Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)

Edit subtitles

0:00 - 0:03

Information Technology (IT) Risk and
0:03 - 0:05

Management of IT Risks.
0:05 - 0:07

Welcome to the Risk Management of
0:07 - 0:10

Everything channel. On this channel, you
0:10 - 0:12

will see videos on risk management and
0:12 - 0:14

the application of risk management to
0:14 - 0:17

diverse areas and sectors. If you are new
0:17 - 0:19

here, make sure to subscribe to our
0:19 - 0:21

channel and press the notification
0:21 - 0:23

button so you can be notified when we
0:23 - 0:25

upload new videos.
0:25 - 0:27

Thank you.
0:27 - 0:29

This video discusses Information
0:29 - 0:32

Technology (IT) Risks and Management of
0:32 - 0:34

IT Risks. In this video, you will
0:34 - 0:36

understand the meaning of Information
0:36 - 0:40

Technology (IT) risk, categories of IT
0:40 - 0:43

risks, impacts of IT failure on business
0:43 - 0:47

organizations, types of IT risks, IT
0:47 - 0:49

risks management process, how to manage
0:49 - 0:53

IT risks, IT risk assessment, quantitative
0:53 - 0:56

IT risks assessment, qualitative IT risks
0:56 - 0:59

assessment, how to mitigate IT risks,
0:59 - 1:01

incident response, IT incident
1:01 - 1:03

management process, IT incidence
1:03 - 1:06

recovery planning, IT standard, IT risk
1:06 - 1:09

management checklist, IT risk management
1:09 - 1:12

policy, and content of IT risk management
1:12 - 1:16

policy. Now, let us start.
1:16 - 1:18

The more a business relies on
1:18 - 1:20

Information Technology (IT), the more
1:20 - 1:22

critical it is to identify and control
1:22 - 1:25

its IT systems' risks.
1:25 - 1:27

Threats ranging from equipment failure
1:27 - 1:29

to malicious attacks by hackers can
1:29 - 1:32

disrupt critical business systems and
1:32 - 1:34

access confidential data.
1:34 - 1:38

What is Information Technology (IT) Risk?
1:38 - 1:40

IT risk is any threat to a business
1:40 - 1:43

data, critical systems, and business
1:43 - 1:46

processes. It is the risk associated with
1:46 - 1:49

the use, ownership, operation, involvement,
1:49 - 1:53

influence, and adoption of IT. IT risk is
1:53 - 1:55

any threat to a business data, critical
1:55 - 1:59

systems, and business processes. IT risks
1:59 - 2:01

can damage business value and often come
2:01 - 2:04

from poor management of processes and
2:04 - 2:05

events.
2:05 - 2:08

Categories of IT Risks.
2:08 - 2:10

IT risk spans a range of business-critical
2:10 - 2:12

areas, such as:
2:12 - 2:16

1. Security, for example, compromised
2:16 - 2:19

business data due to unauthorized access
2:19 - 2:20

or use.
2:20 - 2:23

2. Availability, such as inability to
2:23 - 2:26

access IT systems needed for business
2:26 - 2:27

operations.
2:27 - 2:30

3. Performance, such as reduced
2:30 - 2:33

productivity due to slow or delayed
2:33 - 2:36

access to IT systems; and
2:36 - 2:39

4. Compliance, such as failure to follow
2:39 - 2:42

laws and regulations (for example, data
2:42 - 2:44

protection).
2:44 - 2:47

IT risks varies in range and nature. It
2:47 - 2:49

is essential to be aware of all the
2:49 - 2:51

different types of IT risk potentially
2:51 - 2:53

affecting a business.
2:53 - 2:55

Impacts of Information Technology
2:55 - 2:58

Failure on Business Organizations.
2:58 - 3:01

For businesses that rely on technology,
3:01 - 3:04

events or incidents that compromise IT
3:04 - 3:07

can cause many problems. For example, a
3:07 - 3:09

security breach can lead to
3:09 - 3:13

(1) identity fraud and theft,
3:13 - 3:16

(2) financial fraud or theft,
3:16 - 3:18

(3) damage to reputation,
3:18 - 3:22

(4) damage to brand; and
3:22 - 3:25

(5) damage to a business physical asset.
3:25 - 3:28

Furthermore, failure of IT systems due to
3:28 - 3:31

downtime or outages can result in other
3:31 - 3:34

damaging and severe consequences, such as:
3:34 - 3:38

(1) Lost sales and customers, (2) Reduced
3:38 - 3:40

staff or business productivity, (3)
