IT Risk Assessment Services

No matter the industry, every organization has a mission that cannot be compromised. As the use of automated IT systems to support mission critical processes increases, risk management has become critical to protecting an organization’s information assets, and therefore its mission. IT-related risks that are not identified and mitigated could have adverse effects on an organization’s mission and could impact productivity, financial reporting, financial loss, public safety and confidence. In today’s market and economic environment, organizations cannot afford these risks.

An effective risk management process is an essential component of any successful IT security program. The principal goal of this process should be to identify specific high-risk areas facing the organization and implement solutions to protect the organization and its ability to perform its mission, not just protect the physical IT assets.

Key Risk Factors facing your organization include the following:

  • Natural and Environmental Threats: Floods, earthquakes, hurricanes, electrical storms, fires, long-term power failure, pollution, chemicals and other such events.
  • Human Threats: Intentional and malicious acts, unintentional acts, negligence, or error.

Cherry, Bekaert & Holland (CB&H) provides IT risk assessment procedures to our clients as part of their efforts to identify potential risks that could adversely affect mission critical operations and the associated activities relevant to availability, integrity, and confidentiality objectives. This risk assessment process allows our clients to consider the extent to which potential risks have an impact on the achievement of these objectives.

Our IT risk assessment process includes an identification of selected operational areas, system characterization, and identification of mission critical systems. Consideration is given to risk factors for each operational area (e.g., complexity, public sensitivity, financial significance and control environment), ultimately providing for an identification of significant risks by area. CB&H then identifies potential enhancements that should be implemented to address such risks.

Our work plan includes the following:

  • Accumulation of risk assessment criteria to be used in the performance of the risk assessment process.
  • Accumulation and evaluation of the organizational and financial data and relevant correspondence to provide for an initial assessment of areas and activities subject to risk.
  • Interviews with selected employees and key management personnel and a questionnaire with a key focus on current IT controls. Our interviews and questionnaire are focused on the identification of risks through consideration of risk factors common to operating environments and how the Organization addresses such risks.
  • An evaluation and analysis of risks identified, including assignment of relative importance (based on likelihood and impact), based on our review of organizational and financial data, review of relevant correspondence and our interviews with employees and management personnel.
  • Internal control analysis to determine if the current internal control procedures adequately mitigate the risks faced by the Organization.
  • Penetration and vulnerability assessments to identify gaps in configuration settings and network security.
  • Development of a custom Risk Matrix & Internal Controls Analysis to determine potential risks that have not been adequately mitigated by the current internal control structure.
  • Discussion of our preliminary conclusions and recommendations with designated management personnel.
  • Completion of a formal IT Risk Assessment Report based on the Evaluation Model of inherent and residual risk which is summarized by the control domain levels.
  • Development of a formal Implementation Plan that can be used to establish a timeline for implementing the recommended controls by assigning resources and responsible parties, as well as budget requirements.

Baker Tilly International | ©2010 Cherry, Bekaert & Holland, L.L.P.