Risk management can be relatively straightforward if you follow some basic principles.
Below are some practical hints that you may find useful:
- Take IT security into consideration from the outset when you plan new or changed IT systems.
- Actively look for IT-related risks that could affect your business. A workshop will help you think more imaginatively about risks than working alone.
- Consider the opportunity, capability and motivation of potential attackers: a threat is only realistic where all three are present.
- Assess the seriousness of each IT risk so that you can focus on those which are most significant.
- Implement standard configurations for PCs, servers, firewalls and other technical elements of the system.
- Do not rely on just one technical control (eg a password). Use two-factor authentication to raise confidence in a user's identity, eg something you have (such as an ID card or hardware token) combined with something you know (a PIN or password). Note that this strengthens, rather than guarantees, identification, so it should still be backed by the other controls listed here.
- Support technical controls with appropriate policies, procedures and training.
- Make sure you have a business continuity plan covering any serious IT-related risks that you cannot fully control.
- Regularly review and update your IT risk assessment and business continuity plan.
- Establish an effective incident recording and management system.
- Consider certification to the information security management standard ISO/IEC 27001 for your business and your trading partners.