SlideShare a Scribd company logo

130C h a p t e r10 Managing IT-Based Risk11 This c.docx

Download as DOCX, PDF
L
LyndonPelletier761

The chapter discusses the evolution and complexity of managing IT-based risks, emphasizing that as organizations become more reliant on technology, the stakes of risk management have escalated. Modern risk management must be a strategic, holistic activity that involves various stakeholders beyond just IT specialists, and it should address a wide range of internal and external risk factors. It highlights that despite recognizing the importance of IT risk management, many organizations struggle with integration and maturity in their risk management processes.

Education
1 of 24
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
130 C h a p t e r 10 Managing IT-Based Risk1 1 This chapter is based on the authors’ previously published article, Smith, H. A., and J. D. McKeen. “A Holistic Approach to Managing IT-Based Risk.” Communications of the Association for Information Systems 25, no. 41 (December 2009): 519–30. Reproduced by permission of the Association for Information Systems. Not so long ago, IT-based risk was a fairly low-key activity focused on whether IT could deliver projects successfully and keep its applications up and run-ning (McKeen and Smith 2003). But with the opening up of the organization’s boundaries to external partners and service providers, external electronic communica- tions, and online services, managing IT-based risk has morphed into a “bet the com- pany” proposition. Not only is the scope of the job bigger, but also the stakes are much higher. As companies have become more dependent on IT for everything they do, the costs of service disruption have escalated exponentially. Now, when a system goes down, the company effectively stops working and customers cannot be served. And criminals routinely seek ways to wreak havoc with company data, applications, and Web sites. New regulations to protect privacy and increase
accountability have also made executives much more sensitive to the consequences of inadequate IT security practices—either internally or from service providers. In addition, the risk of losing or compromising company information has risen steeply. No longer are a company’s files locked down and accessible only by company staff. Today, company information can be exposed to the public in literally hundreds of ways. Our increasing mobility, the porta- bility of storage devices, and the growing sophistication of cyber threats are just a few of the more noteworthy means. Therefore, the job of managing IT-based risk has become much broader and more complex, and it is now widely recognized as an integral part of any technology-based work—no matter how minor. As a result, many IT organizations have been given the responsibility of not only managing risk in their own activities (i.e., project develop- ment, operations, and delivering business strategy) but also of managing IT-based risk in all company activities (e.g., mobile computing, file sharing, and online access to infor- mation and software). Whereas in the past companies have sought to achieve security Chapter 10 • Managing IT-Based Risk 131 through physical or technological means (e.g., locked rooms, virus scanners), under-
standing is now growing that managing IT-based risk must be a strategic and holistic activity that is not just the responsibility of a small group of IT specialists but also part of the mind-set that extends from partners and suppliers to employees and customers. This chapter explores how organizations are addressing and coping with increas- ing IT-based risk. It first looks at the challenges facing IT managers in the arena of risk management and proposes a holistic view of risk. Next it examines some of the charac- teristics and components needed to develop an effective risk management framework and presents a generic framework for integrating the growing number of elements involved in it. Finally, it describes some successful practices organizations could use for improving their risk management capabilities. A Holistic View of it-BAsed Risk With the explosion in the past decade of new IT-based risks, it is increasingly recog- nized that risk means more than simply “the possibility of a loss or exposure to loss” (Mogul 2004) or even a hazard, uncertainty, or opportunity (McKeen and Smith 2003). Today, risk is a multilayered concept that implies much more is at stake. “IT risk has changed. IT risk incidents harm constituencies within and outside companies. They damage corporate reputations and expose weaknesses in com-
panies’ management teams. Most importantly, IT risk dampens an organization’s ability to compete.” (Hunter and Westerman 2007) As a result, companies are now focused on “enterprise risk management” as a more comprehensive and integrated approach to dealing with risk (Slywotzky and Drzik 2005). Although, not every risk affecting an enterprise will be an IT-based risk, the fact remains that an increasing number of the risks affecting the enterprise have an IT-based component. For example, one firm’s IT risk management policy notes that the goal of risk management is to ensure that technology failures or data integrity do not compromise the company’s strategic objectives, the company’s reputation and stake- holders, or its success and reputation. But, in spite of the increasing number and complexity of IT- based threats facing organizations and evidence that links risk management with IT project success (Didraga 2013), it remains difficult to get senior executives to devote their attention (and commit the necessary resources) to effectively manage these risks. A recent global survey noted, “while the security community recognizes that information security is part of effective business management, managing information security risk is still overwhelmingly seen as an IT responsibility worldwide” (Berinato 2007). Another study of several organizations found that none had a good view of all key risks and 75 percent had major gaps in their
approach to IT-based risk management (Coles and Moulton 2003). In short, while IT has become increasingly central to business success, many enterprises have not yet adjusted their processes to incorporate IT-based risk management (Hunter and Westerman 2007). Knowing what’s at stake, risk management is perennially in the top ten priorities for CIOs (Hunter et al. 2005) and efforts are being made to put effective capabilities and processes in place in IT organizations. However, only 5 percent of firms are at a high level of maturity in this area, and most (80 percent) are still in the initial stages 132 Section II • IT Governance of this work (Proctor 2007). Addressing risk in a more professional, accountable, and transparent fashion is an evolution from traditional IT security work. At a Gartner symposium the following was pointed out: “[T]raditionally, [IT] security has been reactive, ad hoc, and technically-focused. . . . The shift to risk management requires an acceptance that you can’t protect yourself from everything, so you need to measure risk and make good decisions about how far you go in protecting the organization.” (Proctor 2007) Companies in the group largely reflected this transitional state. “Information
security is a primary focus of our risk management strategy,” said one manager. “It’s very, very visible but our business has yet to commit to addressing risk issues.” Another stated, “We have a risk management group focused on IT risk, but lots of other groups focus on it too. . . . As a result, there are many different and overlapping views, and we are missing integration of these views.” “We are constantly trying to identify gaps in our risk management practices and to close them,” said a third. There is, however, no hesitation about identifying the sources of risk. Every com- pany in the group had its own checklist of risk items, and experts have developed several different frameworks and categorizations that aim to be comprehensive (see Appendix A for some of these). What everyone agrees on is that any approach to deal- ing with IT-based risk must be holistic—even though it is an “onerous” job to package it as a whole. “Every category of risk has a different vocabulary,” explained one focus group manager. “Financial, pandemic, software, information security, disaster recovery planning, governance and legal—each view makes sense, but pulling them together is very hard.” Risk is often managed in silos in organizations, resulting in uncoordinated approaches to its management and to decision-making incorporating risk. This is why many organizations, including several in the focus group, are attempting to integrate the wide variety of issues involved into one holistic enterprise risk management strat-
egy that uses a common language to communicate. The connection among all of the different risk perspectives is the enterprise. Any IT problem that occurs—whether with an application, a network, a new system, a ven- dor, or a hacker (to name just a few)—has the increasing potential to put the enterprise at risk. Thus, a holistic view of IT-based risk must put the enterprise front and center in any framework or policy. A risk to the enterprise includes anything (either internal or external) that affects its brand, reputation, competitiveness, financial value, or end state (i.e., its overall effectiveness, efficiency, and success). Figure 10.1 offers an integrated, holistic view of risk from an enterprise perspec- tive. A wide variety of both internal and external IT-based risks can affect the enterprise. Externally, risks can come from the following: • Third parties, such as partners, software vendors, service providers, suppliers, or customers • Hazards, such as disasters, pandemics, geopolitical upheavals, or environmental considerations • Legal and regulatory issues, such as failure to adhere to the laws and regula- tions affecting the company, including privacy, financial reporting, environmental reporting, and e-discovery
