impact might disable operations of the enterprise depending on the criticality
of the asset and its value. It is possible that an ERP system might have high
risk because of the nature of the asset and a moderate impact if appropriate
controls are applied.
3. High risk vs high impact - High risk assets include data and information.
Loss of data can have a high impact as the enterprise would have to recreate
the data, and this might mean halting business operations for some time if
the enterprise does not have an effective disaster recovery plan.
4. Low risk vs low impact - The enterprise might choose not to do anything
and accept the risk if the risk is low and impact is low. The enterprise might
be interested in assessing the impact on the enterprise even if the risk is low.
There is a possibility that the risk exists but with a low impact that does
not look bad. The enterprise might consider low-cost insurance to cover the
low impact. An example would be loss of scanning software in the enterprise.
The risk of losing a copy of the software is there but might be low, and
the impact is low in relation to the operations of the company, which might
already have the software installed on the workstations.
5. Low risk vs moderate impact - A similar analysis and response might be
taken in a low risk versus moderate impact situation. Since the impact is
moderate and risk low, this means the impact is possible. Action should be
taken to protect the asset. The enterprise can opt for low-cost mitigation
since the risk is low. Having trained IT staff would be an example of low
risk as we expect them to professionally manage an IT infrastructure.
6. Low risk vs high impact - Low risk means that the probability of an event is
low and the event is only remotely possible. An example would be an earthquake
happening in a non-earthquake zone, such as sub-Saharan Africa. The risk is low
but the impact is high. Designers of data centres or buildings may not worry
very much about buildings being hit by earthquakes as the risk is low.
Management would be worried about the high impact. Some action such as low-cost
insurance can be taken just in case the data centre is hit by an earthquake.
It all depends on whether management can stomach the impact if it occurs.
7. Moderate risk vs low impact - In this scenario, the risk is moderate, which
means that the event could possibly happen. Management needs to take some
action depending on the value and criticality of the asset.