Case Study

ICT Risk Assessment for Council

Client Details
  • Council – Review current ICT Policies, Strategy, BCP and carry out an ICT Risk Assessment
The Challenge(s)
  • Council is audited annually by the Audit Office and must address the lack of a Risk Management Policy
  • Increase in the effectiveness and competence of attacks
  • Complexity of deploying solutions from multiple vendors
  • Pressures from Management and stakeholders to secure environment
  • Limited Budget and Resources
The Solution
  • Evaluation of risks against future planned projects and upgrades
  • Follow an ISO 27001 ISMS approach and methodology
  • Review current risks; review risk registers and gain an understanding of the current security posture
  • Identify and classify the information, crown jewels, sources, locations, and critical infrastructure
  • List potential attack vectors and rate all risks
  • Carry out workshops with key stakeholders (including decision makers) to make sure that everyone understands the risks. Identify the costs and consequences of the risks.
  • Provide a revised ICT Risk Register with a high-level plan that can be integrated within the ICT Strategy
What did we learn?
  • There is a wide gap in understanding between Management, the ICT Team and the council's staff. Expected outcomes and goals can vary quite dramatically.
  • Collating all the information and details in a simplified format and helping all stakeholders understand and accept the real risks is the key to minimising time and budget wastage.
  • Improving and investing in security needs to become an integral part of ICT Strategic Planning.
  • In some cases, the risk can be addressed by the adoption of some relatively simple and low-cost strategies.