Step 1. Inventory Assessment

 

When assessing IT security risks for a department, the first step in developing a plan is to take an inventory to determine the scope. In this step, you identify the physical and information assets that make up the department. Characterizing the department and its IT systems provides the information (e.g., hardware, software, system connectivity, and critical information) essential to defining the risk.

Identifying IT security risk for a department requires an understanding of the department's physical, IT and network environment. Create a spreadsheet. List each item you want to protect individually, specifying its location and owner.

Sample (see definitions below):

| Hardware | Operating System | Software | Interfaces | Type of Info | Crit/Confid. Info | Owner | Processes |
|---|---|---|---|---|---|---|---|
| Dell Latitude; w/Pentium 4 | XP | Netscape v7.0; MS Office | Stevens Network | Budget | No | Doe, Jane | Accounting |

Hardware (name the equipment)
Software (name the applications and provide quantity; make sure they're licensed)
System interfaces (e.g., networked or standalone? Who do you connect to?)
Type of Information (what type of information your systems hold)
Critical/Confid. Info (is the department in receipt of confidential, private, or identity-bearing data?)
Owner (staff providing IT services)
Processes (the processes performed by the system)
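
One way to check the finished spreadsheet for gaps, as an added example that is not part of the original page. It assumes the spreadsheet is exported as CSV with the column headings from the sample above and that Crit/Confid. Info is answered Yes or No; the second and third data rows are constructed to show what the checks catch.

```python
import csv
import io

# Column names taken from the sample table on this page.
COLUMNS = ["Hardware", "Operating System", "Software", "Interfaces",
           "Type of Info", "Crit/Confid. Info", "Owner", "Processes"]

# Constructed sample data: the first data row is the page's sample entry,
# the other two are made up for illustration.
SAMPLE_CSV = """\
Hardware,Operating System,Software,Interfaces,Type of Info,Crit/Confid. Info,Owner,Processes
Dell Latitude; w/Pentium 4,XP,Netscape v7.0; MS Office,Stevens Network,Budget,No,"Doe, Jane",Accounting
Example file server,Example OS,Example DB,Stevens Network,Student records,Yes,,Registration
Example desktop,Example OS,MS Office,Standalone,Payroll,maybe,"Roe, Richard",Payroll
"""


def check_inventory(csv_text):
    """Return (problems, confidential) for an inventory exported as CSV.

    problems: list of (row_number, message) for incomplete or invalid rows.
    confidential: hardware names of rows marked Yes for Crit/Confid. Info.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")

    problems, confidential = [], []
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        for col in COLUMNS:
            if not (row[col] or "").strip():
                problems.append((n, f"{col} is blank"))
        flag = (row["Crit/Confid. Info"] or "").strip().lower()
        if flag == "yes":
            confidential.append((row["Hardware"] or "").strip())
        elif flag and flag != "no":  # assumption: only Yes/No are valid
            problems.append((n, "Crit/Confid. Info must be Yes or No"))
    return problems, confidential


if __name__ == "__main__":
    problems, confidential = check_inventory(SAMPLE_CSV)
    for n, msg in problems:
        print(f"row {n}: {msg}")
    print("holds critical/confidential info:", confidential)
```
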
