds Technologies
Happiest Minds Technologies

An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy. Some of the benefits of conducting an IT risk assessment are:

Tecnologia
1 de 6
Baixar para ler offline
IT Risk Assessment Happiest People Happiest Customers
© Happiest Minds Technologies Pvt. Ltd. All Rights Reserved2 Contents Contents…………………………………………………………………………………………………………2 Introduction………………………………………………………………………………………………..........3 What benefits accrue from an IT risk assessment?………………………………………………………...3 Conducting an IT Risk Assessment………………………………………………….............………………4 Common Pitfalls to Avoid…………………………………………...................………………….……….....5 Our solution for conducting an efficacious IT Risk Assessment.................………………….………......5 Conclusion……………………………………………………………………………………………………….5 About the Author……………………………………………………………………………………………......6
An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy. Some of the benefits of conducting an IT risk assessment are: Identify security threats and vulnerabilities Conducting an IT risk assessment can help locate vulnerabilities in your existing IT infrastructure and enterprise applications, before these are exploited by hackers. Appropriate action can then be taken to patch and fix these vulnerabilities, reducing IT risk and the potential impact of any breach. Identify the maturity level of existing security controls and tool usage An IT risk assessment can help evaluate the existing defenses and preventive / corrective controls in place. The identified areas of improvements can then be mapped against the current technology landscape to ascertain if improvements are possi- ble (additional security controls or a possible correlation of data arising from these controls that can result in advanced threat intelligence, for instance). The IT assessment thus highlights remediation measures to maximize current investments. Enhance enterprise-wide security policies Not only will the assessment help plug holes in your security, but, by tying IT risk to enterprise-wide risk management, it can help create more secure solutions, practices and policies within the organization. This will improve the overall security of infor- mation in the organization, and help identify what security strategy best suits your organization. Gauge security awareness and readiness An IT risk assessment needs the involvement of various IT security personnel, as well as other employees and managers, which will help you gauge how aware various individuals and departments are of security threats, vulnerabilities, practices and solutions. It also gives a measure of how well the employees and contractors understand and follow the enterprise’s security policies and standards. An IT risk assessment may thus, point to the need for security awareness campaigns or workshops for your employees. Justify security investments Reviewing existing IT infrastructure and studying the potential business impact of a compromised system can help make a business case for security spending. An assessment can present a fair analysis of security investment versus potential losses and costs from security breaches. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved A 2014 study by the Ponemon Institute and HP showed that the average annual cost of cyber crime incurred by U.S. organiza- tions has risen by 96% between 2010 and 2014, to a staggering $12.7 million. All organizations are aware of the danger posed by hackers out to steal data and money, and yet, many fail to keep their security policies and systems updated. Outdated software with vulnerabilities and practices that leave the organization open to threat are still common. In order to protect your organization, you must methodically evaluate the risks, threats, and vulnerabilities surrounding your IT infrastructure. In short, you need an IT Risk Assessment. An IT Risk Assessment is a comprehensive review of the IT organization, with the objective of identifying existing flaws that could be exploited to threaten the security of the network and data. It serves as the basis for deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. 3 Introduction What benefits accrue from an IT risk assessment?
Prove security due diligence With IT risk assessment regulations likely to come into play in the next few years, it is important that your organization have documented proof of conducting assessments on a regular basis. Moreover, if you have insurance that deals with data loss, the insurance organizations will demand proof that the appropriate security measures were in place (in case of an incident). IT risk assessment documentation can help prove that. Understand the security maturity of your partners A recent study by PwC has found that the biggest challenge to security today is from internal (employees and partners), not external threats. A robust IT assessment includes assessment of security measures within your partner network. Findings from the assessment can help plan better defenses against third-party attacks. The overall objective of an organization’s security strategy is to ensure the protection of information (whether its own or that of customers, suppliers, and other parties) and assets. An IT risk assessment is a major preventive measure that actively mitigates the risk of vulnerabilities and threats negatively impacting the organization. A traditional IT risk assessment reviews IT-related issues such as outages, application downtime and hardware failures. It comprises three main steps: Evaluation The evaluation phase focuses on understanding the critical resources that may be affected by the threat or vulnerability. Busi- ness evaluation can be conducted by: Identifying critical business processes and assets: The first step is to identify all the information, processes, and informa- tion assets that are crucial or important for the functioning and security of the business. Identifying these critical components will help you decide what you want to protect, and what the consequence of losing them would be. Identifying vulnerabilities: A proactive review process to check for inherent vulnerabilities that could be exploited and affect the organization. When identifying vulnerabilities, remember to view them within the context of the business, i.e. how they will affect your business as a whole. Gathering information on potential threats to your organization’s information: Knowing what threats each of your IT assets may face and from where those may originate can help formulate a plan of defense. Risk Assessment The risk assessment phase consists of determining the likelihood and the severity of threats and vulnerabilities. Not all threats are equal—some happen more often than others, and others are more devastating to the organization’s infrastructure. The first step in identifying the worst threats is to find out how likely it is that the threat will occur. Next, quantify the impact