Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)

Rollback to version 1

0:00 - 0:03

information technology i.t risk and
0:03 - 0:05

management of it risks
0:05 - 0:07

welcome to the risk management of
0:07 - 0:10

everything channel on this channel you
0:10 - 0:12

will see videos on risk management and
0:12 - 0:14

the application of risk management to
0:14 - 0:17

diverse areas and sectors if you are new
0:17 - 0:19

here make sure to subscribe to our
0:19 - 0:21

channel and press the notification
0:21 - 0:23

button so you can be notified when we
0:23 - 0:25

upload new videos
0:25 - 0:27

thank you
0:27 - 0:29

this video discusses information
0:29 - 0:32

technology i.t risks and management of
0:32 - 0:34

it risk in this video you will
0:34 - 0:36

understand the meaning of information
0:36 - 0:40

technology i.t risk categories of it
0:40 - 0:43

risks impacts of it failure on business
0:43 - 0:47

organizations types of it risks i.t
0:47 - 0:49

risks management process how to manage
0:49 - 0:53

it risks it risk assessment quantitative
0:53 - 0:56

it risks assessment qualitative it risks
0:56 - 0:59

assessment how to mitigate it risks
0:59 - 1:01

incidence response i.t incident
1:01 - 1:03

management process i.t incidence
1:03 - 1:06

recovery planning it standard it risk
1:06 - 1:09

management checklist it risk management
1:09 - 1:12

policy and content of it risk management
1:12 - 1:16

policy now let us start
1:16 - 1:18

the more a business relies on
1:18 - 1:20

information technology i.t the more
1:20 - 1:22

critical it is to identify and control
1:22 - 1:25

its i.t systems risks
1:25 - 1:27

threats ranging from equipment failure
1:27 - 1:29

to malicious attacks by hackers can
1:29 - 1:32

disrupt critical business systems and
1:32 - 1:34

excess confidential data
1:34 - 1:38

what is information technology i t risk
1:38 - 1:40

i.t risk is any threat to a business
1:40 - 1:43

data critical systems and business
1:43 - 1:46

processes it is the risk associated with
1:46 - 1:49

the use ownership operation involvement
1:49 - 1:53

influence and adoption of it it risk is
1:53 - 1:55

any threat to a business data critical
1:55 - 1:59

systems and business processes it risks
1:59 - 2:01

can damage business value and often come
2:01 - 2:04

from poor management of processes and
2:04 - 2:05

events
2:05 - 2:08

categories of it risks
2:08 - 2:10

i t risk spans a range of business
2:10 - 2:12

critical areas such as
2:12 - 2:16

1. security for example compromised
2:16 - 2:19

business data due to unauthorized access
2:19 - 2:20

or use
2:20 - 2:23

2. availability such as inability to
2:23 - 2:26

access i-t systems needed for business
2:26 - 2:27

operations
2:27 - 2:30

3. performance such as reduced
2:30 - 2:33

productivity due to slow or delayed
2:33 - 2:36

access to it systems and
2:36 - 2:39

4. compliance such as failure to follow
2:39 - 2:42

laws and regulations for example data
2:42 - 2:44

protection
2:44 - 2:47

i.t risks varies in range and nature it
2:47 - 2:49

is essential to be aware of all the
2:49 - 2:51

different types of it risk potentially
2:51 - 2:53

affecting a business
2:53 - 2:55

impacts of information technology
2:55 - 2:58

failure on business organizations
2:58 - 3:01

for businesses that rely on technology
3:01 - 3:04

events or incidents that compromise i.t
3:04 - 3:07

can cause many problems for example a
3:07 - 3:09

security breach can lead to
3:09 - 3:13

one identity fraud and theft
3:13 - 3:16

two financial fraud or theft
3:16 - 3:18

three damage to reputation
3:18 - 3:22

4. damage to brand and
3:22 - 3:25

5. damage to a business physical asset
3:25 - 3:28

furthermore failure of it systems due to
3:28 - 3:31

downtime or outages can result in other
3:31 - 3:34

damaging and severe consequences such as
3:34 - 3:38

one lost sales and customers two reduced
3:38 - 3:40

staff or business productivity three