3:40 - 3:42

Reduced customer loyalty and
3:42 - 3:45

satisfaction, and (4) Damaged
3:45 - 3:48

relationship with partners and suppliers.
3:48 - 3:51

If IT failure affects a firm's ability
3:51 - 3:54

to comply with laws and regulations, then
3:54 - 3:56

it could also lead to (1) breach of
3:56 - 4:00

legal duties, (2) penalties, fines, and
4:00 - 4:04

litigation, (3) reputational damage, and (4)
4:04 - 4:07

breach of client confidentiality.
4:07 - 4:11

Types of Information Technology Risks.
4:11 - 4:13

Organizations IT systems and
4:13 - 4:15

information are susceptible to a wide
4:15 - 4:18

range of risks. If a business relies on
4:18 - 4:20

technology for its operations and
4:20 - 4:22

activities, the managers need to be aware
4:22 - 4:26

of IT threats. Threats to a firm's IT
4:26 - 4:28

systems can be external, internal,
4:28 - 4:31

deliberate, and unintentional. Most IT
4:31 - 4:33

risks affect one or more of the
4:33 - 4:34

following:
4:34 - 4:38

(1) business or project goals,
4:38 - 4:40

(2) service continuity,
4:40 - 4:43

(3) bottom-line results,
4:43 - 4:46

(4) business reputation,
4:46 - 4:49

(5) security, and
4:49 - 4:51

(6) infrastructure.
4:51 - 4:55

Examples of Information Technology Risks.
4:55 - 4:57

Based on the nature of risks, it is
4:57 - 5:00

possible to differentiate between:
5:00 - 5:03

1. Physical threats: These are threats
5:03 - 5:06

arising from physical access or damage
5:06 - 5:09

to IT resources such as servers.
5:09 - 5:11

These could include theft, damage from
5:11 - 5:14

fire or flood, or unauthorized access to
5:14 - 5:16

confidential data by an employee or
5:16 - 5:17

outsider.
5:17 - 5:20

2. Electronic threats: aim at
5:20 - 5:22

compromising business information, for
5:22 - 5:25

example, a hacker could get access to the
5:25 - 5:28

company's website, a computer virus may
5:28 - 5:30

infected its IT system, or the business
5:30 - 5:33

may fall victim to a fraudulent email or
5:33 - 5:36

website. These are the common types of
5:36 - 5:39

electronic threats a business face.
5:39 - 5:42

3. Technical failures include software
5:42 - 5:44

bugs, computer crashes, and complete
5:44 - 5:47

failure of a computer component. A
5:47 - 5:49

technical failure can be catastrophic if,
5:49 - 5:52

for example, a firm cannot retrieve data
5:52 - 5:54

on a failed hard drive and no backup
5:54 - 5:56

copy is available.
5:56 - 6:00

4. Infrastructure failures: These include
6:00 - 6:02

loss of internet connection that can
6:02 - 6:03

interrupt a business.
6:03 - 6:05

Infrastructure failures can make a
6:05 - 6:08

company loss an important purchase order.
6:08 - 6:12

5. Human error is a significant threat,
6:12 - 6:14

for example, someone might accidentally
6:14 - 6:17

delete important data or fail to follow
6:17 - 6:19

security procedures properly.
6:19 - 6:22

Information Technology Risk Management
6:22 - 6:23

Process.
6:23 - 6:26

To manage IT risks effectively, the
6:26 - 6:28

following six steps of the risk management
6:28 - 6:30

process should be undertaken:
6:30 - 6:34

1. Identify risks: determine the nature
6:34 - 6:35

of risks and how they relate to a
6:35 - 6:37

business.
6:37 - 6:40

2. Assess risks: determine how serious
6:40 - 6:42

each risk is to the business and
6:42 - 6:44

prioritize them.
6:44 - 6:47

3. Mitigate risks: Put preventive
6:47 - 6:49

measures to reduce the likelihood of the
6:49 - 6:52

risk occurring and limit its impact.
6:52 - 6:55

4. Develop incident response: set out
6:55 - 6:57

plans for managing a problem and
6:57 - 7:00

recovering the company's operation.
7:00 - 7:03

5. Develop contingency plans: ensure that
7:03 - 7:06

the company can continue to run after an
7:06 - 7:08

incident or a crisis.
7:08 - 7:11

6. Review processes and procedures:
7:11 - 7:13

continue to assess threats and manage
7:13 - 7:14

new risks.
7:14 - 7:17

How to Manage Information Technology
7:17 - 7:18

Risks.
7:18 - 7:21

