Toll Free: 877-379-8279Managing Risk in the IT Environment
News / By Scott M. Lewis, President / CEO Winning Technologies Inc
News / By Scott M. Lewis, President / CEO Winning Technologies Inc
Managing risk is simply part of being in business; a basic tenet of your business operation. Many companies are simply not in tune with the risk factors that our growing involvement and reliance on technology has introduced to the business model. The purpose of this article is to explore some of the areas of risk that each of us may face and offer some practical suggestions for managing the risk more effectively.
Like most risk avoidance programs, awareness of the risk is the first step to managing it. Technology presents risk areas that we do not commonly consider. The risks can occur because of the technology itself, be found internally within a company or workgroup or externally in the form of competitors or hackers, be the result of lack of proper procedures or documentation, or the failure to adhere to the policies and procedures in place.
In many cases we can expect to virtually eliminate the risk through some common sense measures. In other cases, we need to carefully consider the amount of prevention to apply to the problem. In rare instances, prevention of a risk is virtually impossible but appropriate controls can minimize damages and establish an audit trail that allows us to understand what happened and why. Management needs to understand the risk factors present in their IT environment- and, in a broader sense, the total technical environment of the company in order to insure that everyone is aware of the risks, the cost of managing the risk and, just as importantly, the cost of NOT managing them.
Technology auditing provides a 360˚ assessment of your IT system. Usually conducted by an outside specialist or group of specialists, the IT audit has been widely employed by publicly held companies in the wake of Sarbanes Oxley. However, in 2011 acknowledging the risks around IT management I would not be surprised that we will see new government regulations and auditing requirements in private organizations soon. Designed to evaluate the strengths and weaknesses of your system, the IT audit encompasses each of the individual areas we will address in this article and may be the fastest and most cost effective way to get a handle on the state of your information system.
Generally the audit will review your infrastructure, security preparedness, staffing and procedures, license compliance, and disaster preparedness. Winning Technologies offers an IT assessment which serves as a pre-audit tool to allow an organization to quickly get an idea of the current state of their system.
The first step in managing your overall technology is to make sure you document the system.
There are a number of reasons for doing this:
• It insures that various members of the company are keeping their eye on IT- the IT group itself, direct supervision, and senior management. The simple process of overseeing your system will help insure its integrity. Technology is an area that needs oversight without proper oversight you do run the risk of having high expenditures with little return on investment because you are always trying to implement the new stuff on the block.
• Having a documented strategic plan for IT becomes a tool to plan an overall IT strategy around. It allows you to better plan for growth, system upgrades and, should you choose to insure these assets, back-up to make sure you are adequately covered.
• In the event that you have a need to bring in other resources- whether it is outside consultants or temporary help while your in-house IT resource is not available- the process of orienting new people to the "nuances" of your system becomes much easier and more efficient.
A growing area of risk for any business is exposure to potential fines for non compliance with licensing standards. A relatively new area, the exposure for not properly monitoring and documenting software licenses can be tremendous. In addition to tremendous financial exposure, the damage to a company's good name can be as costly as the fines themselves- and most companies are probably in danger of not being in total compliance. Why is this? Not because most companies have not properly purchased software for their users, or are installing pirated copies of software throughout the company. The reason why many companies sweat out a compliance audit is because they have not kept the correct records to properly document their purchases. When an audit comes knocking- it's panic time!!!
A little history of licensing compliance: The Business Software Alliance (BSA) is a software industry trade group organized to find and punish people and organizations that illegally "pirate" software. The BSA was organized in 1988 by a group of major software manufacturers (Microsoft, Apple, IBM, Cisco, Intel, etc) to begin cracking down on the illegal use of their intellectual property. According to the BSA, software piracy costs the software industry over $11 Billion per year. As overseas pirates in places like China have proliferated and buying "gray" software over the internet has intensified, the BSA has steadily increased their efforts to "ferret out" illegal software. In fact, last year the BSA sponsored a contest among grade school children to choose from 5 ferret mascots for the agency!!!
So, how do you protect yourself?
F
irst of all, be aware of how "illegal" software gets into your company. According to the BSA the common causes of illegal software are:
• Using one licensed copy of the software to install a program on multiple computers
• Copying disks for installation and distribution
• Taking advantage of upgrade offers without having a legal copy( or enough legal copies) of the version to be upgraded
• Acquiring academic or other restricted or non-retail software without a license for commercial use
• Swapping disks in or outside the workplace
So how can you manage this risk? The first step would be to insure that you are in compliance. This can be done by outside firms or you can attempt to do it yourself. The BSA website actually offers some "free" tools to help you determine if you are in compliance. If you are in compliance-great; make sure you can prove that you are. This means making sure you organize your receipts and other documentation to substantiate the software in your organization.
Another key measure is to make sure that you have published policies in place that prohibit the loading of any software not provided by the company. There are software tools which can help you to monitor to insure that your policy is being complied with. In the case of license compliance an ounce of prevention is truly worth a pound of cure.
This concludes part one of our look at risk in the IT environment, In the next installment, we will explore security issues, planning for disaster, proper planning and procedures, and managing the IT staff more effectively.
