One of today’s realities is that most companies are dependent on technology to support the fulfillment of their strategic objectives. But while technology represents a strategic and tactical requirement for most businesses, it is also a source of risk. Generally speaking, technology risk is considered the risk of a given piece of technology (hardware or software) failing to perform as intended. This could include: system failures, misuse, obsolescence, inappropriate selection, vendor failure, etc. All of these types of failures will have an immediate and consequential impact on business operations. Therefore, it is critical that management fully understand its IT risk profile and proactively manage those risks through sound governance.
Note that this test is different from the Information Security Acid Test, which focuses specifically on the risk of exposure of confidential data, in any form or location. Rather, this test focuses on the business impact of potential technology failures.
In this test there are five program and governance areas described below. Score your organization based on the scale provided, then add up your total score and compare with the analysis at the end of the test.
Governance
The company has an information technology management program built on a sound governance structure including strategic planning, effective communication and proactive management tools.
- A comprehensive strategic technology plan and budget that articulates the technology that will be required to support the company’s strategic objectives.
- Some form of IT Steering Committee with representation from executive management that is charged with the oversight of the strategic IT plan, budget and implementation.
- Strong, collaborative communication between IT and key business areas to ensure that business needs are clearly understood and supported by the right technology solutions.
- Clear policies are established that define both acceptable use and risk mitigation. These policies are communicated and accessible to staff and are matched with suitable internal controls.
- Technology standards have been established to ensure consistent use of technology, compatibility of new technology with existing systems and that no technology will be acquired which cannot be adequately supported.
How would you rate your IT governance?

Management Program
A well developed and documented information technology management program exists that includes:
- Qualified IT management and staff capable of assisting in developing IT strategy, supporting the existing IT infrastructure and leading the process of change management.
- Company staff are provided periodic training in technology standards, acceptable use of company-issued technology and procedures for problem resolution.
- Proactive management of the technology infrastructure so that critical components are not allowed to function beyond their point of obsolescence or reasonable lifespan.
- A formal change management process for both new and updated technology that includes cross-functional involvement, risk assessments, approval stages, acceptance criteria, proactive communication and contingency strategies.
- A management program for third parties that either provide or support key technology infrastructure.
How would you rate your IT management?

Risk Assessment
A comprehensive IT risk assessment structure exists which includes:
- An IT inventory and classification process, which catalogs the technology infrastructure (hardware and software) and includes a classification system for identifying both criticality and risk.
- A comprehensive risk assessment framework covering the business risks of technology failure, including potential threats (internal & external), vulnerabilities & mitigating controls.
- Broad risk awareness, including: Executive & Board level awareness of the overall IT risk profile and mitigation strategies, IT level awareness of business risks (the risk to the business of a technology failure) and business level awareness of technology risks (ways that the technology can possibly fail).
- An assessment of third parties providing or supporting key parts of the technology infrastructure.
- Occasional independent testing of the technology infrastructure, particularly the security and monitoring technologies.
How would you rate your IT risk assessment structure?

Monitoring & Protection
The organization has the ability to monitor and protect technology assets from potential threats, including:
- Real-time monitoring of technology-based systemic threats, such as computer malware (e.g., viruses, Trojans, keyloggers), spam, cyber-attacks (e.g., denial of service), etc.
- State-of-the-art technology and techniques are used to protect against live threats, either with or without user interaction.
- Internal risks are actively monitored and managed, such as suspicious system activity, system degradation, email abuse, unauthorized wifi hotspots, etc.
- IT staff members stay informed of technology trends through ongoing training, involvement in trade associations and user groups, industry literature, technical conferences, etc.
- Mobile technology (laptops, PDAs, etc.) is safeguarded through systemic protections (device encryption, tracking technology, etc.) as well as user policies, procedures, training and an incident response process for when devices are lost.
How would you rate your IT Monitoring & Protection?

Incident Response
A process for responding to unexpected incidents involving technology solutions, including:
- A support center has been established in some form (whether internal or outsourced) to respond to user needs, where requests are captured, prioritized, addressed and resolved in a timely fashion.
- An incident response team has been established to respond to larger IT incidents quickly, with documented, tested procedures.
- The business continuity/disaster recovery plan covers all key technology infrastructure with detailed recovery documentation, clear roles & responsibilities and periodic testing.
- Business areas have developed contingency or offline procedures for all technology-dependent processes in the event of a technology failure.
- A process has been developed for post-incident analysis to establish lessons-learned and to take appropriate action to reduce risk as necessary.
How would you rate your Incident Response process?

Summary of ratings:
Total the five scores and use the following to analyze the state of your IT risk management program.
41 – 50 Excellent – Your program has most or all of the key elements in place. While there are always opportunities for improvement, based on this score you are likely addressing the majority of your information security risk.
31 – 40 Good – While some elements are obviously in place, there are definitely some areas that could be strengthened. A more detailed analysis of the information security program should highlight where the weaknesses are and provide direction as to how to manage this risk more proactively.
21 – 30 Poor – There are some obvious weaknesses in the program that should be addressed as quickly as possible. By strengthening the areas described above the institution should be able to reduce its information security risk significantly.
11 – 20 Critical – The program has severe structural challenges, and is allowing the institution to accept a material amount of information security risk. Most of the program is probably managed inconsistently, individually, or not at all. A detailed assessment should be completed as soon as possible and an action plan developed to strengthen all of the elements of information security risk management.
0 – 10 Extremely Critical – Simply put, there is no information security program. The institution is accepting a huge amount of risk, whether it realizes it or not. A score of less than 11 is considered extremely critical and means the institution is highly exposed to legal, financial, operational, reputation and regulatory risk related to information security.
This analysis is not intended to be an exact science or an indication of compliance with legal or regulatory requirements. It is intended to provide a general barometer of the health of the information technology management program. For a more detailed analysis, or for expert guidance in improving your IT governance, contact Eric Holmquist at Accume Partners at (856) 793-1581 or eholmquist@accumepartners.com. Visit accumepartners.com
I think that it would be important to use the Information Technology Acid Test. It would be helpful in determining the possible weaknesses of the computers and systems you use. It would be a great opportunity to fix the possible problems encountered.
Posted by Wendy Mall | November 23, 2011, 5:23 am

Nice job – I’m tweeting this! I do have a question: at which stage do you tie your tech dependencies back into business processes and then values? It’s probably here – I’m just missing it. Cheers & thanks!
Posted by beautifuldisaster | November 23, 2011, 7:32 am

Thanks for the note. I see that as a combination of two items within Governance, the very first where technology acquisitions are tied to strategy and then the third bullet which is the connecting point between business and IT. This collaborative process is critical. Keep in mind these tests are designed to give high-level benchmarks to gauge overall program strength. You can easily expand on them into much more granular levels of questions, which I highly encourage people to do! But hopefully these tests give you a place to start. Cheers.
Posted by ericholmquist | November 23, 2011, 8:32 am