Managing various types of IT risks
7:21 - 7:24

begins with identifying precisely:
7:24 - 7:26

(1) The type of threats affecting the
7:26 - 7:27

business,
7:27 - 7:30

(2) The assets that may be at risk, and (3)
7:30 - 7:33

The ways of securing IT systems.
7:33 - 7:36

Information Technology Risk Assessment.
7:36 - 7:38

IT risk assessment is a process of
7:38 - 7:40

analyzing potential threats and
7:40 - 7:43

vulnerabilities to IT systems to
7:43 - 7:45

establish their potential loss.
7:45 - 7:47

Its objective is to help achieve optimal
7:47 - 7:50

security at a reasonable cost. There are
7:50 - 7:52

two prevailing methodologies for
7:52 - 7:55

assessing the different types of IT risk:
7:55 - 7:56

quantitative and qualitative risk
7:56 - 7:58

analysis.
7:58 - 8:00

Now, let us now discuss the two types of
8:00 - 8:03

IT risks assessment methodology.
8:03 - 8:06

Quantitative Information Technology
8:06 - 8:08

Risks Assessment.
8:08 - 8:10

Quantitative assessment measures risk
8:10 - 8:12

using monetary amounts and numeric data.
8:12 - 8:15

It uses mathematical formulas to give
8:15 - 8:17

value in terms of:
8:17 - 8:20

(1) The frequency of risk occurrence,
8:20 - 8:23

(2) The asset value, and
8:23 - 8:26

(3) The probability of associated loss.
8:26 - 8:29

In an example of server failure, a
8:29 - 8:31

quantitative assessment would involve
8:31 - 8:32

looking at:
8:32 - 8:35

(1) Cost of a server or the revenue it
8:35 - 8:36

generates,
8:36 - 8:40

(2) How often does the server crash, and
8:40 - 8:43

(3) The estimated loss incurred each time
8:43 - 8:45

it crashed.
8:45 - 8:47

From these values, the company can work
8:47 - 8:51

out several vital calculations including
8:51 - 8:54

(1) single loss expectancy: refers to the
8:54 - 8:56

costs the company would incur if the
8:56 - 8:59

incident occurred once,
8:59 - 9:01

(2) The annual rate of occurrence: This
9:01 - 9:03

refers to how many times a year the
9:03 - 9:06

company could expect the risk to occur;
9:06 - 9:07

and
9:07 - 9:08

(3)
9:08 - 9:10

Annual loss expectancy: This refers to
9:10 - 9:13

the total risk value over a year.
9:13 - 9:15

These computations can assist the
9:15 - 9:17

company in avoiding spending too much
9:17 - 9:20

time and money on reducing negligible
9:20 - 9:23

risks. For example, if a threat is
9:23 - 9:25

unlikely to happen or costs little or
9:25 - 9:27

nothing to remedy, it probably presents a
9:27 - 9:30

low risk to the business. However, if a
9:30 - 9:32

threat to the company's critical IT
9:32 - 9:34

systems is likely to happen and could be
9:34 - 9:36

expensive to fix or likely to affect the
9:36 - 9:38

business adversely, such risk should be
9:38 - 9:41

considered as a high risk. The risk
9:41 - 9:43

information can also be used to conduct
9:43 - 9:45

a cost and benefit analysis to determine
9:45 - 9:48

what level of investment would make risk
9:48 - 9:50

treatment worthwhile. A company may not
9:50 - 9:52

always have the necessary historical
9:52 - 9:55

data to determine the probability of IT-related
9:55 - 9:58

risks and estimated costs.
9:58 - 10:00

Meanwhile, quantitative measures of risk
10:00 - 10:03

are meaningful when there is good data.
10:03 - 10:06

Qualitative Information Technology Risks
10:06 - 10:07

Assessment.
10:07 - 10:10

Qualitative risk assessment is opinion-based.
10:10 - 10:11

It relies on judgment to
10:11 - 10:14

categorize risks based on probability
10:14 - 10:16

and impact and uses a rating scale to
10:16 - 10:19

describe the risks as:
10:19 - 10:22

1. Low: means unlikely to occur or impact
10:22 - 10:24

a business;
10:24 - 10:27

2. Medium: means possible to occur and
10:27 - 10:29

impact; and
10:29 - 10:32

3. High: means likely to occur and impact
10:32 - 10:34

the business significantly.
10:34 - 10:37

For example, it is possible to describe a
10:37 - 10:40

high probability risk as events that are
10:40 - 10:42

likely to happen several times in a year.
