Datasheet
22
Part I: Building the Background
All organizations could benefit from a greater appreciation of the mounting
risks to IT — a firmer, more practical understanding of the risks we’re likely
to be subjected to. Three areas of consideration stand out:
✓ How risk manifests itself to information technology and users (including
employees, partners, and suppliers).
✓ How organizations should assess and address their level of exposure
to risk.
✓ How an environment full of communication technologies, sensitive intellectual
property, and personal customer information aggravates risk.
The issue is much more complicated than initially thought.
Until recently, organizations always assumed that they must somehow be
protected from outside threats. After all, they reasoned, our employees are
all good, right? That may be so, but these days the whole concept of an
organizational boundary is old hat (in effect, no longer valid) in even the
smallest of organizations. This makes any kind of risk assessment tricky.
Although IT risk management is becoming increasingly important to all
organizations, creating a full-fledged, ongoing program takes time. But it isn’t
a bad idea to kick off this process yourself — and we’re here to help:
✓ To be successful, you need senior management on your side so the
effort gets decent support.
✓ IT department heads must talk with business people and vice versa.
Excruciating? Yes, we can appreciate that, but both the functional
managers and the IT administrators must be able to review business
operations, workflow, and the technology that can expose data to loss. And
not just once. You’ll have to keep this dialog going . . . .
✓ Periodically you have to carry out thorough security reviews: to identify
new and previously unseen threats and vulnerabilities created by changes in
business processes, and to determine whether existing controls are still
effective.
Departments whose units handle or manage information assets or electronic
resources should conduct regular, formal risk assessments. A risk assessment
must
✓ Determine what information resources exist
✓ Identify what information resources require protection
✓ Help IT and the business to understand and document potential risks
from electronic or physical security failures