the threat could have on the enterprise. Then, by mapping threats and vulnerabilities, likelihood, and impact to critical information, processes, and information assets, you can determine a scale to rate the severity of the consequences of an event or a breach in security. This will help determine which threats or vulnerabilities you need to prepare for. Risk Mitigation Risk mitigation is all about preparing to face a potential threat or tackle a possible vulnerability. It requires the organization to take many steps, either on its own, in collaboration with the IT infrastructure providers or with the aid of IT security organiza- tions. There are three measures your organization must have in place: • Preventive: Preventive measures identify threats before they occur. These notify your security team when they spot a threat or locate vulnerability, so they can begin taking steps to deal with the event. • Mitigation: Mitigation aims to reduce or minimize the consequences of an event or breach of security. These measures ensure that the threat does not impact the entire infrastructure or all the information resources. • Recovery: Recovery operations enable the organization to resume business activities post the event. This includes recovering data from remote/offsite data centers and getting systems up and running in safe environments. 4 © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved4 Conducting an IT Risk Assessment
4 © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved5 There are some common pitfalls that you should be aware of that can weaken the efficacy of an IT risk assessment: Viewing IT risk assessment as separate from enterprise risk management: IT risks cannot be treated as a discrete aspect of security not related to the wider enterprise. Incorporate IT risk management into the enterprise risk management system in order to understand how IT risks affect and are affected by other security and business risks. Their broader impact on the whole organization must be considered. Conducting a non-contextual assessment: IT risk assessments must be viewed within a business context. When analying breaches and vulnerabilities, it is essential to see these in the context of your information assets and how an attack on them will impact business. This kind of in-depth and actionable analysis will help develop an effective assessment that provides a window into not only technology flaws, but also business vulnerabilities. Diluting the focus on assets that matter: The aim should not be to audit every IT equipment, server, or application, but to conduct a thorough assessment with greater frequency for targeted, high-risk IT assets. Ignoring third-party risk: While organizations account for risk from organization practices and software, they often forget to account for risks from other third-party organizations and individuals. In reality, these latter risks play a significant role, especially if your enterprise systems or financial exchange systems are integrated, since a breach of your vendor’s network can compromise your own data. Improper assessment of threats: Some organizations fail to account for the severity of threats, or broadly classify threats into categories; both these practices lead to an insufficient understanding of the real danger from each threat. Infrequent assessment of risks: Risk assessment cannot be a once-a-year activity; it is a continuous process requiring frequent checks. Imbalance in assessment parameters: IT risk assessment is not a list of items to be rated, it is an in-depth look at the many security practices and software. Many organizations fail to realize that there should be a balance between the quanti- tative and qualitative data collected for assessment. Relying mostly on automated assessment tools: While automated tools facilitate efficient assessment and a continuous monitoring of IT assets and infrastructure, manual pen testing is required for a more in-depth and comprehensive assess- ment. Some risks, specifically business vulnerabilities, can only be identified by manual intervention. Inability to translate the findings into actionable items: Translating the findings into a set of actionable and remediation plans, and aligning them with IT strategy and roadmap is a key step that is often left incomplete after an IT risk assessment. Bringing the senior management into loop and getting their buy-in on remediation plans and regular follow-ups are key to realizing the full benefit of the assessment. Our solution for conducting an efficacious IT Risk Assessment Happiest Minds’ ComplianceVigil is a solution for monitoring and managing IT risks. It provides a platform for risk and compliance management where framework, management, automation and monitoring are bundled into a single platform delivered from the cloud (private or public).ComplianceVigil will provide your organization with an integrated and flexible framework for documenting and assessing risks and their impacts, managing audits, and planning solutions. Common Pitfalls to Avoid Conclusion
129 12 © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved Priya Kanduri About the Author Happiest Minds Heads the Risk and Compliance practice at Happiest Minds Technologies Pvt. Limited. She brings in more than 15 years of experience in the area of IT Security across multiple domains like Identity and Access Management, Data Security, Cloud Security, Governance, Risk and Compliance. Her recent work includes running large information security programs for enterprises across UK and Europe and helping them get compliant with regulatory mandates. She is a regular speaker at security conferences on various subjects like identity management & governance, IP protection, risk management and cloud adoption for compliance. 6 © 2014 Happiest Minds. All Rights Reserved. E-mail: Business@happiestminds.com Visit us: www.happiestminds.com Follow us on This Document is an exclusive property of Happiest Minds Technologies Pvt. Ltd Happiest Minds enables Digital Transformation for enterprises and technology providers by delivering seamless customer experience, business efficiency and actionable insights through an integrated set of disruptive technologies: big data analytics, internet of things, mobility, cloud, security, unified communications, etc. Happiest Minds offers domain centric solutions applying skills, IPs and functional expertise in IT Services, Product Engineering, Infrastructure Management and Security. These services have applicability across industry sectors such as retail, consumer packaged goods, e-commerce, banking, insurance, hi-tech, engineering R&D, manufacturing, automotive and travel/transportation/hospitality. Headquartered in Bangalore, India, Happiest Minds has operations in the US, UK, Singapore, Australia and has secured $ 52.5 million Series-A funding. Its investors are JPMorgan Private Equity Group, Intel Capital and Ashok Soota.

