Managing ICT risks
Keep things running smoothly
You may already consider risks in terms of financial management, health and safety or employment issues, but many risks relate to your ICT systems. Even minor problems can affect word processing documents, accounts, budgets, reports and confidential personnel records. Even minor problems can stop an organisation in its tracks.
As well as taking action to prevent security problems, it is wise to assess the risks of failure to your ICT systems and prepare plans to deal with a failure if or when it happens.
Technology that doesn’t work
Hardware or software could fail to meet the organisation’s operational needs. A newly implemented network, database or finance package may not be up to the job, or equipment may prove to be unreliable.
You can manage these risks through good purchasing processes: drawing up appropriate requirements, carefully assessing suppliers, and properly managing implementation processes. You should also ensure that you have adequate and appropriate technical support for your technology. A volunteer may be fine for a small community group, but a team of ten people using a small network of computers may need help on a range of issues – no good if your volunteer is only available in the evenings.
Secure your assets
Think about the physical security of equipment and protecting the data held on computer systems. Risks include computer system failures such as a network going down, or loss of data owing to a flood or fire damage. Computers and hard drives can be stolen. Or someone could get unauthorised access to information, either via the Internet or equipment left unsupervised in an office.
Make sure you have an inventory of all your ICT equipment and keep it off-site in case of a fire. Get adequate insurance cover and secure your PCs and laptops physically. Use security marking and carefully manage who has permission to access documents or directories on a computer network.
Policies and procedures
Look at your current policies and procedures and make sure they include protective measures to prevent problems and protect personal and/or confidential information on your organisation’s computers.
Remember that having the procedures and policies in place is not enough. They need to be managed by a named individual, enforced, and regularly reviewed with the whole team.
Dealing with risks
Risk assessment helps you deal with problems before they happen.
- Identify the risk
  What can go wrong? e.g. accounting software crashes
- Evaluate the risk
  How likely is it to occur? e.g. high, medium or low likelihood
- Analyse the risk
  What would be the consequences? e.g. unable to manage finances
- Manage the risk
  What systems, policies and procedures will minimise the effects of the risk should it occur? e.g. daily back-ups
Stay safe and legal
Consider the relevant laws and regulations that apply to you and the risks that could arise from your use of technology, in the form of penalties and/or prosecution for lack of compliance. For example:
- Data Protection Act: e.g. failing to adequately protect personally identifiable information, or inappropriate marketing using personal information
- Charities Law and Companies Act: e.g. financial reporting requirements not met because of computer systems going down and failure to do adequate back-ups of financial information
- Disability Discrimination Act: e.g. failure to provide suitable computer equipment to disabled employees, failure to make reasonable adjustments to your website to make it accessible
- Health and Safety Act: e.g. failure to provide suitable display screen equipment or working arrangements that allow computer users to take adequate breaks
- Software licensing and copyright regulations: e.g. using unlicensed software, employees downloading music on to work machines, using copyrighted material on your organisation's website without the permission of the copyright owner, etc
- Breach of libel laws: e.g. inappropriate use of Internet/email by staff such as libellous or defamatory material sent by email or posted to Internet sites
More information can be found in Section 4 on policies and procedures.
Weblink
Visit Microsoft’s Business site to help keep track of security issues: www.bcentral.co.uk/businesstechnology/it-security/
