IT Risk Security Audit

Risk assessment for IT systems identifies what information, data or infrastructure you have in your business, the impact of this being inaccessible, and the impact on the business function as a whole. In essence you identify, rank, prioritise, categorise and mitigate Information Technology risks. The same approach applies to any kind of risk (operational, marketing, sales, finance) in any business.

To determine what the risks are to your business:

  • What is the critical information contained within your computer systems?
  • If this was to be exposed, stolen or unavailable to your organisation, what impact would this have on your business operations?
  • What are the business critical functions that require this information?
  • What threats could affect the ability of those business functions to operate?

Once you have a clear understanding of what requires protection, you can develop the process to mitigate the risk. Before you spend resources on mitigation, you need to understand and reconcile the ‘why’:

  • What is the risk that you are mitigating?
  • Is this the highest priority risk to the organisation or just an individual?
  • Is your intended approach the most cost-effective way to address it?

This is the core process for identifying your risks and developing a risk assessment.

Risk is the likelihood of a financial loss to an organisation.

  • What is the threat?
  • How vulnerable are the systems?

Risk implies uncertainty: if something is guaranteed to happen it is not a risk but a certainty, and you would be advised to put controls in place to address it.

Here are some common ways you can suffer financial damage:

  • Legal. If data has been stolen from a computer system, the data protection commission must be notified and, depending on the seriousness, the Police as well. Failure to comply with these legal obligations can result in legal or monetary impact on the business.
  • Data loss. Theft of customer or business information could cause you to lose business to your competitors; loss of customer information could result in loss of trust and customer attrition.
  • Inability to access systems or data. If an IT system fails to allow access to data, staff may be prevented from performing their daily duties, management from receiving reports on the operations of the business, customers from placing orders, and everyone from communicating with each other.
  • Reputation. Loss of company data can affect the trust placed in it by its customers, staff and other stakeholders. Although with so many incidents occurring with data breaches, I suspect the public at large are becoming passé about loss of their personal information.

# 1. Identify your Assets

Perform an audit of the electronic / computer hardware, software, communications and data contained within the business.

Confer with others to understand what information is critical to the business function. Work with management and others to review the list of valuable assets.

For each asset, gather the following information, as applicable:

  • Hardware
  • Software
  • Communications Equipment or Resources
  • Criticality
  • Function
  • Data
  • Users

IT Risk Management, like most of IT, is a cost to an organisation. You must accept that there will be a limited budget for risk controls; it is a necessary evil for a business to function in this day of cyber security and IT risk management.

Cyber security: this term is bandied about a lot. It means the security of all data, hardware and communications platforms used within an organisation to operate, and the processes in place to keep them secure.

You will need to define a standard for determining the importance of each asset class, e.g. monetary value, legal standing and importance to the business. Once a standard has been approved and incorporated into the risk assessment security policy, use it to classify each asset.

# 2. Identify Threats

A threat is anything that could exploit a weakness to breach security and cause harm to your organisation. The most advertised threats are hackers and malware, but there are many others to contend with:

  • Environmental factors. Floods, hurricanes, earthquakes, fire and other natural disasters can destroy far more than any system breach. You can lose not only data but also servers/hardware, backups and entire systems, so consider environmental factors in your risk assessment.
  • System failure. The likelihood of system failure depends on the quality of your equipment. Typically the expected good operational lifespan for most IT equipment is 5 years, dependent on a stable environment fit for humans to work in. For relatively new, high-quality equipment, the chance of system failure is low. But if the equipment is old or from a “no-name” vendor, the chance of failure is much higher. There is an old IT saying, ‘you will never get fired for buying IBM’: you buy the brand’s assurance of quality. Therefore it is wise to buy high-quality equipment, or at least equipment with good support.
  • Accidental human interaction. The threat from internal staff has to be factored in: mistakes happen, files are deleted, email links are clicked on, liquids are accidentally spilled.
  • Malicious Agents
    • Theft of data: classic hacking of information on your systems
    • Social engineering: misuse of somebody else’s credentials
    • Brute force attacks on computers to steal passwords, or attacks to take down online platforms

# 3. Identification of System Weaknesses

Identify weaknesses in the system that could be exploited to breach it and harm the organisation. Vulnerabilities can be identified through many sources: audit reports, NIST* vulnerability databases, vendor data, software patch reports and penetration tests.

* NIST, the National Institute of Standards and Technology, is an American standards body whose guidance is adopted worldwide for the overall management of IT risks, security and good IT practice.

Testing of the security of your IT system should be performed annually, since both the business environment and IT systems are in a constant state of change. Depending on the resources available to management and the IT department, these weaknesses may be best detected by external specialised vendors, who have dedicated teams performing these duties for many clients. Common methods include:

  • Information Security test and evaluation (ST&E) procedures
  • Penetration testing techniques
  • Automated vulnerability scanning tools

Most of these weaknesses are counteracted by proper patch management and physical security of your IT environment.

# 4. Controls

IT systems operate by means of controls on access to data, hardware, encryption, software and communication systems. These are typically password-enabled, with access levels applied to data. They are in place to minimise the probability that persons will have access to information beyond their appropriate job function.

Controls are both preventive and reactive to issues. For example, antivirus software is preventive, stopping malicious software from operating on your computer, while other security programs such as firewalls may be reactive, stopping issues from spreading further, locking down systems if a red flag has been raised, locking down network traffic and preventing data from being exported from the computer to the internet.

Preventive controls attempt to anticipate and stop attacks. Examples of preventive technical controls are encryption and authentication devices. Detective controls are used to discover attacks or events through such means as audit trails and intrusion detection systems.

# 5. Likelihood of the Incident

The probability of the impact is a keystone of the risk assessment. The PI (probability/impact) risk matrix chart illustrates this as a high, medium or low factor, typically coloured red (high), amber (medium) and green (low). White is used for those risks that have been mitigated and have an inconsequential impact on the business.

# 6. Impact

Impact analysis typically includes the following:

  • What is the critical information contained within your systems? If this was to be exposed or stolen, what impact would this have on your business operations?
  • What are the business critical functions that require this information?
  • What threats could affect the ability of those business functions to operate?

A Business Impact Statement is used to document the impact on the organisation, by either quantitative or qualitative means: what would be compromised if an incident occurred, and the financial impact to the business.

An incident can result in the compromise of sensitive business data or customer information. This is factored into the High, Medium or Low risk categorisation. The following additional items should be included in the impact analysis:

  • The estimated frequency of the threat’s exploitation of a vulnerability on an annual basis
  • The approximate cost of each of these occurrences

# 7. Prioritising Information Security Risks

For each impact/likelihood pair, determine the IT risk to the organisation from:

  • The likelihood that the threat will exploit the vulnerability
  • The impact of the threat successfully exploiting the vulnerability
  • The adequacy of the existing or planned information system security controls for eliminating or reducing the risk

This is where the risk matrix is most useful: it visually indicates the ranking of information security risks.

# 8. Controls

Once the risk matrix is determined, an action plan should be developed.

We use this action plan to set out a 12-month process to mitigate and control the risks: high risks are tackled within a short period (immediately to 1 month), medium risks within 2 to 3 months, and low risks over the term of the action plan depending on their severity. We recommend that you conduct a quarterly review of each risk and re-score it, working with the management team to prioritise the risks according to business operational requirements.
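As an added worked example (not the article's own tool, template or spreadsheet), the Python below puts the likelihood, impact, prioritising and action-plan passages above into one small risk register: a likelihood x impact score that bands each risk red, amber, green or white (white for mitigated risks), the annualised cost from the two impact-analysis items (estimated annual frequency times cost per occurrence), and the remediation window taken from the 12-month action plan. The score thresholds for each colour band, the sample register and all of its figures are assumptions constructed for illustration; the article gives no such values.

```python
"""Worked risk-register example: likelihood x impact matrix, annualised cost
and action-plan deadlines.  Constructed illustration, not the article's tool."""
from dataclasses import dataclass

# Ordinal scale for the article's High / Medium / Low factors.
SCALE = {"low": 1, "medium": 2, "high": 3}

# Colour bands of the PI matrix, derived from likelihood x impact (1..9).
# The thresholds below are an assumption of this example.
RED_FROM, AMBER_FROM = 6, 3


def rating(likelihood: str, impact: str, mitigated: bool = False) -> str:
    """Return Red / Amber / Green for a likelihood-impact pair, or White
    for a risk that has been mitigated to an inconsequential impact."""
    if mitigated:
        return "White"
    score = SCALE[likelihood] * SCALE[impact]
    if score >= RED_FROM:
        return "Red"
    if score >= AMBER_FROM:
        return "Amber"
    return "Green"


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str          # low / medium / high
    impact: str              # low / medium / high
    annual_frequency: float  # estimated exploitations of the vulnerability per year
    cost_per_event: float    # approximate cost of one occurrence
    mitigated: bool = False  # existing controls reduce it to inconsequential

    def annualised_cost(self) -> float:
        """Estimated yearly loss: frequency x cost per occurrence."""
        return self.annual_frequency * self.cost_per_event

    def rating(self) -> str:
        return rating(self.likelihood, self.impact, self.mitigated)


# Remediation window in months from the 12-month action plan:
# high within 1 month, medium within 3, low over the plan's term, white needs none.
DEADLINE_MONTHS = {"Red": 1, "Amber": 3, "Green": 12, "White": None}
BAND_ORDER = {"Red": 0, "Amber": 1, "Green": 2, "White": 3}


def prioritise(register: list) -> list:
    """Rank by colour band first, then by annualised cost within the band."""
    return sorted(register, key=lambda r: (BAND_ORDER[r.rating()], -r.annualised_cost()))


def action_plan(register: list) -> list:
    """One tuple per risk: asset, threat, band, deadline (months), annualised cost."""
    return [
        (r.asset, r.threat, r.rating(), DEADLINE_MONTHS[r.rating()], round(r.annualised_cost(), 2))
        for r in prioritise(register)
    ]


# Constructed sample register; assets, threats and figures are illustrative only.
SAMPLE_REGISTER = [
    Risk("file server", "ransomware via phishing", "high", "high", 0.5, 80_000),
    Risk("CRM database", "credential misuse", "medium", "high", 0.2, 50_000),
    Risk("office printers", "hardware failure", "high", "low", 2.0, 500),
    Risk("archive laptop", "theft", "low", "low", 0.1, 2_000),
    Risk("payroll system", "power outage", "medium", "medium", 1.0, 1_000, mitigated=True),
]

if __name__ == "__main__":
    for row in action_plan(SAMPLE_REGISTER):
        print(row)
```

Ranking within a band by annualised cost is what makes the quarterly re-score meaningful: when frequency or cost estimates change, a risk can move both between bands and within one, and the deadline column changes with it.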

As you consider controls to mitigate each risk, be sure to consider:

  • Organisational policies
  • Cost-benefit analysis
  • Operational impact
  • Feasibility
  • Applicable regulations
  • The overall effectiveness of the recommended controls
  • Safety and reliability

# 9. Documentation

The next step of the risk assessment process is to develop a report for management. This will document risk owners, budgetary impact, resource requirements, timeline and any associated risks.

This report will identify remediation steps that will mitigate or reduce the risk. Each step has an associated cost and, as before, depending on the budget, can deliver real benefit in reducing risk. Again, there must be a business reason for mitigating the risk or prioritising it.

Some risks may be tolerated and not warrant any resources, or may be part of a risk family, where a higher-ranking risk, once mitigated, has a trickle-down reduction effect on the other risks. For example, offsite backup replication of data can address many IT security risks, as well as business continuity and restoration.

The risk assessment process for IT is at the heart of IT management and risk management. It is the process that establishes the groundwork for the organisation’s information security management, providing a framework to determine what is a threat or weakness, the means to respond, and the financial impact to the business. Ultimately it documents how a risk can be identified, ranked, controlled and mitigated.