
ISOM Lesson 3: IT Risk Management

IT risk management involves identifying risks to an organization's information systems, analyzing the potential impact and probability of threats, and taking steps to reduce risks to an acceptable level. The key aspects of IT risk management include identifying critical IT resources and potential threats, analyzing risks through qualitative or quantitative methods, and determining residual risks the organization will accept. Risk analysis considers the probability and potential impact of threats to determine risks based on factors like asset value, vulnerability, and threat likelihood.

IT RISK MANAGEMENT

IT Risk Management
- IT risk management is the process of identifying risks to an organization's information systems and taking steps to reduce the risk to an acceptable level.
- Risk management involves three major activities:
  o Risk identification – knowing the applicable IT risks to the information system
  o Risk analysis – determining the extent of exposure to IT risks
  o Risk response/treatment – implementation of strategies to address significant risks in the information system

Risk Appetite and Residual Risk
- Risk management does not entail total elimination of IT risks due to:
  o Inherent limitations of internal control procedures
  o The cost involved in implementing strategies to address risks, weighed against the perceived benefits
- Risk appetite – refers to the quantity and nature of risks that an organization is willing to accept, based on the assessed trade-off between cost and benefit.
  o Conservative organizations will have low tolerance for IT risks and will implement very stringent strategies to protect systems.
  o Aggressive organizations will have high tolerance for IT risks and will have less stringent controls.
- Residual risks – pertain to the IT risks that the organization will accept and that will not be addressed.
  o Risks that will significantly impact the organization must be addressed and prevented/mitigated.
  o Risks deemed insignificant will be accepted by the organization.

IT Risk Identification
- IT risk identification – requires the organization to identify, classify and prioritize:
  o The IT resources that must be protected by the organization, and
  o The threats that pose danger to the identified IT resources.

Identifying IT resources
- IT resources (assets) refer to the components of the information system used by the organization.
- Potential threats to the identified IT resources must be determined and assessed.

Classifying and prioritizing IT resources
- IT resources must be classified based on their criticality or importance to the organization.
- IT resources deemed critical to the organization will be prioritized in the risk management process.

Identifying and prioritizing threats to IT resources
- Threats will be identified based on the existing IT resources of the organization.
- Significant threats that are deemed to adversely affect the organization will be prioritized in the risk management process.

Vulnerability analysis
- A vulnerability is a weakness in the IT system that makes one or more threats more likely.
- Vulnerability analysis is the review of the IT system to discover weaknesses that could lead to the occurrence of a threat.

Information Technology Resources
Component – Description
- Hardware – Physical infrastructures used
- Software – Programs installed on the hardware that execute user commands.
- People – Employees and trusted outside service providers involved in the IT system.
- Data – Information processed, transmitted and stored in the information system.
- Network – Connectivity of the information system, either within or outside the organization.
- Procedures – Instructions on the internal logic and user tasks in the information system.

Determining Value of IT Resources
Factor – Description
- Criticality – An IT resource is valuable if it is crucial to the organization's operation and success.
- Financial impact – An IT resource has value if it helps in generating revenues and profits.
- Replacement cost – An IT resource is valuable if it is expensive to recover when lost or destroyed.
- Protection cost – An IT resource is valuable if it requires a high cost to protect against threats.
- Reputation cost – An IT resource is valuable if public knowledge of its loss would damage reputation and create potential liability.

Threats to IT Resources

Environmental threats
- Threats caused by environmental factors not involving human agents and beyond the organization's control.
- Typically include:
  o Natural disasters
  o Service interruptions

Technological threats
- Threats caused by failures in the components of an information system.
- Typically include:
  o Hardware failure
  o Software failure
  o Technological obsolescence

Human threats
- Threats involving human agents, which may be accidental (non-malicious) or intentional (malicious).
- Typically include:
  o Trespassing/unauthorized access
  o Sabotage
  o Extortion
  o Malware
  o Human error
  o Theft

Example of Vulnerabilities
Threat – Possible vulnerabilities
- Natural disasters – Insufficient insurance coverage; lack of a fire suppression system.
- Service interruptions – Back-up power source does not exist or is not working due to lack of maintenance.
- Hardware failure – Insufficient maintenance of hardware.
- Software failure – System errors are not detected or corrected in a timely manner.
- Obsolescence – Availability of vendor support is not periodically reviewed.
- Trespassing/espionage – Simplistic passwords; physical security is too lenient.
- Sabotage – Missing firewall and intrusion prevention system.
- Extortion – Missing firewall and intrusion prevention system.
- Malware – Outdated or missing anti-virus software.
- Human error – Lack of training on information security.
- Theft – Physical security is too lenient; mobile devices are unprotected.

IT Risk Analysis
- IT risk analysis – requires the organization to:
  o Assess the probability and potential impact of threats to the information system
  o In simple terms, risk analysis is expressed as: Risk = Probability x Impact

Probability analysis
- For any given threat and IT resource, the probability that the threat will be realized needs to be estimated.
- Management will need to perform some research and develop a best estimate, based on available data.

Impact analysis
- A threat, when realized, will have some effect on the organization.
- Impact analysis is the study of estimating the impact of specific threats on specific IT resources.

Risk calculation
- An entity calculates the risk involved after determining frequency and impact.
- The risk equals the potential impact when the threat occurs multiplied by its probability.

Assessing the risk acceptability
- When the assessed risk is above the entity's risk appetite, the appropriate risk treatment needs to be adopted.
- When the assessed risk is below the risk appetite, the entity may choose to accept the risk and continue to monitor it.

Qualitative Risk Analysis
- A qualitative risk analysis is an in-depth examination of in-scope assets with a detailed study of threats (and their probability of occurrence), vulnerabilities (and their severity), and statements of impact.
- The threats, vulnerabilities, and impacts are all expressed in qualitative terms such as High-Medium-Low or in quasi-numeric terms such as a 1-5 numeric scale.
- The purpose of qualitative risk analysis is to identify the most critical risks in the organization, based on these rankings.
- The value of a qualitative risk analysis is the ability to quickly identify the most critical risks without the additional burden of identifying precise financial impacts.

Quantitative Risk Analysis
- Quantitative risk analysis is a risk analysis approach that uses numeric methods to measure risk.
- The advantage of quantitative risk analysis is that risk is stated in terms that can be easily compared across IT resources and risks.

Asset value (AV)
- Value assigned to an IT resource, which is equivalent to its potential financial loss, replacement cost, and reputation cost.

Exposure factor (EF)
- Percentage of the IT resource's total value that will be lost when a threat occurs.

Annualized rate of occurrence (ARO)
- Estimated number of times a threat will occur in a year (e.g., if a threat occurs twice a year, ARO is 2.0; if every two years, ARO is 0.5).

Single loss expectancy (SLE)
- SLE = AV x EF
- The amount of expected financial loss on an IT resource when the threat occurs once.

Annualized loss expectancy (ALE)
- ALE = ARO x SLE
- The expected annualized loss of IT resource value due to threat realization.


IT Risk Treatment
- IT risk treatment pertains to the development of strategies that will address identified threats to IT resources and vulnerabilities in the IT system.

Strategy selection
- There are various strategies that an organization can implement to address identified IT risks.
- Determination of the appropriate strategy depends on various factors, such as risk appetite, threat level and asset value.

Justify strategy
- The cost of implementing a strategy must be justified based on its perceived benefits.
- Requires performance of feasibility studies and cost-benefit analyses.

Implementation and monitoring
- The selected strategy must be implemented throughout the organization.
- Strategies are monitored to determine whether the control is working effectively in addressing the identified risk.

Risk Treatment Strategies
Component – Description
- Risk mitigation
  o Implementation of solutions, policies and procedures that will reduce an identified risk.
  o Examples: installing anti-virus software to prevent malware attacks and password controls to prevent unauthorized access to system and program files.
- Risk transfer
  o Some or all of the risk is transferred to an external entity, such as an insurance company or business partner.
  o Examples: purchasing an insurance policy to shield the organization from potential asset damage or loss, and outsourcing certain business processes.
- Risk avoidance
  o The organization abandons the activity altogether, effectively taking the IT resource out of service so that the threat is no longer a threat.
  o Examples: closure of a business site that is prone to natural disasters, or terminating an entire database to prevent leakage of personal information.
- Risk acceptance
  o The choice to do nothing about potential exploitation of vulnerabilities.
  o Can only be done for identified threats that are assessed to be within the organization's risk appetite.
  o Not applicable to risks that can cause serious damage to the organization.

Strategy Selection

Feasibility study
- Alternative strategies are assessed against major constraints (restrictions/limitations) so that management can determine the organization's ability to implement those strategies.
- Factors considered in the strategy feasibility study include:
  o Technical feasibility – Availability of the technology necessary to develop and implement a strategy
  o Economic feasibility – Availability of funds to implement a strategy
  o Legal feasibility – Identification of conflicts between the strategy and the organization's legal responsibilities
  o Operational feasibility – Degree of compatibility between the organization's existing procedures and personnel skills and the strategy
  o Schedule feasibility – Ability of the organization to implement a strategy within an acceptable timeline

Cost-benefit analysis
- Cost-benefit analysis enables management to determine whether the benefits of implementing a strategy outweigh the related costs.
- Benefits of implementing controls:
  o Protection of IT resources
  o Addressing vulnerabilities
  o Loss prevention
- Costs of implementing controls:
  o Acquisition and development
  o Implementation costs
  o Training costs
  o Vendor-support costs
  o Maintenance costs
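The quantitative risk analysis formulas (SLE = AV x EF, ALE = ARO x SLE), the risk-appetite acceptability test and the cost-benefit check from this lesson, worked through in one added example that is not part of the original notes. The file-server figures, the anti-virus control's effect on ARO, the annual control cost and the High/Medium/Low bucket thresholds are all constructed assumptions; treating a control's benefit as the ALE reduction it achieves is the generalization applied here, not a rule stated in the lesson.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    """One threat against one IT resource, with the lesson's quantitative inputs."""
    resource: str
    threat: str
    av: float   # Asset Value (AV): potential financial, replacement and reputation loss
    ef: float   # Exposure Factor (EF): fraction of AV lost when the threat occurs once
    aro: float  # Annualized Rate of Occurrence (ARO): 2.0 = twice a year, 0.5 = every two years

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle()

def treatment_needed(exposure: Exposure, risk_appetite: float) -> bool:
    """ALE above the entity's risk appetite (expressed as an annual loss) calls for
    a treatment; at or below it the entity may accept the risk and keep monitoring."""
    return exposure.ale() > risk_appetite

def control_net_benefit(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Cost-benefit of a mitigation control. Assumption: the benefit is the ALE
    reduction it achieves; a positive result means benefits outweigh the annual cost."""
    return (before.ale() - after.ale()) - annual_cost

def qualitative_rank(probability: int, impact: int) -> str:
    """Risk = Probability x Impact on a 1-5 scale, bucketed High/Medium/Low
    (the bucket thresholds are an assumption, not from the lesson)."""
    score = probability * impact
    return "High" if score >= 15 else "Medium" if score >= 6 else "Low"

# Constructed sample: a file server (AV 200,000) hit by malware twice a year,
# losing a quarter of its value each time.
MALWARE_BEFORE = Exposure("file server", "malware", av=200_000, ef=0.25, aro=2.0)
# Same server after anti-virus controls; assumed to cut ARO to once every two years.
MALWARE_AFTER = Exposure("file server", "malware", av=200_000, ef=0.25, aro=0.5)
ANTIVIRUS_ANNUAL_COST = 30_000  # constructed: licences, training and maintenance

if __name__ == "__main__":
    print("ALE before/after:", MALWARE_BEFORE.ale(), MALWARE_AFTER.ale(),
          "net benefit:", control_net_benefit(MALWARE_BEFORE, MALWARE_AFTER, ANTIVIRUS_ANNUAL_COST))
```

With a risk appetite of 40,000 per year the untreated exposure requires treatment, while the mitigated exposure falls within appetite and can be accepted and monitored.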
