Risk Review is the process of reviewing the organisation as a whole and looks at every part of the organisation that has involvement in the IT system. This includes looking at Human Resource policies and training to ensure that users know what they should and should not use the IT system for, right through to the physical security of the network.

Risk Review uses a holistic view of an organisation to analyse the security of an IT system. This involves looking at every part of the organisation in the attempt to secure the system against risks and to develop a recovery plan should the risk occur within the system. As part of a Risk Review, Aperio analysts will look at everything from Human Resources recruitment and training procedures to ensure that everyone in the organisation knows the correct way to use the IT system, IT policies to ensure that there has been consideration for how data gets into and out of the network and to ensure that there is an adequate password policy.

The review will also look at the physical security of the network and may include areas such as how secure the server room is e.g. who has server room keys, if the server room is protected by a fire door, if the server room has a fire prevention system installed. The review may also look at how backup tapes are handled e.g. are they stored in a fireproof safe or if a copy of the tapes are stored off site.  Risk reviews may also look at how the system would be recovered should it be the victim of corruption, data deletion or a disaster like a virus attack.

An IT risk review may also look at user education within the organisation across the management structure from the very top i.e. directors right down to ground level users of the organisation e.g. receptionists. Ensuring that there is a complete system of education ensures that all users know about the risks involved in using an IT system and have the knowledge and understanding about how the system can be placed at risk. They should also be aware of the consequences of using the system in an inappropriate way.

After a Risk Review has been completed, a report will be produced by Aperio which will, for example, detail the areas which were review, what each area was reviewed against and then may also detail any changes which the analyst believes could be made to the area of the business to help reduce the risk to the IT system.