Chapter 10 • Managing IT-Based Risk 133 Internally, some risks are well known, such as those traditionally associated with IT operations (availability, accessibility) and systems development (not meeting sched- ules or budgets, or delivering value). Others are newer and, although they must be managed from within the organization, they may include both internal and external components. These include the following: • Information risks, such as those affecting privacy, quality, accuracy, and protection • People risks, such as those caused by mistakes or lack of adherence to security protocols • Process risks, such as problems caused by poorly designed business processes or by failure to adapt business processes to IT-based changes • Cultural risks, such as risk aversion and lack of risk awareness • Controls, such as ineffective or inadequate controls to prevent or mitigate risk incidents • Governance, such as ineffective or inadequate structure, roles, or accountabilities to make appropriate risk-based decisions Finally, there is the risk of criminal interference, either from
inside or outside the organization. Unlike other types of risk, which are typically inadvertent, crimi- nal actions are deliberate attacks on the enterprise, its information, or sometimes its employees or customers. Such threats are certainly not new. Everyone is familiar with viruses and hackers. What is new, however, is that many more groups and individu- als are targeting organizations and people. These include other national governments, organized crime, industrial spies, and terrorists. “These people are not trying to bring systems down, like in the past,” explained a group member. “They are trying to get information.” External Risk Legal/ Regulatory Hazards Third Parties ENTERPRISE RISK Internal Risk People Processes Culture Governance System Development
Operations Information C R I M I N A L I N T E R F E R E N C E Controls figuRe 10.1 A Holistic View of IT-Based Risk 134 Section II • IT Governance Holistic Risk MAnAgeMent: A PoRtRAit Tackling risk in a holistic fashion is challenging, and building an effective framework for its management is challenging. It is interesting to note that
there is much more agree- ment from the focus group and other researchers about what effective risk management looks like than how to do it. With this in mind, we outline some of the characteristics and components of an effective, holistic risk management program: 1. Focus on what’s important. “Risks are inevitable,” admitted a manager. “The first question we must ask is ‘What are we trying to protect?’” said another. “There’s no perfect package, and some residual risk must always be taken.” A third added “Risks are inevitable, but it’s how they’re managed—our response, contingency plans, team readiness, and adaptability—that makes the difference.” In short, risk is uncertainty that matters, something that can hurt or delay an enterprise from reach- ing its objectives (Hillson 2008). Although many managers recognize that it’s time to take a more strategic view of risk, “[W]e still don’t have our hands around what’s important and what we should be monitoring and protecting” (Berinato 2007). Risk management is therefore not about anticipating all risks but about attempting to reduce significant risks to a manageable level and knowing how to assess and respond to it (Slywotzky and Drzik 2005). Yet, more than protecting the enterprise, risk management should also enable IT to take more risk in the safest possible way (Caldwell and Mogul 2006). Thus, the focus of effective risk management should not be about saying “no” to a risk, but how to say “yes,” thereby
building a more agile enterprise (Caldwell and Mogul 2006). 2. Expect changes over time. Few companies have a good grasp of risk management because IT is a discipline that is evolving rapidly (Proctor 2007). As a result, it would be a mistake to codify risk practices and standards too rapidly, according to the focus group. Efforts to do this have typically resulted in “paperwork without context,” said one manager. Within a particular risk category, risk management actions should be “continuous, iterative, and structured,” group members agreed. In recognition of this reality, most participant organizations have a mandatory risk assessment at key stages in the system development process to capture the risk picture involved with a particular project at several points in time and many have regular, ongoing reviews of required operational controls on an annual or bian- nual basis to do the same thing. In addition, when incidents occur, there should always be a process for evaluating what happened, assessing its impact, and deter- mining if controls or other management processes need to be adapted (Coles and Moulton 2003). Finally, organizations should also be continually attempting to sim- plify and streamline controls wherever possible to minimize their burden. This is a process that is often missed, admitted one manager. However, despite the fact that each of these steps is useful, it is
also essential to stand back from these initiatives and see how the holistic risk image is developing. It is this more strategic and holistic view that is often missing in orga- nizations and that firms often fail to communicate to their staff. One of the greatest risks to organizations comes from employees themselves, not necessarily through their intentional actions, but because they don’t recognize the risks involved in their actions (Berinato 2007). Therefore, many believe it is time to recognize that risk cannot be managed solely through controls, procedures, and technology but Chapter 10 • Managing IT-Based Risk 135 that all employees must understand the concepts and goals of risk management because the enterprise will always need to rely on their judgment to some extent (Symantec Corporation 2007). In the same vein, many managers frequently do not comprehend the size and nature of the risks involved and thus resource their management inappropriately (Coles and Moulton 2003). As a result they tend to delegate many aspects of risk management to lower levels in the organization, thus preventing the development of any longer-term, overall vision (Proctor 2008; Witty 2008).
3. View risk from multiple levels and perspectives. Instead of dealing with security “incidents” in a one-at-a-time manner, it is important to do root cause analysis in order to understand risks in a more multifaceted way. To date, risk management has tended to focus largely on the operational and tactical levels and not viewed in a strategic way. One manager explained, “We need to assess risk trends and develop strategies for dealing with them. Tactics for dealing with future threats will then be more effective and easier to put in place.” Another noted, “We must aim for redundancy of protection—that is, multiple layers, to ensure that if one layer fails, others will catch any problems.” Furthermore, risk, security, and compliance are often intermixed in people’s minds. Each of these is a valid and unique lens through which to view risk and should not be seen as being the same. For example, one expert noted that 70 percent of a typical “security” budget is spent on compliance matters, not on protecting and defending the organization (Society for Information Management 2008), and this imbalance means that overall spending in many firms is skewed. One firm uses the “prudent man” rule to deal with risk, which recommends a diversity of approaches—being proactive, prevention, due diligence, credibility, and promoting awareness—to ensure that it is adequately covered and that all stakeholders are
properly protected. Monitoring and adapting to new international standards and laws, completing overall health checks, and analysis of potential risks are other new dimensions of risk that should be incorporated into a firm’s overall approach to risk management. deVeloPing A Risk MAnAgeMent fRAMewoRk With a holistic picture in mind, organizations can begin to develop a framework for fill- ing in the details. The objective of a risk management framework (RMF) is to create a common understanding of risk, to ensure the right risks are being addressed at the right levels, and to involve the right people in making risk decisions. An RMF also serves to guide the development of risk policies and integrate appropriate risk standards and processes into existing practices (e.g., the SDLC). No company in the focus group had yet developed a comprehensive framework for addressing IT- based risk, although many had significant pieces in place or in development. In this section, we attempt to piece these together to sketch out what an RMF might contain. An RMF should serve as a high-level overview of how risk is to be managed in an enterprise and can also act as a structure for reporting on risk at various levels of detail. Currently, many companies have created risk management policies and require all staff to read and sign them. Unfortunately, such policies are typically so long and complex as
