ASSESSING YOUR ORGANIZATION'S IT RISK

By Stephen T. Clements, CPA - Senior Manager

The National Association of Corporate Directors published its 2009 nonprofit (NFP) governance survey, which represented the responses of more than 100 NFP board trustees regarding their board practices. One area which continues to be a focus of concern among those surveyed is information technology (IT) risk.

The first step for any organization in identifying IT risk would be to obtain an understanding of existing policies, procedures, and controls. IT policies, procedures and controls should be responsive to the risks faced by the organization. The interpretation of IT risks and their severity of the risk is a matter of judgment which depends on many factors such as the size of the organization and the depth of the organizations reliance on IT in its day to day operations. The assessment should focus on the security related to information or protecting the organization from potential risks.

The IT risk assessment process should address five categories (as listed below followed by a brief description of each category) and how the organizations current policies, procedures, and controls address the identified level of risk related to each within the organizations IT environment.

Risk Management: IT risk management is an ongoing process of understanding and monitoring information technology risks. This process includes understanding the related assets (physical, system, server, storage, communications), range of threats (accidental, natural, malicious, business change), strategies for addressing risks (acceptance, avoidance, transfer, insurance) and controls to manage risk (preventive, detective, corrective, predictive).

IT Security: To address IT security, organizations should develop policies and procedures to address acceptable use, access controls, application security, change control, data handling, disaster recovery, email, encryption, internet access and use, mobile computing, network security, physical access, privacy, remote access, secure disposal, use of personal equipment and vulnerability management.

Human Resource Security Elements: Effective IT controls include certain human resource elements including defining the roles and responsibilities of users and ensuring they are subject to acceptable use policies, non-disclosure requirements, information handling expectations and prohibitions from unauthorized software use or installation.

Communications and Operations Management: Communications and operations management involves addressing changes in IT systems, managing third party service provider controls, assessing and monitoring system capacity, implementing solutions to external threats, ensuring appropriate back-up, managing wireless access, ensuring the security of data sent and received and addressing risks related to removable media.

Business Continuity and Disaster Recovery: Organizations should have business continuity and disaster recovery plans responsive to the scale and risks related to their IT infrastructure. Such plans should include the conditions which activate the plan, maintenance schedules to ensure revisions and testing as appropriate and specific information on assets, locations, service providers, etc.

For a more comprehensive discussion regarding this article or any other IT risk concerns affecting your organization please contact your Blue & Co. advisor.