Information Technology Risk Management includes managing the risk to information and information systems.
What is Risk Management, and why is it important for Information Technology?
Risk influences every aspect of an organization's operations. Understanding the risks we face and managing them appropriately enhances resilience and helps the organization achieve its mission and goals. A practical Risk Management Framework (RMF) is good business practice and offers organizational resilience, confidence, and tangible benefits. Here is a quick overview of risk, risk management, risk assessment, and IT risk management:
Risk is a situation involving exposure to danger.
Risk Management is the identification and treatment of risk and monitoring risk to ensure that the level of risk is within acceptable limits.
Risk Assessment provides the essential information required to determine the appropriate risk response.
IT Risk Management includes managing the risk to information and information systems.
IT Risk Management
Risk is the effect of uncertainty on objectives, as defined by the ISO 31000 framework. Risk management is about realizing opportunities as well as avoiding loss. It begins with knowing what has to be protected (identifying assets and determining asset value) and understanding the organization's risk culture.
IT Risk Management is a continuous process of identifying, analyzing, responding to, monitoring, and reviewing IT-related risks from the process, technology, and people perspectives. The organization should continually identify, assess, and reduce IT risks to within the tolerance levels set by senior management.
Managing IT Risks
The IT Risk Management process should be defined, approved, implemented, communicated, and aligned with the organization's Enterprise Risk Management (ERM) process. This includes identifying, analyzing, treating, monitoring, and reviewing IT risks at appropriate intervals. The process should be initiated at an early stage of program and project implementation, and before procuring new systems, tools, and emerging technologies.
To perform an IT risk assessment, a program should carry out an overall IT infrastructure analysis in compliance with IT best practices, standards, and guidelines.
- Review and evaluate the organization's IT infrastructure, including but not limited to: policies, operations, security controls, database management systems, data security, helpdesk, mail system, network management and design, access to sensitive or confidential information, logical access control, change control, change and problem management, preventive maintenance, backup procedures, asset management policies and procedures, the business continuity plan, and disaster recovery planning.
- Review and evaluate the Service Catalogue and define the business requirement for each, including but not limited to service availability, Service Level Agreement (SLA), Recovery Time Objective (RTO), and Recovery Point Objective (RPO).
- Review and evaluate the current Network infrastructure design, security infrastructure design, and system design.
- Review and evaluate a high and low-level design for network and security devices.
- Review and evaluate all the infrastructure Single Points Of Failure (SPOF).
- Review and evaluate the currently implemented design of the main and disaster recovery data center sites.
Information Technology Security Assessment
In the context of reducing risk and building a robust IT infrastructure, consider the following points to review and evaluate (sample):
- Review the Information Security organization, including:
  - Information security policy
  - Information security roles and responsibilities
  - Segregation of duties
  - Responsibility for assets
  - Ownership of assets
  - Acceptable use policy
  - Access control policy
    - Access to networks and network services
    - User registration and de-registration
    - User access provisioning
    - Management of privileged access rights (admin users)
    - Management of user authentication controls
    - Review of user access rights
    - Removal or adjustment of access rights
  - Application development and acquisition
    - Systems development and development approach
    - System acquisition and development management
    - Change and patch management
    - Problem and incident management
    - IT service contract SLAs
    - Data integrity and transaction control
    - Data retention and disposal
    - Source control
- Network security assessment and architecture review, including:
  - Data center firewall design and configuration
    - Rules, permissions, and logs, to find any unnecessary holes
    - Network segmentation
  - LAN infrastructure topology and security configuration review
    - Network segmentation
    - Security features
    - Security patches for the software used on network devices
  - Web Application Firewall (WAF) design and configuration
  - Wireless security settings, to validate the security measures in place
  - Network Access Control (NAC)
  - Internet router topology and security configuration review
  - Remote secure access
    - VPN configurations between head and branch offices
    - Employee and external VPN users' configuration and review
  - WAN termination device security review
Risk Identification and Analysis
To obtain information regarding associated threats, information assets should be identified, recorded, and maintained. The existing controls and associated risks should be evaluated regarding their likelihood of occurrence and impact. The following are some potential controls that can help in risk identification and analysis:
- IT risk identification should be performed, documented, and periodically updated in a formal, centralized risk register that is kept current.
- IT risk analysis should address information assets, potential threats, impact, likelihood, existing IT controls, risk owner (business or process owner), implementation owner (control owner), and inherent and residual risks related to the information assets.
IT risks associated with information assets should be adequately treated based on the applicable criteria.
- A developed, approved, and communicated IT risk treatment plan is required.
- A risk management plan for IT should be executed and evaluated on a regular basis.
- IT risk should be treated according to the organization's risk appetite defined by the relevant governance function owner and approved by the IT steering committee.
- IT risk treatment plan should include detailed design and implementation of required controls to mitigate the identified risks.
- The IT risk treatment plan should ensure that the list of treatment options is formally documented.
- Risk acceptance should be the least preferred option; mitigating the risk by implementing primary controls is preferred.
- Accepting an IT risk should be formally documented, approved, and signed off by the business owner and reported to the risk committee. The accepted risk should be within the organization's risk appetite, and the acceptance should be renewed periodically and presented to the risk committee at each renewal.
- Avoiding IT risks should involve a decision by a business owner and risk committee to cancel or postpone a particular activity or project that introduces an unacceptable IT risk to the business.
- Transferring or sharing the IT risks should involve sharing them with relevant (internal or external) providers and be accepted by the receiving (internal or external) providers.
- Applying IT controls to mitigate IT risks should include identifying appropriate IT controls and evaluating their strengths and weaknesses. The business owner and risk committee should select adequate IT controls, document any residual risk (risk that remains even after controls are put in place), and obtain sign-off for it.
- A risk treatment plan should include IT risk treatment actions.
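As an added illustration (not part of the original article), the following Python sketch models the risk register fields listed above (asset, threat, likelihood, impact, existing controls, risk owner, control owner, inherent and residual risk) and encodes the treatment rules: acceptance needs business-owner sign-off and must sit within appetite, transfer needs the receiving provider's acceptance, and mitigation must bring residual risk within appetite. The 1..5 scales, the appetite threshold, and the sample entries are constructed assumptions; the article gives no numeric scale.

```python
from dataclasses import dataclass
# Constructed example: the 1..5 scales and the appetite threshold are assumptions (the page gives none).
RISK_APPETITE = 6  # hypothetical threshold on the likelihood x impact score

@dataclass
class RiskEntry:
    asset: str                       # information asset
    threat: str                      # potential threat
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    control_effectiveness: float     # 0.0 (no existing control) .. 1.0 (fully effective)
    risk_owner: str                  # business or process owner
    control_owner: str               # implementation owner
    treatment: str = "mitigate"      # mitigate | accept | avoid | transfer
    signed_off_by: str = ""          # required when the risk is accepted
    provider_accepted: bool = False  # required when the risk is transferred/shared
    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Existing controls reduce the inherent score; what remains is residual risk.
        return round(self.inherent() * (1 - self.control_effectiveness), 1)

def review_treatment(e: RiskEntry, appetite: int = RISK_APPETITE) -> list:
    """Findings a register review would raise for one entry (empty = compliant)."""
    findings = []
    if e.treatment == "accept":
        if e.residual() > appetite:
            findings.append("accepted risk exceeds risk appetite")
        if not e.signed_off_by:
            findings.append("acceptance lacks business-owner sign-off")
    elif e.treatment == "mitigate" and e.residual() > appetite:
        findings.append("residual risk above appetite; further controls needed")
    elif e.treatment == "transfer" and not e.provider_accepted:
        findings.append("transfer not accepted by receiving provider")
    elif e.treatment not in ("mitigate", "accept", "avoid", "transfer"):
        findings.append("unknown treatment option: " + e.treatment)
    return findings

def above_appetite(register, appetite: int = RISK_APPETITE) -> int:
    """Simple KRI: number of register entries whose residual risk exceeds appetite."""
    return sum(1 for e in register if e.residual() > appetite)

# Constructed sample register (fictional assets and owners).
REGISTER = [
    RiskEntry("customer DB", "unauthorised access", 4, 5, 0.5, "Head of Sales", "DBA lead", "accept"),
    RiskEntry("mail server", "outage", 2, 3, 0.5, "Head of Ops", "Infra lead", "accept", "Head of Ops"),
    RiskEntry("DR link", "link failure", 3, 4, 0.0, "CIO", "Network lead", "transfer"),
]
```

Running `review_treatment` over each entry yields the findings a register review would escalate, and `above_appetite` gives a first KRI to report to the risk committee.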
Information technology risks should be treated according to the defined treatment plans and effectively reviewed, monitored, and reported. The following are suggested control requirements:
- IT risk assessment results should be formally documented and reported to the relevant business owners and senior management.
- Risks, impact, likelihood, mitigations, and remediation status should all be included in an IT risk assessment.
- IT risk should be monitored, including but not limited to tracking progress against the risk treatment plan and confirming that the selected and agreed IT controls are being implemented.
- The design and operating effectiveness of the revised or newly implemented IT controls should be monitored and reviewed periodically.
- The conclusions of the IT risk assessment should be accepted by the relevant business owners.
- The risk committee should approve the conclusions of the IT risk assessment.
- Key Risk Indicators (KRIs) for information technology should be created, implemented, and monitored.
- The IT risk profile and related data should be delivered to the operational risk department to develop an organization-wide risk profile.
- The IT risk profile should be formulated and presented periodically to the senior management, IT steering committee, and board of directors.
Risk management is most effective when it is implemented and applied consistently using a framework adapted to the organization's needs. Senior management is responsible for effective risk management as part of governance and protecting the organization's assets.
Information Technology Risk Management provides a foundation for the Security Program. When you understand the risks you face from a foundational level, you can better prepare yourself to reduce or eliminate the chances of a security incident occurring and the impact it will have on your information and information systems.