stty consulting › our future
Information & Systems Risk :: page 3
Processes
The main process related risks are:
Complacency, lack of awareness or understanding of risks, or accepting too much risk
Systems lifecycle management, poor requirements definition, poor system design and inadequate testing
Inadequate resilience, poor business continuity management
Governance weaknesses, lack of legal and regulatory compliance
The following actions will help reduce the potential impact of these risks.
Manage security proactively. If possible, use the 11-point framework of the ISO 17799 Code of Practice for Information Security. Select the controls which match your business needs and balance investment in security with the risks you're prepared to accept.
Undertake regular risk analysis of your systems. Prepare and maintain a risk reduction plan to keep up with your business.
Investigate all security incidents and use the information to improve and adapt your defences and processes.
Maintain a complete register of your assets. For information, assets include databases, drawings, and technical documents - for equipment, include memory and hard disk capacities. If you don't know you've got it, you're unlikely to miss it if it disappears. For software, practice software asset management for legal compliance and cost-effective licensing.
As a minimum, ensure that your activities comply with the Data Protection Act, especially when transferring information to third parties. Additionally you should be aware of the implications of the Computer Misuse Act and the Regulation of Investigatory Powers Act
Create a thorough business continuity plan. Keep it rehearsed, tested, and up to date. Use reports of security incidents as tests of the plan. Align your plan with the importance of the assets in your asset register. Evaluate your business' information assets according to values based on confidentiality, integrity and availability.
Quarantine new software - know what you are testing it for and make sure there are acceptable results before using it on live systems.
Protect your intellectual property vigorously with trademarks, patents and security-savvy non-disclosure agreements with everyone you work with. Build in data protection measures when you add, change or remove information form your systems. This can include scheduled checks for accuracy and currency.
The links below provide additional information and resources:
Information security best practice
Business continuity planning in IT
page 1 :: page 2