IT Risks and Exposures

Computers of all kinds within an organization constantly face a variety of risks and exposures. It is helpful to first define these terms:

• IT Risk: the likelihood that an adverse event could turn into a loss
• IT Exposure: the result of a threat from an adverse event that has the potential to become a risk
• Vulnerability: a system weakness that may develop into a threat or risk

The total impact of IT risks ranges from minor to devastating and may include some or all of the following:

• Loss of sales or revenue
• Loss of profits
• Loss of personnel
• Failure to comply with government requirements or laws
• Inability to serve customers
• Inability to maintain growth
• Inability to operate effectively and efficiently
• Inability to compete successfully for new customers
• Inability to stay ahead of the competition
• Inability to remain independent without being acquired or merged
• Inability to maintain the current customer base
• Inability to control costs
• Inability to keep up with technological advancements
• Inability to control employees involved in illegal activities
• Damage to business reputation
• Complete business failure

IT risks, exposures and losses may be classified as intentional or unintentional and may involve actual damage, alteration of data or programs, or unauthorized dissemination of information.

Objects that may be affected include:

• physical items such as hardware or paper output, both of which are vulnerable to risks such as theft or loss;
• the telecommunications system, which can cause major problems for the business if it is unavailable for any reason and which is also vulnerable to internal or external penetration;
• application software which, being a major control element, is vulnerable to modification, circumvention or direct sabotage;
• system software, such as the operating system itself, which may also be modified or circumvented;
• IT operations, where control procedures can be altered or circumvented;
• the data itself, where virtually anything can happen.

IS risks are the opposite of control objectives and must be treated as business risks. As such, they are the responsibility of executive management, and controls against them are applied at the technical level. Obviously, the relative importance of risks and the control techniques used will vary from industry to industry and business to business. Risks can be minimized, but they can never be completely eliminated.

Threats to the computer system

Threats can come from external or internal sources and can be intentional or unintentional, malicious or not. Insider threats can come from the following, acting alone or in collusion:

• Users
• Management
• IS Auditors
• IS Staff
• Others

Users: threats from this source are the most common and include errors, fraud, privacy violation (usually accidental), or malicious damage.