

ASSESSING YOUR ORGANIZATION'S IT RISK

By Stephen T. Clements, CPA - Senior Manager

The National Association of Corporate Directors published its 2009 nonprofit (NFP) governance survey, which represented the responses of more than 100 NFP board trustees regarding their board practices. One area which continues to be a focus of concern among those surveyed is information technology (IT) risk.

The first step for any organization in identifying IT risk is to obtain an understanding of its existing policies, procedures, and controls. Those IT policies, procedures, and controls should be responsive to the risks the organization faces. Interpreting IT risks and judging their severity is a matter of judgment that depends on many factors, such as the size of the organization and the depth of the organization's reliance on IT in its day-to-day operations. The assessment should focus on the security of the organization's information, that is, on protecting the organization from potential risks.

The IT risk assessment process should address five categories (listed below, each with a brief description) and how the organization's current policies, procedures, and controls address the identified level of risk related to each category within the organization's IT environment.

Risk Management: IT risk management is an ongoing process of understanding and monitoring information technology risks. This process includes understanding the related assets (physical, system, server, storage, communications), range of threats (accidental, natural, malicious, business change), strategies for addressing risks (acceptance, avoidance, transfer, insurance) and controls to manage risk (preventive, detective, corrective, predictive).

IT Security: To address IT security, organizations should develop policies and procedures to address acceptable use, access controls, application security, change control, data handling, disaster recovery, email, encryption, internet access and use, mobile computing, network security, physical access, privacy, remote access, secure disposal, use of personal equipment and vulnerability management.

Human Resource Security Elements: Effective IT controls include human resource elements such as defining the roles and responsibilities of users and ensuring they are subject to acceptable use policies, non-disclosure requirements, information handling expectations, and prohibitions on unauthorized software use or installation.

Communications and Operations Management: Communications and operations management involves addressing changes in IT systems, managing third-party service provider controls, assessing and monitoring system capacity, implementing solutions to external threats, ensuring appropriate backups, managing wireless access, ensuring the security of data sent and received, and addressing risks related to removable media.

Business Continuity and Disaster Recovery: Organizations should have business continuity and disaster recovery plans responsive to the scale and risks of their IT infrastructure. Such plans should include the conditions that activate the plan, maintenance schedules to ensure revisions and testing as appropriate, and specific information on assets, locations, service providers, etc.

For a more comprehensive discussion of this article or any other IT risk concerns affecting your organization, please contact your Blue & Co. advisor.


If you have any questions regarding the article above or any other issue affecting your not-for-profit organization, please contact your Blue & Co. advisor, e-mail us at blue@blueandco.com, or call us at 800-717-BLUE.


Please visit our website at http://www.blueandco.com for more information regarding the services we provide.


Blue & Co, LLC | 12800 N. Meridian Street | Suite 400 | Carmel, IN 46032 *

Blue & Co, LLC | 627 Washington Street |  Columbus, IN 47201

Blue & Co, LLC | 8800 Lyra Drive | Suite 450 |  Columbus, OH 43240

Blue & Co, LLC | One American Square | Suite 2200 | Indianapolis, IN 46282

Blue & Co, LLC | 250 West Main Street | Suite 2900 | Lexington, KY 40507

Blue & Co, LLC | 500 West Jefferson Street | Suite 1600 | Louisville, KY 40202

Blue & Co, LLC | 2650 Eastpoint Parkway | Suite 300 | Louisville, KY 40223

Blue & Co, LLC | 106 Community Drive  | Seymour, IN 47274

* firm administration location