10:42 - 10:45

The same can be done for cost and impact
10:45 - 10:48

in practical terms, for example,
10:48 - 10:51

Low means that the company would lose up
10:51 - 10:54

to half an hour of production,
10:54 - 10:57

Medium means that the company would
10:57 - 10:59

cause complete shutdown for at least
10:59 - 11:02

three days, and High means that the
11:02 - 11:04

company would cause irreversible loss to
11:04 - 11:05

the business.
11:05 - 11:08

After risk ratings, a risk assessment
11:08 - 11:10

matrix should be created to categorize
11:10 - 11:12

the level of risk of each risk event.
11:12 - 11:15

This will assist the company in deciding
11:15 - 11:17

which risk to mitigate, accept, or
11:17 - 11:20

transfer. Different types of IT risk
11:20 - 11:22

assessments can be undertaken. Often, it
11:22 - 11:25

may be best to use a mixed approach to
11:25 - 11:27

IT risks assessments, combining elements
11:27 - 11:29

of both quantitative and qualitative
11:29 - 11:32

analysis. The company can also use
11:32 - 11:34

quantitative data to assess the value of
11:34 - 11:37

assets and loss expectancy. This may take
11:37 - 11:39

time and effort, but it can also result
11:39 - 11:42

in a greater understanding of the risks
11:42 - 11:43

and better data than each method would
11:43 - 11:45

provide alone. How to Mitigate
11:45 - 11:48

Information Technology Risk.
11:48 - 11:50

If the company cannot remove or reduce
11:50 - 11:52

risks to an acceptable level, it might
11:52 - 11:55

reduce the impact of potential incidents.
11:55 - 11:57

The company should consider
11:57 - 12:00

(1) setting procedures for detecting
12:00 - 12:03

problems, for example, a virus might
12:03 - 12:05

infect the company's system, and
12:05 - 12:08

(2) getting insurance against the costs
12:08 - 12:10

of security breaches.
12:10 - 12:12

As part of risk management, a firm should
12:12 - 12:15

reduce potential IT risks that may
12:15 - 12:17

impact the business. The company should
12:17 - 12:19

establish measures to protect the
12:19 - 12:21

company's systems and data from all
12:21 - 12:24

known threats. The company should also
12:24 - 12:27

create contingency plans to minimize the
12:27 - 12:28

impacts of unknown threats on the
12:28 - 12:31

organization's operations.
12:31 - 12:35

To mitigate IT risks, the company should:
12:35 - 12:38

1. Regularly review the information it
12:38 - 12:40

holds and share. Ensure that the company
12:40 - 12:43

comply with data protection legislation
12:43 - 12:45

and think about what needs to be on
12:45 - 12:48

public or shared systems. Where possible,
12:48 - 12:50

sensitive information should be removed
12:50 - 12:54

or secured thoroughly. 2. Install and
12:54 - 12:56

maintain security controls, such as
12:56 - 12:59

firewalls, anti-virus software and
12:59 - 13:02

processes that help prevent intrusion.
13:02 - 13:05

3. Implement security policies and
13:05 - 13:07

procedures, such as internet and email
13:07 - 13:10

usage policies and train staff.
13:10 - 13:12

Follow best practices in cybersecurity
13:12 - 13:14

for business.
13:14 - 13:17

4. Use a third-party IT provider if it
13:17 - 13:20

lacks in-house skills. Often, they can
13:20 - 13:23

provide their security expertise.
13:23 - 13:25

Incident Response.
13:25 - 13:28

Incident response is a way of managing
13:28 - 13:30

the aftermath of an IT security breach
13:30 - 13:33

or failure. It is vital to develop a
13:33 - 13:35

response plan before the occurrence of
13:35 - 13:37

an event or incident to
13:37 - 13:40

(1) limit the damage caused by the event;
13:40 - 13:41

and
13:41 - 13:44

(2) reduce recovery time and costs for
13:44 - 13:45

the business.
13:45 - 13:48

Information Technology Incident Response
13:48 - 13:49

Plan.
13:49 - 13:51

An IT incident response plan is a set of
13:51 - 13:53

pre-written instructions to assist an
13:53 - 13:56

organization in responding to IT
13:56 - 13:59