136 Section II • IT Governance to be overwhelming and ineffective. “Our security policy alone is two hundred pages. How enforceable is it?” complained a manger. Another noted that the language in his company’s policy was highly technical. As a result, user noncompliance in following the recommended best practices was considerable. Furthermore, a plethora of commit- tees, review boards, councils, and control centers are often designed to deal with one or more aspects of risk management, but they actually contribute to the general complex- ity of managing IT-based risk in an organization. It should not be surprising that this situation exists, given the rapidity with which technologies, interfaces, external relationships, and dependencies have developed within the past decade. Organizations have struggled to simply keep up with the waves of legislation, regulation, globalization, standards, and transformation that seem to continually threaten to engulf them. An RMF is thus a starting point for providing an integrated, top-down view of risk, defining it, identifying those responsible for making key decisions about it, and mapping which policies and standards apply to each area. Fortunately, current technology makes it easy to offer multiple views and multiple lev- els of this information, enabling different groups or individuals
to understand their responsibilities and specific policies in detail and see links to specific tools, practices, and templates, while facilitating different types of reporting to different stakeholders at different levels. By mapping existing groups, policies, and guidelines into an RMF, it is easier to see where gaps exist and where complexities in processes should be streamlined. A basic RMF includes the following: • Risk category. The general area of enterprise risk involved (e.g., criminal, opera- tions, third party). • Policies and standards. These state, at a high level, the general principles for guiding risk decisions, and they identify any formal corporate, industry, national, or international standards that should apply to each risk category.2 For example, one company’s policy regarding people states the following, in part: Protecting the integrity and security of client and corporate information is the responsibility of every employee. Timely and effective reporting of actual and suspected privacy incidents is a key component of meeting this respon- sibility. Management relies on the collective experience and judgment of its employees.
Another company policy regarding culture states, “We need to embed a risk man- agement focus and awareness into all processes, functions, jobs, and individuals.” • Risk type. Each type of risk associated with each category (e.g., loss of information, failure to comply with specific laws, inability to work due to system outages) needs to be identified. Each type should have a generic name and defi- nition, ideally linked to a business impact. Identifying all risk types will take 2 Some international standards include Committee of Sponsoring Organizations (COSO) of the Treadway Commission, www.coso.org; SAI Global, www.saiglobal.com; and the Office of Government Commerce’s Management of Risk (M_o_r) (www.ogc.gov.uk/guidance_management_of_risk.asp). http://www.coso.org http://www.saiglobal.com http://www.ogc.gov.uk/guidance_management_of_risk.asp Chapter 10 • Managing IT-Based Risk 137 time and probably require much iteration as “there are an incredible variety of specific risks” (Mogul 2004). However, developing lists and definitions is a good first step (Baccarini et al. 2004; Hillson 2008; McKeen and Smith 2003) and is already a common practice among the focus group companies, at
least for certain categories of risk. • Risk ownership. Each type of risk should have an owner, either in IT or in the busi- ness. As well, there will likely be several stakeholders who will be affected by risk- based decisions. For example, the principal business sponsor could be the owner of risk decisions associated with the development or purchase of a new IT system, but IT operations and architecture as well as the project manager will clearly be key stakeholders. In addition to specialized IT functions, such as IT security, audit and privacy functions in the business will likely be involved in many IT risk-based decisions. Owners and stakeholders should have clear responsibilities and account- abilities. In the focus group, some major risk types were owned by committees, such as an enterprise risk committee, or the internal audit, social responsibility and risk governance committee, or the project risk review council on which stakeholder groups were represented. • Risk mitigation. As an RMF is developed, each type of risk should be associ- ated with controls, practices, and tools for addressing it effectively. These fall into one of two categories: compulsory and optional. Group members stressed that overemphasis on mitigation can lead to organizational paralysis or hyper-risk sensitivity. Instead participants stressed the role of judgment in
right sizing miti- gation activities wherever possible. “Our technology development framework does not tell you what you have to do, but it does give you things to consider in each phase,” said one manager. “We look first at the overall enterprise risk presented by a project,” said another, “and develop controls based on our evalu- ation of the level and types of risk involved.” The goal, everyone agreed, is to provide a means by which risks can be managed consistently, effectively, and appropriately.3 • Risk reporting and monitoring. This was a rather controversial topic in the focus group. Although everyone agreed it is important to make risk and its management more visible in the organization, tracking and reporting on risk have a tendency to make management highly risk averse. One manager said: We spent a year trying to quantify risks and developing a roll- up report, but we threw it away because audit didn’t understand it and saw only one big risk. This led to endless discussion and no confidence that IT was handling risk well. Now we use a very simple reporting framework presenting risk as high, medium, or low. This is language we all understand. There are definitely pressures to improve risk measurement (Proctor 2007), but clearly care must be taken in how these metrics are reported.
For example, one company 3 “Risk Management Guide for Information Technology Systems” (csrc.nist.gov/publications/nistpubs/800-30/ sp800-30.pdf), the National Institute of Standards and Technology’s Special Publication 800-30, provides guidance on specific risk mitigation strategies. 138 Section II • IT Governance uses a variety of self-assessments to ensure that risks have been properly identified and appropriate controls put in place. However, as risk management procedures become better understood and more codified, risk reporting can also become more formalized. This is particularly the case at present with operational process controls and fundamen- tal IT security, such as virus or intrusion detection. However, risk monitoring is an ongoing process because levels and types of risk are changing continually. Thus, an RMF should be a dynamic document as new types of risk are identified, business impacts are better understood, and mitigation practices evolve. “We need to continually monitor all categories of risk and ask our executives if the levels of risk are still the same,” said a focus group member. It is clear that failure to understand how risks are changing is a significant risk in itself (Proctor 2007). It is therefore especially important to have
a process in place to analyze what happens when an unforeseen risk occurs. Unless efforts are made to understand the root causes of a problem, it is unlikely that effective mitigation practices can be put in place. iMPRoVing Risk MAnAgeMent cAPABilities Risk management in most areas does not yet have well- documented best practices or standards in place. However, the focus group identified several actions that could lead to the development of effective risk management capabilities: • Look beyond technical risk. One of the biggest inhibitors of effective risk manage- ment is too tight a focus on technical risk, rather than on business risk (Coles and Moulton 2003). A traditional security approach, for example, tends to focus only on technical threats or specific systems or platforms. • Develop a common language of risk. A clearer understanding of business risk requires all stakeholders—IT, audit, privacy, legal, business managers—to speak the same language and use comparable metrics—at least at the highest levels of analysis where the different types of risk need to be integrated. • Simplify the presentation. Having a common approach to discussing or describing risk is very effective, said several focus group members. While the work that is behind a simple presentation may be complex,
presenting too much complexity can be counterproductive. The most effective approaches are simple: a narrative, a dashboard, a “stoplight” report, or another graphic style of report. • Right size. Risk management should be appropriate for the level of risk involved. More effective practices allow for the adaptation of controls while ensuring that the decisions made are visible and the rationale is communicated. • Standardize the technology base. This is one of the most effective ways to reduce risk, according to the research, but it is also one of the most expensive (Hunter et al. 2005). • Rehearse. Many firms now have an emergency response team in place to rapidly deal with key hazards. However, it is less common that this team actually rehearses its disaster recovery, business continuity, or other types of risk mitigation plans. Chapter 10 • Managing IT-Based Risk 139 One manager noted that live rehearsals are essential to reveal gaps in plans and unexpected …
130C h a p t e r10 Managing IT-Based Risk11 This c.docx

