When performing IT risk assessments, be sure to identify both internal and external risks, threats and vulnerabilities.
Clearly, you will want to interview subject matter experts in IT, but also identify interview candidates from other departments.
Assuming you have completed a business impact analysis, you probably know who can serve as subject matter experts (SMEs) from IT and other departments. Before scheduling any interviews, prepare a proposal and project plan for the IT risk assessment and review it with management. Obtain the necessary authorizations and funding, and keep management informed of the risk assessment's progress.
If you don't have a list of SMEs, work with human resources to identify potential candidates. Remember that SMEs from other departments are regular users of IT systems, and they can offer valuable insights from their unique perspectives. Formulate questions that will help elicit their views on internal and external risks, threats and vulnerabilities. Provide a brief summary on the need for IT risk assessments before starting the interview.
Use the same approach with IT staff, as they will be able to focus more on specific technologies and their associated risks. Try to schedule half-hour interviews with department SMEs and one-hour interviews with IT. This will minimize the interruption to department SMEs. The longer interview time for IT should be sufficient to gather the risk data you need.
Here is a list of suggested user interview questions for IT risk assessments:
- How well have your IT systems performed for you?
- What problems have you experienced with these systems, if any?
- If you had problems, what kind of impact, such as loss of productivity, occurred?
- What internal risks, such as loss of power, could affect the performance of those systems?
- What external risks, such as loss of internet access, could affect the performance of those systems?
- What natural threats, such as severe weather or flooding, could affect your systems?
- What vulnerabilities, such as a security breach, could affect your systems?
- What else could negatively affect your use of your critical systems?
The above questions can be modified for IT SME interviews.
Conducting IT risk assessments is an essential part of the disaster recovery process. While it's important to interview SMEs from IT, be sure to also interview SMEs from other departments, as they can provide insights on the user side, which are just as important as those on the technical side.