Landing : Athabascau University

CMIS 431 - Lesson 6

By Sachin Narayan April 5, 2016 - 9:23am

In lesson 6 the discussion was about risk and how to have procedures in place to mitigate those risks. The first step in creating procedures is to assess what types of risk the organization can be exposed to, internally and externally. An assessment should also be done of what effect the risk exposure might have on the organization and what the probability is that it could occur. The articles in this lesson show that there are tools available to assess risks and provide solutions for correcting a risk if it occurs. COBIT is one tool that organizations can use to help manage IT risks. It provides guidelines for businesses to assess risk and to create procedures to address it.


Having procedures and a plan in place to mitigate risk will ensure that organizations are able to recover, or continue to do business while they recover, from the risk. According to the article on continuity planning, a high number of companies do not have a business continuity plan in place for an interruption in their business, or, if a plan is in place, they do not update it or place emphasis on running through the plan in a mock setting where an interruption would occur. I believe having a continuity plan in place is very important, and having it updated every few months to current risk situations that could happen is also important. Putting the plan into action every few months is also beneficial, as this will determine whether the organization needs to update the plan, and it provides insight into how well the organization implements the plan.


Organizations should have in place a well-developed IT security governance framework. The development of an IT framework starts with management and moves through the organization, getting individuals involved in the process of designing the framework. Having individuals involved educates them and gives them responsibility for managing risk. The framework should consist of identifying the risk and evaluating all potential risks that could occur or that have occurred. After the risk(s) have been identified and evaluated, the organization must look at the cost and damage a risk can do. If the cost of the risk is greater than the cost of mitigating it, the organization must invest in the mitigating tools; but if the cost of the risk is lower than the cost of mitigating it, the organization should not invest in the mitigating tool. Another part of the framework is having in place policies relating to the use of IT that all employees must adhere to. The policy should outline the behaviour that is expected of them, must lay out rules for the use of IT during work hours and for accessing company files at home, and must explain to employees how not adhering to these policies could put the organization at risk.


Once the organization has the framework implemented, it must monitor the framework and make any changes that are needed. Having the IT security governance framework monitored will help identify new risks and ways for the organization to update the framework.

Risk management is a very important aspect of an organization; if it is not dealt with correctly, the impact could be costly. An IT security governance plan that is implemented, monitored and updated on a scheduled basis will mitigate any costly risk(s). Security should be a high priority for organizations, and they should make sure that their employees are aware of all policies relating to security. As organizations rely more and more on IT to do business, having plans implemented that can mitigate business interruptions is very important for preventing risks as well as for adapting to new technologies.