3:40 - 3:42

reduced customer loyalty and
3:42 - 3:45

satisfaction and four damaged
3:45 - 3:48

relationship with partners and suppliers
3:48 - 3:51

if i.t failure affects a firm's ability
3:51 - 3:54

to comply with laws and regulations then
3:54 - 3:56

it could also lead to one breach of
3:56 - 4:00

legal duties two penalties fines and
4:00 - 4:04

litigation 3 reputational damage and 4
4:04 - 4:07

breach of client confidentiality
4:07 - 4:11

types of information technology risks
4:11 - 4:13

organizations i.t systems and
4:13 - 4:15

information are susceptible to a wide
4:15 - 4:18

range of risks if a business relies on
4:18 - 4:20

technology for its operations and
4:20 - 4:22

activities the managers need to be aware
4:22 - 4:26

of it threats threats to a firm's it
4:26 - 4:28

systems can be external internal
4:28 - 4:31

deliberate and unintentional most i.t
4:31 - 4:33

risks affect one or more of the
4:33 - 4:34

following
4:34 - 4:38

1. business or project goals
4:38 - 4:40

2. service continuity
4:40 - 4:43

3. bottom line results
4:43 - 4:46

fourth business reputation
4:46 - 4:49

five security and
4:49 - 4:51

six infrastructure
4:51 - 4:55

examples of information technology risks
4:55 - 4:57

based on the nature of risks it is
4:57 - 5:00

possible to differentiate between
5:00 - 5:03

1. physical threats these are threats
5:03 - 5:06

arising from physical access or damage
5:06 - 5:09

to i.t resources such as servers
5:09 - 5:11

these could include theft damage from
5:11 - 5:14

fire or flood or unauthorized access to
5:14 - 5:16

confidential data by an employee or
5:16 - 5:17

outsider
5:17 - 5:20

2. electronic threats aim at
5:20 - 5:22

compromising business information for
5:22 - 5:25

example a hacker could get access to the
5:25 - 5:28

company's website a computer virus may
5:28 - 5:30

infected sighty system or the business
5:30 - 5:33

may fall victim to a fraudulent email or
5:33 - 5:36

website these are the common types of
5:36 - 5:39

electronic threats a business face
5:39 - 5:42

3. technical failures include software
5:42 - 5:44

bugs computer crashes and complete
5:44 - 5:47

failure of a computer component a
5:47 - 5:49

technical failure can be catastrophic if
5:49 - 5:52

for example a firm cannot retrieve data
5:52 - 5:54

on a failed hard drive and no backup
5:54 - 5:56

copy is available
5:56 - 6:00

4. infrastructure failures these include
6:00 - 6:02

loss of internet connection that can
6:02 - 6:03

interrupt a business
6:03 - 6:05

infrastructure failures can make a
6:05 - 6:08

company loss an important purchase order
6:08 - 6:12

5. human error is a significant threat
6:12 - 6:14

for example someone might accidentally
6:14 - 6:17

delete important data or fail to follow
6:17 - 6:19

security procedures properly
6:19 - 6:22

information technology risk management
6:22 - 6:23

process
6:23 - 6:26

to manage it risks effectively the
6:26 - 6:28

following 6 steps of the risk management
6:28 - 6:30

process should be undertaken
6:30 - 6:34

1. identify risks determine the nature
6:34 - 6:35

of risks and how they relate to a
6:35 - 6:37

business
6:37 - 6:40

2. assess risks determine how serious
6:40 - 6:42

each risk is to the business and
6:42 - 6:44

prioritize them
6:44 - 6:47

3. mitigate risks put preventive
6:47 - 6:49

measures to reduce the likelihood of the
6:49 - 6:52

risk occurring and limit its impact
6:52 - 6:55

4. develop incident response set out
6:55 - 6:57

plans for managing a problem and
6:57 - 7:00

recovering the company's operation
7:00 - 7:03

5. develop contingency plans ensure that
7:03 - 7:06

the company can continue to run after an
7:06 - 7:08

incident or a crisis
7:08 - 7:11

6. review processes and procedures
7:11 - 7:13

continue to assess threats and manage
7:13 - 7:14

new risks
7:14 - 7:17

how to manage information technology
7:17 - 7:18

risks
7:18 - 7:21

