When assessing IT security risks for a department, the first step in developing a plan is to take an inventory to determine the scope. In this step, the physical and information assets that constitute the department are identified. Characterizing the department and its IT systems provides information (e.g., hardware, software, system connectivity, and critical information) essential to defining the risk.
Identifying IT security risk for a department requires an understanding of the department's physical, IT and network environment. Create a spreadsheet. List each item you want to protect individually, specifying its location and owner.
Example entries (see definitions below):
Hardware: Dell Latitude w/Pentium 4
Software: Netscape v7.0; MS Office
Hardware (name the equipment)
Software (name the applications and provide quantity; make sure they're licensed)
System interfaces (e.g., networked or standalone? Who do you connect to?)
Type of Information (what type of information do your systems hold?)
Critical/Confid. Info (is the department in receipt of confidential, private, or identity-bearing data?)
Owner (staff providing IT services)
Processes (the processes performed by the system)
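One way to check a finished inventory before moving on to the risk assessment, as an added example that is not part of the original page: it reads the spreadsheet exported as CSV, reports items with empty fields, and lists the items marked as holding confidential data. The column names, the yes/no convention and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Column names are assumptions derived from the field definitions on this page,
# plus "location", which the text asks for on every item.
REQUIRED = ["hardware", "software", "system_interfaces", "type_of_information",
            "critical_confidential", "owner", "location", "processes"]

# Constructed sample inventory (not real departmental data).
SAMPLE = """hardware,software,system_interfaces,type_of_information,critical_confidential,owner,location,processes
Dell Latitude w/Pentium 4,Netscape v7.0; MS Office,Networked,Student records,yes,J. Smith,Room 101,Advising
File server,Backup agent,Networked,Payroll exports,yes,,Server closet,Nightly backup
Lab PC,MS Office,Standalone,Instrument logs,no,A. Lee,,Data capture
"""

def check_inventory(csv_text):
    """Return (incomplete, confidential) for an inventory CSV.

    incomplete: list of (line_number, hardware, [empty required fields])
    confidential: hardware names flagged as holding confidential data
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    absent = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if absent:
        raise ValueError(f"inventory is missing columns: {absent}")

    incomplete, confidential = [], []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        empty = [c for c in REQUIRED if not (row[c] or "").strip()]
        name = (row["hardware"] or "").strip() or f"<unnamed, line {line_no}>"
        if empty:
            incomplete.append((line_no, name, empty))
        if (row["critical_confidential"] or "").strip().lower() in {"yes", "y", "true"}:
            confidential.append(name)
    return incomplete, confidential

if __name__ == "__main__":
    incomplete, confidential = check_inventory(SAMPLE)
    for line_no, name, empty in incomplete:
        print(f"line {line_no}: {name} is missing {', '.join(empty)}")
    print("holds confidential data:", ", ".join(confidential))
```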