IT and Data Risk Management

PeopleTray is a modern Web application that is provided on a Software as a Service basis. It is a ‘born in the Cloud’ system developed using the Microsoft Azure platform with data stored on the Microsoft Cloud.

As a Cloud-hosted system, PeopleTray is a low-cost management tool that is easy for your team to access and use.

For most organisations, Cloud systems are likely to be more secure than traditional in-house data storage systems, due to the investment and expertise that large Cloud service providers (Microsoft, Google, Amazon) are able to apply to concepts like service recovery, latency, redundancy, scalability and security.

Storage of data on any computer or system, including a Personal Computer, in-house Server, Hosting or Cloud service, has inherent risks, which include the risk of loss of data through:

  1. Hardware (equipment/infrastructure/communications) failure
  2. Software failure
  3. Viruses and robots
  4. Process failure (e.g. failure of a backup process)
  5. Human error (e.g. accidentally deleting data)
  6. Theft or sabotage by another person or organisation
  7. Legal risks including those emanating from the jurisdiction in which the data is located
  8. Natural events
  9. Power surge or failure
  10. Failure of a supplier or provider

Storing data outside your in-house PCs or network also introduces the risk of losing access to the Internet, which would prevent you from accessing your Cloud-based management tools and your Cloud-hosted data.

One of the inherent risks of Cloud-based systems emanates from the concept of multi-tenancy. There have been examples of organisations gaining access to the data belonging to another organisation due to both organisations using common infrastructure or services.

The size, expertise and resources of the major Cloud service providers mean that mainstream Cloud services are likely to be lower in overall risk than in-house networks, servers and PCs.

Nevertheless, even if the risk is lower or considered to be ‘acceptable’, it is essential to understand those risks and ensure that a business can survive and quickly recover from a negative event related to the organisation’s business data, including:

  • Disruption of access to data.
  • Loss of data (deletion, destruction or other loss).
  • Theft of data.

Likelihood and Impact of negative events

Risk management involves evaluating the likelihood and impact of a negative event (incident) and ensuring plans and processes are in place to reduce the likelihood and mitigate the impact of negative incidents. The likelihood of a negative event can be difficult to assess, partly because of:
  • A lack of information and randomness of events.
  • The chain of technologies, services and vendors which interact and are in a state of continual change.

The impact of a negative event (data loss) is easier to assess and minimise with advance planning. For example, if data were lost:

  • How many days of work would be lost and at what cost?
  • Would production be impacted?
  • Would the loss impact the ability to service customers, or earn revenue?
  • Would it impact the ability to fulfil responsibilities or obligations (e.g. legal, financial reporting, tax, employees and stakeholders)?
  • Would the loss result in damage to brand or reputation?

Risk Management

Every organisation should have:
  • A risk management plan related to IT and data management. An important part of the plan is to determine which types of data are the most critical and most relied on by the business, and which are less critical.
  • Event/Incident procedures.
  • Disaster Recovery Plans.

Two key aspects of risk management relating to IT and data management are:
  • Backing up data in different (multiple) locations using different, unrelated and independent technology and resources.
  • Secure management of usernames and passwords.

PeopleTray provides easy tools to download data to spreadsheets. The downloaded data should be stored securely, and backup and recovery processes should be documented, tested and maintained by suitably qualified people.

The risks and procedures for managing your IT systems and data, including PeopleTray and the data that it stores and manages, should be included in your Risk Management Plans, including incident management procedures and disaster recovery plans.

These systems should be developed, validated and maintained by suitably qualified people who are available to your business in a timely manner when required.

Guide to downloading your data from PeopleTray