More Related Content

PDF
7350_RiskWatch-Summer2015-Maligec
Christine Maligec, CRM-E, CRIS
 
PDF
White paper cyber risk appetite defining and understanding risk in the moder...
balejandre
 
PDF
Vulnerability Assessment ( Va )
Monica Rivera
 
PDF
Security Risk Management Essay
Apa Papers For Sale Trinity
 
PDF
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
Ben Browning
 
PDF
OverseeCyberSecurityAsHackersSeekToInfiltrate
Kashif Ali
 
PDF
Secure by design
Arun Gopinath
 
PDF
Secure by design building id based security
Arun Gopinath
 
7350_RiskWatch-Summer2015-Maligec
Christine Maligec, CRM-E, CRIS
 
White paper cyber risk appetite defining and understanding risk in the moder...
balejandre
 
Vulnerability Assessment ( Va )
Monica Rivera
 
Security Risk Management Essay
Apa Papers For Sale Trinity
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
Ben Browning
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
Kashif Ali
 
Secure by design
Arun Gopinath
 
Secure by design building id based security
Arun Gopinath
 

Similar to 130C h a p t e r10 Managing IT-Based Risk11 This c.docx (20)

PDF
eCrime-report-2011-accessible
Charmaine Servado
 
PDF
Five principles for improving your cyber security
WGroup
 
DOCX
Classmate 1Cybersecurity risk can be characterized as the ris.docx
bartholomeocoombs
 
PDF
AI-Cyber-Security-White-Papers-06-15-LR
Bill Besse
 
PDF
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
DOCX
Provide a MEMO.docx
write30
 
PDF
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
PDF
2017 global-cyber-risk-transfer-report-final
Δρ. Γιώργος K. Κασάπης
 
PDF
security-team-guide-reducing-operational-risk.pdf
gokuforhelp
 
PDF
The evolving role of IT managers and CIOs
IBM Rational software
 
PDF
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
PDF
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
PDF
The meaning of security in the 21st century
The Economist Media Businesses
 
DOCX
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
MargenePurnell14
 
DOCX
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
bagotjesusa
 
PDF
S36169184
American Research Journal of Humanities & Social Science
 
PDF
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Booz Allen Hamilton
 
PDF
Effects of IT Governance Measures on Cyber-attack Incidents
The International Journal of Business Management and Technology
 
PDF
Securing the Digital Future
Cognizant
 
PDF
managed-security-for-a-not-so-secure-world-wp090991
Jim Romeo
 
eCrime-report-2011-accessible
Charmaine Servado
 
Five principles for improving your cyber security
WGroup
 
Classmate 1Cybersecurity risk can be characterized as the ris.docx
bartholomeocoombs
 
AI-Cyber-Security-White-Papers-06-15-LR
Bill Besse
 
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
Provide a MEMO.docx
write30
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
2017 global-cyber-risk-transfer-report-final
Δρ. Γιώργος K. Κασάπης
 
security-team-guide-reducing-operational-risk.pdf
gokuforhelp
 
The evolving role of IT managers and CIOs
IBM Rational software
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
The meaning of security in the 21st century
The Economist Media Businesses
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
MargenePurnell14
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
bagotjesusa
 
S36169184
American Research Journal of Humanities & Social Science
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Booz Allen Hamilton
 
Effects of IT Governance Measures on Cyber-attack Incidents
The International Journal of Business Management and Technology
 
Securing the Digital Future
Cognizant
 
managed-security-for-a-not-so-secure-world-wp090991
Jim Romeo
 

More from LyndonPelletier761 (20)

DOCX
300 words Building healthier cities and communities involves local.docx
LyndonPelletier761
 
DOCX
300 words APA format, Select a current example of a policy issue t.docx
LyndonPelletier761
 
DOCX
300-400 wordsClick here to access American Rhetorics Top 100 .docx
LyndonPelletier761
 
DOCX
3. Describe one of the five major themes of Progressive Reform outli.docx
LyndonPelletier761
 
DOCX
3. How do culture and business of Ireland compare with US culture an.docx
LyndonPelletier761
 
DOCX
3-page paper which you use the article from the below websites.docx
LyndonPelletier761
 
DOCX
3-page APA format reaction paper to the first four stages of develop.docx
LyndonPelletier761
 
DOCX
350 words. Standard essay format- no sources needed1. Explain wh.docx
LyndonPelletier761
 
DOCX
300 - 500 words in APA format (in text citations) and refernce page..docx
LyndonPelletier761
 
DOCX
300 words long addressing the following issues.its a discussion h.docx
LyndonPelletier761
 