managing various types of i-t risks
7:21 - 7:24

begins with identifying precisely
7:24 - 7:26

1. the type of threats affecting the
7:26 - 7:27

business
7:27 - 7:30

2. the assets that may be at risk and 3
7:30 - 7:33

the ways of securing i.t systems
7:33 - 7:36

information technology risk assessment
7:36 - 7:38

i.t risk assessment is a process of
7:38 - 7:40

analyzing potential threats and
7:40 - 7:43

vulnerabilities to it systems to
7:43 - 7:45

establish their potential loss
7:45 - 7:47

its objective is to help achieve optimal
7:47 - 7:50

security at a reasonable cost there are
7:50 - 7:52

two prevailing methodologies for
7:52 - 7:55

assessing the different types of it risk
7:55 - 7:56

quantitative and qualitative risk
7:56 - 7:58

analysis
7:58 - 8:00

now let us now discuss the two types of
8:00 - 8:03

it risks assessment methodology
8:03 - 8:06

quantitative information technology
8:06 - 8:08

risks assessment
8:08 - 8:10

quantitative assessment measures risk
8:10 - 8:12

using monetary amounts and numeric data
8:12 - 8:15

it uses mathematical formulas to give
8:15 - 8:17

value in terms of
8:17 - 8:20

1 the frequency of risk occurrence
8:20 - 8:23

2 the asset value and
8:23 - 8:26

3 the probability of associated loss
8:26 - 8:29

in an example of server failure a
8:29 - 8:31

quantitative assessment would involve
8:31 - 8:32

looking at
8:32 - 8:35

1. cost of a server or the revenue it
8:35 - 8:36

generates
8:36 - 8:40

2. how often does the server crash and
8:40 - 8:43

3. the estimated loss incurred each time
8:43 - 8:45

it crashed
8:45 - 8:47

from these values the company can work
8:47 - 8:51

out several vital calculations including
8:51 - 8:54

1. single loss expectancy refers to the
8:54 - 8:56

costs the company would incur if the
8:56 - 8:59

incident occurred once
8:59 - 9:01

2. the annual rate of occurrence this
9:01 - 9:03

refers to how many times a year the
9:03 - 9:06

company could expect the risk to occur
9:06 - 9:07

and
9:07 - 9:08

3.
9:08 - 9:10

annual loss expectancy this refers to
9:10 - 9:13

the total risk value over a year
9:13 - 9:15

these computations can assist the
9:15 - 9:17

company in avoiding spending too much
9:17 - 9:20

time and money on reducing negligible
9:20 - 9:23

risks for example if a threat is
9:23 - 9:25

unlikely to happen or costs little or
9:25 - 9:27

nothing to remedy it probably presents a
9:27 - 9:30

low risk to the business however if a
9:30 - 9:32

threat to the company's critical i t
9:32 - 9:34

systems is likely to happen and could be
9:34 - 9:36

expensive to fix or likely to affect the
9:36 - 9:38

business adversely such risk should be
9:38 - 9:41

considered as a high risk the risk
9:41 - 9:43

information can also be used to conduct
9:43 - 9:45

a cost and benefit analysis to determine
9:45 - 9:48

what level of investment would make risk
9:48 - 9:50

treatment worthwhile a company may not
9:50 - 9:52

always have the necessary historical
9:52 - 9:55

data to determine the probability of i.t
9:55 - 9:58

related risks and estimated costs
9:58 - 10:00

meanwhile quantitative measures of risk
10:00 - 10:03

are meaningful when there is good data
10:03 - 10:06

qualitative information technology risks
10:06 - 10:07

assessment
10:07 - 10:09

qualitative risk assessment is opinion
10:09 - 10:11

based it relies on judgment to
10:11 - 10:14

categorize risks based on probability
10:14 - 10:16

and impact and uses a rating scale to
10:16 - 10:19

describe the risks as
10:19 - 10:22

1. low means unlikely to occur or impact
10:22 - 10:24

a business
10:24 - 10:27

2. medium means possible to occur and
10:27 - 10:29

impact and
10:29 - 10:32

3. high means likely to occur and impact
10:32 - 10:34

the business significantly
10:34 - 10:37

for example it is possible to describe a
10:37 - 10:40

high probability risk as events that are
10:40 - 10:42

likely to happen several times in a year