threats and potential scenarios, such as
13:59 - 14:03

(1) information data breaches, (2) denial
14:03 - 14:05

of service attacks,
14:05 - 14:08

(3) firewall intrusion,
14:08 - 14:11

(4) virus or malware infection,
14:11 - 14:15

(5) damage to equipment or premises,
14:15 - 14:18

(6) insider threats, and
14:18 - 14:20

(7) loss of power or other technology
14:20 - 14:22

failures.
14:22 - 14:24

The company's incident response plans
14:24 - 14:27

should be created through robust IT
14:27 - 14:29

risk assessments. A firm incident
14:29 - 14:32

response plan should identify key people
14:32 - 14:34

who will act in an incident and describe
14:34 - 14:36

their roles and responsibilities.
14:36 - 14:39

An IT Incident Response Plan should
14:39 - 14:40

also clearly articulate who is
14:40 - 14:42

responsible for testing the plan and
14:42 - 14:45

putting it into action. A firm incident
14:45 - 14:47

response plan should identify key people
14:47 - 14:50

who will act in an incident and describe
14:50 - 14:52

their roles and responsibilities.
14:52 - 14:54

Information Technology Incident
14:54 - 14:56

Management Process.
14:56 - 14:59

The process of managing an IT incident
14:59 - 15:02

typically consists of six steps.
15:02 - 15:05

1. Prepare staff and managers on how to
15:05 - 15:07

handle potential incidents should they
15:07 - 15:08

arise.
15:08 - 15:11

2. Determine if an event is an IT
15:11 - 15:13

failure or a security incident.
15:13 - 15:16

3. Contain the incident and prevent
15:16 - 15:20

further damage to systems and equipment.
15:20 - 15:22

4. Find the cause of the incident and
15:22 - 15:25

remove the affected systems.
15:25 - 15:28

5. Recover those systems after removing
15:28 - 15:29

the threats.
15:29 - 15:33

6. Document and analyze the situation to
15:33 - 15:36

update, change or improve procedures.
15:36 - 15:39

An IT incident may focus on one or more
15:39 - 15:41

IT components of a business or be a part
15:41 - 15:44

of a broader crisis plan, for example,
15:44 - 15:48

fire, flood, and natural disaster. It is,
15:48 - 15:50

therefore, beneficial to develop an
15:50 - 15:53

emergency response plan. The company's
15:53 - 15:55

emergency response plan should be
15:55 - 15:58

integrated into its incident response
15:58 - 15:59

strategy.
15:59 - 16:01

Information Technology Incident Recovery
16:01 - 16:03

Planning.
16:03 - 16:05

How an organization responds to IT
16:05 - 16:07

incidents would determine how well its
16:07 - 16:10

business recovers from IT incidents.
16:10 - 16:12

Planning can help to shorten the
16:12 - 16:14

recovery period and reduce losses. It is
16:14 - 16:17

essential to plan thoroughly to protect
16:17 - 16:20

staff, stakeholders, and the organization
16:20 - 16:22

from the impact of potential business
16:22 - 16:25

from IT failure and security breaches. A
16:25 - 16:27

recovery plan could include the
16:27 - 16:28

following:
16:28 - 16:31

(1) the recovery period goals,
16:31 - 16:34

(2) strategies to recover the business
16:34 - 16:36

activities within the quickest possible
16:36 - 16:38

time, and
16:38 - 16:41

(3) a description of resources, equipment,
16:41 - 16:43

and staff required to recover the
16:43 - 16:45

company's operations.
16:45 - 16:48

Information Technology Standard.
16:48 - 16:50

According to International Standards
16:50 - 16:52

Organization (ISO), a standard is a
16:52 - 16:55

document that provides requirements,
16:55 - 16:57

specifications, guidelines, and
16:57 - 16:59

characteristics that can be used
16:59 - 17:02

consistently to ensure that materials,
17:02 - 17:04

products, processes, and services are fit
17:04 - 17:06

for their purpose.
17:06 - 17:08

Standards allow technology to work
17:08 - 17:10

seamlessly and establish trust so that
17:10 - 17:13

markets can operate smoothly. IT
17:13 - 17:14

standards are beneficial to
17:14 - 17:16

organizations because they
17:16 - 17:19

provide a common language to measure
