Questioning the Need for Separate IT Risk Management Frameworks

Nicolas Racz¹, Edgar Weippl¹, Andreas Seufert²
¹ Institut für Softwaretechnik und Interaktive Systeme, TU Wien, Favoritenstr. 9-11/188, 1040 Wien, Austria
² Institut für Business Intelligence, Steinbeis Hochschule Berlin
{racz, eweippl}@ifs.tuwien.ac.at; [email protected]

Abstract: The growing importance of enterprise risk management and the resulting integration efforts put the need for separate IT risk management frameworks in question. In this research we analyse common and distinct elements of the COSO enterprise risk management and ISACA Risk IT frameworks. The analysis affirms the hypothesis that separate IT risk management frameworks are redundant.

1 Motivation

The alignment of IT with business objectives is an important part of contemporary IT management. Ever since the creation of the terms "enterprise risk management" (ERM) and "governance, risk, and compliance" (GRC), the search for integration possibilities within these disciplines has been ongoing. However, as of today different frameworks are used for the management of business risks and IT risks. The emergence of horizontal integration (across disciplines and across departments) and vertical integration (across the organisational hierarchy and across process levels) has helped to realise that formerly separate approaches are often redundant [Mi07], which leads the authors to establish the hypothesis that a separate management of IT risks might not be justified.

2 Status quo in research and practice

A quick scan of the ACM, SpringerLink and Emerald Insight databases shows that in research, as of today, enterprise risk management and IT risk management (IT-RM) have hardly ever crossed paths. Foley uses ERM processes to manage security risks [Fo09]. In their high-level process model for IT GRC management, Racz et al. [RWS10] use COSO ERM [CO04] as the risk management standard, assuming that the selection of a framework that does not focus on IT would facilitate integration with non-IT GRC in future research.

In practice enterprise risk management and IT risk management are also treated as separate topics. With ISO 31000:2009 [ISO09] (superseding AS/NZS 4360:2004 [AS04]) and ISO/IEC 27005:2008 [ISO08] the International Organization for Standardization treats ERM and information security risk management (including IT-RM) in two distinct standards. ISO 31000 does not even reference ISO/IEC 27005. The alignment of IT with business in practice is mainly done through the IT governance and management frameworks COBIT (Control Objectives for Information and related Technology [ITG07]) and ITIL (IT Infrastructure Library [OGC07]). These frameworks suggest enabling alignment by deriving IT goals from business goals. We can conclude that while the connection of IT risks with business objectives is enforced at present, the merger of IT-RM with ERM on a process level is hardly looked at.

The frame of reference for research of integrated GRC [Ra10] recommends identifying integration possibilities on the strategic, process, organisational and technology level. Strategically, through the alignment of IT goals with business goals, the integration is already ongoing. We suggest taking the next step and reviewing potential synergies of ERM and IT-RM on the process level. Following the claim of ERM to cover all risks of an enterprise, IT-RM should either be completely covered by ERM and therefore be redundant, or it might enhance the broader ERM through detailed consideration of IT specifics in the risk management process.

3 Methodology

As a first step in evaluating our hypothesis we decided to carry out an exemplary comparison of an ERM framework with an IT-RM framework. Of course a comparison of two frameworks is not representative, but we selected widely used frameworks (see below) that therefore suffice to provide a first indication of the hypothesis' validity. The results should then be discussed with other experts at the Informatik 2010 GRC workshop before taking further action.

The methodology applied consists of four steps. First, we selected a framework for ERM and one for IT-RM. Second, the frameworks' commonalities were identified. Third, we analysed the references of the ERM framework to IT risk and vice versa. Finally we discussed and summed up the results.

In the selection process for an ERM framework we considered ISO 31000:2009 and COSO ERM, two well-known standards for ERM. Their process models are very similar. On a high level they only differ in their wording. "Establishing the context" in the ISO standard corresponds to the "internal environment" of COSO ERM, "risk evaluation" and "risk treatment" equal "risk response" and "control activities", etc. Eventually we opted for COSO ERM, as it is the successor of the widely implemented COSO framework for internal control [CO92], a de-facto standard explicitly acknowledged in the US Public Company Accounting Oversight Board Auditing Standard No. 5 for financial reporting [PCA07]. The standard is referenced in the Sarbanes-Oxley Act of 2002, which of all regulations passed in the new millennium probably has the strongest impact on risk management and internal control systems.