10:42 - 10:45

the same can be done for cost and impact
10:45 - 10:48

in practical terms for example
10:48 - 10:51

low means that the company would lose up
10:51 - 10:54

to half an hour of production
10:54 - 10:57

medium means t hat the company would
10:57 - 10:59

cause complete shutdown for at least
10:59 - 11:02

three days and high means that the
11:02 - 11:04

company would cause irreversible loss to
11:04 - 11:05

the business
11:05 - 11:08

after risk ratings a risk assessment
11:08 - 11:10

matrix should be created to categorize
11:10 - 11:12

the level of risk of each risk event
11:12 - 11:15

this will assist the company in deciding
11:15 - 11:17

which risk to mitigate accept or
11:17 - 11:20

transfer different types of it risk
11:20 - 11:22

assessments can be undertaken often it
11:22 - 11:25

may be best to use a mixed approach to
11:25 - 11:27

it risks assessments combining elements
11:27 - 11:29

of both quantitative and qualitative
11:29 - 11:32

analysis the company can also use
11:32 - 11:34

quantitative data to assess the value of
11:34 - 11:37

assets and loss expectancy this may take
11:37 - 11:39

time and effort but it can also result
11:39 - 11:42

in a greater understanding of the risks
11:42 - 11:43

and better data than each method would
11:43 - 11:45

provide alone how to mitigate
11:45 - 11:48

information technology risk
11:48 - 11:50

if the company cannot remove or reduce
11:50 - 11:52

risks to an acceptable level it might
11:52 - 11:55

reduce the impact of potential incidents
11:55 - 11:57

the company should consider
11:57 - 12:00

1. setting procedures for detecting
12:00 - 12:03

problems for example a virus might
12:03 - 12:05

infect the company's system
12:05 - 12:08

2. getting insurance against the costs
12:08 - 12:10

of security breaches
12:10 - 12:12

as part of risk management a firm should
12:12 - 12:15

reduce potential i.t risks that may
12:15 - 12:17

impact the business the company should
12:17 - 12:19

put establish measures to protect the
12:19 - 12:21

company's systems and data from all
12:21 - 12:24

known threats the company should also
12:24 - 12:27

create contingency plans to minimize the
12:27 - 12:28

impacts of unknown threats on the
12:28 - 12:31

organization's operations
12:31 - 12:35

to mitigate it risks the company should
12:35 - 12:38

one regularly review the information it
12:38 - 12:40

holds and share ensure that the company
12:40 - 12:43

comply with data protection legislation
12:43 - 12:45

and think about what needs to be on
12:45 - 12:48

public or shared systems where possible
12:48 - 12:50

sensitive information should be removed
12:50 - 12:54

or secured thoroughly 2. install and
12:54 - 12:56

maintain security controls such as
12:56 - 12:59

firewalls anti-virus software and
12:59 - 13:02

processes that help prevent intrusion
13:02 - 13:05

3. implement security policies and
13:05 - 13:07

procedures such as internet and email
13:07 - 13:10

usage policies and train staff
13:10 - 13:12

follow best practices in cyber security
13:12 - 13:14

for business
13:14 - 13:17

4. use a third-party it provider if it
13:17 - 13:20

lacks in-house skills often they can
13:20 - 13:23

provide their security expertise
13:23 - 13:25

incident response
13:25 - 13:28

incident response is a way of managing
13:28 - 13:30

the aftermath of an i.t security breach
13:30 - 13:33

or failure it is vital to develop a
13:33 - 13:35

response plan before the occurrence of
13:35 - 13:37

an event or incident to
13:37 - 13:40

1. limit the damage caused by the event
13:40 - 13:41

and
13:41 - 13:44

2. reduce recovery time and costs for
13:44 - 13:45

the business
13:45 - 13:48

information technology incident response
13:48 - 13:49

plan
13:49 - 13:51

an id incident response plan is a set of
13:51 - 13:53

pre-written instructions to assist an
13:53 - 13:56

organization in responding to i.t
