The
Typically, different vulnerabilities and threats will exist within different areas, all contributing to the risks under review. Where appropriate, the assessment of current mitigation may be undertaken by different business areas. For example, mitigating risks associated with access controls is in fact a shared responsibility between IT, business managers and human resources. The risk cannot be isolated and mitigated simply by introducing new software. A process, agreed to by all parties, must be developed and adhered to in order to ensure
Identify the processes that are currently being used to mitigate the vulnerability or threat. Mitigation categories refer to types of controls. The most common controls are:
Policy
Process
Management Practice
Guideline
Standard Operating Procedures (SOPs)
Other types include:
Technical Standard
Contract
Organization/Council
Training
Regulation
Software Tools
The assessment of current controls should review four key areas:
Are there controls in place for this vulnerability or threat? (i.e., do they exist?)
Are these controls properly implemented? (i.e., Are they implemented everywhere they are required? Are they implemented consistently?)
Are the controls effective in managing the vulnerability or threat? Have the controls been effective in the past at addressing similar potential risks? Have the potential risks been realized (i.e., have the risks previously matured) in the past?
Are there safeguards or
Based on the effectiveness of existing controls and in light of the detailed review of vulnerabilities and threats, make recommendations on what else can be done to mitigate vulnerabilities and threats. Additional controls, new processes and/or new technology may be necessary. Obviously, the final recommendations incorporated into the risk mitigation plan should present the options judged to offer the best value-added return on investment for the resources required and hence deliver the greatest impact to the business.
Once recommendations have been made for all risks, validate that they:
are consistent and will address the risks
will be acceptable to those, across all business areas, who will work with them on a day-to-day basis
do not contradict existing controls or cause negative effects outside the scope
are justified in terms of the anticipated costs, potential risk and the anticipated reward
Measuring compliance is critical to the overall success of the entire risk management process. Determine if the risk management methods are actually having a positive impact and be able to measure the extent to which the mitigation controls are in fact being used. Clearly, compliance measurement is somewhat onerous; however, successful
Scope of compliance measurement, that is, who will be measured, where and when measurements are to be taken and possibly by whom.
How to perform data capture, for example, self-assessment questionnaires, Web-based tools, interviews, audit results, and metrics returned from execution of routine processes. (Do not underestimate the time required to capture data.)
How to solicit responses, for example, how to ensure responses are made to questionnaires, how to ensure data are returned as
Methods to
Methods to measure responses, that is, determine how to use the data to measure compliance.
Follow-up actions that may be required.
Other information may need to be gathered in this initial planning task, including:
inventory of what is currently under control, and
the conflict resolution process and escalation process.
Risk management is an important corporate business process and sound management practice. Using IT risk management practices is critical to business success in the e-business age. Using a risk management framework to assess IT risks enables companies to make logical decisions about risk and helps to determine where to use resources to mitigate risks. Finally, and most importantly, using a process like the one described in this chapter does work. The key is to use the process consistently and make it part of the corporate culture.