IT Risk Assessment Checklist

What is IT risk assessment?

With threats to sensitive data growing in both number and sophistication every day, organizations cannot afford a scattershot approach to security. Instead, they need to focus their limited IT budgets and resources on the specific vulnerabilities in their unique security posture.

To do this, they need to identify, analyze and prioritize the risks to the confidentiality, integrity or availability of their data or information systems, based on both the likelihood of the event and the level of impact it would have on the business. This process is called IT risk assessment.

Why do you need IT risk assessment?

  • IT risk assessment should be the foundation of your IT security strategy to understand what events can affect your organization in a negative way and what security gaps pose a threat to your critical information, so you can make better security decisions and take smarter proactive measures.
  • IT risk assessment helps you determine the vulnerabilities in information systems and the broader IT environment, assess the likelihood that a risky event will occur, and rank risks based on the risk estimate combined with the level of impact that it would cause if it occurs.
  • IT risk assessment is required by many compliance regulations. For instance, if your organization must comply with HIPAA or could face GDPR audits starting May 2018, then information security risk assessment is a must-have for your organization in order to minimize the risk of noncompliance and huge fines.

To begin your risk assessment, take the steps listed in the following checklist. This simple checklist is just one of several tools available to conduct information security risk assessments in your organization. Once the step is complete, simply check it off.

Identify your risks to jump-start an A-class risk mitigation program

1. Collect the information you need to assess risks. Here are a few ways to do it:

  • Interview management, data owners and other employee
  • Analyze your systems and infrastructure
  • Review documentation

2. Find all valuable assets across the organization that could be damaged by the threats. Here are just a few examples:

  • Servers
  • Website
  • Client contact information
  • Trade secrets
  • Customer credit card data

3. Identify potential consequences. Determine what harm the organization would suffer if a given asset were damaged. This is a business concept, the likelihood of financial or other business losses. Here are a few consequences you should care about:

  • Legal consequences
  • Data loss
  • System or application downtime

4. Identify threats and their level. A threat is anything that might exploit a vulnerability to breach your security and cause harm to your assets. Here are a few common types of threats:

  • Natural disasters
  • Software failure
  • Hardware failure
  • Malicious human actions (interference, interception or impersonation)
  • Data backup failure
  • Power outage

5. Identify vulnerabilities and assess the likelihood of their exploitation. A vulnerability is a weakness that allows some threat to breach your security and cause hard to an asset. Vulnerabilities can be physical, such as old equipment, or a problem with software design or configuration, such as excessive access permissions or unpatched workstations.

6. Assess risk. Risk is the potential that a given threat will exploit the vulnerabilities of the environment and cause harm to one or more assets, leading to monetary loss.

7. Create a risk management plan predict risks, estimate impacts, and define responses to each risk.

8. Create a strategy for IT infrastructure enhancements to mitigate the most important vulnerabilities and get management sign-off.

9. Define mitigation processes. You can improve your IT security infrastructure but you cannot eliminate all risks. When a disaster happens, you fix what happened, you investigate why it happened, and then you try to prevent it from happening again or at least make the consequences less harmful.