DOCX
3. Creativity and AdvertisingFind two advertisements in a magazi.docx
LyndonPelletier761
 
DOCX
3-page APA format reaction paper to the standards of thinking and th.docx
LyndonPelletier761
 
DOCX
3-5 pagesThe patrol division of a police department is the l.docx
LyndonPelletier761
 
DOCX
3-5 pagesOfficer Landonio is now in the drug task force. H.docx
LyndonPelletier761
 
DOCX
3-4 paragraphsAssignment DetailsContemporary criminal just.docx
LyndonPelletier761
 
DOCX
3-4 paragraphsYou have received a complaint that someone in the .docx
LyndonPelletier761
 
DOCX
3-4 pagesAPA STYLEThe U.S. has long been seen by many around t.docx
LyndonPelletier761
 
DOCX
3-5 pagesCommunity-oriented policing (COP) does involve th.docx
LyndonPelletier761
 
DOCX
3 to 4 line answers only each.No Plagarism.$25Need by 109201.docx
LyndonPelletier761
 
DOCX
3 page paper, double spaced, apa formatThis paper is technically.docx
LyndonPelletier761
 
300 words Building healthier cities and communities involves local.docx
LyndonPelletier761
 
300 words APA format, Select a current example of a policy issue t.docx
LyndonPelletier761
 
300-400 wordsClick here to access American Rhetorics Top 100 .docx
LyndonPelletier761
 
3. Describe one of the five major themes of Progressive Reform outli.docx
LyndonPelletier761
 
3. How do culture and business of Ireland compare with US culture an.docx
LyndonPelletier761
 
3-page paper which you use the article from the below websites.docx
LyndonPelletier761
 
3-page APA format reaction paper to the first four stages of develop.docx
LyndonPelletier761
 
350 words. Standard essay format- no sources needed1. Explain wh.docx
LyndonPelletier761
 
300 - 500 words in APA format (in text citations) and refernce page..docx
LyndonPelletier761
 
300 words long addressing the following issues.its a discussion h.docx
LyndonPelletier761
 
3. Creativity and AdvertisingFind two advertisements in a magazi.docx
LyndonPelletier761
 
3-page APA format reaction paper to the standards of thinking and th.docx
LyndonPelletier761
 
3-5 pagesThe patrol division of a police department is the l.docx
LyndonPelletier761
 
3-5 pagesOfficer Landonio is now in the drug task force. H.docx
LyndonPelletier761
 
3-4 paragraphsAssignment DetailsContemporary criminal just.docx
LyndonPelletier761
 
3-4 paragraphsYou have received a complaint that someone in the .docx
LyndonPelletier761
 
3-4 pagesAPA STYLEThe U.S. has long been seen by many around t.docx
LyndonPelletier761
 
3-5 pagesCommunity-oriented policing (COP) does involve th.docx
LyndonPelletier761
 
3 to 4 line answers only each.No Plagarism.$25Need by 109201.docx
LyndonPelletier761
 
3 page paper, double spaced, apa formatThis paper is technically.docx
LyndonPelletier761
 

Recently uploaded (20)

PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
DOC
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PDF
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
PDF
SOIL: Factor, Horizon, Process, Classification, Degradation, Conservation
Sipra Biswas
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
Indian roads congress 037 - 2012 Flexible pavement
offersjackpot
 
PPTX
Introduction to Building Materials
Mrunali Vasava
 
PDF
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
PDF
احياء السادس العلمي - الفصل الثالث (التكاثر) منهج متميزين/كلية بغداد/موهوبين
S LS
 
PPTX
A powerpoint presentation on the Revised K-10 Science Shaping Paper
JericEstaco2
 
PPTX
Digestion and Absorption of Carbohydrates, Proteina and Fats
rekhapositivity
 
PDF
LNK 2025 (2).pdf MWEHEHEHEHEHEHEHEHEHEHE
NielDestora
 
PDF
IGGE1 Understanding the Self1234567891011
rhea22labucay
 
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PDF
A systematic review of self-coping strategies used by university students to ...
CleeveMoralde1
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
SOIL: Factor, Horizon, Process, Classification, Degradation, Conservation
Sipra Biswas
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Indian roads congress 037 - 2012 Flexible pavement
offersjackpot
 
Introduction to Building Materials
Mrunali Vasava
 
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
احياء السادس العلمي - الفصل الثالث (التكاثر) منهج متميزين/كلية بغداد/موهوبين
S LS
 
A powerpoint presentation on the Revised K-10 Science Shaping Paper
JericEstaco2
 
Digestion and Absorption of Carbohydrates, Proteina and Fats
rekhapositivity
 
LNK 2025 (2).pdf MWEHEHEHEHEHEHEHEHEHEHE
NielDestora
 
IGGE1 Understanding the Self1234567891011
rhea22labucay
 
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
A systematic review of self-coping strategies used by university students to ...
CleeveMoralde1
 

