Managing IT risk is part of running any business these days. Regardless of the type of business, understanding and managing one’s IT risks will help to increase security, reduce management costs and achieve greater compliance. Managers who fail to identify, assess and mitigate IT risk are setting themselves up for serious security breaches, reputational damage, and financial losses. Further, those leaders who think that managing IT risk is the job solely of the IT staff may be in for a big shock.
Firstly, we need to understand that information is an asset that, like other important business assets, has value to an organization and therefore needs to be suitably protected. We need to ensure that information is accessible only to those authorized to have access (confidentiality), that we safeguard the accuracy and completeness of information (integrity), and that authorized users have access to that information when required (availability).
Before discussing how to go about determining one’s level of risk, it is important to understand risk nomenclature:
A risk is the possibility of a threat (or source) acting upon a vulnerability (or weakness) causing harm to an asset (or resource).
A risk is qualified (or measured) by what the probability (or likelihood) is of the event happening and what the impact (or severity) would be of the consequences.
Risk Management is all about discovering your most critical assets, understanding their weaknesses and loss expectancy, and then focusing your attention on the highest-probability and highest-impact areas in order to prioritize your risk treatment efforts.
The following figure (from ISO/IEC 15408, “Common Criteria”) depicts the value relationship of owners to their assets. Ultimately the challenge is to introduce effective countermeasures (or safeguards) that restrict a threat agent (the catalyst that performs the threat) from successfully exploiting a known threat against an asset’s vulnerabilities.
Before any risk analysis can be performed, a Security Risk Profile must first be created for the asset(s) in question. The security risk profile gathers information about the asset to help rate its sensitivity to security risks. Factors that are considered include financial, legal, and reputational damages, or regulatory constraints/restrictions, that may result from a security violation. It is important that a designated Asset Owner rates the asset’s importance to the organization from an information security perspective and within the context of the entire enterprise environment. Assets are normally assigned a value (High, Moderate, Low) relative to the organization’s tolerance for risk.
Once the risk is assessed, a Risk Map is used to plot the probability and impact of the risk occurring. The map allows one to visualize risks in relation to each other, gauge their extent, and plan what type of risk treatments should be implemented. Below is a simplified example of a Risk Map. As you can see, there are various risk treatments available to decision makers.
[Figure: simplified Risk Map, plotting the probability of each risk against its impact]
By looking at the business risks this way, the most critical risks can be addressed and mitigated first.
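To make the process above concrete, here is a small added example (not from the article) of a risk register: each risk is scored from its probability, impact and the Asset Owner's High/Moderate/Low rating, placed in a Risk Map quadrant, and ranked so the most critical risks come first. The 1..5 scales, the asset weights, the quadrant threshold and the sample register are all assumptions made for the example, and the quadrant treatments are the standard mitigate/transfer/accept options rather than anything the article prescribes.

```python
from dataclasses import dataclass

# Scales assumed for this example (the article does not fix any):
# probability and impact are rated 1 (lowest) .. 5 (highest), and the
# Asset Owner's High/Moderate/Low rating is turned into a weight.
ASSET_WEIGHT = {"High": 3, "Moderate": 2, "Low": 1}


@dataclass
class Risk:
    asset: str
    asset_value: str   # "High", "Moderate" or "Low", from the security risk profile
    threat: str
    vulnerability: str
    probability: int   # likelihood of the threat exploiting the vulnerability, 1..5
    impact: int        # severity of the consequences, 1..5

    def score(self) -> int:
        """Probability x impact, weighted by how much the asset matters."""
        return self.probability * self.impact * ASSET_WEIGHT[self.asset_value]


def risk_map_cell(risk: Risk, threshold: int = 3) -> str:
    """Place a risk in one of four Risk Map quadrants and name the usual
    treatment for that quadrant (standard options; the threshold splitting
    'low' from 'high' is an assumption of this example)."""
    high_p = risk.probability >= threshold
    high_i = risk.impact >= threshold
    if high_p and high_i:
        return "high probability / high impact: mitigate first"
    if high_i:
        return "low probability / high impact: transfer or prepare contingency"
    if high_p:
        return "high probability / low impact: reduce likelihood with controls"
    return "low probability / low impact: accept and monitor"


def prioritize(register: list) -> list:
    """Return (asset, score, quadrant) tuples, highest score first."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), risk_map_cell(r)) for r in ranked]


# Constructed sample register for illustration only, not real data.
SAMPLE_REGISTER = [
    Risk("customer database", "High", "external attacker", "unpatched SQL server", 4, 5),
    Risk("marketing website", "Low", "defacement", "weak CMS admin password", 4, 2),
    Risk("payroll system", "High", "data center fire", "single site, no DR", 1, 5),
    Risk("intranet wiki", "Moderate", "insider leak", "no access logging", 2, 2),
]

for asset, score, cell in prioritize(SAMPLE_REGISTER):
    print(f"{score:3d}  {asset:18s} {cell}")
```

The ranked output is what an executive would sign off on: the two High-value assets rise to the top even though the payroll risk is unlikely, while the two low-impact risks sit at the bottom as candidates for acceptance or cheap controls.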
It’s critical to the IT risk management process that executives not only be informed of risks, but that they assist in the quantification and definition of the business impact these risks impose. They need to sign off on the risk position adopted for the organization’s assets. Only when the IT department and senior management are aligned in the identification, assessment and remediation of IT risk will an organization be able to achieve higher levels of security and compliance.
By aggregating and reporting on the impact of security risks within IT and how these risks impact the business, security professionals can become an integral part of business decision-making and help guide the organization to a more risk-aware culture.