13:56 - 13:59

threats and potential scenarios such as
13:59 - 14:03

1. information data breaches 2. denial
14:03 - 14:05

of service attacks
14:05 - 14:08

3. firewall intrusion
14:08 - 14:11

4. virus or malware infection
14:11 - 14:15

5 damage to equipment or premises
14:15 - 14:18

6. insider threats and
14:18 - 14:20

7. loss of power or other technology
14:20 - 14:22

failures
14:22 - 14:24

the company's incident response pl on
14:24 - 14:26

should be created through robust high
14:26 - 14:29

tea risk assessments a firm incident
14:29 - 14:32

response plan should identify key people
14:32 - 14:34

who will act in an incident and describe
14:34 - 14:36

their roles and responsibilities
14:36 - 14:39

an i.t incident response plan should
14:39 - 14:40

also clearly articulate who is
14:40 - 14:42

responsible for testing the plan and
14:42 - 14:45

putting it into action a firm incident
14:45 - 14:47

response plan should identify key people
14:47 - 14:50

who will act in an incident and describe
14:50 - 14:52

their roles and responsibilities
14:52 - 14:54

information technology incident
14:54 - 14:56

management process
14:56 - 14:59

the process of managing an i.t incident
14:59 - 15:02

typically consists of six steps
15:02 - 15:05

one prepare staff and managers on how to
15:05 - 15:07

handle potential incidents should they
15:07 - 15:08

arise
15:08 - 15:11

2. determine if an event is a nighty
15:11 - 15:13

failure or a security incident
15:13 - 15:16

3. contain the incident and prevent
15:16 - 15:20

further damage to systems and equipment
15:20 - 15:22

4. find the cause of the incident and
15:22 - 15:25

remove the affected systems
15:25 - 15:28

5. recover those systems after removing
15:28 - 15:29

the threats
15:29 - 15:33

6. document and analyze the situation to
15:33 - 15:36

update change or improve procedures
15:36 - 15:39

an it incident may focus on one or more
15:39 - 15:41

it components of a business or be a part
15:41 - 15:44

of a broader crisis plan for example
15:44 - 15:48

fire flood and natural disaster it is
15:48 - 15:50

therefore beneficial to develop an
15:50 - 15:53

emergency response plan the company's
15:53 - 15:55

emergency response plan should be
15:55 - 15:58

integrated into its incident response
15:58 - 15:59

strategy
15:59 - 16:01

information technology incident recovery
16:01 - 16:03

planning
16:03 - 16:05

how an organization responds to it
16:05 - 16:07

incidents would determine how well its
16:07 - 16:10

business recovers from i.t incidents
16:10 - 16:12

planning can help to shorten the
16:12 - 16:14

recovery period and reduce losses it is
16:14 - 16:17

essential to plan thoroughly to protect
16:17 - 16:20

staff stakeholders and the organization
16:20 - 16:22

from the impact of potential business
16:22 - 16:25

from i.t failure and security breaches a
16:25 - 16:27

recovery plan could include the
16:27 - 16:28

following
16:28 - 16:31

1. the recovery period goals
16:31 - 16:34

2. strategies to recover the business
16:34 - 16:36

activities within the quickest possible
16:36 - 16:38

time and
16:38 - 16:41

3. a description of resources equipment
16:41 - 16:43

and staff required to recover the
16:43 - 16:45

company's operations
16:45 - 16:48

information technology standard
16:48 - 16:50

according to international standards
16:50 - 16:52

organization iso a standard is a
16:52 - 16:55

document that provides requirements
16:55 - 16:57

specifications guidelines and
16:57 - 16:59

characteristics that can be used
16:59 - 17:02

consistently to ensure that materials
17:02 - 17:04

products processes and services are fit
17:04 - 17:06

for their purpose
17:06 - 17:08

standards allow technology to work
17:08 - 17:10

seamlessly and establish trust so that
17:10 - 17:13

markets can operate smoothly i.t
17:13 - 17:14

standards are beneficial to
17:14 - 17:16

organizations because they
