IT risk framework

Posted on 2018-02-09
Medium Priority
Last Modified: 2018-03-14
Are there any useful IT risk frameworks that are applicable in general terms to any IT organisation? I appreciate risk is organisation specific, but high level risks around systems availability, security etc. are common to all. I was after a baseline of common risks and wondered if these have been defined in any top level framework in which to assess our mitigations/controls.
Question by:pma111
  • 3
LVL 44

Assisted Solution

by:Adam Brown
Adam Brown earned 800 total points (awarded by participants)
ID: 42463933
The NIST Risk Management Framework: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
It will give you a good strategic guide for managing risk in general.

If you're looking for specific risks, Info Sec generally views risks as a measured likelihood of something negatively impacting the Confidentiality, Integrity, or Availability of data. There is always a risk of natural disaster occurring, but we have to measure that risk against the cost required to mitigate the damage caused by a risk factor occurring.

Common risks are Natural Disaster, Theft, Equipment failure, Human Error, etc.

Assisted Solution

by:Travis Martinez
Travis Martinez earned 400 total points (awarded by participants)
ID: 42463937
Is this what you're looking for:

"Risk Management Guide for Information Technology Systems"
LVL 66

Accepted Solution

btan earned 800 total points (awarded by participants)
ID: 42464330
The risk framework from NIST (below) and ISACA Risk IT are good benchmarks on the lifecycle and activities involved. The challenge is getting your stakeholder, which may be au fait with such IT exposure, and likely end up with you doing the work instead of the system owner. Need some guidance and education to develop the risk register and level of risk and acceptance, with various authorities identified for approval.

Example: the NIST Cybersecurity Framework encourages organizations to manage IT risk as part of the Identify (ID) function.

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented

ID.RA-2: Cyber threat intelligence and vulnerability information is received from information sharing forums and sources

ID.RA-3: Threats, both internal and external, are identified and documented

ID.RA-4: Potential business impacts and likelihoods are identified

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

ID.RA-6: Risk responses are identified and prioritized

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders

ID.RM-2: Organizational risk tolerance is determined and clearly expressed

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

The difficulty with asking for a "list of IT risks" is that the threats that your organisation faces will be entirely different from ours, though there can be similar categories which you can further contextualise. So I do advise that you should be looking at the controls you have in place; the potential risks that your organisation faces will be where controls are not in place.

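A small worked risk register that walks the ID.RA and ID.RM subcategories quoted in the accepted answer (vulnerability and threat recorded, likelihood and impact scored, risk derived, responses prioritised against a stated tolerance, and control gaps flagged). This is an added example, not code from the answer or from NIST; the 5x5 likelihood/impact scale, the tolerance value and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RiskEntry:
    asset: str
    vulnerability: str      # ID.RA-1: asset vulnerability, documented
    threat: str             # ID.RA-3: internal or external threat
    likelihood: int         # ID.RA-4: 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # ID.RA-4: 1 (negligible) .. 5 (severe), assumed scale
    controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently skew the ranking.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    def score(self) -> int:
        # ID.RA-5: likelihood and impact combined into a single risk score.
        return self.likelihood * self.impact


def build_register(entries: List[RiskEntry], tolerance: int) -> List[Dict]:
    """ID.RA-6: rank risks and decide a response against the tolerance (ID.RM-2).

    Anything scoring above tolerance must be treated. An entry with no control at
    all is also marked for treatment, since (as the answer notes) risk sits where
    controls are not in place, whatever the current score says."""
    ranked = sorted(entries, key=lambda e: (-e.score(), e.asset))
    register = []
    for e in ranked:
        above = e.score() > tolerance
        gap = not e.controls
        register.append({
            "asset": e.asset, "threat": e.threat, "score": e.score(),
            "above_tolerance": above, "control_gap": gap,
            "response": "treat" if (above or gap) else "accept",
        })
    return register


# Constructed sample entries; not taken from any real organisation.
SAMPLE = [
    RiskEntry("Payroll DB", "Unpatched DBMS", "External attacker", 3, 5, ["Monthly patching", "Segmentation"]),
    RiskEntry("File server", "Single disk, no backup", "Equipment failure", 4, 4, []),
    RiskEntry("Office network", "Shared admin password", "Human error", 2, 3, ["Password manager"]),
    RiskEntry("Data centre", "Flood plain location", "Natural disaster", 1, 5, ["DR site"]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE, tolerance=9):   # tolerance=9 is an assumed threshold
        print(row)
```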
LVL 66

Expert Comment

ID: 42479751
For author advice.
LVL 66

Expert Comment

No further inputs received