130C h a p t e r10 Managing IT-Based Risk11 This c.docx

  • 1. 130 C h a p t e r 10 Managing IT-Based Risk1 1 This chapter is based on the authors’ previously published article, Smith, H. A., and J. D. McKeen. “A Holistic Approach to Managing IT-Based Risk.” Communications of the Association for Information Systems 25, no. 41 (December 2009): 519–30. Reproduced by permission of the Association for Information Systems. Not so long ago, IT-based risk was a fairly low-key activity focused on whether IT could deliver projects successfully and keep its applications up and run-ning (McKeen and Smith 2003). But with the opening up of the organization’s boundaries to external partners and service providers, external electronic communica- tions, and online services, managing IT-based risk has morphed into a “bet the com- pany” proposition. Not only is the scope of the job bigger, but also the stakes are much higher. As companies have become more dependent on IT for everything they do, the costs of service disruption have escalated exponentially. Now, when a system goes down, the company effectively stops working and customers cannot be served. And criminals routinely seek ways to wreak havoc with company data, applications, and Web sites. New regulations to protect privacy and increase
  • 2. accountability have also made executives much more sensitive to the consequences of inadequate IT security practices—either internally or from service providers. In addition, the risk of losing or compromising company information has risen steeply. No longer are a company’s files locked down and accessible only by company staff. Today, company information can be exposed to the public in literally hundreds of ways. Our increasing mobility, the porta- bility of storage devices, and the growing sophistication of cyber threats are just a few of the more noteworthy means. Therefore, the job of managing IT-based risk has become much broader and more complex, and it is now widely recognized as an integral part of any technology-based work—no matter how minor. As a result, many IT organizations have been given the responsibility of not only managing risk in their own activities (i.e., project develop- ment, operations, and delivering business strategy) but also of managing IT-based risk in all company activities (e.g., mobile computing, file sharing, and online access to infor- mation and software). Whereas in the past companies have sought to achieve security Chapter 10 • Managing IT-Based Risk 131 through physical or technological means (e.g., locked rooms, virus scanners), under-
  • 3. standing is now growing that managing IT-based risk must be a strategic and holistic activity that is not just the responsibility of a small group of IT specialists but also part of the mind-set that extends from partners and suppliers to employees and customers. This chapter explores how organizations are addressing and coping with increas- ing IT-based risk. It first looks at the challenges facing IT managers in the arena of risk management and proposes a holistic view of risk. Next it examines some of the charac- teristics and components needed to develop an effective risk management framework and presents a generic framework for integrating the growing number of elements involved in it. Finally, it describes some successful practices organizations could use for improving their risk management capabilities. A Holistic View of it-BAsed Risk With the explosion in the past decade of new IT-based risks, it is increasingly recog- nized that risk means more than simply “the possibility of a loss or exposure to loss” (Mogul 2004) or even a hazard, uncertainty, or opportunity (McKeen and Smith 2003). Today, risk is a multilayered concept that implies much more is at stake. “IT risk has changed. IT risk incidents harm constituencies within and outside companies. They damage corporate reputations and expose weaknesses in com-
  • 4. panies’ management teams. Most importantly, IT risk dampens an organization’s ability to compete.” (Hunter and Westerman 2007) As a result, companies are now focused on “enterprise risk management” as a more comprehensive and integrated approach to dealing with risk (Slywotzky and Drzik 2005). Although, not every risk affecting an enterprise will be an IT-based risk, the fact remains that an increasing number of the risks affecting the enterprise have an IT-based component. For example, one firm’s IT risk management policy notes that the goal of risk management is to ensure that technology failures or data integrity do not compromise the company’s strategic objectives, the company’s reputation and stake- holders, or its success and reputation. But, in spite of the increasing number and complexity of IT- based threats facing organizations and evidence that links risk management with IT project success (Didraga 2013), it remains difficult to get senior executives to devote their attention (and commit the necessary resources) to effectively manage these risks. A recent global survey noted, “while the security community recognizes that information security is part of effective business management, managing information security risk is still overwhelmingly seen as an IT responsibility worldwide” (Berinato 2007). Another study of several organizations found that none had a good view of all key risks and 75 percent had major gaps in their
  • 5. approach to IT-based risk management (Coles and Moulton 2003). In short, while IT has become increasingly central to business success, many enterprises have not yet adjusted their processes to incorporate IT-based risk management (Hunter and Westerman 2007). Knowing what’s at stake, risk management is perennially in the top ten priorities for CIOs (Hunter et al. 2005) and efforts are being made to put effective capabilities and processes in place in IT organizations. However, only 5 percent of firms are at a high level of maturity in this area, and most (80 percent) are still in the initial stages 132 Section II • IT Governance of this work (Proctor 2007). Addressing risk in a more professional, accountable, and transparent fashion is an evolution from traditional IT security work. At a Gartner symposium the following was pointed out: “[T]raditionally, [IT] security has been reactive, ad hoc, and technically-focused. . . . The shift to risk management requires an acceptance that you can’t protect yourself from everything, so you need to measure risk and make good decisions about how far you go in protecting the organization.” (Proctor 2007) Companies in the group largely reflected this transitional state. “Information
  • 6. security is a primary focus of our risk management strategy,” said one manager. “It’s very, very visible but our business has yet to commit to addressing risk issues.” Another stated, “We have a risk management group focused on IT risk, but lots of other groups focus on it too. . . . As a result, there are many different and overlapping views, and we are missing integration of these views.” “We are constantly trying to identify gaps in our risk management practices and to close them,” said a third. There is, however, no hesitation about identifying the sources of risk. Every com- pany in the group had its own checklist of risk items, and experts have developed several different frameworks and categorizations that aim to be comprehensive (see Appendix A for some of these). What everyone agrees on is that any approach to deal- ing with IT-based risk must be holistic—even though it is an “onerous” job to package it as a whole. “Every category of risk has a different vocabulary,” explained one focus group manager. “Financial, pandemic, software, information security, disaster recovery planning, governance and legal—each view makes sense, but pulling them together is very hard.” Risk is often managed in silos in organizations, resulting in uncoordinated approaches to its management and to decision-making incorporating risk. This is why many organizations, including several in the focus group, are attempting to integrate the wide variety of issues involved into one holistic enterprise risk management strat-
  • 7. egy that uses a common language to communicate. The connection among all of the different risk perspectives is the enterprise. Any IT problem that occurs—whether with an application, a network, a new system, a ven- dor, or a hacker (to name just a few)—has the increasing potential to put the enterprise at risk. Thus, a holistic view of IT-based risk must put the enterprise front and center in any framework or policy. A risk to the enterprise includes anything (either internal or external) that affects its brand, reputation, competitiveness, financial value, or end state (i.e., its overall effectiveness, efficiency, and success). Figure 10.1 offers an integrated, holistic view of risk from an enterprise perspec- tive. A wide variety of both internal and external IT-based risks can affect the enterprise. Externally, risks can come from the following: • Third parties, such as partners, software vendors, service providers, suppliers, or customers • Hazards, such as disasters, pandemics, geopolitical upheavals, or environmental considerations • Legal and regulatory issues, such as failure to adhere to the laws and regula- tions affecting the company, including privacy, financial reporting, environmental reporting, and e-discovery
