IT risk management process
IT风险管理流程

In business, IT risk management entails a process of identifying, monitoring and managing potential information security or technology risks with the goal of mitigating or minimising their negative impact.

Examples of potential IT risks include security breaches, data loss or theft, cyber attacks, system failures and natural disasters. Anything that could affect the confidentiality, integrity and availability of your systems and assets could be considered an IT risk.

Steps in the IT risk management process
To manage IT risks effectively, follow these six steps in your risk management process:
在业务中，IT风险管理需要识别、监控和管理潜在的信息安全或技术风险的过程，以减轻或尽量减少其负面影响。

潜在的IT风险包括安全漏洞、数据丢失或被盗、网络攻击、系统故障和自然灾害。任何可能影响您的系统和资产的机密性、完整性和可用性的行为都可能被视为IT风险。

IT风险管理流程的步骤
要有效管理资讯科技风险，请在风险管理程序中遵循以下六个步骤：

1. Identify risks
   Determine the nature of risks and how they relate to your business. Take a look at the different types of IT risk.

2. Assess评估 risks
   Determine how serious each risk is to your business and prioritise them. Carry out an IT risk assessment.

3. Mitigate减轻 risks
   Put in place preventive measures to reduce the likelihood of the risk occurring and limit its impact. Find solutions in our IT risk management checklist.

4. Develop an incident response
   Set out plans for managing a problem and recovering your operations. Devise and test your IT incident response and recovery strategy.

5. Develop contingency应急 plans
   Ensure that your business can continue to run after an incident or a crisis. Read about IT risk and business continuity.

6. Review processes and procedures程序
   Continue to assess threats and manage new risks. Read more about the strategies to manage business risk.

7. 识别风险
   确定风险的性质以及它们与您的业务的关系。来看看不同类型的IT风险。

8. 评估风险
   确定每种风险对您的业务的严重程度，并对它们进行优先级排序。进行IT风险评估。

9. 减轻风险
   落实预防措施，降低风险发生的可能性，限制其影响。在我们的IT风险管理清单中查找解决方案。

10. 制定事件响应
    制定管理问题和恢复操作的计划。设计并测试您的IT事件响应和恢复策略。

11. 制定应急计划
    确保您的业务在发生事件或危机后仍能继续运行。了解IT风险和业务连续性。

12. 审评进程和程序
    继续评估威胁和管理新的风险。关于管理业务风险的策略。

IT risk controls
As part of your risk management, try to reduce the likelihood of risks affecting your business in the first place. Put in place measures to protect your systems and data from all known threats.

For example, you should:
信息技术风险控制
作为风险管理的一部分，首先要努力降低风险影响业务的可能性。采取措施保护您的系统和数据免受所有已知威胁的侵害。

例如，你应该：

Review the information you hold and share. Make sure that you comply with data protection legislation, and think about what needs to be on public or shared systems. Where possible, remove sensitive information.
Install and maintain security controls, such as firewalls, anti-virus software and processes that help prevent intrusion and protect your business online.
Implement security policies and procedures such as internet and email usage policies, and train staff.
Use a third-party IT provider if you lack in-house skills. Often, they can provide their own security expertise. See how to choose an IT supplier for your business.
If you can’t remove or reduce risks to an acceptable level, you may be able to take action to lessen the impact of potential incidents.
查看您持有和共享的信息。确保您遵守数据保护法规，并考虑在公共或共享系统中需要什么。尽可能删除敏感信息。
安装和维护安全控制，如防火墙、防病毒软件和流程，帮助防止入侵和保护您的在线业务。
执行安全政策和程序，如互联网和电子邮件的使用政策，并培训员工。
如果缺乏内部技能，请使用第三方IT提供商。常情况下，他们可以提供自己的安全专业知识。了解如何为您的企业选择IT供应商。
如果您无法将风险消除或降低到可接受的水平，您可以采取行动来减轻潜在事件的影响。

Mitigate IT risks
To mitigate IT risks, you should consider:

setting procedures for detecting problems (eg a virus infecting your system), possibly with the help of cyber security breach detection tools
getting cyber insurance against the costs of security breaches
You can also use the National Cyber Security Centre’s (NCSC) free Check your cyber security service to perform a range of simple online checks to identify common vulnerabilities in your public-facing IT.

The NCSC also offer a free Cyber Action Plan. By answering a few simple questions, you can get a free personalised action plan that lists what you or your organisation can do right now to protect against cyber attack.
降低IT风险
要降低IT风险，您应该考虑:

设置检测问题（如病毒感染您的系统）的程序，可能需要网络安全漏洞检测工具的帮助
针对安全漏洞的成本获得网络保险
您还可以使用国家网络安全中心（NCSC）的免费检查您的网络安全服务来执行一系列简单的在线检查，以识别面向公众的IT中的常见漏洞。

NCSC还提供免费的网络行动计划。通过回答几个简单的问题，您可以获得一份免费的个性化行动计划，其中列出了您或您的组织现在可以采取哪些措施来抵御网络攻击。