17:19 - 17:21

and evaluate performance,
17:21 - 17:24

make information sharing easy through
17:24 - 17:27

IT and computer systems, and
17:27 - 17:31

protect consumers by ensuring safety,
17:31 - 17:34

durability, and market equity.
17:34 - 17:36

Standards and their development frame
17:36 - 17:38

guide and normalize almost all areas of
17:38 - 17:39

our lives.
17:39 - 17:42

For example, standards in IT govern
17:42 - 17:44

information sharing between digital
17:44 - 17:47

devices, platforms, and standardized
17:47 - 17:49

production machines to ensure uniform
17:49 - 17:51

repair and reproduction.
17:51 - 17:54

Standardization in accounting, health care,
17:54 - 17:57

or agriculture promotes best industry
17:57 - 17:59

practices that emphasize safety and
17:59 - 18:00

quality control.
18:00 - 18:03

Standards reflect the shared values,
18:03 - 18:06

aspirations, and responsibilities within
18:06 - 18:07

organizations.
18:07 - 18:09

Good knowledge of the most current
18:09 - 18:11

standards can drive innovation, increase
18:11 - 18:14

research and development's market value,
18:14 - 18:16

and promote international trade and
18:16 - 18:18

commerce. ISO
18:18 - 18:21

27,001 is an international IT standard.
18:21 - 18:24

By the way, ISO is an abbreviation for
18:24 - 18:27

International Standard Organization.
18:27 - 18:31

Now, let us discuss ISO 27,001.
18:31 - 18:32

ISO
18:32 - 18:36

27,001: International IT Standard.
18:36 - 18:37

ISO
18:37 - 18:40

27,001 is an international standard that
18:40 - 18:43

describes best practices for information
18:43 - 18:46

security management systems. It belongs
18:46 - 18:49

to a 27,000 family of standards, all of
18:49 - 18:51

which aim to help keep a business'
18:51 - 18:53

information assets secure.
18:53 - 18:56

The standard specifies controls that are
18:56 - 18:59

key to maintaining security. ISO
18:59 - 19:03

27,001 control, amongst others highlight
19:03 - 19:04

the following:
19:04 - 19:07

1. Security policy states what an
19:07 - 19:10

information security policy is, what it
19:10 - 19:12

should cover and why a company should
19:12 - 19:14

have a security policy.
19:14 - 19:17

2. Organizational security states how an
19:17 - 19:20

organization should manage information
19:20 - 19:22

security in a business.
19:22 - 19:25

3. Asset classification and control
19:25 - 19:27

describe how to audit and manage a
19:27 - 19:30

company's information, computers, software,
19:30 - 19:32

and services.
19:32 - 19:36

4. Staff security focuses on training,
19:36 - 19:39

responsibilities, vetting procedures, and
19:39 - 19:41

response to incidents.
19:41 - 19:44

5. Physical and environmental security
19:44 - 19:47

entails keeping key locations secure and
19:47 - 19:48

physical control of access to
19:48 - 19:51

information and equipment.
19:51 - 19:54

6. Communications and operations
19:54 - 19:55

management secure operation of
19:55 - 19:58

information processing facilities during
19:58 - 20:00

day-to-day activities, especially
20:00 - 20:02

computer networks.
20:02 - 20:05

7. Access control emphasizes the right
20:05 - 20:07

to use information and systems based on
20:07 - 20:09

business and security needs, precisely
20:09 - 20:11

controlling who can do what within an
20:11 - 20:14

organization's information resources.
20:14 - 20:15

8.
20:15 - 20:18

System development and maintenance, if an
20:18 - 20:20

organization develops its software, the
20:20 - 20:23

design should be suitable, secure and
20:23 - 20:25

maintain information integrity.
20:25 - 20:28

9. Business continuity management
20:28 - 20:30

ensures that essential business
20:30 - 20:32

activities are maintained during adverse
20:32 - 20:34

conditions, thereby coping with major
20:34 - 20:37

disasters to minor local issues.
20:37 - 20:39

Like other International Standard
20:39 - 20:41

Organizations management system
20:41 - 20:44

standards, the company can certify the
