Information technology risk management
Every company pursues a mission that involves automating its operations so that large quantities of information can be processed faster. Automated information processing in turn requires information technology (IT), which is now recognized as a primary facility for operations management (NIST, 1995). Any operation, however, can be affected by disasters and technical problems, so risk management strategies related to the use and application of information technology must be considered.
A risk management procedure applied to IT-related operations therefore holds a critical position in safeguarding a company's information assets, and with them its mission and goals, from IT-related disasters. IT risk management should thus be understood as an important function of a company's management, not merely a technical job performed by its IT professionals. To better understand IT risk management, the term risk should first be defined.
The word risk refers to the overall negative effect of an incident to which a place, person or group is vulnerable (Chadbourne and Sanders, 1999). Risk encompasses both the likelihood of the incident or disaster occurring and its impact on the people and place concerned. Risk management therefore describes the process of identifying risks, evaluating their type and degree, and designing methods that reduce the occurrence of specific risks and limit the damage incurred should a disaster take place.
For a company that employs information technology, risk management means making sound risk management choices that secure the company's IT system, which stores, processes and transmits the company's information (NIST, 1996). IT risk management thus involves allocating a portion of the company's budget to such measures in order to minimize damage and, ultimately, to prevent untoward incidents in the future. Information technology is used not only by IT professionals but also by a company's non-technical employees.
It is therefore helpful for all of a company's personnel to be aware of the risk management strategies designed for the company. A number of personnel must also be identified who are responsible for the major operations of the company's IT risk management program. This core group includes the members of senior management, who generally decide the budget allocated to the security of the company's IT. Another key position on an IT risk management team is the chief information officer, who is responsible for implementing the IT risk management measures.
Other key positions include the security program manager and the technical support officers for the company's databases, networks and systems. IT risk management comprises three general processes that allow technology managers to balance the operational and economic expenditures needed to protect the company's IT system, which in turn serves as the quantitative tool for determining whether the company succeeds in achieving its mission and goals.
Although IT risk management schemes are costly and time-consuming, the damage and setbacks a company suffers when a disaster strikes its IT system cost far more. It is understood that IT risk management is a responsibility of management. The first of these processes, risk assessment, begins with assessing the possible threats associated with an IT system. The result of risk assessment is the identification of particular control measures that may reduce and ultimately prevent the chance of a threat occurring.
Risk is a function of the probability that a particular threat will occur, given the specific factors that make a company's IT system vulnerable to it. To determine the chance of a possible disaster, the risks to an IT system should be examined together with the related vulnerabilities and control features of the system. The impact of a risk refers to the extent of the damage that could be incurred through the vulnerabilities of the IT system.
The degree of impact depends on the effect the damage would have on the company's mission and goals. Risk assessment proceeds in several steps. The first step is the characterization of the company's IT system (NIST, 1998), including the hardware and software that comprise it. In addition, the regular users of the IT system are identified in order to determine the extent of input each technical staff member produces each day. The next step in risk assessment is the identification of threats to the IT system.
A threat is the potential for a particular risk to occur. Any weakness of the IT system is considered a vulnerability. A threat-source does not constitute a risk if no weakness can be identified through which it could bring about a disaster. To determine the chance that a threat will occur, its sources should be considered along with the related potential vulnerabilities and the current controls. The third step of risk assessment is the identification of vulnerable conditions in the IT system.
The examination of threats to an IT system must be accompanied by an assessment of the vulnerabilities in the system's environment. The objective of this step is to produce a list of vulnerabilities that could affect the IT system. The next step is control analysis, which assesses the control measures currently in place, as well as those planned for the near future, that minimize and ultimately prevent the damage that could be incurred should a disaster occur (NIST, 2001).
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment (step 5 below), the implementation of current or planned controls must be considered. For example, a vulnerability (e.g., a system or procedural weakness) is not likely to be exercised, or the likelihood is low, if there is a low level of threat-source interest or capability, or if there are effective security controls that can eliminate, or reduce the magnitude of, harm.
The fifth step of risk assessment is the determination of the likelihood that a weakness of the IT system will lead to a disaster. This requires identifying the capabilities of the threat-sources as well as the nature of the system's weakness. In addition, the presence of the vulnerability and the effectiveness of the controls against it should be evaluated. The likelihood of a risk occurring to an IT system is generally rated as high, medium or low.
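As an added worked example (not part of the original essay), the following Python sketch carries the assessment steps through for a small constructed threat/vulnerability register: a threat-source with no identified weakness is dropped as not a risk, likelihood is rated from threat-source capability, interest and control effectiveness as described in step 5, and likelihood is combined with impact into a high, medium or low risk level. The numeric weights and thresholds are an assumption borrowed from the NIST SP 800-30 risk-level matrix; the page itself only names the three-grade scale.

```python
from dataclasses import dataclass

# Weights and thresholds are an assumption borrowed from the NIST SP 800-30
# risk-level matrix; the essay above only names the high/medium/low scale.
LIKELIHOOD_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT_WEIGHT = {"high": 100, "medium": 50, "low": 10}

@dataclass
class ThreatVulnerabilityPair:
    """One row of a constructed risk register (output of steps 1 to 4)."""
    asset: str
    threat_source: str
    vulnerability: str            # "" when no weakness was identified for this source
    source_capability: str        # high / medium / low
    source_motivation: str        # high / medium / low (threat-source interest)
    control_effective: bool       # step 4: a current or planned control blocks it
    impact: str                   # high / medium / low, effect on the mission

def rate_likelihood(pair: ThreatVulnerabilityPair) -> str:
    """Step 5: likelihood from threat-source interest, capability and controls."""
    if pair.control_effective:
        return "low"  # an effective control eliminates or reduces the harm
    if "low" in (pair.source_capability, pair.source_motivation):
        return "low"  # low threat-source interest or capability
    if pair.source_capability == "high" and pair.source_motivation == "high":
        return "high"
    return "medium"

def rate_risk(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into the high/medium/low risk level."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    return "high" if score > 50 else "medium" if score > 10 else "low"

def assess(register: list) -> dict:
    """Map asset -> risk level; a threat-source with no weakness is not a risk."""
    levels = {}
    for pair in register:
        if not pair.vulnerability:
            levels[pair.asset] = "no risk"
        else:
            levels[pair.asset] = rate_risk(rate_likelihood(pair), pair.impact)
    return levels

# Constructed sample register for illustration, not real findings.
SAMPLE_REGISTER = [
    ThreatVulnerabilityPair("payroll database", "external attacker", "unpatched DBMS", "high", "high", False, "high"),
    ThreatVulnerabilityPair("file server", "insider", "shared admin account", "medium", "medium", False, "medium"),
    ThreatVulnerabilityPair("web portal", "external attacker", "weak TLS settings", "high", "high", True, "high"),
    ThreatVulnerabilityPair("mail gateway", "external attacker", "", "high", "high", False, "medium"),
]
```

Running `assess(SAMPLE_REGISTER)` rates the payroll database high, the file server medium, the web portal low (its effective control pulls likelihood down) and the mail gateway as no risk.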
References
Chadbourne BC and Sanders A (1999): To the heart of risk management: Teaching project teams to combat risk. In: Proceedings of the 30th Annual Project Management Institute 1999 Seminars & Symposium, Philadelphia, PA, October 10-16, 1999.
National Institute of Standards and Technology (1995): An introduction to computer security: The NIST handbook. NIST Special Publication 800-12.
National Institute of Standards and Technology (1996): Generally accepted principles and practices for securing information technology systems. NIST Special Publication 800-14.
National Institute of Standards and Technology (1998): Guide for developing security plans for information technology systems. NIST Special Publication 800-18.
National Institute of Standards and Technology (2001): Security self-assessment guide for information technology systems. NIST Special Publication 800-26.
SmartWorks (2008): Managing risks in your project: A practitioner's approach. SmartWorks. Downloaded from http://www.smartworks.us/htm/managerisks.htm on January 5, 2008.