Recomendados

u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
Vskills
 
Risk Assessment Case Study
Risk Assessment Case StudyRisk Assessment Case Study
Risk Assessment Case Study
Praveen Vackayil
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Information risk management
Information risk managementInformation risk management
Information risk management
Akash Saraswat
 
Risk Management
Risk ManagementRisk Management
Risk Management
ijtsrd
 
The Insider's Guide to the Insider Threat
The Insider's Guide to the Insider ThreatThe Insider's Guide to the Insider Threat
The Insider's Guide to the Insider Threat
Imperva
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
Samuel Loomis
 

Recomendados

u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
Vskills
 
Risk Assessment Case Study
Risk Assessment Case StudyRisk Assessment Case Study
Risk Assessment Case Study
Praveen Vackayil
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Information risk management
Information risk managementInformation risk management
Information risk management
Akash Saraswat
 
Risk Management
Risk ManagementRisk Management
Risk Management
ijtsrd
 
The Insider's Guide to the Insider Threat
The Insider's Guide to the Insider ThreatThe Insider's Guide to the Insider Threat
The Insider's Guide to the Insider Threat
Imperva
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
Samuel Loomis
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overview
elvinchan
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
Mike McMillan
 
Role management
Role managementRole management
Role management
Abidullah Zarghoon
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
Anne Starr
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security Investment
Roger Johnston
 
Information technology risks
Information technology risksInformation technology risks
Information technology risks
salman butt
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-response
Maciej Buczkowski
 
IYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - Final
Ivonne Yeste
 
HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment Report
Belinda Edwards
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
Chris Ross
 
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Bo Birdwell
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk ManagementProtect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
DevOps.com
 
The Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyThe Critical Incident Response Maturity Journey
The Critical Incident Response Maturity Journey
EMC
 
Got Your Resilience On? Reducing the Risk of Disaster with Business Continuit...
Got Your Resilience On? Reducing the Risk of Disaster with Business Continuit...Got Your Resilience On? Reducing the Risk of Disaster with Business Continuit...
Got Your Resilience On? Reducing the Risk of Disaster with Business Continuit...
Healthcare Network marcus evans
 
insider threat research
insider threat researchinsider threat research
insider threat research
Asma Al-maskaria
 
when minutes counts
when minutes countswhen minutes counts
when minutes counts
Martin Lindgren
 
Improve Information Security Practices in the Small Enterprise
Improve Information Security Practices in the Small EnterpriseImprove Information Security Practices in the Small Enterprise
Improve Information Security Practices in the Small Enterprise
George Goodall
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
Piyush Jain
 
Achieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessAchieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awareness
Happiest Minds Technologies
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
mmagario
 

Mais conteúdo relacionado

Mais procurados

Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
Anne Starr
 
Information technology risks
Information technology risksInformation technology risks
Information technology risks
salman butt
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-response
Maciej Buczkowski
 
IYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - Final
Ivonne Yeste
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk ManagementProtect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
DevOps.com
 

Mais procurados (20)

Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overview
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
 
Role management
Role managementRole management
Role management
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security Investment
 
Information technology risks
Information technology risksInformation technology risks
Information technology risks
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-response
 
IYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - FinalIYeste - Nova - ISEC695 - Final
IYeste - Nova - ISEC695 - Final
 
HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment Report
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests Unraveling the Confusion Surrounding the Purpose of Penetration Tests
Unraveling the Confusion Surrounding the Purpose of Penetration Tests
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
 
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk ManagementProtect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
 
The Critical Incident Response Maturity Journey
The Critical Incident Response Maturity JourneyThe Critical Incident Response Maturity Journey
The Critical Incident Response Maturity Journey
 
Got Your Resilience On? Reducing the Risk of Disaster with Business Continuit...
Got Your Resilience On? Reducing the Risk of Disaster with Business Continuit...Got Your Resilience On? Reducing the Risk of Disaster with Business Continuit...
Got Your Resilience On? Reducing the Risk of Disaster with Business Continuit...
 
insider threat research
insider threat researchinsider threat research
insider threat research
 
when minutes counts
when minutes countswhen minutes counts
when minutes counts
 
Improve Information Security Practices in the Small Enterprise
Improve Information Security Practices in the Small EnterpriseImprove Information Security Practices in the Small Enterprise
Improve Information Security Practices in the Small Enterprise
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
 

Destaque

Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
mmagario
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security Presentation
Wajahat Rajab
 
How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)
Steven Hoober
 
Five Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same SlideFive Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same Slide
Crispy Presentations
 
Why Content Marketing Fails
Why Content Marketing FailsWhy Content Marketing Fails
Why Content Marketing Fails
Rand Fishkin
 
The What If Technique presented by Motivate Design
The What If Technique presented by Motivate DesignThe What If Technique presented by Motivate Design
The What If Technique presented by Motivate Design
Motivate Design
 

Destaque (20)

Achieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessAchieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awareness
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security Presentation
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
 
How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)How People Really Hold and Touch (their Phones)
How People Really Hold and Touch (their Phones)
 
The History of SEO
The History of SEOThe History of SEO
The History of SEO
 
Displaying Data
Displaying DataDisplaying Data
Displaying Data
 
Five Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same SlideFive Killer Ways to Design The Same Slide
Five Killer Ways to Design The Same Slide
 
The Seven Deadly Social Media Sins
The Seven Deadly Social Media SinsThe Seven Deadly Social Media Sins
The Seven Deadly Social Media Sins
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
 
