Information technology risk management




Risk Management in IT and its impact

Information technology plays a crucial role in many business organizations. Anyone who manages or owns a business that uses information technology needs to identify the risks to its data and IT systems, to manage or reduce those risks, and to develop a response plan for an IT crisis. Business owners also have legal duties relating to electronic transactions, privacy and staff training, and these duties shape IT risk management strategies. IT risks include software and hardware failure, human error, viruses and malicious attacks, spam, and natural disasters such as floods, cyclones and fire (Powell & Landauer, 2010).

Risk Management Planning

Risk management planning is the process of identifying risks, assessing them and developing strategies to manage them. A risk management plan is generally considered one of the most significant parts of business continuity. Being aware of the IT risks facing the institution, and finding several approaches to minimize their impact, helps the organization recover appropriately. The project described here is technological: it entails fixing the computer security systems within the organization. It will cover every department in the business, and it will be conducted over one month. The project aims to prevent damage to or theft of the organization's information, to prevent service disruption, and to prevent damage to or theft of hardware (Powell & Landauer, 2010).

Additionally, the project will help control access to the organization's computers, in order to minimize unauthorized access to data and loss of that data to attackers or to other individuals within the organization. The project faces many risks, including vandalism, theft of security resources, hackers, fire, theft of hardware and software, and weather events such as flooding. Computer security within the organization will entail equipping the computers with the latest security technology to prevent attacks by former employees, by other personnel within the organization and by external attackers such as hackers. On completion of the project we expect every computer system in the organization to be fully protected for the set period, with the risk of attack minimized as far as possible. The deliverables will include security software and hardware as well as security cameras to help track the individuals who access information from the main server and from other parts of the organization. Organizations continue to lose valuable data through attacks because the measures in place to deal with them are inadequate (Powell & Landauer, 2010).

The project will adopt the A-CAT risk management strategy to deal with these effects. A-CAT stands for avoidance of the risk, control or mitigation of the risk, acceptance of the risk and, finally, transfer of the risk to other organizations able to deal with its outcome. Avoiding the risk will entail having plans in place, such as security cameras, to monitor the individuals who access the organization's computer resources. Controlling or mitigating the risk will entail reducing its likelihood or impact through intermediate steps, such as reducing the number of people accessing the servers at any one time. Accepting the risk will entail the organization budgeting to deal with the risk should it occur (Powell & Landauer, 2010).

Finally, transferring the risk will entail insuring all the computer security devices and machines, so that the risk is outsourced to a third party such as an insurance company that will manage the outcome. The company will also use team workflow technology in dealing with any risks that arise. The management plan will follow several steps: risk identification, analysis of the risk, an action plan and, finally, monitoring of the risk. A risk may originate from a dependency or from a gap within the organization. The main server is accessed by more than one individual, so monitoring access will be an effective way of managing the risks involved (Powell & Landauer, 2010).


Risk identification entails determining what hazards or risks exist or are anticipated, their remoteness in time, their characteristics, their duration and their possible outcomes. Risk identification determines the potential risks that could prevent investments, enterprises and other programs from achieving their objectives. Computer security projects have many potential risks. Risk identification entails identifying the risk, documenting it and then communicating the concern. The computer security project in the organization will be exposed to many computer security threats, a field also known as information technology security or cyber safety (Powell & Landauer, 2010).

The project's intention is to safeguard all computers and related equipment, such as computer networks, from attackers such as hackers through controlled monitoring of the individuals who access the main servers and other endpoints within the organization. The project will ensure that all the mechanisms and channels by which digital services, equipment and information are protected from unauthorized or unintended access, destruction and change are in place. It will cover both information security and physical security: information security helps prevent data loss, while physical security helps prevent theft of equipment. The project will focus on cyber security, which is the process of applying security measures to ensure the availability, integrity and confidentiality of data (Powell & Landauer, 2010).

Cyber security aims to protect a range of assets, including desktops, data, people, servers and buildings. The potential risks to the project include computer crime, eavesdropping, backdoors, denial of service attacks, direct access attacks and exploits. An exploit is a tool designed to take advantage of small problems or flaws in a computer system; this frequently includes taking control of the system, creating a denial of service condition or enabling privilege escalation, and the approach is used by many computer viruses. Eavesdropping is the act of listening in on the conversation between hosts communicating on a network; the organization's machines can also be eavesdropped on by monitoring the electromagnetic emissions generated by the hardware (Powell & Landauer, 2010). Direct-access attacks are conducted by attackers who gain direct access to a device and use it to perform many functions or to install software that compromises the device's security; the attacker may also copy a large quantity of data onto backup media. A denial of service attack is conducted by attackers to ensure that users are unable to access their data by making the system unusable. A backdoor is a mechanism in a computer system that attackers use to bypass normal authentication and access data without being detected. A vulnerability is a flaw in an installed computer system that allows attackers to exploit it and access the organization's data.

Qualitative/Quantitative Risk Management

As mentioned above, the project will use the A-CAT approach to manage the various risks identified. The first approach is avoiding the risk. This can be done by putting measures in place to prevent physical theft of software, hardware and machines such as the computers and network equipment used for security purposes; physical security and access control both serve this purpose. The second step is mitigating or controlling the risk by installing the best security software to deal with the challenge of cyber security. Mitigation may also take place after the risk has materialized, and may entail recovering the organization's files and installing a modern, better security system, such as cyber security or cloud security, so that the files and data are not easily accessed by attackers. Use of strong passwords also helps minimize the risk of attack (Powell & Landauer, 2010).

Accepting the risk when it occurs may also be essential, as it gives the technical team a chance to develop strategies for new and emerging risks that may affect the organization's security system. New risks develop every day as attackers devise new ways of accessing systems and information. The last approach is transferring the risk to other organizations that are fit to deal with the outcome (Hsu, Backhouse & Silva, 2013). This may entail ensuring that all the computer security equipment and machines are well insured, so that if an attack shuts down the equipment, the insurance company will finance the recovery and repair of the system. The project will ensure that all four approaches are properly implemented.
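A worked version of the qualitative side of this section, added here as an example and not part of the original essay: a small risk register that scores each of the risks the essay names on ordinal likelihood and impact scales, ranks them, and maps each one to an A-CAT treatment (avoid, control, accept, transfer). The scales, the scores given to each risk, and the thresholds that select a treatment are constructed assumptions for illustration; a real register would take them from the organization's own assessment.

```python
"""Qualitative risk register with A-CAT treatment selection.

Added example, not from the original essay. The risk names are the ones
the essay lists; the likelihood/impact scores and the thresholds that
pick a treatment are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal scales for qualitative scoring (constructed assumption).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The four A-CAT treatments described in the essay.
AVOID, CONTROL, ACCEPT, TRANSFER = "avoid", "control", "accept", "transfer"


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    transferable: bool = False  # insurable loss, e.g. physical damage or theft
    avoidable: bool = False     # a preventive control removes the exposure entirely

    @property
    def score(self) -> int:
        """Likelihood x impact on the ordinal scales (range 1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def choose_treatment(risk: Risk, accept_below: int = 6, transfer_at: int = 12) -> str:
    """Map a scored risk to an A-CAT treatment.

    Thresholds are assumptions: low-scoring risks are accepted (budgeted
    for), insurable high-scoring losses are transferred, risks that a
    preventive control can remove are avoided, everything else is
    controlled/mitigated.
    """
    if risk.score < accept_below:
        return ACCEPT
    if risk.transferable and risk.score >= transfer_at:
        return TRANSFER
    if risk.avoidable:
        return AVOID
    return CONTROL


def build_register(risks):
    """Return (name, score, treatment) tuples ranked from highest score down."""
    ranked = sorted(risks, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, choose_treatment(r)) for r in ranked]


# Constructed sample register using the risk types the essay lists.
SAMPLE_RISKS = [
    Risk("theft of hardware", "possible", "major", transferable=True),
    Risk("fire", "unlikely", "severe", transferable=True),
    Risk("flooding", "rare", "severe", transferable=True),
    Risk("hacker attack on main server", "likely", "major"),
    Risk("denial of service", "possible", "moderate"),
    Risk("vandalism", "unlikely", "minor"),
    Risk("eavesdropping on the network", "possible", "moderate"),
    Risk("unauthorized server-room access", "likely", "moderate", avoidable=True),
]

if __name__ == "__main__":
    for name, score, treatment in build_register(SAMPLE_RISKS):
        print(f"{score:>3}  {treatment:<8}  {name}")
```

Ranking by score first and deciding the treatment second keeps the two decisions separable: the scores come from the assessment, while the thresholds are a management choice that can be tuned (for example, raising `accept_below` once the budget for accepted risks is known) without rescoring anything.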

Risk Response Development

The project will put plans in place to deal with each individual threat or group of threats that may target the organization's computer systems. The risk from vulnerabilities will be addressed by using strong passwords, by changing passwords whenever an employee leaves and by installing the best security software to deal with attackers. Other forms of attack may be dealt with through firewalls, user account access control and intrusion detection systems, which are meant to detect network attacks and to assist with the response after an attack (Hsu, Backhouse & Silva, 2013). Direct attacks and computer crimes can be prevented through the best security measures, such as installing security cameras to monitor the employees who access the system, for example the main server; this will help identify individuals who may disrupt the system. Denial of service attacks may be prevented by securing the site and the system and by controlling and monitoring access. Other risks, such as eavesdropping, vulnerabilities and indirect attacks, may be dealt with through cyber security, which is the approach of applying security measures to ensure the availability, integrity and confidentiality of data and to protect assets including desktops, data, servers and people. It is, however, difficult to deal with every risk, and frequent monitoring and assessment will help minimize the risks involved.
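Two of the responses above, limiting how many people are on the main server at one time and retiring the accounts of staff who have left, can be checked against the server's own access log. The following is an added example, not code from the original essay or from any product it mentions: it replays a constructed login/logout log, raises an alert whenever the number of concurrently logged-in users exceeds an assumed limit, and flags any login by an account on an assumed offboarded list. The log format, the sample lines, the limit of three concurrent users and the offboarded account name are all constructed assumptions.

```python
"""Access-monitoring check for the main server.

Added example, not from the original essay. Log format, sample lines and
policy values are constructed assumptions.
"""
from datetime import datetime

# Constructed log format: "<ISO timestamp> <user> <LOGIN|LOGOUT>"
SAMPLE_LOG = """\
2024-03-04T09:00:00 alice LOGIN
2024-03-04T09:05:00 bob LOGIN
2024-03-04T09:07:00 carol LOGIN
2024-03-04T09:10:00 alice LOGOUT
2024-03-04T09:12:00 dave LOGIN
2024-03-04T09:15:00 erin LOGIN
2024-03-04T09:20:00 bob LOGOUT
2024-03-04T09:30:00 former_employee LOGIN
"""

# Assumed policy: at most three users on the main server at once, and a
# list of accounts belonging to staff who have left (these should already
# have been disabled or had their passwords changed).
MAX_CONCURRENT = 3
OFFBOARDED = {"former_employee"}


def parse_line(line):
    """Split one log line into (timestamp, user, action)."""
    ts, user, action = line.split()
    return datetime.fromisoformat(ts), user, action


def check_access(log_text, max_concurrent=MAX_CONCURRENT, offboarded=OFFBOARDED):
    """Replay the log in order and return a list of alert strings."""
    active = set()   # users currently logged in
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action = parse_line(line)
        if action == "LOGIN":
            if user in offboarded:
                alerts.append(f"{ts.isoformat()} offboarded account used: {user}")
            active.add(user)
            if len(active) > max_concurrent:
                alerts.append(
                    f"{ts.isoformat()} concurrent users {len(active)} "
                    f"exceeds {max_concurrent}: {sorted(active)}"
                )
        elif action == "LOGOUT":
            active.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in check_access(SAMPLE_LOG):
        print(alert)
```

Replaying the log as a sequence of state changes, rather than counting LOGIN lines, is what makes the concurrency check correct: a user who has logged out no longer counts, and the same user logging in twice is still one person. The offboarded-account check is the detective counterpart of the preventive control the essay describes (changing passwords on turnover); if the preventive step was missed, the login still shows up here.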

Risk Monitoring and Control

The goals of the project are to ensure that risks to the installed computer security system are minimized and prevented. This will be done by using the best modern security measures, such as cloud security and cyber security, to prevent loss of data to attackers. Progress will be monitored through a frequent assessment carried out once a month. Frequent assessment will help detect any new threats and determine how they may be countered.

Frequent assessment will help reduce the threats by updating the system with the latest computer security software and by training employees in effective practices that reduce the flaws that could be taken advantage of (Hsu, Backhouse & Silva, 2013).

In the event of an attack, the technical team will be available to counter its effects and to improve the approach. All identified risks will be documented and kept in both hard copy and soft copy. This information will be vital in educating the employees and other individuals who access the organization's systems (Hsu, Backhouse & Silva, 2013). It is the responsibility of every individual to ensure that the system is secure, since some of them may be a source of risk without being aware of it. The lesson learned is that new risks are created every day, and it is therefore the responsibility of the technical team to assess the risks frequently in order to deal with the threat. Information about the project will be shared with the organization's directors as well as the employees so that they also take part in controlling the risk.


Risks are encountered in any plan or activity. A risk management plan for the computer security project will therefore be effective in dealing with attacks and threats to both physical and information security. Organizational data is very significant to the progress of any organization and has to be protected at all costs. Being aware of the possible risks to the system helps identify ways to minimize their impact and thereby enables the organization to recover quickly (Hsu, Backhouse & Silva, 2013). Even though risks vary from one organization to another, risk management planning is a common process. Organizations should allocate enough funds and resources for risk management and mitigation.


Hsu, C., Backhouse, J., & Silva, L. (2013). Institutionalizing operational risk management: an empirical study. J Inf Technol, 29(1), 59-72. doi:10.1057/jit.2013.15

Powell, P., & Landauer, T. (2010). Risk management for information systems development. J Inf Technol, 11(4), 309-319. doi:10.1057/jit2010.5