Handling Security and Continuity Risk
It is seldom possible or practical to eliminate a risk to information in terms of confidentiality, integrity or availability. A business must operate efficiently and economically, and therefore management decisions should be made that balance the cost and time implications of security measures against the probability of an incident that could affect delivery of a product or service, or jeopardise the security of your business or client information.
IT and continuity risk is inherently an integral element of the overall business risk assessment. It is therefore important to establish not only the information requirements necessary for all business objectives, but also the other elements associated with this information need.
Risk Identification - the areas for consideration include which assets are involved and what the threats and vulnerabilities are, plus a review of the likelihood of the threats occurring and their consequences.
Risk Management - the assessment approach must provide a quantitative and/or qualitative measurement of risk, together with a defined risk acceptance capacity.
Risk Mitigation Plans - the approach must also recognise that cost-effective planning measures, continuity and security activities can be employed to mitigate exposure to risk.
Risk Acceptance - an essential criterion for risk assessment is the determination of what level of risk is acceptable. Such a review needs to fully evaluate what steps have been taken to minimise the risk, and thereby clarify what residual risk will be accommodated.
Risk Action Plan - having undertaken the above approach, a plan for specific risk management should be incorporated into the IT & Continuity project plan.
On-going Review - a regular assessment of risk issues and status is essential, and for continuity & IT projects it should be undertaken at regular intervals.