How To (Really) Get Into Marketing
How To (Really) Get Into MarketingHow To (Really) Get Into Marketing
How To (Really) Get Into Marketing
 
Why Content Marketing Fails
Why Content Marketing FailsWhy Content Marketing Fails
Why Content Marketing Fails
 
The What If Technique presented by Motivate Design
The What If Technique presented by Motivate DesignThe What If Technique presented by Motivate Design
The What If Technique presented by Motivate Design
 
What 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From FailureWhat 33 Successful Entrepreneurs Learned From Failure
What 33 Successful Entrepreneurs Learned From Failure
 
Upworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The InternetsUpworthy: 10 Ways To Win The Internets
Upworthy: 10 Ways To Win The Internets
 
Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.Crap. The Content Marketing Deluge.
Crap. The Content Marketing Deluge.
 
What Would Steve Do? 10 Lessons from the World's Most Captivating Presenters
What Would Steve Do? 10 Lessons from the World's Most Captivating PresentersWhat Would Steve Do? 10 Lessons from the World's Most Captivating Presenters
What Would Steve Do? 10 Lessons from the World's Most Captivating Presenters
 
Digital Strategy 101
Digital Strategy 101Digital Strategy 101
Digital Strategy 101
 
Design Your Career 2018
Design Your Career 2018Design Your Career 2018
Design Your Career 2018
 
10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next Presentation10 Powerful Body Language Tips for your next Presentation
10 Powerful Body Language Tips for your next Presentation
 

Semelhante a It risk assessment

200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
Chad Korosec
 
Understanding Cyber Threat Intelligence A Guide for Analysts.pdf
Understanding Cyber Threat Intelligence A Guide for Analysts.pdfUnderstanding Cyber Threat Intelligence A Guide for Analysts.pdf
Understanding Cyber Threat Intelligence A Guide for Analysts.pdf
uzair
 
Risk assessment is the process which - identify hazards, analyzes an.pdf
Risk assessment is the process which - identify hazards, analyzes an.pdfRisk assessment is the process which - identify hazards, analyzes an.pdf
Risk assessment is the process which - identify hazards, analyzes an.pdf
harihelectronicspune
 
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docxRISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
joellemurphey
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
gilbertkpeters11344
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Corporater
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
toltonkendal
 

Semelhante a It risk assessment (20)

Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
5 THREAT AND RISK ASSESSMENT APPROACHES.pptx
5 THREAT AND RISK ASSESSMENT APPROACHES.pptx5 THREAT AND RISK ASSESSMENT APPROACHES.pptx
5 THREAT AND RISK ASSESSMENT APPROACHES.pptx
 
Steps to Consider When Conducting IT Risk Assessment
Steps to Consider When Conducting IT Risk AssessmentSteps to Consider When Conducting IT Risk Assessment
Steps to Consider When Conducting IT Risk Assessment
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
Strategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdfStrategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdf
 
It risk assessment in uae
It risk assessment in uaeIt risk assessment in uae
It risk assessment in uae
 
Understanding Cyber Threat Intelligence A Guide for Analysts.pdf
Understanding Cyber Threat Intelligence A Guide for Analysts.pdfUnderstanding Cyber Threat Intelligence A Guide for Analysts.pdf
Understanding Cyber Threat Intelligence A Guide for Analysts.pdf
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
Risk assessment is the process which - identify hazards, analyzes an.pdf
Risk assessment is the process which - identify hazards, analyzes an.pdfRisk assessment is the process which - identify hazards, analyzes an.pdf
Risk assessment is the process which - identify hazards, analyzes an.pdf
 
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docxRISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
 
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
 
Metrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationMetrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in Communication
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
 
Websense
WebsenseWebsense
Websense
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSM
 

Mais de Happiest Minds Technologies

ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKINGARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
Happiest Minds Technologies
 

Mais de Happiest Minds Technologies (20)

