Risk assessment 101: here is your IT assessment checklist


IT managers live in an era of zero downtime. With the business world and IT now so inextricably interwoven, demand for high-performance, lightweight and low-touch IT infrastructure keeps growing. A complete halt of business processes due to downtime can seriously damage the credibility of your department, quite apart from the reputational, financial and other risk it creates for the business. This makes iterative risk assessment a key function for any IT department.

But what should your risk assessment include? What are the chief areas of risk that businesses face in an age of mobility, social media and interconnectedness? This post is by no means an exhaustive list of risk areas for your business, but it aims to highlight a few key areas that every IT manager should consider.

1. Physical risk should be at the top of your list

With viruses, worms, hackers and Trojans in overabundance, physical risk sometimes receives less attention from IT staff than it deserves. Server rooms arguably house your most important asset: your data. Anyone with physical access to a server can bypass most logical controls, for example by removing a disk, booting from external media or plugging into a console port, so access control mechanisms that restrict, monitor and log entry to your server room are crucial. Consider cleaning staff, visitors or even disgruntled office workers and the potential havoc they can wreak when given uncontrolled access to your company's server room, and the importance of a physical risk assessment becomes clear.

Physical risk also exists outside of the server room. Networking infrastructure such as switches and wireless APs is typically strewn throughout workplaces and should be located strategically, ideally in locked cabinets or wiring closets, to prevent loss of, damage to or tampering with equipment. Consider the cost to the business if a key department is rendered unproductive because the switch that connects it to the rest of the network has been damaged.

2. BYOD considerations and precautions

Balancing productivity with security can be a minefield. Businesses' reliance on technology has forced some IT professionals to open their networks to mobile devices, in many cases devices that do not even belong to the business. This would have been inconceivable just a few years ago. But times have changed, and so has the face of the company network. With Bring-Your-Own-Device (BYOD) culture now a reality for the modern IT manager, assessing and mitigating the risk involved in allowing users to connect their own mobile devices to your company network can be the difference between agility and a security nightmare.

A good starting point is to perform a needs analysis and grant access only to staff who genuinely require it, and only to the specific services they require rather than to the whole environment. Travelling sales staff, executives and management would fall into this category without much debate, but is it really necessary to expose your network by granting your receptionist access to your environment via a personal mobile device? Where access is granted, keep personal devices on a segregated network segment with only the services they need reachable, so that one compromised phone does not become a foothold on the internal network. The decision to grant access according to need might not make you popular amongst staff, but this shouldn't be your chief concern.

3. Standard operating procedures should mitigate risk and boost performance

Standard Operating Procedures (SOPs) help create networking environments that are safe, secure and predictable. Not only do they guide your IT staff in their daily functions, they also serve to create an environment that functions according to the identified best practices of the business. Risk doesn't only relate to damage, loss or theft of company assets; it includes time and productivity lost to systems that are built and maintained with no clear vision or roadmap for the future. With SOPs in place, your business can rely on a network that not only has adequate security precautions in place, but also performs consistently at peak, maximising efficiency and eliminating bottlenecks caused by underperforming technology. SOPs are only useful if they are followed and kept current, so treat deviations from them, and procedures that no longer match the environment, as findings in their own right.

4. Consider the risk your staff poses to your environment

It's ironic. The very people you're building the best IT infrastructure for can be the people who pose the biggest threat to it, whether through deliberate misuse or through honest mistakes such as falling for a phishing email or misconfiguring a system. Computer usage policies exist for a reason: keeping the business safe from staff abusing IT resources. IT risk assessments should factor in the human element and include measures that ensure the workforce understands their role in bringing about a safe, predictable and peak-performing environment. Mitigating the human element includes proactive communication around IT best practices, thorough induction of new employees and the all-important usage policy.

5. It is important to re-evaluate your disaster recovery plan

Disaster recovery and business continuity plans are a great way of ensuring that your business is able to function in the case of a catastrophe. Having said this, a continuity plan is only effective if it is continuously assessed and modified according to changing circumstances. Be sure to evaluate the efficacy of your contingency plans and test them regularly with simulations that factor in as many scenarios as you can conceive. A plan that has only been read, never exercised, is an untested assumption: actually restore from your backups onto spare hardware, measure how long it takes, and compare that against the recovery time the business says it can tolerate.

6. Risk assessment should be an iterative function

Networks change constantly. Just think about the environments IT administrators were responsible for maintaining, say, five years ago and compare them to the virtualised, internet-driven networks we find today. As networks grow and technological advancements add more functionality and features to the way we live, work and play, so does the inherent risk that comes with pushing the envelope. But this is the nature of Information and Communication Technology. The challenge lies in balancing the need for security with the onslaught of new innovations that drive us beyond perceived limitations. As IT manager, your task is to strike the right balance between these two pressing matters, and a risk assessment programme that is comprehensive, dynamic and adaptable, and that is revisited whenever the environment changes rather than on a fixed annual schedule alone, is the greatest weapon in your arsenal.

Feel free to contact us for more information