IT risk reg

Are there any standards which can be used to help establish a corporate risk register specific to IT? I know most projects have risk logs, but I am talking more about the organisation as a whole, and risks specific to IT. I am keen to learn what standards/frameworks are out there, how the risks are identified and fed into the register, and what the overall benefit of having one is. Most individual teams, I presume, know their risks, e.g. loss of service, security compromise, disgruntled customers, reputation, non-compliance etc. I'm just unsure how organisations pull this all together into a corporate risk register.
Ganesh Gurudu, Senior Consultant, commented:
This is an interesting and broad topic.

Why don't you go through the CISSP topics on this? These are widely accepted standards.

Certified Information Systems Security Professional (CISSP) is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)². Its domains are:

  1. Security and Risk Management
  2. Asset Security
  3. Security Engineering
  4. Communications and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security
pma111 (Author) commented:
Not every IT risk is a security risk though.
btan, Exec Consultant, commented:
The fundamental of risk management is the register. Indeed, the minimal level of register is normally done at project level, covering the systems being built or maintained. The register covers project and IT risks to make it complete. The usual threat, severity level, impact, residual risk and control will be part of the register. Importantly, it is the residual risk that requires acceptance by the system owners.

At the larger, corporate end, you would have a scorecard compiling the risk assessments and categorising critical vs non-critical systems. The number of acceptances and residual risks marks the overall "score" of how exposed and prepared the organisation is against the threats specific to each system. It forms a report card. Management tends to focus on the acceptance level for critical systems that have many residual risks not taken care of and accepted.

Broadly, that is one means of building an aggregated risk profile of the corporate. There are other measures of the maturity level of the corporate's readiness that take the assessment into account and include governance and compliance risk.

I suggest you look at the NIST Risk Management Framework and the steps for applying it at organisation level:
The Risk Management Framework and associated RMF tasks apply to both information system owners and common control providers. In addition to supporting the authorization of information systems, the RMF tasks support the selection, development, implementation, assessment, authorization, and ongoing monitoring of common controls inherited by organizational information systems.

Execution of the RMF tasks by common control providers, both internal and external to the organization, helps to ensure that the security capabilities provided by the common controls can be inherited by information system owners with a degree of assurance appropriate for their information protection needs. This approach recognizes the importance of security control effectiveness within information systems and the infrastructure supporting those systems.

Since the tasks in the RMF are described in a sequential manner, organizations may choose to deviate from that sequential structure in order to be consistent with their established management and system development life cycle processes or to achieve more cost-effective and efficient solutions with regard to the execution of the tasks. Regardless of the task ordering, the last step before an information system is placed into operation is the explicit acceptance of risk by the authorizing official.

Organizations may also execute certain RMF tasks in an iterative manner or in different phases of the system development life cycle. For example, security control assessments may be carried out during system development, system implementation, and system operation/maintenance (as part of continuous monitoring).

Organizations may also choose to expend a greater level of effort on certain RMF tasks and commit fewer resources to other tasks based on the level of maturity of selected processes and activities within the organization. Since the RMF is life cycle-based, there will be a need to revisit various tasks over time depending on how the organization manages changes to the information systems and the environments in which those systems operate.

Managing information security-related risks for an information system is viewed as part of a larger organization-wide risk management activity carried out by senior leaders. The RMF must simultaneously provide a disciplined and structured approach to mitigating risks from the operation and use of organizational information systems and the flexibility and agility to support the core missions and business operations of the organization in highly dynamic environments of operation.

Bryant Schaper commented:
What type of risk are you referring to? Projects, security or operations?

Many frameworks exist; (ISC)², NIST, IEEE and PMP have some info as well.

It comes down to narrowing the question a bit
pma111 (Author) commented:
I'm really talking about a comprehensive risk log which covers all the aforementioned categories.
Bryant Schaper commented:
Then you will need all the frameworks, I would think, and meld them together.
btan, Exec Consultant, commented:
You can simply say you want all the risk logs and try to combine them. The context of risk management must still be maintained; it is not a numbers game. Establish the categories that you see impacting the corporate in terms of People, Process and Technology. There are some examples shared by experts, but importantly you need to break it down by asset classification and build the register collectively. This makes sense for very complex and huge systems: divide and conquer. You can imagine your company as one big system and start doing the assessment. If you are really just seeking log aggregation and need a situational picture, then use a SIEM to build that. Ingest the (security) logs, then do a compliance check and identify the top 3 weaknesses, which you can then apprise management of as areas to improve or strengthen...
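The two btan replies above describe the register row (threat, severity, impact, control, residual risk, owner acceptance), the roll-up into a per-system scorecard with critical vs non-critical systems, the People/Process/Technology split, and a "top 3 weaknesses" list for management. The Python below is an added illustration of that aggregation and is not code from the thread or from any standard. Everything in it is an assumption for the sake of the example: the 3-point likelihood/impact scale, treating a control as removing a number of likelihood steps (`control_effect`), and the five sample risks, which are constructed and hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed 3-point scale for likelihood and impact (not from the thread).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    """One row of the register: the fields btan lists, plus who accepted the residual."""
    risk_id: str
    system: str
    critical: bool            # critical vs non-critical system
    category: str             # People / Process / Technology
    threat: str
    likelihood: str           # low / medium / high
    impact: str               # low / medium / high
    control: str
    control_effect: int       # assumed: how many likelihood steps the control removes
    accepted_by: Optional[str] = None   # system owner who accepted the residual risk

    def inherent(self) -> int:
        """Severity before controls: likelihood x impact."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual(self) -> int:
        """Severity after the control; likelihood never drops below 1."""
        likelihood = max(1, SCALE[self.likelihood] - self.control_effect)
        return likelihood * SCALE[self.impact]


# Constructed sample register (hypothetical systems, threats and owners).
REGISTER: List[Risk] = [
    Risk("R1", "CRM", True, "Technology", "unpatched web tier", "high", "high",
         "monthly patch cycle", 1),
    Risk("R2", "CRM", True, "Process", "changes deployed without approval", "medium", "high",
         "CAB review before release", 2, accepted_by="crm-owner"),
    Risk("R3", "Wiki", False, "Technology", "single server, no backups", "medium", "medium",
         "none", 0),
    Risk("R4", "Payroll", True, "People", "one admin holds every credential", "medium", "high",
         "break-glass account and documented handover", 1, accepted_by="payroll-owner"),
    Risk("R5", "Payroll", True, "Technology", "OS out of vendor support", "high", "high",
         "network isolation", 1),
]


def scorecard(register: List[Risk]) -> List[Dict]:
    """Roll the register up per system: residual exposure and acceptance status.

    A critical system carrying residual risks nobody has accepted is flagged,
    which is the case btan says management focuses on.
    """
    by_system: Dict[str, List[Risk]] = defaultdict(list)
    for risk in register:
        by_system[risk.system].append(risk)
    rows = []
    for system, risks in by_system.items():
        unaccepted = [r for r in risks if r.accepted_by is None]
        critical = any(r.critical for r in risks)
        rows.append({
            "system": system,
            "critical": critical,
            "risks": len(risks),
            "residual_total": sum(r.residual() for r in risks),
            "accepted": len(risks) - len(unaccepted),
            "unaccepted": len(unaccepted),
            "needs_attention": critical and bool(unaccepted),
        })
    # Critical systems first, then highest exposure, then name for a stable report.
    rows.sort(key=lambda row: (not row["critical"], -row["residual_total"], row["system"]))
    return rows


def by_category(register: List[Risk]) -> Dict[str, int]:
    """Residual exposure summed per People/Process/Technology category."""
    totals: Dict[str, int] = defaultdict(int)
    for risk in register:
        totals[risk.category] += risk.residual()
    return dict(totals)


def top_weaknesses(register: List[Risk], n: int = 3) -> List[str]:
    """The n highest residual risks: the 'top 3' list to take to management."""
    ranked = sorted(register, key=lambda r: (-r.residual(), r.risk_id))
    return [r.risk_id for r in ranked[:n]]


if __name__ == "__main__":
    for row in scorecard(REGISTER):
        print(row)
    print(by_category(REGISTER))
    print(top_weaknesses(REGISTER))
```

The point of the roll-up is the `needs_attention` flag rather than the totals: two systems can carry the same residual score while one has every residual risk signed off by its owner and the other has none, and it is the unaccepted residual on a critical system that the authorizing official has to decide on before go-live. Whatever scale an organisation picks, the register needs the owner and acceptance fields, or the scorecard cannot distinguish those two cases.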