  • 8. Chapter 10 • Managing IT-Based Risk 133 Internally, some risks are well known, such as those traditionally associated with IT operations (availability, accessibility) and systems development (not meeting sched- ules or budgets, or delivering value). Others are newer and, although they must be managed from within the organization, they may include both internal and external components. These include the following: • Information risks, such as those affecting privacy, quality, accuracy, and protection • People risks, such as those caused by mistakes or lack of adherence to security protocols • Process risks, such as problems caused by poorly designed business processes or by failure to adapt business processes to IT-based changes • Cultural risks, such as risk aversion and lack of risk awareness • Controls, such as ineffective or inadequate controls to prevent or mitigate risk incidents • Governance, such as ineffective or inadequate structure, roles, or accountabilities to make appropriate risk-based decisions Finally, there is the risk of criminal interference, either from
  • 9. inside or outside the organization. Unlike other types of risk, which are typically inadvertent, crimi- nal actions are deliberate attacks on the enterprise, its information, or sometimes its employees or customers. Such threats are certainly not new. Everyone is familiar with viruses and hackers. What is new, however, is that many more groups and individu- als are targeting organizations and people. These include other national governments, organized crime, industrial spies, and terrorists. “These people are not trying to bring systems down, like in the past,” explained a group member. “They are trying to get information.” External Risk Legal/ Regulatory Hazards Third Parties ENTERPRISE RISK Internal Risk People Processes Culture Governance System Development
  • 10. Operations Information C R I M I N A L I N T E R F E R E N C E Controls figuRe 10.1 A Holistic View of IT-Based Risk 134 Section II • IT Governance Holistic Risk MAnAgeMent: A PoRtRAit Tackling risk in a holistic fashion is challenging, and building an effective framework for its management is challenging. It is interesting to note that
  • 11. there is much more agree- ment from the focus group and other researchers about what effective risk management looks like than how to do it. With this in mind, we outline some of the characteristics and components of an effective, holistic risk management program: 1. Focus on what’s important. “Risks are inevitable,” admitted a manager. “The first question we must ask is ‘What are we trying to protect?’” said another. “There’s no perfect package, and some residual risk must always be taken.” A third added “Risks are inevitable, but it’s how they’re managed—our response, contingency plans, team readiness, and adaptability—that makes the difference.” In short, risk is uncertainty that matters, something that can hurt or delay an enterprise from reach- ing its objectives (Hillson 2008). Although many managers recognize that it’s time to take a more strategic view of risk, “[W]e still don’t have our hands around what’s important and what we should be monitoring and protecting” (Berinato 2007). Risk management is therefore not about anticipating all risks but about attempting to reduce significant risks to a manageable level and knowing how to assess and respond to it (Slywotzky and Drzik 2005). Yet, more than protecting the enterprise, risk management should also enable IT to take more risk in the safest possible way (Caldwell and Mogul 2006). Thus, the focus of effective risk management should not be about saying “no” to a risk, but how to say “yes,” thereby
  • 12. building a more agile enterprise (Caldwell and Mogul 2006). 2. Expect changes over time. Few companies have a good grasp of risk management because IT is a discipline that is evolving rapidly (Proctor 2007). As a result, it would be a mistake to codify risk practices and standards too rapidly, according to the focus group. Efforts to do this have typically resulted in “paperwork without context,” said one manager. Within a particular risk category, risk management actions should be “continuous, iterative, and structured,” group members agreed. In recognition of this reality, most participant organizations have a mandatory risk assessment at key stages in the system development process to capture the risk picture involved with a particular project at several points in time and many have regular, ongoing reviews of required operational controls on an annual or bian- nual basis to do the same thing. In addition, when incidents occur, there should always be a process for evaluating what happened, assessing its impact, and deter- mining if controls or other management processes need to be adapted (Coles and Moulton 2003). Finally, organizations should also be continually attempting to sim- plify and streamline controls wherever possible to minimize their burden. This is a process that is often missed, admitted one manager. However, despite the fact that each of these steps is useful, it is
  • 13. also essential to stand back from these initiatives and see how the holistic risk image is developing. It is this more strategic and holistic view that is often missing in orga- nizations and that firms often fail to communicate to their staff. One of the greatest risks to organizations comes from employees themselves, not necessarily through their intentional actions, but because they don’t recognize the risks involved in their actions (Berinato 2007). Therefore, many believe it is time to recognize that risk cannot be managed solely through controls, procedures, and technology but Chapter 10 • Managing IT-Based Risk 135 that all employees must understand the concepts and goals of risk management because the enterprise will always need to rely on their judgment to some extent (Symantec Corporation 2007). In the same vein, many managers frequently do not comprehend the size and nature of the risks involved and thus resource their management inappropriately (Coles and Moulton 2003). As a result they tend to delegate many aspects of risk management to lower levels in the organization, thus preventing the development of any longer-term, overall vision (Proctor 2008; Witty 2008).
  • 14. 3. View risk from multiple levels and perspectives. Instead of dealing with security “incidents” in a one-at-a-time manner, it is important to do root cause analysis in order to understand risks in a more multifaceted way. To date, risk management has tended to focus largely on the operational and tactical levels and not viewed in a strategic way. One manager explained, “We need to assess risk trends and develop strategies for dealing with them. Tactics for dealing with future threats will then be more effective and easier to put in place.” Another noted, “We must aim for redundancy of protection—that is, multiple layers, to ensure that if one layer fails, others will catch any problems.” Furthermore, risk, security, and compliance are often intermixed in people’s minds. Each of these is a valid and unique lens through which to view risk and should not be seen as being the same. For example, one expert noted that 70 percent of a typical “security” budget is spent on compliance matters, not on protecting and defending the organization (Society for Information Management 2008), and this imbalance means that overall spending in many firms is skewed. One firm uses the “prudent man” rule to deal with risk, which recommends a diversity of approaches—being proactive, prevention, due diligence, credibility, and promoting awareness—to ensure that it is adequately covered and that all stakeholders are
  • 15. properly protected. Monitoring and adapting to new international standards and laws, completing overall health checks, and analysis of potential risks are other new dimensions of risk that should be incorporated into a firm’s overall approach to risk management. deVeloPing A Risk MAnAgeMent fRAMewoRk With a holistic picture in mind, organizations can begin to develop a framework for fill- ing in the details. The objective of a risk management framework (RMF) is to create a common understanding of risk, to ensure the right risks are being addressed at the right levels, and to involve the right people in making risk decisions. An RMF also serves to guide the development of risk policies and integrate appropriate risk standards and processes into existing practices (e.g., the SDLC). No company in the focus group had yet developed a comprehensive framework for addressing IT- based risk, although many had significant pieces in place or in development. In this section, we attempt to piece these together to sketch out what an RMF might contain. An RMF should serve as a high-level overview of how risk is to be managed in an enterprise and can also act as a structure for reporting on risk at various levels of detail. Currently, many companies have created risk management policies and require all staff to read and sign them. Unfortunately, such policies are typically so long and complex as
