ICT (information and communication technology) systems are the most basic type of risk assessment in Diri: An ICT system
The ICT area can quickly become a "black box" where new systems are introduced and used without knowing the risks. Management might not know which systems are critical for the day-to-day business and warrant extra security.
Building your risk management program on ICT systems helps you gain oversight and control of one of the most crucial areas of your business. Applying the ICT systems approach to risk management lets you work strategically with cybersecurity by mapping out the critical systems and recording key attributes such as the system owner, the person responsible for the system, and its security requirements. Diri helps you maintain your ICT system portfolio and the risks associated with each system.
Types of ICT Systems
A generic business will have some inbound logistics, production of goods, and distribution of the product. We need many types of ICT systems to support these overarching activities, for example:
- Inbound logistics
- Procurement
- Logistics
- Production
- Production engineering systems
- Marketing
- Sales and distribution
- Customer management (CRM)
- Human Resources (HR)
- Accounting and finances
- Web services
- Office products
- Outbound logistics and follow-up
- Product distribution
- Helpdesk and support
- Service
While these are just a few examples of system types, they give a good indication of what we mean by systems. For example, Diri is a business management system for quality control, risk, and compliance. ICT systems serve one or more purposes in an organization; for example, a system used for invoicing might also be used for paying salaries, or invoicing and payroll can be two different ICT systems requiring individual risk assessments.
Identifying business critical ICT systems
We build the ICT system portfolio in Diri so that the most crucial systems can be prioritized for analysis first. We recommend using the overall risk assessment to guide you in mapping and registering the most critical ICT systems. The overall risk assessment asks about the organization's most important deliveries and which IT systems those deliveries depend on to succeed. This is an efficient way to identify business critical systems. Complete the registration and asset evaluation of the business critical systems to prioritize further.
Delimiting a system risk assessment
The purpose of delimitation is to scope the assessment so that it can be completed within a sensible time frame. Every business has grown its own jungle of ICT systems, and we can seldom risk assess everything in one go. It therefore makes sense to delimit your risk assessment and divide the ICT area into smaller pieces that are easier to handle.
It can be hard to find a sensible delimitation when conducting a risk assessment: a system can consist of several components, data is transmitted to and received from many other applications, and the authentication may even happen in a third-party component. We have not put a strict frame on what an ICT system is, because it sometimes makes sense to incorporate several components into one risk assessment. For example, when assessing web services it can make sense to include the hosting, the web page, and related components in one system. Other times, delimiting to a single application is most sensible, such as saying that the scope of this assessment is Salesforce and how it is used in our business. Whatever boundary you choose, note the components left outside it, such as a third-party authentication service, so that the dependency is assessed elsewhere rather than forgotten.
Properties of an ICT system that affect risk
Diri helps you map several properties of an ICT system that affect risk, such as whether the system is internet-facing, how it is hosted, the number of users, and who will use the system. Each of these properties changes the risk profile of the system: an internet-facing system is exposed to a far larger set of attackers than an internal one, the hosting model decides who is responsible for patching and securing the platform, and the number and type of users determine how much harm a compromised account can do. Diri uses these properties to help you work on the risks that matter.