
IT risk reg

Are there any standards which can be used to help establish a corporate risk register specific to IT? I know most projects have risk logs, but I am talking more about the organisation as a whole, and risks specific to IT. I am keen to learn what standards/frameworks are out there, how the risks are identified and fed into the register, and what the overall benefit of having one is. Most individual teams, I presume, know their risks, e.g. loss of service, security compromise, disgruntled customers, reputation, non-compliance etc. I'm just unsure how organisations pull this all together for a corporate risk register.
Asked by pma111
4 Solutions
 
Ganesh Gurudu, Senior Consultant, commented:
This is an interesting and broad topic.

Why don't you go through the CISSP topics on this? This is a widely accepted standard.

Certified Information Systems Security Professional (CISSP) is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)²

Topics
  1. Security and Risk Management
  2. Asset Security
  3. Security Engineering
  4. Communications and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security
 
pma111 (Author) commented:
Not every IT risk is a security risk, though.
 
btan, Exec Consultant, commented:
The fundamental of risk management is the register. Indeed, the minimal level of register done is normally at project level, which covers the systems built or maintained. The register covers project and IT risks to make it complete. The usual threat, severity level, impact, residual risk and control will be part of the register. Importantly, it is the residual risk that requires acceptance by the system owners.

At the larger end, for the corporate, you would have a scorecard compiling the risk assessment and categorising the critical vs non-critical systems. The number of acceptances and residual risks marks the overall "scoring" of how exposed and prepared you are against the threats specific to the system. It forms a report card. Management tend to focus on the criticality of the acceptance level for critical systems that have many residual risks not taken care of and accepted.

Broadly, that is one means of an aggregated risk profile for the corporate. And there are other measures of the maturity level of the readiness of the corporate that take the assessment into account and include governance and compliance risk.

I suggest you look at the NIST risk management framework and the steps for its application at organisation level.
The Risk Management Framework and associated RMF tasks apply to both information system owners and common control providers. In addition to supporting the authorization of information systems, the RMF tasks support the selection, development, implementation, assessment, authorization, and ongoing monitoring of common controls inherited by organizational information systems.

Execution of the RMF tasks by common control providers, both internal and external to the organization, helps to ensure that the security capabilities provided by the common controls can be inherited by information system owners with a degree of assurance appropriate for their information protection needs. This approach recognizes the importance of security control effectiveness within information systems and the infrastructure supporting those systems.

Since the tasks in the RMF are described in a sequential manner, organizations may choose to deviate from that sequential structure in order to be consistent with their established management and system development life cycle processes or to achieve more cost-effective and efficient solutions with regard to the execution of the tasks. Regardless of the task ordering, the last step before an information system is placed into operation is the explicit acceptance of risk by the authorizing official.

Organizations may also execute certain RMF tasks in an iterative manner or in different phases of the system development life cycle. For example, security control assessments may be carried out during system development, system implementation, and system operation/maintenance (as part of continuous monitoring).

Organizations may also choose to expend a greater level of effort on certain RMF tasks and commit fewer resources to other tasks based on the level of maturity of selected processes and activities within the organization. Since the RMF is life cycle-based, there will be a need to revisit various tasks over time depending on how the organization manages changes to the information systems and the environments in which those systems operate.

Managing information security-related risks for an information system is viewed as part of a larger organization-wide risk management activity carried out by senior leaders. The RMF must simultaneously provide a disciplined and structured approach to mitigating risks from the operation and use of organizational information systems and the flexibility and agility to support the core missions and business operations of the organization in highly dynamic environments of operation.
https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final
 
Bryant Schaper commented:
What type of risk are you referring to? Projects, security or operations?

Many frameworks exist: (ISC)², NIST, IEEE and PMP have some info as well.

It comes down to narrowing the question a bit.
 
pma111 (Author) commented:
I'm really talking about a comprehensive risk log which covers all the aforementioned categories.
 
Bryant Schaper commented:
Then you will need all the frameworks, I would think, and meld them together.
 
btan, Exec Consultant, commented:
You can just simply say you want all the risk logs and try to combine them. The context of risk management must still be maintained; it is not a numbers game. Establish the categories that you see impacting the corporate in terms of People, Process and Technology. There are some examples shared by experts but, importantly, you need to break it down to asset classification and build the register collectively. This makes sense for very complex and huge systems: divide and conquer; you can imagine your company as a big system and start doing the assessment. If you are really just seeking log aggregation and need a situational picture, then use a SIEM to build that. Ingest the (security) logs, then do a compliance check and identify the top 3 weaknesses, which you can then apprise the management area of to improve or strengthen...
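A constructed illustration of the register and scorecard described in btan's two comments above: entries carrying the fields threat, severity, impact, control, residual risk and owner acceptance, classified per asset and aggregated into a per-system report card that surfaces critical systems with residual risk neither mitigated nor accepted. This is added example code, not from the thread or from any standard; the three-level rating scale, the residual-risk formula and the register entries are assumptions.

```python
from dataclasses import dataclass
# Constructed register model (not any organisation's data); ratings use an assumed 3-level scale.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskEntry:
    system: str            # asset the risk is registered against
    critical: bool         # asset classification: critical vs non-critical system
    category: str          # People / Process / Technology
    threat: str
    severity: str          # likelihood-style rating: low/medium/high
    impact: str            # business impact rating: low/medium/high
    control: str           # mitigating control in place
    control_strength: int  # points of inherent score the control removes (assumed scale, 0-2)
    accepted: bool = False # residual risk explicitly accepted by the system owner

    def inherent(self) -> int:
        return LEVELS[self.severity] * LEVELS[self.impact]

    def residual(self) -> int:
        # Residual = inherent score less the control's effect, floored at 1 (assumed formula).
        return max(1, self.inherent() - self.control_strength)

def scorecard(register, threshold=4):
    """Per-system card: how many residual risks at/above threshold are open vs accepted."""
    cards = {}
    for e in register:
        card = cards.setdefault(e.system, {"critical": e.critical, "open": 0,
                                           "accepted": 0, "max_residual": 0})
        r = e.residual()
        card["max_residual"] = max(card["max_residual"], r)
        if r >= threshold:
            card["accepted" if e.accepted else "open"] += 1
    return cards

def management_focus(cards):
    """Critical systems carrying residual risk that is neither mitigated nor accepted, worst first."""
    return sorted((s for s, c in cards.items() if c["critical"] and c["open"]),
                  key=lambda s: (-cards[s]["open"], -cards[s]["max_residual"]))

REGISTER = [  # constructed sample entries
    RiskEntry("Payments API", True, "Technology", "Loss of service: single-zone deployment",
              "medium", "high", "Multi-zone failover", 2),
    RiskEntry("Payments API", True, "Process", "Non-compliance: audit logs kept under a year",
              "medium", "high", "None yet", 0),
    RiskEntry("HR Portal", False, "People", "Disgruntled insider exfiltrating records",
              "low", "high", "DLP plus quarterly access review", 1, accepted=True),
    RiskEntry("Intranet wiki", False, "Technology", "Security compromise via unpatched plugin",
              "high", "medium", "Monthly patching", 1, accepted=True),
]
```

Calling `management_focus(scorecard(REGISTER))` returns `["Payments API"]`: the one critical system with residual risks that nobody has either controlled down or signed off on.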