For IT risk management we chose the ISACA Risk IT Framework because it complements COBIT, which is arguably the most appropriate control and governance framework used by many organisations world-wide to ensure alignment of IT and business goals [RYC04]. The framework's importance is expected to grow since the new COBIT version 5, which is currently in development, plans to consolidate and integrate the Risk IT framework [ISA10]. ISO/IEC 27005:2008 was also considered. As it includes all aspects of information security (including non-IT aspects), its scope surpasses the ISACA framework, which is limited to information technology. In our opinion Risk IT is more detailed, and it draws out the specifics of IT-RM more clearly.

The identification of the frameworks' commonalities in the second phase of our research was done through a mapping of the described processes of ISACA Risk IT to those of COSO ERM. The documentation of COSO ERM proved to be a hurdle. On the highest level the framework consists of seven processes and the "internal environment" component. Unfortunately the processes are not broken down. Instead COSO just names the basic sub-components, such as "risk tolerance" or "inherent and residual risk". In order to map the processes of ISACA Risk IT, we had to go through the complete description of the COSO components to find out whether the same processes were included.

The qualitative analysis of references from ERM to IT-RM and vice versa in the third research step was followed by a descriptive discussion and summary of the insights gained in the research process.

4 Results and discussion

4.1 Mapping of ISACA Risk IT to COSO ERM

Our comparison of risk management frameworks is based on the assumption that "risk" in ERM has the same characteristics as "risk" in IT-RM. In COSO ERM, risk is "the possibility that an event will occur and adversely affect the achievement of objectives; events with a potentially positive impact may offset negative impacts or they may represent opportunities" [CO04]. Throughout the framework "risk" then also refers to upside risk (opportunities). According to ISACA Risk IT, IT risk is "a component of the overall risk universe of the enterprise [...]. IT risk is business risk [...]. It consists of IT-related events and conditions that could potentially impact the business" [ISA09]. The two frameworks consequently share a common understanding of the term "risk".

ISACA Risk IT consists of the three processes risk governance, risk evaluation, and risk response on level one, with three sub-processes each on level two. Level three comprises 43 processes. COSO ERM on the other hand describes 8 high-level processes with 41 sub-components. While the ERM framework is more profound on the internal environment component and on risk aggregation, Risk IT is more specific when it comes to IT-specific and communication processes. Still, all but seven of the IT-RM processes can easily be mapped to COSO components (see appendix A).

Two of the exceptions deal with ERM integration: "RG2.2: Co-ordinate IT risk strategy and business risk strategy", and "RG2.3: Adapt IT risk practices to enterprise risk practices". They treat the alignment of IT and business risks on a strategic and on a process level; we will analyse them later on in the section about ERM references in the IT-RM framework. Three other processes that could not be mapped belong to the process group "RG3: Make risk-aware business decisions": "RG3.1: Gain management buy-in for the IT risk analysis approach", "RG3.2: Approve IT risk analysis", and "RG3.5: Prioritise IT risk response activities". Management buy-in for risk analysis approaches and their approval is not explicitly mentioned in COSO ERM, but it could seamlessly be integrated with the "internal environment" component. Prioritisation of response activities is probably so self-evident that COSO ERM does not highlight it; in COSO the prioritisation could be part of risk response. Furthermore the processes "RE2.4: Perform a peer review of IT risk analysis" and "RE3.3: Understand IT capabilities" do not exist in COSO ERM. Peer reviews are a control mechanism that can be seamlessly included in the ERM process. Understanding IT capabilities is an extremely general "process" that is a prerequisite for any kind of IT activity, and therefore suitable to be added to the "internal environment" component of COSO ERM. As we can see, drawing from the standards IT risks may be treated like any other risk, as the IT-RM framework is completely absorbed in COSO ERM, apart from the ERM integration specifics (RG2.2, RG2.3) analysed below.

The ISACA framework does not explain why an IT-specific risk management framework in the hierarchical relationship to ERM would be necessary. It even disposes of the