Information technology has become central to how business is done today: the world is moving towards digitalisation, and business processes have taken their hands off paper and moved to digital form as well.
While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT.
In today's scenario, information technology has become synonymous with one of the most important assets of the business, because the most valuable information of the business is held in digital form.
But can you imagine the situation if one day your entire IT assets are compromised or the critical information of your business is stolen?
Information technology risk (IT risk, or IT-related risk) is any risk related to information technology. Various events or incidents that compromise IT in some way can therefore have adverse impacts on the organisation's business processes or mission, ranging from inconsequential to catastrophic in scale.
Today IT risk is the highest risk an organisation faces, because IT is its most critical and significant part: if your IT is compromised, the whole business comes to a standstill. That is where IT risk assurance and IT management come into play.
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, and whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers. BMS can be those observers and perform the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.
The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization’s information. Specifically, information technology audits are used to evaluate the organization’s ability to protect its information assets and to properly dispense information to authorized parties.
The IT audit that BMS performs aims to evaluate the following:
- Will the organization's computer systems be available for the business at all times when required? (availability)
- Will the information in the systems be disclosed only to authorized users? (security and confidentiality)
- Will the information provided by the system always be accurate, reliable, and timely? (integrity)
In this way, the audit aims to assess the risk to the company's most valuable asset (its information) and establish methods of minimizing those risks.
IT Risk Management System:
Assessing the probability or likelihood of various types of event or incident, together with their predicted impacts or consequences should they occur, is a common way to assess and measure IT risks. Alternative methods of measuring IT risk typically involve assessing other contributory factors such as threats, vulnerabilities, exposures, and asset values.
National Information Assurance Training and Education Center defines risk in the IT field as:
- The loss potential that exists as the result of threat-vulnerability pairs. Reducing either the threat or the vulnerability reduces the risk.
- The uncertainty of loss expressed in terms of probability of such loss.
- The probability that a hostile entity will successfully exploit a particular telecommunications or COMSEC system for intelligence purposes; its factors are threat and vulnerability.
- A combination of the likelihood that a threat shall occur, the likelihood that a threat occurrence shall result in an adverse impact, and the severity of the resulting adverse impact.
- The probability that a particular threat will exploit a particular vulnerability of the system.
In layman's terms, the IT-related risks above are the risks that cause you financial losses because your IT is compromised by a certain event, or because someone steals or exploits the information stored through different mediums, for example by hacking. When IT and its periodic appraisal are this important, a periodic audit of the same is just as important, and for that BMS is always a call away.
Risk can also be defined as the net mission impact, considering:
- the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability, and
- the resulting impact if this should occur.
IT-related risks arise from legal liability or mission loss due to:
- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation and operation of the IT system.
Measuring IT Risk:
You can’t effectively and consistently manage what you can’t measure, and you can’t measure what you haven’t defined.
If numerical values are assigned (money for impact and probabilities for the other factors), the risk can be expressed in monetary terms and compared with the cost of countermeasures and with the residual risk that remains after the security control is applied. It is not always practical to express these values, so in the first step of risk evaluation, risks are graded on dimensionless three- or five-step scales.
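The paragraph above describes two ways of expressing a risk: in money (probability times monetary impact, compared against the cost of a countermeasure and the residual risk left after it) and on a dimensionless three-step scale. The following script is an added example written for this page, not BMS's own audit tooling; the two scenarios, their probabilities, loss figures, control costs and the monetary thresholds used for the three-step grading are all constructed, assumed values.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One risk scenario with its proposed countermeasure (assumed figures)."""
    name: str
    probability: float          # annual probability that the event occurs (0..1)
    impact: float               # monetary loss if the event occurs
    control_cost: float         # annual cost of the proposed countermeasure
    residual_probability: float  # probability once the control is in place
    residual_impact: float       # loss once the control is in place


def expected_loss(probability: float, impact: float) -> float:
    """Risk in monetary terms: probability of the event times its monetary impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be in 0..1, got {probability}")
    if impact < 0:
        raise ValueError(f"impact must be non-negative, got {impact}")
    return probability * impact


def grade(amount: float, thresholds=(10_000.0, 100_000.0)) -> str:
    """Dimensionless three-step grading of a monetary risk (thresholds are assumed)."""
    low_cap, medium_cap = thresholds
    if amount < low_cap:
        return "LOW"
    if amount < medium_cap:
        return "MEDIUM"
    return "HIGH"


def evaluate(s: Scenario) -> dict:
    """Compare inherent risk, residual risk and the control's cost for one scenario."""
    inherent = expected_loss(s.probability, s.impact)
    residual = expected_loss(s.residual_probability, s.residual_impact)
    reduction = inherent - residual
    return {
        "name": s.name,
        "inherent": inherent,
        "residual": residual,
        "reduction": reduction,
        "grade": grade(inherent),
        # The control pays for itself only if it removes more expected loss than it costs.
        "worthwhile": reduction > s.control_cost,
    }


# Constructed scenarios; none of these numbers come from a real assessment.
SCENARIOS = [
    Scenario("Ransomware on the file server", probability=0.25, impact=400_000.0,
             control_cost=30_000.0, residual_probability=0.125, residual_impact=80_000.0),
    Scenario("Loss of an unencrypted laptop", probability=0.5, impact=12_000.0,
             control_cost=10_000.0, residual_probability=0.5, residual_impact=1_200.0),
]


def evaluate_all(scenarios=SCENARIOS) -> list:
    return [evaluate(s) for s in scenarios]


if __name__ == "__main__":
    for result in evaluate_all():
        print(f"{result['name']}: inherent {result['inherent']:,.0f} ({result['grade']}), "
              f"residual {result['residual']:,.0f}, reduction {result['reduction']:,.0f}, "
              f"control worthwhile: {result['worthwhile']}")
```

The `worthwhile` flag is a purely monetary comparison; a control can still be justified on grounds the figures do not capture, such as a legal requirement, which is why the page's later sections stress independent assurance rather than arithmetic alone.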
OWASP proposes practical risk-measurement guidelines in which the risk is rated from 0 to 9 based on:
- Threat agent factors
- Vulnerability factors
- Technical impact factors
- Business impact factors
- Rate likelihood and impact on a LOW, MEDIUM, HIGH scale, where less than 3 is LOW, 3 to less than 6 is MEDIUM, and 6 to 9 is HIGH.
- Calculate the overall risk severity using the following table:
[Table: Overall Risk Severity]
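As an added example (this is illustrative code written for this page, not OWASP's or BMS's own tooling), the script below carries the OWASP rating through end to end: each of the four factor groups is scored 0 to 9, likelihood is the average of the threat-agent and vulnerability factors, impact is the average of the business-impact factors (falling back to the technical-impact factors when no business figures are available, as OWASP's methodology recommends), both are mapped to LOW/MEDIUM/HIGH with the thresholds stated above, and the pair is looked up in OWASP's published Overall Risk Severity table. The individual factor names follow OWASP's Risk Rating Methodology; the sample scoring of a hypothetical SQL injection finding is constructed.

```python
from statistics import mean

# Factor names per OWASP's Risk Rating Methodology, grouped as the page lists them.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# OWASP's Overall Risk Severity table, keyed by (impact level, likelihood level).
SEVERITY = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}


def level(score: float) -> str:
    """Map a 0..9 score to LOW / MEDIUM / HIGH using the thresholds given on the page."""
    if not 0 <= score <= 9:
        raise ValueError(f"score must be in 0..9, got {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors: dict, names: tuple) -> float:
    """Average the named factors, rejecting missing names or values outside 0..9."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for n in names:
        value = factors[n]
        if isinstance(value, bool) or not isinstance(value, (int, float)) or not 0 <= value <= 9:
            raise ValueError(f"factor {n} must be a number in 0..9, got {value!r}")
    return mean(factors[n] for n in names)


def rate(threat_agent: dict, vulnerability: dict,
         technical_impact: dict, business_impact: dict = None) -> dict:
    """Full OWASP-style rating: likelihood, impact, their levels and the overall severity."""
    likelihood = average({**threat_agent, **vulnerability}, THREAT_AGENT + VULNERABILITY)
    if business_impact is not None:
        impact = average(business_impact, BUSINESS_IMPACT)
    else:
        impact = average(technical_impact, TECHNICAL_IMPACT)
    likelihood_level, impact_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood,
        "impact": impact,
        "likelihood_level": likelihood_level,
        "impact_level": impact_level,
        "severity": SEVERITY[(impact_level, likelihood_level)],
    }


# Constructed sample: a hypothetical SQL injection finding in an internet-facing login page.
SAMPLE_FINDING = dict(
    threat_agent={"skill_level": 3, "motive": 4, "opportunity": 9, "size": 9},
    vulnerability={"ease_of_discovery": 7, "ease_of_exploit": 5,
                   "awareness": 6, "intrusion_detection": 8},
    technical_impact={"loss_of_confidentiality": 7, "loss_of_integrity": 7,
                      "loss_of_availability": 5, "loss_of_accountability": 7},
    business_impact={"financial_damage": 7, "reputation_damage": 5,
                     "non_compliance": 7, "privacy_violation": 7},
)


def rate_sample() -> dict:
    return rate(**SAMPLE_FINDING)


if __name__ == "__main__":
    result = rate_sample()
    print(f"likelihood {result['likelihood']:.3f} ({result['likelihood_level']}), "
          f"impact {result['impact']:.3f} ({result['impact_level']}) "
          f"-> overall severity: {result['severity']}")
```

Keeping the factor scores in the output, not just the final word, is what makes the rating auditable: a reviewer can see which factor drove a finding to Critical and challenge that single number rather than the verdict.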
IT Risk Management:
IT risk management can be considered a component of a wider enterprise risk management system.
The establishment, maintenance and continuous update of an Information security management system (ISMS) provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.
Different methodologies have been proposed to manage IT risks, each of them divided into processes and steps. The Certified Information Systems Auditor Review Manual 2006 produced by ISACA, an international professional association focused on IT governance, provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
Numerous laws have been enacted in Europe and the US concerning IT risk management.
Auditing information security is a vital part of any IT audit and is often understood to be the primary purpose of an IT audit. The broad scope of auditing information security includes such topics as data centers (the physical security of data centers and the logical security of databases, servers and network infrastructure components), networks and application security. Like most technical realms, these topics are always evolving; IT auditors must constantly continue to expand their knowledge and understanding of the systems and environment they audit.
In an ever-changing information technology world, IT and financial reporting are becoming increasingly complex as there is greater reliance on IT systems and processes. Attention is required on the design and operation of controls, which help management to have accurate, reliable information for financial reporting and the decision-making process.
There is a need for greater emphasis on system controls and a requirement for independent assurance on the design and operating effectiveness of internal controls. Our assurance team helps you evaluate the controls surrounding your financial reporting process in alignment with your business process and IT controls, with services such as:
- A comprehensive information system audit
- IT general control reviews
- ERP applications reviews focusing on financial reporting
- Pre and post implementation reviews
- CAAT (Computer Assisted Audit Techniques)
- BMS has provided IT Risk Assurance services for years.
- Our experts carry out a complete and rigorous audit procedure using audit tools and techniques and give you assurance that the IT of the business is in a sound position.
- The experts from BMS Auditing can also establish a complete IT procedure and risk management methodology, giving management the assurance and reassurance that there are no significant risks in the IT, so that management can focus on other important aspects and facets of the business.