Largest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyLargest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case Study
 
BFSI GLOBAL TRENDS FY 24
BFSI GLOBAL TRENDS FY 24BFSI GLOBAL TRENDS FY 24
BFSI GLOBAL TRENDS FY 24
 
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKINGARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
 
DIGITAL MANUFACTURING
DIGITAL MANUFACTURINGDIGITAL MANUFACTURING
DIGITAL MANUFACTURING
 
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceExploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
 
AN OVERVIEW OF THE METAVERSE
AN OVERVIEW OF THE METAVERSEAN OVERVIEW OF THE METAVERSE
AN OVERVIEW OF THE METAVERSE
 
VMware to AWS Cloud Migration
VMware to AWS Cloud MigrationVMware to AWS Cloud Migration
VMware to AWS Cloud Migration
 
Digital-Content-Monetization-DCM-Platform-2.pdf
Digital-Content-Monetization-DCM-Platform-2.pdfDigital-Content-Monetization-DCM-Platform-2.pdf
Digital-Content-Monetization-DCM-Platform-2.pdf
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
 
Cloud Reshaping Banking
Cloud Reshaping BankingCloud Reshaping Banking
Cloud Reshaping Banking
 
Automating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKAutomating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UK
 
PAMaaS- Powered by CyberArk
PAMaaS- Powered by CyberArkPAMaaS- Powered by CyberArk
PAMaaS- Powered by CyberArk
 
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
 
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
 
How to Approach Tool Integrations
How to Approach Tool IntegrationsHow to Approach Tool Integrations
How to Approach Tool Integrations
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

