2 - The ICT System Risk Assessment

What is an ICT system?

ICT (information and communication technology) systems are the most basic type of risk assessment in Diri. An ICT system is a set-up consisting of hardware, software, data, and the people who use them. It commonly includes communication technology, such as the internet. An ICT system supports and streamlines business activities, just as Diri improves the risk management process. Framing a risk assessment around a system allows us to limit the scope of the project in a sensible way.

ICT allows us to be:

  • more productive - we can complete a greater number of tasks in the same time at reduced cost by using computers than we could prior to their invention
  • able to deal with vast amounts of information and process it quickly
  • able to transmit and receive information rapidly

Information is stored and processed using digital systems. Information also flows between systems following the workflow. Dividing your risk assessments into systems makes the work easier and allows for prioritization.

Why ICT systems in risk management?

The ICT area can quickly become a "black box" where new systems are introduced and used without knowing the risks. Management might not know which systems are critical for the day-to-day business and warrant extra security.
Building your risk management program on ICT systems helps you gain oversight and control of one of the most crucial areas of your business. Applying the ICT systems approach to risk management allows you to work strategically with cybersecurity by mapping out the critical systems and gathering key attributes such as system owners, responsible persons, and their security requirements. Diri helps you maintain your ICT system portfolio and the risks associated with each system.

Types of ICT Systems

A generic business will have some inbound logistics, production of goods, and distribution of the product. We need many types of ICT systems to support these overarching activities, for example:
  1. Inbound logistics
    1. Procurement
    2. Logistics
  2. Production
    1. Production engineering systems
    2. Marketing
    3. Sales and distribution
    4. Customer management (CRM)
    5. Human Relations (HR)
    6. Accounting and finances
    7. Webservices
    8. Office products
  3. Outbound logistics and followup
    1. Product distribution
    2. Helpdesk and support
    3. Service

While these are just a few examples of system types, they provide a useful pointer to what we mean by systems. For example, Diri is a business management system for quality control and for risk and compliance. ICT systems serve one or more purposes in an organization; for example, a system used for invoicing might also be used for paying salaries. Alternatively, these can be two different ICT systems, each requiring its own risk assessment.

Identifying business critical ICT systems

We build the ICT system portfolio in Diri to enable prioritization, so that the most crucial systems are analyzed first. We recommend using the overall risk assessment to guide you in mapping and registering the most critical ICT systems. The overall risk assessment asks about the organization's most important deliveries, and which IT systems are important for these deliveries to succeed. This approach presents an efficient way to identify business critical systems. Complete the registration and asset evaluation of the business critical systems to prioritize further.

Delimiting a system risk assessment

The purpose of delimitation is to scope the assessment so that it can be completed within a sensible time frame. Every business has grown its own jungle of ICT systems, and we can seldom risk assess everything in one go. It therefore makes sense to delimit your risk assessment and divide the ICT area into smaller pieces that are easier to handle.

It can be hard to find a sensible delimitation when conducting a risk assessment: a system can consist of several components, data is transmitted to and received from many other applications, and perhaps even the authentication happens in a third-party component. We have not put a strict frame on what an ICT system is, because it sometimes makes sense to incorporate several components into one risk assessment. For example, when assessing web services it can make sense to include the hosting, the web page, and related components in one system. Other times, delimiting to a single application is most sensible, such as stating that the scope of this assessment is Salesforce and how it is used in our business.

Properties of an ICT system that affect risk

Diri helps you map several properties of an ICT system that affect risk, such as whether the system is internet-facing, how it is hosted, the number of users, and who is going to use the system. All of these properties have an impact on the risk profile of the system and can be used in Diri to help you work on the risks that matter.
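The two ideas above, identifying business critical systems from the deliveries named in the overall risk assessment and registering the properties that affect risk, can be sketched as a small portfolio register. The following is an added example written for this article; it is not Diri's own code or scoring model. The system names, deliveries, hosting categories and the exposure weights are constructed for illustration. It goes one step beyond the text by letting criticality propagate along data-flow and authentication dependencies, so that a third-party identity provider relied on by a critical system is itself treated as critical, which is the situation the delimitation section warns about.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class IctSystem:
    """One entry in the ICT system portfolio (attributes named in the article)."""
    name: str
    owner: Optional[str]              # system owner / responsible; None = not yet registered
    internet_facing: bool
    hosting: str                      # "on-prem", "cloud" or "third-party" (constructed categories)
    users: int
    supports_deliveries: List[str] = field(default_factory=list)  # deliveries named in the ORA
    depends_on: List[str] = field(default_factory=list)           # systems it exchanges data with or authenticates through

# Constructed sample portfolio; not real customer data.
PORTFOLIO: Dict[str, IctSystem] = {s.name: s for s in [
    IctSystem("Webshop", "Sales", True, "cloud", 50000, ["Online orders"], ["Identity provider", "ERP"]),
    IctSystem("ERP", "Finance", False, "on-prem", 120, ["Invoicing", "Payroll"], ["Identity provider"]),
    IctSystem("Identity provider", None, True, "third-party", 400, [], []),
    IctSystem("CRM", "Sales", True, "cloud", 80, [], ["Identity provider"]),
    IctSystem("Intranet wiki", "IT", False, "on-prem", 350, [], []),
]}

# Constructed answer to the ORA question "which deliveries matter most?".
CRITICAL_DELIVERIES: Set[str] = {"Online orders", "Invoicing", "Payroll"}

def directly_critical(portfolio: Dict[str, IctSystem], deliveries: Set[str]) -> Set[str]:
    """Systems that directly support at least one critical delivery."""
    return {n for n, s in portfolio.items() if set(s.supports_deliveries) & deliveries}

def inherited_critical(portfolio: Dict[str, IctSystem], deliveries: Set[str]) -> Set[str]:
    """Breadth-first walk over depends_on edges: anything a critical system relies on is critical too."""
    critical = directly_critical(portfolio, deliveries)
    queue = deque(critical)
    while queue:
        name = queue.popleft()
        for dep in portfolio[name].depends_on:
            if dep in portfolio and dep not in critical:
                critical.add(dep)
                queue.append(dep)
    return critical

def exposure_score(s: IctSystem) -> int:
    """Hypothetical weighting of the risk-affecting properties; the weights are assumptions."""
    score = 3 if s.internet_facing else 0
    score += {"third-party": 2, "cloud": 1}.get(s.hosting, 0)
    if s.users >= 1000:
        score += 2
    elif s.users >= 100:
        score += 1
    return score

def registration_gaps(portfolio: Dict[str, IctSystem]) -> List[str]:
    """Systems whose owner has not been registered yet (a key attribute the article asks for)."""
    return sorted(n for n, s in portfolio.items() if s.owner is None)

def prioritized(portfolio: Dict[str, IctSystem], deliveries: Set[str]) -> List[str]:
    """Critical systems first, highest exposure first within each group, then by name."""
    critical = inherited_critical(portfolio, deliveries)
    return sorted(portfolio, key=lambda n: (n not in critical, -exposure_score(portfolio[n]), n))

if __name__ == "__main__":
    print("Critical:", sorted(inherited_critical(PORTFOLIO, CRITICAL_DELIVERIES)))
    print("Assess in this order:", prioritized(PORTFOLIO, CRITICAL_DELIVERIES))
    print("Missing owner:", registration_gaps(PORTFOLIO))
```

Note that the identity provider has no delivery of its own and would be missed by looking at the ORA answers alone; it surfaces only because the webshop and ERP authenticate through it. That is the kind of shared component that either belongs inside the scope of those assessments or needs an assessment of its own.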
