When considering risk treatment, it is important to look at factors such as risk categorisation, threats, and vulnerabilities. These factors help the enterprise determine what level of treatment to apply to a particular risk. Where threat levels are high, management might consider applying more complex measures in order to protect the enterprise. High risks are common where the enterprise conducts its business on the Internet, for example: many hackers might be interested in bringing down the Internet site the enterprise uses or in stealing vital information from the enterprise databases.
One option the enterprise might consider is to avoid risks by, for example, ensuring that all IT equipment is purchased through certified vendors. It is also important that IT staff are trained to use and manage the equipment. A lack of trained staff might introduce risk into the enterprise, as the equipment might not be operated to the required standard.
Another way of treating risk is to transfer it. Risk can be transferred through insurance, for example. If the enterprise has determined that there is a risk of fire at the data centre, management might decide to insure the equipment and software used there. In the event of a disaster, the insurance company will pay for replacing the insured equipment and software. The enterprise can also transfer risk through equipment warranties: if there is a defect or system malfunction, the supplier replaces the equipment as per the terms of the warranty.
IS auditors should ensure that the enterprise has put in place effective plans for risk transfer in order to protect the business. Risk transfer does not provide immediate relief, as the replacement of equipment takes time unless there is an arrangement with the suppliers of the systems.
Another measure management can use is to apply appropriate controls, such as implementing a disaster-recovery site. This ensures that systems and data can be recovered in the shortest possible time in the event of an incident. Disaster-recovery sites might be expensive to set up, but they are worth the cost if the enterprise depends on IT systems for its business operations.
An enterprise might decide to accept a risk if it is considered unlikely to occur and to have a low impact on the enterprise. A typical example is an earthquake in a zone where none has happened in a hundred years. Management might take the position that damage to IT equipment is unlikely because an earthquake might not happen. If an earthquake does happen, the enterprise will accept the damage to equipment and find money to replace the damaged equipment.
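The four treatment options described above (avoid, transfer, apply controls, accept) are usually chosen from a risk register rather than one risk at a time. The following is an added example, not from the textbook, that encodes the decision rules the text gives: accept risks that are unlikely and low-impact, accept when every treatment costs more than the asset it protects, do not rely on transfer when the payout would arrive after the business can no longer tolerate the outage (transfer gives no immediate relief), and prefer controls where the threat level is high. The 1..5 likelihood and impact scale, the score thresholds, the tie-break order and every register entry are constructed for the illustration.

```python
"""Selecting a risk treatment (avoid, transfer, mitigate, accept) for each
entry of a small risk register.

Added illustration, not from the textbook: the 1..5 likelihood/impact scale,
the score thresholds, the tie-break policy and every register entry below
are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    AVOID = "avoid"          # remove the exposure (e.g. buy only from certified vendors)
    TRANSFER = "transfer"    # insurance, warranties
    MITIGATE = "mitigate"    # apply controls (e.g. a disaster-recovery site)
    ACCEPT = "accept"        # live with the risk and pay for damage if it happens


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int              # 1 (negligible) .. 5 (severe), constructed scale
    asset_value: float       # value of what the treatment would protect
    # Treatments on offer and what each would cost; ACCEPT is always available.
    options: dict[Treatment, float] = field(default_factory=dict)
    # Transfer pays out only after a claim: hours until the business is made whole.
    transfer_relief_hours: float = float("inf")
    # How long the business can survive without the asset.
    max_outage_hours: float = float("inf")


# Constructed thresholds on the 1..25 (likelihood x impact) scale.
ACCEPT_AT_OR_BELOW = 4   # unlikely and low impact: accept
HIGH_RISK_FROM = 15      # high threat level: prefer the control-based treatment

# Tie-break when several affordable treatments cost the same.
PREFERENCE = (Treatment.AVOID, Treatment.TRANSFER, Treatment.MITIGATE)


def risk_score(risk: Risk) -> int:
    return risk.likelihood * risk.impact


def affordable_options(risk: Risk) -> dict[Treatment, float]:
    """Treatments worth considering: cheaper than the asset they protect and,
    for transfer, paying out before the business can no longer tolerate the loss."""
    usable = {}
    for treatment, cost in risk.options.items():
        if cost > risk.asset_value:
            continue  # treatment costs more than the asset it protects
        if treatment is Treatment.TRANSFER and risk.transfer_relief_hours > risk.max_outage_hours:
            continue  # transfer gives no immediate relief; the payout would arrive too late
        usable[treatment] = cost
    return usable


def recommend(risk: Risk) -> Treatment:
    score = risk_score(risk)
    if score <= ACCEPT_AT_OR_BELOW:
        return Treatment.ACCEPT
    usable = affordable_options(risk)
    if not usable:
        return Treatment.ACCEPT  # nothing affordable: accept, even if the loss would be severe
    if score >= HIGH_RISK_FROM and Treatment.MITIGATE in usable:
        return Treatment.MITIGATE  # high threat level: apply controls rather than rely on a payout
    # Otherwise the cheapest treatment, using PREFERENCE order to break ties.
    return min(usable, key=lambda t: (usable[t], PREFERENCE.index(t)))


def evaluate_register(risks: list[Risk]) -> dict[str, Treatment]:
    return {risk.name: recommend(risk) for risk in risks}


# Constructed sample register.
REGISTER = [
    Risk("Internet site brought down / database theft", 5, 5, 2_000_000,
         {Treatment.MITIGATE: 150_000, Treatment.TRANSFER: 60_000},
         transfer_relief_hours=720, max_outage_hours=24),
    Risk("Fire at the data centre", 2, 5, 800_000,
         {Treatment.TRANSFER: 20_000, Treatment.MITIGATE: 500_000},
         transfer_relief_hours=336, max_outage_hours=720),
    Risk("Untrained staff mis-operating equipment", 4, 3, 300_000,
         {Treatment.AVOID: 30_000, Treatment.MITIGATE: 90_000}),
    Risk("Earthquake in a historically quiet zone", 1, 4, 500_000,
         {Treatment.MITIGATE: 200_000}),
    Risk("Replacing the plant after total loss", 3, 5, 1_000_000,
         {Treatment.MITIGATE: 1_500_000, Treatment.TRANSFER: 1_200_000}),
]

if __name__ == "__main__":
    for name, treatment in evaluate_register(REGISTER).items():
        print(f"{name:50} -> {treatment.value}")
```

Running the register shows the Internet-facing risk going to controls even though insurance is cheaper, because a payout months later does not keep a site running; the data-centre fire goes to insurance; the staffing risk is avoided; the earthquake is accepted on likelihood; and the plant replacement is accepted because every treatment exceeds the asset value. The thresholds and the preference order are policy choices an enterprise would set for itself, and an auditor would expect to see them documented alongside the register.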
If the cost of treatment is higher than the value of the assets the enterprise is trying to protect, management might also accept the risk and the damage to equipment, even if this means going out of business. A typical example would be replacing a brewery plant. Management might think