20:44 - 20:46

business to ISO 27,001,
20:46 - 20:49

but certification is not mandatory. The
20:49 - 20:51

company may decide to implement the
20:51 - 20:53

standard to benefit from the best
20:53 - 20:55

practice it contains or may wish to
20:55 - 20:57

certify to reassure customers and
20:57 - 21:00

clients that follow information security
21:00 - 21:02

management systems best practice.
21:02 - 21:04

Information Technology Risk Management
21:04 - 21:06

Checklist.
21:06 - 21:08

Risk management can be relatively simple
21:08 - 21:10

if its basic principles are understood
21:10 - 21:12

and applied. Here is a checklist to
21:12 - 21:15

ensure effective IT risk
21:15 - 21:18

management: 1. Think about IT security
21:18 - 21:20

from the start when planning and
21:20 - 21:22

updating an IT system.
21:22 - 21:25

2. Actively look for IT risks that could
21:25 - 21:28

affect the business; and identify the
21:28 - 21:31

likelihood, costs, and impact of those
21:31 - 21:32

risks.
21:32 - 21:35

3. Think about the opportunity,
21:35 - 21:37

capability, and motivation behind
21:37 - 21:39

potential attacks.
21:39 - 21:42

Understand the reasons for a cyber-attack.
21:42 - 21:45

4. Assess the seriousness of each IT
21:45 - 21:47

risk and focus on those that are most
21:47 - 21:49

significant.
21:49 - 21:50

5.
21:50 - 21:53

Understand the relevant laws, legislation,
21:53 - 21:55

and industry guidelines, especially if
21:55 - 21:58

the company must comply with the General
21:58 - 22:01

Data Protection Regulation (GDPR) and
22:01 - 22:02

other local and international
22:02 - 22:04

regulations.
22:04 - 22:08

6. Configure computers, servers, firewalls,
22:08 - 22:10

and other technical elements of the
22:10 - 22:13

system. Keep software and hardware
22:13 - 22:15

equipment up to date. Put in place other
22:15 - 22:18

standard cybersecurity measures and
22:18 - 22:19

read about securing the company's
22:19 - 22:21

wireless network.
22:21 - 22:24

7. Do not rely on just one technical
22:24 - 22:28

control, for example, a password. Use
22:28 - 22:30

two-factor authentication to guarantee
22:30 - 22:33

user identity, for example, something
22:33 - 22:35

introduces additional security such as
22:35 - 22:39

ID card, PIN, and password.
22:39 - 22:42

8. Develop data recovery and backup
22:42 - 22:44

processes and consider daily backups to
22:44 - 22:46

off-site locations.
22:46 - 22:49

9. Support technical controls with
22:49 - 22:52

appropriate policies, procedures, and
22:52 - 22:54

training. Understand the most common
22:54 - 22:57

insider threats in cybersecurity.
22:57 - 23:00

10. Make sure that the company has a
23:00 - 23:02

business continuity plan.
23:02 - 23:04

This should cover any severe IT risk
23:04 - 23:07

that cannot be fully controlled. The
23:07 - 23:09

business continuity plan should be
23:09 - 23:11

updated and reviewed regularly.
23:11 - 23:14

11. Establish effective IT incident
23:14 - 23:16

response and recovery measures, as well
23:16 - 23:19

as a recording and management system.
23:19 - 23:22

Simulate incidents to test and improve
23:22 - 23:25

the company's incident planning, response,
23:25 - 23:27

and recovery framework.
23:27 - 23:30

12. Develop and follow specific IT
23:30 - 23:32

policies and procedures, such as email
23:32 - 23:35

and internet use, and ensure that
23:35 - 23:38

company's staff know what is acceptable.
23:38 - 23:41

13. Consider certification to the IT
23:41 - 23:43

security management standards for the
23:43 - 23:46

business and its business partners.
23:46 - 23:48

Having highlighted the IT Risk
23:48 - 23:50

Management Checklist, let us proceed to
23:50 - 23:53

discuss IT Risk Management Policy.
23:53 - 23:56

IT Risk Management Policy.
23:56 - 23:59

IT policies and procedures explain why
23:59 - 24:01

it is essential to manage IT risks in
24:01 - 24:04

business. The company can have IT
24:04 - 24:06

policies and procedures as part of its