It risk assessment

  • 1. IT Risk Assessment Happiest People Happiest Customers
  • 2. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved2 Contents Contents…………………………………………………………………………………………………………2 Introduction………………………………………………………………………………………………..........3 What benefits accrue from an IT risk assessment?………………………………………………………...3 Conducting an IT Risk Assessment………………………………………………….............………………4 Common Pitfalls to Avoid…………………………………………...................………………….……….....5 Our solution for conducting an efficacious IT Risk Assessment.................………………….………......5 Conclusion……………………………………………………………………………………………………….5 About the Author……………………………………………………………………………………………......6
  • 3. An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy. Some of the benefits of conducting an IT risk assessment are: Identify security threats and vulnerabilities Conducting an IT risk assessment can help locate vulnerabilities in your existing IT infrastructure and enterprise applications, before these are exploited by hackers. Appropriate action can then be taken to patch and fix these vulnerabilities, reducing IT risk and the potential impact of any breach. Identify the maturity level of existing security controls and tool usage An IT risk assessment can help evaluate the existing defenses and preventive / corrective controls in place. The identified areas of improvements can then be mapped against the current technology landscape to ascertain if improvements are possi- ble (additional security controls or a possible correlation of data arising from these controls that can result in advanced threat intelligence, for instance). The IT assessment thus highlights remediation measures to maximize current investments. Enhance enterprise-wide security policies Not only will the assessment help plug holes in your security, but, by tying IT risk to enterprise-wide risk management, it can help create more secure solutions, practices and policies within the organization. This will improve the overall security of infor- mation in the organization, and help identify what security strategy best suits your organization. Gauge security awareness and readiness An IT risk assessment needs the involvement of various IT security personnel, as well as other employees and managers, which will help you gauge how aware various individuals and departments are of security threats, vulnerabilities, practices and solutions. It also gives a measure of how well the employees and contractors understand and follow the enterprise’s security policies and standards. An IT risk assessment may thus, point to the need for security awareness campaigns or workshops for your employees. Justify security investments Reviewing existing IT infrastructure and studying the potential business impact of a compromised system can help make a business case for security spending. An assessment can present a fair analysis of security investment versus potential losses and costs from security breaches. © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved A 2014 study by the Ponemon Institute and HP showed that the average annual cost of cyber crime incurred by U.S. organiza- tions has risen by 96% between 2010 and 2014, to a staggering $12.7 million. All organizations are aware of the danger posed by hackers out to steal data and money, and yet, many fail to keep their security policies and systems updated. Outdated software with vulnerabilities and practices that leave the organization open to threat are still common. In order to protect your organization, you must methodically evaluate the risks, threats, and vulnerabilities surrounding your IT infrastructure. In short, you need an IT Risk Assessment. An IT Risk Assessment is a comprehensive review of the IT organization, with the objective of identifying existing flaws that could be exploited to threaten the security of the network and data. It serves as the basis for deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. 3 Introduction What benefits accrue from an IT risk assessment?
  • 4. Prove security due diligence With IT risk assessment regulations likely to come into play in the next few years, it is important that your organization have documented proof of conducting assessments on a regular basis. Moreover, if you have insurance that deals with data loss, the insurance organizations will demand proof that the appropriate security measures were in place (in case of an incident). IT risk assessment documentation can help prove that. Understand the security maturity of your partners A recent study by PwC has found that the biggest challenge to security today is from internal (employees and partners), not external threats. A robust IT assessment includes assessment of security measures within your partner network. Findings from the assessment can help plan better defenses against third-party attacks. The overall objective of an organization’s security strategy is to ensure the protection of information (whether its own or that of customers, suppliers, and other parties) and assets. An IT risk assessment is a major preventive measure that actively mitigates the risk of vulnerabilities and threats negatively impacting the organization. A traditional IT risk assessment reviews IT-related issues such as outages, application downtime and hardware failures. It comprises three main steps: Evaluation The evaluation phase focuses on understanding the critical resources that may be affected by the threat or vulnerability. Busi- ness evaluation can be conducted by: Identifying critical business processes and assets: The first step is to identify all the information, processes, and informa- tion assets that are crucial or important for the functioning and security of the business. Identifying these critical components will help you decide what you want to protect, and what the consequence of losing them would be. Identifying vulnerabilities: A proactive review process to check for inherent vulnerabilities that could be exploited and affect the organization. When identifying vulnerabilities, remember to view them within the context of the business, i.e. how they will affect your business as a whole. Gathering information on potential threats to your organization’s information: Knowing what threats each of your IT assets may face and from where those may originate can help formulate a plan of defense. Risk Assessment The risk assessment phase consists of determining the likelihood and the severity of threats and vulnerabilities. Not all threats are equal—some happen more often than others, and others are more devastating to the organization’s infrastructure. The first step in identifying the worst threats is to find out how likely it is that the threat will occur. Next, quantify the impact the threat could have on the enterprise. Then, by mapping threats and vulnerabilities, likelihood, and