A guide to managing the risk assessment process

Our guide, a risk assessment primer for midmarket CIOs, addresses the various types of risks within the IT department and how they can be mitigated. Learn more about how CIOs can address risk within disaster recovery, data management and project management, using the tools and resources available here.

For free advice and resources on more IT and business topics, visit our list of Midmarket CIO Briefings.

Table of contents

• How to build (and sell your business on) a risk management strategy
• Quantifying and assessing risk in IT decision-making processes
• Mitigating risk with information security basics
• Risk management strategies for disaster recovery, business continuity
• Risk assessment tools and resources
• More resources

How to build (and sell your business on)   a risk management strategy virtualization contracts

Table of Contents

Be careful what you wish for. Now that security has the attention of business management and boards of directors, CIOs must learn how to translate an information security program into terms the business understands. The first rule of thumb? Focus on results, not details.

Gartner Inc. recommends five tips for linking security to corporate performance:

• Formalize a risk and security program.
• Map key risk indicators to key performance indicators.
• Don't use operational metrics in executive communications.
• Link risk initiatives to corporate goals.
• Communicate to executives what works and what doesn't.

Find out more in "Using key risk indicators to sell your information security program." Also:

• Risk management strategy for an information technology solution provider
  Looking to create an enterprise risk management strategy for an information technology solution provider? Security management expert David Mortman weighs in.

Quantifying and assessing risk   in IT decision-making processes

Table of Contents

As many midmarket CIOs continue to face budget pressures, some are now slashing a mainstay of the IT budget: vendor maintenance contracts for software and hardware systems.

Hard-pressed to find more places to cut, CIOs are increasingly inclined to take the risks of going off vendor maintenance, or of moving to a cheaper third-party provider, interviews suggest. This is true even for mission-critical systems and even though it means forfeiting their rights to upgrade.

The surprising punch line? For CIOs who do not plan to upgrade a system soon, or carry more licenses than they now need because of layoffs, the gamble might be just the right thing to do.

Learn more in "CIOs taking risk of cutting vendor maintenance contracts to save money." Also:

• How to quantify business risk exposure to malware
  How safe is your enterprise from data-stealing malware? How can you know where your security program falls short? Find out how to gauge enterprise risk exposure to malware.
• Risky business: How to assess risk during software purchases
  Get advice from industry expert Andy Hayler on assessing risk during technology purchases. Will the product be retired or acquired? Learn how to spot the signs.

Mitigating risk with information security basics

Table of Contents

The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST standards should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it's important that employees bear more responsibility for information security.

Last month, the U.S. Secret Service underscored the cyber danger to small and medium-sized businesses (SMBs), testifying before the Senate Homeland Security and Government Affairs Committee that cybercriminals are increasingly targeting small and medium-sized businesses that do not update their computer security, according to a story by the Associated Press.

Most of the attacks are waged by overseas criminal groups looking to steal sensitive financial and personal information, said Michael Merritt, assistant director of the Secret Service's office of investigation.

Find out more in "10 must-have steps for an effective SMB information security program." Also:

• How to improve data quality on a tight budget -- a guide
  Many organizations may be tempted to forgo data quality management during a recession, but it is important to assess the ROI for managing data quality, according to an industry expert.
• How to mitigate operational, compliance risk of outsourcing services
  Companies must have an approach to evaluating partner risk, the level of risk of both the service and the provider, and the adequacy of the security practices of the provider.
• Risk management must include physical-logical security convergence
  There is a lot to be learned about using VMware Converter, configuring network connections and more when attempting to virtualize a disaster recovery site remotely.

Risk management strategies for   disaster recovery, business continuity

Table of Contents

His office is on the seventh floor of a building that's nowhere near a floodplain, so Robert Rosen had no particular fear of water damage to his IT equipment. But one weekend, in the office next door, the water filter in an office kitchen cracked, sending a stream of water onto the floor and under the wall into his facilities.

Although critical servers remained dry, the flood ruined equipment that was on the office floor, including 10 surge protectors, six uninterruptible power supplies, six power bricks and one PC. While things were drying out and a length of wallboard was replaced, Rosen implemented a disaster recovery plan that was crafted for an entirely different contingency.

Floods, fires, power failures and pandemic flu can happen. Every IT professional must envision the impact of such disasters on company operations and devise tactics to deal with them. But first, take a step back and start with a comprehensive assessment of all the risks your business faces, of which IT vulnerabilities are an important part.

Learn more about disaster recovery and risk management in "Applying risk assessment to your disaster recovery plan." Also:

• Comparing how-to guides for business continuity standards
  What needs to be done to comply with business continuity standards? First, perform a risk assessment, then define your business continuity strategy.

Risk assessment tools and resources in virtualization

Table of Contents

Using formal risk management tools, companies can more accurately calculate "worst-case scenarios" in IT and the effect their potential loss or corruption will have on the business. So how should you begin your risk management assessment process?

To get you started, we've tracked down some free risk management tools, templates, instructions, calculators and informational guides from across the Web. These free resources offer tools for assessing disaster recovery, risk management and even data loss, including:

• Risk management guidelines and procedures.
• Risk management tools.
• Disaster recovery and risk management assessments.

Go to "Free risk management tools and resources for the enterprise" to learn more. Also:

• How to choose a general security risk assessment
  Looking to do a general security risk assessment, but aren't sure how to choose one? In this security management expert response, David Mortman explains how to assess risk.
• Risk assessment frameworks easy to employ
  You can't protect what you don't know you have. Employing a risk assessment framework should be a priority for midmarket organizations.
• Open Group releases log management update, risk management guide
  The Open Group attempts to restore order to log management, compliance and risk management practices with new and updated standards and a new guide.

More resources

Table of Contents

• Risk management for the midmarket (SearchCIO-Midmarket.com resource center)
• VMware researched and organized (SearchVMware.com resource center)
• Risk management and compliance (SearchCompliance.com resource center)
• Data management: Quality and governance (SearchDataManagement.com resource center)