How do you go about measuring the risk for your company and then actually decide to...

We use the following 3-stage process to measure the information technology risk in our company –

(1) Identify Critical Sources of Risk:

We first strive to identify the major sources of risk such as spam or junk mails, firewall breaches, virus attacks, malwares and others. We then seek ways to mitigate the risk threats from these sources by putting proper checks and balances in place.

(2)In-depth Risk Analysis including Quantification:

We use a Risk Register which includes different elements such as Risk Type and its Description, Risk Category, Root Cause, Risk Probability, Risk Impact and others.

We also make use of Expected Monetary Value Analysis to quantify risk.

(3) Incorporate Risk in SDLC (System Development Life Cycle) and in Decision Making:

We include risk management in every stage of SDLC for information system development so as to minimize risk from the initiation phase itself. Also we include risk as part of our key decision-making strategies.

Some simple and cheap ways to eliminate risks are as follows –

• Use company-wide firewall.
• Have official e-mail Ids issued to employees.
• Put restriction on movie or free software downloading sites accessed during office hours.
• Disable software download on the PC’s of employees.
• Disable Pen Drive access in the PC’s of the employees.
• Have proper anti-virus installed on the server and ensure daily virus checks on employees’ computers during lunch times.
• Keep abreast of latest viruses, malwares and others and communicate the same to employees.