impact to critical information, processes, and information assets, you can determine a scale to rate the severity of the consequences of an event or a breach in security. This will help determine which threats or vulnerabilities you need to prepare for. Risk Mitigation Risk mitigation is all about preparing to face a potential threat or tackle a possible vulnerability. It requires the organization to take many steps, either on its own, in collaboration with the IT infrastructure providers or with the aid of IT security organiza- tions. There are three measures your organization must have in place: • Preventive: Preventive measures identify threats before they occur. These notify your security team when they spot a threat or locate vulnerability, so they can begin taking steps to deal with the event. • Mitigation: Mitigation aims to reduce or minimize the consequences of an event or breach of security. These measures ensure that the threat does not impact the entire infrastructure or all the information resources. • Recovery: Recovery operations enable the organization to resume business activities post the event. This includes recovering data from remote/offsite data centers and getting systems up and running in safe environments. 4 © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved4 Conducting an IT Risk Assessment
  • 5. 4 © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved5 There are some common pitfalls that you should be aware of that can weaken the efficacy of an IT risk assessment: Viewing IT risk assessment as separate from enterprise risk management: IT risks cannot be treated as a discrete aspect of security not related to the wider enterprise. Incorporate IT risk management into the enterprise risk management system in order to understand how IT risks affect and are affected by other security and business risks. Their broader impact on the whole organization must be considered. Conducting a non-contextual assessment: IT risk assessments must be viewed within a business context. When analying breaches and vulnerabilities, it is essential to see these in the context of your information assets and how an attack on them will impact business. This kind of in-depth and actionable analysis will help develop an effective assessment that provides a window into not only technology flaws, but also business vulnerabilities. Diluting the focus on assets that matter: The aim should not be to audit every IT equipment, server, or application, but to conduct a thorough assessment with greater frequency for targeted, high-risk IT assets. Ignoring third-party risk: While organizations account for risk from organization practices and software, they often forget to account for risks from other third-party organizations and individuals. In reality, these latter risks play a significant role, especially if your enterprise systems or financial exchange systems are integrated, since a breach of your vendor’s network can compromise your own data. Improper assessment of threats: Some organizations fail to account for the severity of threats, or broadly classify threats into categories; both these practices lead to an insufficient understanding of the real danger from each threat. Infrequent assessment of risks: Risk assessment cannot be a once-a-year activity; it is a continuous process requiring frequent checks. Imbalance in assessment parameters: IT risk assessment is not a list of items to be rated, it is an in-depth look at the many security practices and software. Many organizations fail to realize that there should be a balance between the quanti- tative and qualitative data collected for assessment. Relying mostly on automated assessment tools: While automated tools facilitate efficient assessment and a continuous monitoring of IT assets and infrastructure, manual pen testing is required for a more in-depth and comprehensive assess- ment. Some risks, specifically business vulnerabilities, can only be identified by manual intervention. Inability to translate the findings into actionable items: Translating the findings into a set of actionable and remediation plans, and aligning them with IT strategy and roadmap is a key step that is often left incomplete after an IT risk assessment. Bringing the senior management into loop and getting their buy-in on remediation plans and regular follow-ups are key to realizing the full benefit of the assessment. Our solution for conducting an efficacious IT Risk Assessment Happiest Minds’ ComplianceVigil is a solution for monitoring and managing IT risks. It provides a platform for risk and compliance management where framework, management, automation and monitoring are bundled into a single platform delivered from the cloud (private or public).ComplianceVigil will provide your organization with an integrated and flexible framework for documenting and assessing risks and their impacts, managing audits, and planning solutions. Common Pitfalls to Avoid Conclusion
  • 6. 129 12 © Happiest Minds Technologies Pvt. Ltd. All Rights Reserved Priya Kanduri About the Author Happiest Minds Heads the Risk and Compliance practice at Happiest Minds Technologies Pvt. Limited. She brings in more than 15 years of experience in the area of IT Security across multiple domains like Identity and Access Management, Data Security, Cloud Security, Governance, Risk and Compliance. Her recent work includes running large information security programs for enterprises across UK and Europe and helping them get compliant with regulatory mandates. She is a regular speaker at security conferences on various subjects like identity management & governance, IP protection, risk management and cloud adoption for compliance. 6 © 2014 Happiest Minds. All Rights Reserved. E-mail: Business@happiestminds.com Visit us: www.happiestminds.com Follow us on This Document is an exclusive property of Happiest Minds Technologies Pvt. Ltd Happiest Minds enables Digital Transformation for enterprises and technology providers by delivering seamless customer experience, business efficiency and actionable insights through an integrated set of disruptive technologies: big data analytics, internet of things, mobility, cloud, security, unified communications, etc. Happiest Minds offers domain centric solutions applying skills, IPs and functional expertise in IT Services, Product Engineering, Infrastructure Management and Security. These services have applicability across industry sectors such as retail, consumer packaged goods, e-commerce, banking, insurance, hi-tech, engineering R&D, manufacturing, automotive and travel/transportation/hospitality. Headquartered in Bangalore, India, Happiest Minds has operations in the US, UK, Singapore, Australia and has secured $ 52.5 million Series-A funding. Its investors are JPMorgan Private Equity Group, Intel Capital and Ashok Soota.