IT risk framework

Are there any useful IT risk frameworks that are applicable in general terms to any IT organisation? I appreciate risk is organisation specific, but high-level risks around systems availability, security etc. are common to all. I was after a baseline of common risks and wondered if these have been defined in any top-level framework in which to assess our mitigations/controls.
pma111 asked:
btan, Exec Consultant, commented:
The risk frameworks from NIST (below) and ISACA (Risk IT) are good benchmarks on the lifecycle and activities involved. The challenge is getting your stakeholders, which may be au fait with such IT exposure, and you likely end up with doing the work instead of the system owner. Need some guidance and education to develop the risk register and the level of risk and acceptance, with various authorities identified for approval.
https://en.m.wikipedia.org/wiki/IT_risk

For example, the NIST Cybersecurity Framework encourages organizations to manage IT risk as part of the Identify (ID) function.
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented

ID.RA-2: Cyber threat intelligence and vulnerability information is received from information sharing forums and source

ID.RA-3: Threats, both internal and external, are identified and documented

ID.RA-4: Potential business impacts and likelihoods are identified

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

ID.RA-6: Risk responses are identified and prioritized

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders

ID.RM-2: Organizational risk tolerance is determined and clearly expressed

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
The difficulty with asking for a "list of IT risks" is that the threats that your organisation faces will be entirely different from ours, though there can be similar categories which you can further contextualise. So I do advise that you should be looking at the controls you have in place; the potential risks that your organisation faces will be where controls are not in place.

https://simplicable.com/new/technology-risk
Adam Brown, Sr Solutions Architect, commented:
The NIST Risk Management Framework: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview 
It will give you a good strategic guide for managing risk in general.

If you're looking for specific risks, Info Sec generally views risks as a measured likelihood of something negatively impacting the Confidentiality, Integrity, or Availability of data. There is always a risk of a natural disaster occurring, but we have to measure that risk against the cost required to mitigate the damage caused by a risk factor occurring.

Common risks are Natural Disaster, Theft, Equipment failure, Human Error, etc.
Travis Martinez, Smoke Jumper, commented:
Is this what you're looking for:

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf

"Risk Management Guide for Information Technology Systems"
btan, Exec Consultant, commented:
For author advice.
btan, Exec Consultant, commented:
No further inputs received.