COBIT 5 for Risk defines IT risk as business risk, specifically, the business risk associated
with the use, ownership, operation, involvement, influence, and adoption of IT within an
enterprise.
ISO 22301 provides guidelines on the requirements for a management system to protect
against the likelihood of disruptive incidents which might impact the enterprise. The
standard is a business continuity management standard which prioritises threats to the enterprise.
IT Risk Assessment
IT risk assessment is the process of identifying risks in the IT environment. Enterprises
use various methods of carrying out risk assessments. One way of starting the process of
risk assessment is by identifying critical and non-critical assets in the enterprise.
Critical assets are critical to the operation of the enterprise. In terms of IT assets, we can
say that in an IT infrastructure, servers and databases running the ERP system are critical
since they are used to support the business of the enterprise and also store data and
information generated by the enterprise. Another critical asset would be the Internet, if the
business enterprise is dependent on the use of the Internet to conduct business. A distance-learning
university usually would conduct all its business operations online. Students are able to
register and work their way up to graduation by using an end-to-end e-learning system. In
such a case, students in different countries can enrol and take courses online via the
Internet. The Internet link and associated systems and devices, such as routers and firewalls, can
be regarded as critical assets. Distance-learning universities cannot do without these assets
if they are to support students efficiently.
Another good example is Amazon, which conducts its business on the Internet and cannot
do without the Internet. The Amazon web portal can be said to be a critical asset as it is
used as the interface with customers. Customers log in and purchase goods via the web
portal. Maintaining a 24/7 Internet connection is also critical to the survival of the business.
Data and information in both examples given above are critical assets, as the operations of
both enterprises depend on the use of information and data generated by the enterprise.
Without data and information, the two enterprises cannot communicate with their customers
or conduct their business activities.
Non-critical assets are used in the enterprise to support core activities or can be said to be
non-essential items. Printers can be said to be non-critical items in the distance-learning
university example as the university can do without printers for some time compared to not
having Internet traffic. Lack of Internet connectivity would mean no communication with
students, and students would also not be able to access documents and their coursework.
Other examples of non-critical assets in the distance-learning university would be office
productivity software such as Microsoft Word or PowerPoint. Whilst these tools are essen-