Technology Risk Assessment, not just for the Audit Department
By Timothy M. Grace, Director of Technology Risk Advisory Services, Mueller Prost
State-sponsored hackers, ransomware operators, corporate spies, and corporate espionage campaigns are attacking today's enterprise technology environments. In most cases, the bad actors never announce themselves. They gain unauthorized access to systems through well-hidden malware that sits quietly on network devices, watching and recording traffic, data, and information either to steal it or to gain a competitive advantage from it. In some cases, compromised systems are used to stage attacks on other organizations or to store data for future use. How can a Chief Information Officer (CIO) protect the organization from becoming a victim?
With the ever-evolving and diverse range of technology within today’s organizations, threats to your information are already in place or can be introduced at any time.
Executives and company leaders must consider the implications of the organization's reliance on technology. They must ensure that organizational and customer data are protected and stay confidential, with their integrity intact, while remaining accessible to those within the organization who need them. Three key issues CIOs should evaluate during a technology risk assessment:
1. Ability to control cybersecurity, including the ability to detect and contain the kind of hidden, unauthorized access described above.
2. Ability to upgrade or replace systems. As organizations look to stay relevant, they will need to assess their current systems to ensure they are providing an optimized solution. IT departments need to upgrade old and outdated systems to newer versions and technology.
3. Ability to align operations with technology. Today's business technology needs are quickly outpacing organizations' information technology functions. CIOs need to ensure their organization meets the demands of its technology user base in order to sustain levels of productivity.
CIOs must assess not only their organization's needs but also its technology risk. Without assessing the risk associated with the technology deployed, they may be unaware of potential financial and reputational damage. Privacy issues and cybersecurity breaches often become highly publicized incidents, which can affect your organization's perceived integrity. It is therefore vital that the appropriate controls are in place to protect the confidentiality, integrity, and accessibility of private information.
Risk Management Essentials
The risk management cycle is continuous and iterative. It begins with a technology department identifying the risk universe by reviewing its broadest risk areas.
Once the root causes are identified, action plans can be developed to mitigate these issues. The basic steps of the risk management process include:
1. Identify the risk universe: the areas within the technology department where risk can arise.
2. Prioritize and filter the universe by quantifying each item's impact and probability and comparing them against the organization's risk tolerance.
3. Evaluate the prioritized risk items within the universe to determine remediation or mitigation strategies. During this evaluation -
a. Develop a corrective action plan to eliminate or mitigate the risk.
b. Determine steps to reduce risk to an acceptable level.
c. Determine whether to transfer the risk to another lower-priority process.
d. Determine whether management has a plan to accept the risk.
4. Monitor each identified risk item in the universe for events or prompts that indicate a change in the risk environment or control infrastructure.
5. Revalidate risk for changes or additions in the risk universe.
Technology Risk Assessment Timing
An IT department can perform a technology risk assessment at any time, but certain indicators point to the most appropriate moments. Here are some suggestions:
• Annually to support the development of a multiyear, risk-based technology audit plan.
• When new technology risks or challenges are introduced into the business or technology environment.
• When organizational changes occur.
• Along with strategic actions such as mergers, acquisitions, outsourcing or off-shoring.
• During operational initiatives including organizational restructuring, changes in technology use and new applications of technology.
• When market conditions change, such as growth, globalization, downsizing or stagnation.
• When the use of technology is reactive and is not keeping pace with business demands.
• When new or updated mandates are introduced (Sarbanes-Oxley, privacy, cybersecurity or internal controls regulations or industry standards).
A CIO can also use a risk assessment for technology optimization, process improvement, resource focus, valuation services and due diligence reviews.
Without a technology risk assessment and the corresponding remediation or mitigation actions, an organization may be vulnerable to an increasing range of threats that may result in legal liability, financial impact, regulatory non-compliance (state, federal, international), reputation damage, diminished resiliency, reduced reliability or lack of integrity.
The vulnerabilities uncovered by a technology risk assessment, if not mitigated, could also result in a decrease in your organization's valuation, impacting stock value, equity, borrowing power, liquidity, or a potential merger or acquisition. Vulnerabilities could also disrupt strategic alliances and joint ventures, or result in a loss of client revenue.
Technology risk assessments are key components of risk management, and they are essential to identifying the danger zones in your business and effectively control these risks. Regularly scheduled technology risk assessments should be used to update risk management plans and programs and to monitor the progress of the organization’s overall technology risk management program.
If your business has not performed a technology risk assessment, or if an existing assessment is more than a year old, now is a good time to contact your advisor.