Technology Risk Management


Why is technology risk management important to an organization?

Given that most organizations have limited time and resources, many do not fully appreciate the need for assessment and planning. However, technology affects employment practices, volunteer recruitment, fundraising, crisis management, copyright, security, privacy, client protection and insurance coverage. By putting in place processes to reduce or eliminate these risks, an organization can lessen the potential impact of a loss.

In short, technology risk management is essentially loss management. When a hard drive containing all of the donor data, grant funding information or financials crashes and there are no backups available, the time and resources required to rebuild or recover the information can be devastating to an organization.

Risk management for technology does not need to be complicated, and there are some very cost-effective solutions organizations can implement to ensure their mission-critical data is protected.

How would an organization go about identifying possible risks?

Before putting together a risk management process, the first step is to identify the organization's critical IT assets.

Conducting a Security Audit

A security audit is a measurable assessment of how the security policy is applied in an organization. It includes taking an inventory of the organization's hardware and software infrastructure, reviewing existing security policies and studying how staff use technology.

For small to medium-sized nonprofits, the best way to conduct a security audit is to work with an IT consultant. There is a lot of pre-audit homework the organization should prepare for the consultant, including hosting information, previous audit records and access to system log files.

Risk Assessment

Once the IT inventory has been completed, you can analyze the risks facing those assets and identify and prioritize strategies for protecting them.

Types of Risks:

Loss of Access: Theft of computers or hard drives and hardware failure all prevent staff from accessing the technology and mission-critical resources.

Cyber Attack: Malware such as viruses and Trojans can be used to steal sensitive files, including grant-related data, over the network. Denial-of-service attacks can shut down the network and prevent the organization's website from providing information to the public.

Knowledge Management: Staff turnover and improper documentation of the IT infrastructure can prevent organizations from accessing donation databases, websites and other sensitive organizational data.

Disaster Planning: Fire, flood or other natural disasters may damage computers and destroy the organization's mission-critical data.

Based on the sensitivity of the data and the likelihood of the above scenarios occurring, organizations can then prioritize the safeguards used to address these risks in a security plan.

Risk Management

Risk mitigations are the countermeasures an organization can put in place to reduce risk. Some examples are:

  • Patch known software vulnerabilities
  • Keep anti-virus software up to date
  • Improve physical security
  • Implement security policies
  • Improve training for all staff

After identifying the countermeasures for existing risks, organizations can separate them into countermeasures they have already taken, ones they will implement in the future, and ones that have been identified but will not be implemented.

It is important to evaluate and reassess the risk management process regularly to ensure proper protection of the organization's resources.

Resources:

How to identify security threats to an organization:

http://www.techsoupcanada.ca/learning_center/articles/security_threats

IT Asset Management:

http://www.techsoupcanada.ca/learning_center/articles/it_asset_management

Disaster Planning Toolkit:

http://www.techsoupcanada.ca/learning_center/articles/disaster_planning