ICT (information, communication, and technology) systems are the most basic unit of risk assessment in Diri: An ICT system is a set-up consisting of hardware, software, data and the people who use them. It commonly includes communications technology, such as the internet. An ICT system supports and streamlines business activities, just as Diri improves the risk management process. Framing a risk assessment around a system lets us limit the scope of the project in a sensible way.
ICT allows us to be:
Information is stored and processed using digital systems. Information also flows between systems following the workflow. Dividing your risk assessments into systems makes the work easier and allows for prioritization.
The ICT area can quickly become a "black box" where new systems are introduced and used without knowing the risks. Management might not know which systems are critical for the day-to-day business and warrant extra security.
Building your risk management program on ICT systems helps you gain oversight and control of one of the most crucial areas of your business. Applying the ICT systems approach to risk management allows you to work strategically with cybersecurity by mapping out the critical systems and gathering key attributes such as system owners, responsible persons, and their security requirements. Diri helps you maintain your ICT system portfolio and the risks associated with each system.
A generic business will have some inbound logistics, production of goods, and distribution of the product. We need many types of ICT systems to support these overarching activities, for example:
While these are just a few examples of system types, they give a good indication of what we mean by systems. For example, Diri is a business management system for quality control and risk and compliance. ICT systems serve one or more purposes in an organization; for example, a system used for invoicing might also be used for paying salaries. Or they can be two different ICT systems requiring individual risk assessments.
We build the ICT system portfolio in Diri to enable prioritization so that the most crucial systems are analysed first. We recommend using the overall risk assessment to guide you in mapping and registering the most critical ICT systems. The overall risk assessment asks about the organization's most important deliveries, and which IT systems are important for these deliveries to succeed. This is an efficient way to identify business-critical systems. Complete the registration and asset evaluation of the business-critical systems to prioritize further.
The purpose of delimitation is to scope the assessment such that it can be completed within a sensible time frame. Every business has grown its own jungle of ICT systems, and we can seldom risk-assess everything in one go. It therefore makes sense to delimit your risk assessment and divide the ICT area into smaller pieces that are easier to handle.
It can be hard to find a sensible delimitation when conducting a risk assessment: A system can consist of several components, data is transmitted to and received from many other applications, and perhaps even authentication happens in a third-party component. We have not put a strict frame on what an ICT system is, because it sometimes makes sense to incorporate several components into one risk assessment. For example, when assessing web services it can make sense to include the hosting, the webpage, and related components in one system. Other times, delimiting to a single application is most sensible, such as saying that the scope of this assessment is Salesforce and how it is used in our business.
Diri helps you map several properties of an ICT system that affect risk, such as whether the system is internet-facing, how it is hosted, the number of users, and who is going to use the system. All of these properties have an impact on the risk profile of the system and can be used in Diri to help you work on the risks that matter.
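To make the portfolio-and-prioritization idea concrete, here is an added example (not Diri's own code or method) that models a small ICT system portfolio with the properties named above, records each system's delimited scope as a list of components, and orders the unassessed systems so that business-critical and exposed ones are assessed first. The weights in `exposure_score` and the sample systems are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class IctSystem:
    """One entry in the ICT system portfolio, using the attributes the text lists."""
    name: str
    owner: str
    components: list = field(default_factory=list)  # delimited scope of the assessment
    supports_critical_delivery: bool = False       # answer from the overall risk assessment
    internet_facing: bool = False
    hosting: str = "on-premises"                   # "on-premises", "third-party" or "cloud"
    users: int = 0
    assessed: bool = False

def exposure_score(s: IctSystem) -> int:
    """Assumed weights for ordering the backlog; higher means assess sooner."""
    score = 0
    if s.supports_critical_delivery:
        score += 100                      # business-critical systems always come first
    if s.internet_facing:
        score += 20                       # reachable by anyone, not just staff
    if s.hosting != "on-premises":
        score += 10                       # data and operations leave our direct control
    score += min(s.users // 100, 10)      # more users, more accounts to protect; capped
    return score

def assessment_order(portfolio):
    """Names of unassessed systems, most critical or exposed first."""
    todo = [s for s in portfolio if not s.assessed]
    return [s.name for s in sorted(todo, key=exposure_score, reverse=True)]

# Constructed sample portfolio; the systems and numbers are made up.
PORTFOLIO = [
    IctSystem("Intranet wiki", "IT", ["wiki app"], users=300),
    IctSystem("Webshop", "Sales", ["hosting", "webpage", "payment gateway"],
              supports_critical_delivery=True, internet_facing=True,
              hosting="third-party", users=5000),
    IctSystem("Salesforce as used by sales", "Sales", ["Salesforce tenant"],
              supports_critical_delivery=True, hosting="cloud", users=40),
    IctSystem("Payroll", "HR", ["payroll app", "bank file export"],
              hosting="on-premises", users=5, assessed=True),
]

if __name__ == "__main__":
    for name in assessment_order(PORTFOLIO):
        print(name)
```

The already-assessed Payroll system is left out of the backlog, and the Webshop, scoped as hosting plus webpage plus payment gateway, lands first because it is both critical to a key delivery and internet-facing.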