Examining risk
Information about your organisation always carries some degree of security risk, and you will naturally want to limit that risk as far as possible. For this reason, government organisations are already obliged to carry out a risk analysis. Following the implementation of TOPdesk software at a government organisation, TOPdesk and 3-ANGLE Software & Services b.v. have released an example report. It is intended as a resource for TOPdesk users who want their applications to undergo a risk analysis. This article describes what a risk analysis consists of and how much risk you run with TOPdesk.
The Risk Analysis
The first step of a risk analysis is the ‘A&K analysis’ (threat and vulnerability analysis). The threat analysis determines the damage that arises when the application is unavailable, when the data in the database are untrustworthy, or when the trustworthiness of the data cannot be guaranteed. This is established by assessing the damage for a number of ‘worst case scenarios’. The vulnerability analysis shows which threats an application is exposed to and how vulnerable the organisation is to those threats. To make such an analysis, the surroundings of the application, both equipment and staff, need to be inventoried.
A conclusion of an A&K analysis may look something like this: “The risk levels for the use of TOPdesk for the registration and processing of malfunction calls and incidents are at a basic level for all impact types. In other words, it is established that the risks with regard to the availability of the application and the trustworthiness and integrity of the saved and edited data are low. In this case it would be unnecessary to take severe measures”.
Determining Risk Levels
For the risk analysis, 3-ANGLE uses the CRAMM methodology. CRAMM stands for CCTA Risk Analysis and Management Method. This methodology is used frequently in the Netherlands by government organisations and in the business world. The CRAMM methodology is supported by software that assesses the risk levels based on all the entered damage, vulnerability and threat data. A risk profile is then set up on that basis. Such a profile indicates to what extent an application, such as TOPdesk’s Incident management, is exposed to risk with regard to, for example, availability, trustworthiness and integrity.
After the Analysis
Carrying out the risk analysis is not the end of the procedure. The real work only begins after the A&K analysis. The outcome of an analysis is always a number of ‘recommended’ measures. How many of these recommended measures should be implemented, and to what extent, depends on how much risk you run.
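To make the two steps above concrete (the risk profile per impact type described under ‘Determining Risk Levels’, and the list of recommended measures that follows it), here is an added illustrative script. It is not from the example report, TOPdesk or 3-ANGLE, and it does not reproduce CRAMM’s own tables: the three-band scoring in `risk_level`, the sample threats, the damage values and the measure catalogue are all constructed assumptions. The impact types use the article’s own terms: availability, trustworthiness and integrity.

```python
"""Toy A&K-style risk profile: worst-case damage x threat likelihood x vulnerability
-> one risk level per impact type, then the measures whose trigger level is reached.
The scoring bands and all sample data are assumptions, not CRAMM's own tables."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


IMPACT_TYPES = ("availability", "trustworthiness", "integrity")


@dataclass(frozen=True)
class Threat:
    name: str
    affects: tuple          # impact types this threat can damage
    likelihood: Level       # how likely the threat is to occur
    vulnerability: Level    # how exposed the surroundings (equipment, staff) are to it


@dataclass(frozen=True)
class Measure:
    name: str
    impact_type: str
    recommended_from: Level  # recommended once the risk for impact_type reaches this level


def risk_level(impact: Level, likelihood: Level, vulnerability: Level) -> Level:
    """Assumed scheme: multiply the three factors (1..27) and cut into three bands."""
    score = int(impact) * int(likelihood) * int(vulnerability)
    if score <= 4:
        return Level.LOW
    if score <= 12:
        return Level.MEDIUM
    return Level.HIGH


def risk_profile(impact: dict, threats: list) -> dict:
    """Worst risk per impact type over every threat that can affect it.
    `impact` holds the worst-case damage level per impact type (threat analysis);
    each Threat carries the exposure found in the vulnerability analysis."""
    profile = {t: Level.LOW for t in IMPACT_TYPES}
    for threat in threats:
        for impact_type in threat.affects:
            level = risk_level(impact[impact_type], threat.likelihood, threat.vulnerability)
            profile[impact_type] = max(profile[impact_type], level)
    return profile


def recommend(profile: dict, catalogue: list) -> list:
    """Measures whose trigger level the profile reaches; which ones to implement is the
    organisation's decision, as the article notes."""
    return [m.name for m in catalogue if profile[m.impact_type] >= m.recommended_from]


# Constructed sample for an incident-registration application (all values assumed).
SAMPLE_IMPACT = {
    "availability": Level.MEDIUM,
    "trustworthiness": Level.LOW,
    "integrity": Level.MEDIUM,
}
SAMPLE_THREATS = [
    Threat("server outage", ("availability",), Level.MEDIUM, Level.LOW),
    Threat("unauthorised access", ("trustworthiness", "integrity"), Level.LOW, Level.MEDIUM),
    Threat("data entry error", ("integrity",), Level.HIGH, Level.MEDIUM),
]
SAMPLE_CATALOGUE = [
    Measure("daily backups", "availability", Level.LOW),
    Measure("high-availability cluster", "availability", Level.HIGH),
    Measure("role-based access control", "trustworthiness", Level.LOW),
    Measure("encrypt database at rest", "trustworthiness", Level.MEDIUM),
    Measure("input validation and change logging", "integrity", Level.MEDIUM),
]

if __name__ == "__main__":
    profile = risk_profile(SAMPLE_IMPACT, SAMPLE_THREATS)
    for impact_type, level in profile.items():
        print(f"{impact_type:16s} {level.name}")
    print("recommended:", recommend(profile, SAMPLE_CATALOGUE))
```

With the sample data, availability and trustworthiness come out LOW and integrity MEDIUM (the frequent data-entry-error threat lifts it), so the baseline measures plus the integrity control are recommended while the heavier availability and encryption measures are not. Replacing the bands in `risk_level` with an organisation’s real risk matrix is the only change needed to use the same structure with other scoring rules.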
Information Security
Safeguarding information is an important issue for many organisations, and the need to establish information security policies is growing. The ‘Code for Information Security’ is used by many organisations as a guideline. It is important that organisations are aware of the guidelines that must be followed when carrying out a risk analysis for information systems. CRAMM software helps organisations select the appropriate measures. TOPdesk can then be used to register security incidents, so that the next A&K analysis is based on the newest data.