17:16 - 17:19

one provide a common language to measure
17:19 - 17:21

and evaluate performance
17:21 - 17:24

2. make information sharing easy through
17:24 - 17:27

i.t and computer systems and
17:27 - 17:31

3. protect consumers by ensuring safety
17:31 - 17:34

durability and market equity
17:34 - 17:36

standards and their development frame
17:36 - 17:38

guide and normalize almost all areas of
17:38 - 17:39

our lives
17:39 - 17:42

for example standards in it govern
17:42 - 17:44

information sharing between digital
17:44 - 17:47

devices platforms and standardized
17:47 - 17:49

production machines to ensure uniform
17:49 - 17:51

repair and reproduction
17:51 - 17:54

standardization in accounting healthcare
17:54 - 17:57

or agriculture promotes best industry
17:57 - 17:59

practices that emphasize safety and
17:59 - 18:00

quality control
18:00 - 18:03

standards reflect the shared values
18:03 - 18:06

aspirations and responsibilities within
18:06 - 18:07

organizations
18:07 - 18:09

good knowledge of the most current
18:09 - 18:11

standards can drive innovation increase
18:11 - 18:14

research and development's market value
18:14 - 18:16

and promote international trade and
18:16 - 18:18

commerce iso
18:18 - 18:21

27001 is an international i.t standard
18:21 - 18:24

by the way iso is an abbreviation for
18:24 - 18:27

international standard organization
18:27 - 18:31

now let us discuss iso 27001
18:31 - 18:32

iso
18:32 - 18:36

27001 international i.t standard
18:36 - 18:37

iso
18:37 - 18:40

27001 is an international standard that
18:40 - 18:43

describes best practices for information
18:43 - 18:46

security management systems it belongs
18:46 - 18:49

to a 27 000 family of standards all of
18:49 - 18:51

which aim to help keep a business
18:51 - 18:53

information assets secure
18:53 - 18:56

the standard specifies controls that are
18:56 - 18:59

key to maintaining security iso
18:59 - 19:03

27001 control amongst others highlight
19:03 - 19:04

the following
19:04 - 19:07

1. security policy states what an
19:07 - 19:10

information security policy is what it
19:10 - 19:12

should cover and why a company should
19:12 - 19:14

have a security policy
19:14 - 19:17

2. organizational security states how an
19:17 - 19:20

organization should manage information
19:20 - 19:22

security in a business
19:22 - 19:25

3. asset classification and control
19:25 - 19:27

describe how to audit and manage a
19:27 - 19:30

company's information computers software
19:30 - 19:32

and services
19:32 - 19:36

4. staff security focuses on training
19:36 - 19:39

responsibilities vetting procedures and
19:39 - 19:41

response to incidents
19:41 - 19:44

5. physical and environmental security
19:44 - 19:47

entails keeping key locations secure and
19:47 - 19:48

physical control of access to
19:48 - 19:51

information and equipment
19:51 - 19:54

6. communications and operations
19:54 - 19:55

management secure operation of
19:55 - 19:58

information processing facilities during
19:58 - 20:00

day-to-day activities especially
20:00 - 20:02

computer networks
20:02 - 20:05

7. access control emphasizes the right
20:05 - 20:07

to use information and systems based on
20:07 - 20:09

business and security needs precisely
20:09 - 20:11

controlling who can do what within an
20:11 - 20:14

organization's information resources
20:14 - 20:15

eight
20:15 - 20:18

system development and maintenance if an
20:18 - 20:20

organization develops its software the
20:20 - 20:23

design should be suitable secure and
20:23 - 20:25

maintain information integrity
20:25 - 20:28

9. business continuity management
20:28 - 20:30

ensures that essential business
20:30 - 20:32

activities are maintained during adverse
20:32 - 20:34

conditions thereby coping with major
20:34 - 20:37

disasters to minor local issues
20:37 - 20:39

like other international standard
20:39 - 20:41