24:06 - 24:08

risk management plans or business
24:08 - 24:11

continuity strategy. The company's IT
24:11 - 24:13

policies and procedures should make them
24:13 - 24:16

available to its staff and suppliers to
24:16 - 24:18

endure adequate understanding of:
24:18 - 24:22

1. Potential risks to the company's IT
24:22 - 24:24

systems and data,
24:24 - 24:26

2. Procedures that are in place to
24:26 - 24:28

mitigate them,
24:28 - 24:32

3. Processes for handling everyday tasks,
24:32 - 24:37

4. Managing changes to IT systems,
24:37 - 24:40

5. Ways to respond to IT or data
24:40 - 24:43

security incidents, and
24:43 - 24:46

6. Acceptable behaviors about crucial IT
24:46 - 24:49

issues, such as data protection and safe
24:49 - 24:51

email use.
24:51 - 24:53

Content of Information Technology Risk
24:53 - 24:55

Management Policy.
24:55 - 24:57

An IT risk management policy should
24:57 - 24:59

specify security procedures and
24:59 - 25:01

standards that will apply in the company
25:01 - 25:03

and any staff policies the company
25:03 - 25:06

wishes to enforce.
25:06 - 25:09

1. IT Security Procedures: Technical
25:09 - 25:12

controls, such as systems that limit
25:12 - 25:14

access to sensitive data and software
25:14 - 25:16

installation, are essential for IT
25:16 - 25:19

security systems. The company needs
25:19 - 25:22

policies and procedures to ensure that
25:22 - 25:24

these controls are adequate.
25:24 - 25:28

2. IT Security Standards: Standards are
25:28 - 25:30

essential when developing a secure IT
25:30 - 25:31

environment.
25:31 - 25:34

For example, agreed standards for the
25:34 - 25:37

procurement of PCs, servers, and firewalls
25:37 - 25:40

would help to provide consistency.
25:40 - 25:43

3. IT Staff Policies: The company also
25:43 - 25:46

needs policies to manage activities that
25:46 - 25:48

could pose security threats.
25:48 - 25:50

Establishing an internet usage policy
25:50 - 25:53

and an email usage policy is also
25:53 - 25:55

necessary to protect the company's
25:55 - 25:57

systems. Conclusion.
25:57 - 26:00

IT risks and management of IT risks
26:00 - 26:03

have been discussed in this video. IT
26:03 - 26:05

risk is any threat to a business data,
26:05 - 26:08

critical systems, and business processes.
26:08 - 26:11

It is the risk associated with the use,
26:11 - 26:14

ownership, operation, involvement,
26:14 - 26:17

influence, and adoption of IT. IT risk
26:17 - 26:19

management entails a process of
26:19 - 26:22

identifying, monitoring, and managing
26:22 - 26:24

potential information security or
26:24 - 26:26

technology risks to mitigate or minimize
26:26 - 26:28

their negative impact.
26:28 - 26:30

I hope the video is educative and
26:30 - 26:33

beneficial to you. Please post your
26:33 - 26:36

comments below in the comment section.
26:36 - 26:38

If this video has been educative and
26:38 - 26:40

beneficial to you; then, give it a thumbs
26:40 - 26:43

up and share it with your friends.
26:43 - 26:45

Thank you for seeing the Risk Management
26:45 - 26:47

of Everything videos.
26:47 - 26:49

We love to hear from you. Please post
26:49 - 26:51

your comments and questions in the
26:51 - 26:53

comment section below.
26:53 - 26:55

If you are new here, make sure to
26:55 - 26:58

subscribe to our channel (Risk Management
26:58 - 27:00

of Everything channel) and press the
27:00 - 27:02

notification button so you can be
27:02 - 27:05

notified when we upload new videos.
27:05 - 27:05

Thank you.

Title:: Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)
Description:: more » « less
Video Language:: English
Duration:: 27:06

	OEVIDEOS edited English subtitles for Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)
	OEVIDEOS edited English subtitles for Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

Information Technology (IT) Risk and Management of IT Risks (Information Technology Risk Management)

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)