  • 16. 136 Section II • IT Governance to be overwhelming and ineffective. “Our security policy alone is two hundred pages. How enforceable is it?” complained a manger. Another noted that the language in his company’s policy was highly technical. As a result, user noncompliance in following the recommended best practices was considerable. Furthermore, a plethora of commit- tees, review boards, councils, and control centers are often designed to deal with one or more aspects of risk management, but they actually contribute to the general complex- ity of managing IT-based risk in an organization. It should not be surprising that this situation exists, given the rapidity with which technologies, interfaces, external relationships, and dependencies have developed within the past decade. Organizations have struggled to simply keep up with the waves of legislation, regulation, globalization, standards, and transformation that seem to continually threaten to engulf them. An RMF is thus a starting point for providing an integrated, top-down view of risk, defining it, identifying those responsible for making key decisions about it, and mapping which policies and standards apply to each area. Fortunately, current technology makes it easy to offer multiple views and multiple lev- els of this information, enabling different groups or individuals
  • 17. to understand their responsibilities and specific policies in detail and see links to specific tools, practices, and templates, while facilitating different types of reporting to different stakeholders at different levels. By mapping existing groups, policies, and guidelines into an RMF, it is easier to see where gaps exist and where complexities in processes should be streamlined. A basic RMF includes the following: • Risk category. The general area of enterprise risk involved (e.g., criminal, opera- tions, third party). • Policies and standards. These state, at a high level, the general principles for guiding risk decisions, and they identify any formal corporate, industry, national, or international standards that should apply to each risk category.2 For example, one company’s policy regarding people states the following, in part: Protecting the integrity and security of client and corporate information is the responsibility of every employee. Timely and effective reporting of actual and suspected privacy incidents is a key component of meeting this respon- sibility. Management relies on the collective experience and judgment of its employees.
  • 18. Another company policy regarding culture states, “We need to embed a risk man- agement focus and awareness into all processes, functions, jobs, and individuals.” • Risk type. Each type of risk associated with each category (e.g., loss of information, failure to comply with specific laws, inability to work due to system outages) needs to be identified. Each type should have a generic name and defi- nition, ideally linked to a business impact. Identifying all risk types will take 2 Some international standards include Committee of Sponsoring Organizations (COSO) of the Treadway Commission, www.coso.org; SAI Global, www.saiglobal.com; and the Office of Government Commerce’s Management of Risk (M_o_r) (www.ogc.gov.uk/guidance_management_of_risk.asp). http://www.coso.org http://www.saiglobal.com http://www.ogc.gov.uk/guidance_management_of_risk.asp Chapter 10 • Managing IT-Based Risk 137 time and probably require much iteration as “there are an incredible variety of specific risks” (Mogul 2004). However, developing lists and definitions is a good first step (Baccarini et al. 2004; Hillson 2008; McKeen and Smith 2003) and is already a common practice among the focus group companies, at
  • 19. least for certain categories of risk. • Risk ownership. Each type of risk should have an owner, either in IT or in the busi- ness. As well, there will likely be several stakeholders who will be affected by risk- based decisions. For example, the principal business sponsor could be the owner of risk decisions associated with the development or purchase of a new IT system, but IT operations and architecture as well as the project manager will clearly be key stakeholders. In addition to specialized IT functions, such as IT security, audit and privacy functions in the business will likely be involved in many IT risk-based decisions. Owners and stakeholders should have clear responsibilities and account- abilities. In the focus group, some major risk types were owned by committees, such as an enterprise risk committee, or the internal audit, social responsibility and risk governance committee, or the project risk review council on which stakeholder groups were represented. • Risk mitigation. As an RMF is developed, each type of risk should be associ- ated with controls, practices, and tools for addressing it effectively. These fall into one of two categories: compulsory and optional. Group members stressed that overemphasis on mitigation can lead to organizational paralysis or hyper-risk sensitivity. Instead participants stressed the role of judgment in
  • 20. right sizing miti- gation activities wherever possible. “Our technology development framework does not tell you what you have to do, but it does give you things to consider in each phase,” said one manager. “We look first at the overall enterprise risk presented by a project,” said another, “and develop controls based on our evalu- ation of the level and types of risk involved.” The goal, everyone agreed, is to provide a means by which risks can be managed consistently, effectively, and appropriately.3 • Risk reporting and monitoring. This was a rather controversial topic in the focus group. Although everyone agreed it is important to make risk and its management more visible in the organization, tracking and reporting on risk have a tendency to make management highly risk averse. One manager said: We spent a year trying to quantify risks and developing a roll- up report, but we threw it away because audit didn’t understand it and saw only one big risk. This led to endless discussion and no confidence that IT was handling risk well. Now we use a very simple reporting framework presenting risk as high, medium, or low. This is language we all understand. There are definitely pressures to improve risk measurement (Proctor 2007), but clearly care must be taken in how these metrics are reported.
  • 21. For example, one company 3 “Risk Management Guide for Information Technology Systems” (csrc.nist.gov/publications/nistpubs/800-30/ sp800-30.pdf), the National Institute of Standards and Technology’s Special Publication 800-30, provides guidance on specific risk mitigation strategies. 138 Section II • IT Governance uses a variety of self-assessments to ensure that risks have been properly identified and appropriate controls put in place. However, as risk management procedures become better understood and more codified, risk reporting can also become more formalized. This is particularly the case at present with operational process controls and fundamen- tal IT security, such as virus or intrusion detection. However, risk monitoring is an ongoing process because levels and types of risk are changing continually. Thus, an RMF should be a dynamic document as new types of risk are identified, business impacts are better understood, and mitigation practices evolve. “We need to continually monitor all categories of risk and ask our executives if the levels of risk are still the same,” said a focus group member. It is clear that failure to understand how risks are changing is a significant risk in itself (Proctor 2007). It is therefore especially important to have
  • 22. a process in place to analyze what happens when an unforeseen risk occurs. Unless efforts are made to understand the root causes of a problem, it is unlikely that effective mitigation practices can be put in place. iMPRoVing Risk MAnAgeMent cAPABilities Risk management in most areas does not yet have well- documented best practices or standards in place. However, the focus group identified several actions that could lead to the development of effective risk management capabilities: • Look beyond technical risk. One of the biggest inhibitors of effective risk manage- ment is too tight a focus on technical risk, rather than on business risk (Coles and Moulton 2003). A traditional security approach, for example, tends to focus only on technical threats or specific systems or platforms. • Develop a common language of risk. A clearer understanding of business risk requires all stakeholders—IT, audit, privacy, legal, business managers—to speak the same language and use comparable metrics—at least at the highest levels of analysis where the different types of risk need to be integrated. • Simplify the presentation. Having a common approach to discussing or describing risk is very effective, said several focus group members. While the work that is behind a simple presentation may be complex,
  • 23. presenting too much complexity can be counterproductive. The most effective approaches are simple: a narrative, a dashboard, a “stoplight” report, or another graphic style of report. • Right size. Risk management should be appropriate for the level of risk involved. More effective practices allow for the adaptation of controls while ensuring that the decisions made are visible and the rationale is communicated. • Standardize the technology base. This is one of the most effective ways to reduce risk, according to the research, but it is also one of the most expensive (Hunter et al. 2005). • Rehearse. Many firms now have an emergency response team in place to rapidly deal with key hazards. However, it is less common that this team actually rehearses its disaster recovery, business continuity, or other types of risk mitigation plans. Chapter 10 • Managing IT-Based Risk 139 One manager noted that live rehearsals are essential to reveal gaps in plans and unexpected …