organizations management system
20:41 - 20:44

standards the company can certify the
20:44 - 20:46

business to iso 27001
20:46 - 20:49

but certification is not mandatory the
20:49 - 20:51

company may decide to implement the
20:51 - 20:53

standard to benefit from the best
20:53 - 20:55

practice it contains or may wish to
20:55 - 20:57

certify to reassure customers and
20:57 - 21:00

clients that follow information security
21:00 - 21:02

management systems best practice
21:02 - 21:04

information technology risk management
21:04 - 21:06

checklist
21:06 - 21:08

risk management can be relatively simple
21:08 - 21:10

if its basic principles are understood
21:10 - 21:12

and applied here is a checklist to
21:12 - 21:15

ensure effective it risk
21:15 - 21:18

management 1. think about i.t security
21:18 - 21:20

from the start when planning and
21:20 - 21:22

updating an i.t system
21:22 - 21:25

2. actively look for it risks that could
21:25 - 21:28

affect the business and identify why the
21:28 - 21:31

likelihood costs and impact of those
21:31 - 21:32

risks
21:32 - 21:35

3. think about the opportunity
21:35 - 21:37

capability and motivation behind
21:37 - 21:39

potential attacks
21:39 - 21:41

understand the reasons for a cyber
21:41 - 21:42

attack
21:42 - 21:45

4. assess the seriousness of each it
21:45 - 21:47

risk and focus on those that are most
21:47 - 21:49

significant
21:49 - 21:50

5.
21:50 - 21:53

understand the relevant laws legislation
21:53 - 21:55

and industry guidelines especially if
21:55 - 21:58

the company must comply with the general
21:58 - 22:01

data protection regulation gdpr and
22:01 - 22:02

other local and international
22:02 - 22:04

regulations
22:04 - 22:08

6. configure computers servers firewalls
22:08 - 22:10

and other technical elements of the
22:10 - 22:13

system keep software and hardware
22:13 - 22:15

equipment up to date put in place other
22:15 - 22:18

standard cyber security measures and
22:18 - 22:19

read about securing the company's
22:19 - 22:21

wireless network
22:21 - 22:24

7. do not rely on just one technical
22:24 - 22:28

control for example a password use
22:28 - 22:30

two-factor authentication to guarantee
22:30 - 22:33

user identity for example something
22:33 - 22:35

introduces additional security such as
22:35 - 22:39

id card pin and password
22:39 - 22:42

eight develop data recovery and backup
22:42 - 22:44

processes and consider daily backups to
22:44 - 22:46

off-site locations
22:46 - 22:49

9. support technical controls with
22:49 - 22:52

appropriate policies procedures and
22:52 - 22:54

training understand the most common
22:54 - 22:57

insider threats in cyber security
22:57 - 23:00

10. make sure that the company have a
23:00 - 23:02

business continuity plan
23:02 - 23:04

this should cover any severe it risk
23:04 - 23:07

that cannot be fully controlled the
23:07 - 23:09

business continuity plan should be
23:09 - 23:11

updated and reviewed regularly
23:11 - 23:14

11. establish effective i.t incident
23:14 - 23:16

response and recovery measures as well
23:16 - 23:19

as a recording and management system
23:19 - 23:22

simulate incidents to test and improve
23:22 - 23:25

the company's incident planning response
23:25 - 23:27

and recovery framework
23:27 - 23:30

12. develop and follow specific i.t
23:30 - 23:32

policies and procedures such as email
23:32 - 23:35

and internet views and ensure that
23:35 - 23:38

companies staff know what is acceptable
23:38 - 23:41

13. consider certification to the it
23:41 - 23:43

security management standards for the
23:43 - 23:46

business and its business partners
23:46 - 23:48

having highlighted the it risk
23:48 - 23:50

management checklist let us proceed to
23:50 - 23:53

discuss it risk management policy
23:53 - 23:56

i.t risk management policy
23:56 - 23:59

i.t policies and procedures explain why
23:59 - 24:01

it is essential to manage it risks in
24:01 - 24:04

business the company can have i.t
24:04 - 24:06

policies and procedures as part of its
24:06 - 24:08

risk management plans or business
24:08 - 24:11

continuity strategy the company's i.t
24:11 - 24:13

policies and procedures should make them
24:13 - 24:16

available to its staff and suppliers to
24:16 - 24:18

endure adequate understanding of
24:18 - 24:22

1. potential risks to the company's it
24:22 - 24:24

systems and data
24:24 - 24:26

2. procedures that are in place to
24:26 - 24:28

mitigate them
24:28 - 24:32

3. processes for handling everyday tasks
24:32 - 24:37

4. managing changes to ite systems
24:37 - 24:40

5. ways to respond to it or data
24:40 - 24:43

security incidents and
24:43 - 24:46

6. acceptable behaviors about cruciality
24:46 - 24:49

issues such as data protection and safe
24:49 - 24:51

email use
24:51 - 24:53

content of information technology risk
24:53 - 24:55

management policy
24:55 - 24:57

an it risk management policy should
24:57 - 24:59

specify security procedures and
24:59 - 25:01

standards that will apply in the company
25:01 - 25:03

and any staff policies the company
25:03 - 25:06

wishes to enforce
25:06 - 25:09

1. i.t security procedures technical
25:09 - 25:12

controls such as systems that limit
25:12 - 25:14

access to sensitive data and software
25:14 - 25:16

installation are essential for it
25:16 - 25:19

security systems the company needs
25:19 - 25:22

policies and procedures to ensure that
25:22 - 25:24

these controls are adequate
25:24 - 25:28

2. i.t security standards standards are
25:28 - 25:30

essential when developing a secure i.t
25:30 - 25:31

environment
25:31 - 25:34

for example agreed standards for the
25:34 - 25:37

procurement of pcs servers and firewalls
25:37 - 25:40

would help to provide consistency
25:40 - 25:43

3. its staff policies the company also
25:43 - 25:46

needs policies to manage activities that
25:46 - 25:48

could pose security threats
25:48 - 25:50

establishing an internet usage policy
25:50 - 25:53

and an email usage policy is also
25:53 - 25:55

necessary to protect the company's
25:55 - 25:57

systems conclusion
25:57 - 26:00

i.t risks and management of it risks
26:00 - 26:03

have been discussed in this video i.t
26:03 - 26:05

risk is any threat to a business data
26:05 - 26:08

critical systems and business processes
26:08 - 26:11

it is the risk associated with the use
26:11 - 26:14

ownership operation involvement
26:14 - 26:17

influence and adoption of it i.t risk
26:17 - 26:19

management entails a process of
26:19 - 26:22

identifying monitoring and managing
26:22 - 26:24

potential information security or
26:24 - 26:26

technology risks to mitigate or minimize
26:26 - 26:28

their negative impact
26:28 - 26:30

i hope the video is educative and
26:30 - 26:33

beneficial to you please post your
26:33 - 26:36

comments below in the comments section
26:36 - 26:38

if this video has been educative and
26:38 - 26:40

beneficial to you then give it a thumbs
26:40 - 26:43

up and share it with your friends
26:43 - 26:45

thank you for seeing the risk management
26:45 - 26:47

of everything videos
26:47 - 26:49

we love to hear from you please post
26:49 - 26:51

your comments and questions in the
26:51 - 26:53

comment section below
26:53 - 26:55

if you are new here make sure to
26:55 - 26:58

subscribe to our channel risk management
26:58 - 27:00

of everything channel and press the
27:00 - 27:02

notification button so you can be
27:02 - 27:05

notified when we upload new videos
27:05 - 27:07

thank you

Title:: Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)
Description:: more » « less
Video Language:: English
Duration:: 27:06

	OEVIDEOS edited English subtitles for Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)
	OEVIDEOS edited English subtitles for Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)