Risk Management – Great Start Guide (101)

Risk management
18Sep
By ISO 20000/2700x 0 Comments

Risk Management

Risk management in IT involves the identification, organization, and management of risks in an organization. It is normally done in a way that balances the costs associated with using security solutions to protect the organization and the benefits that they bring. In simpler terms, risk management allows the organization to spend more on the prevalent or more threatening risks and spend little on the insignificant risks.

Risks are an integral part of any organization. There will always be a cyber security risk facing an organization at any given time. Therefore, it is of importance to the organization that all the risks to its IT infrastructure and data are identified and managed. IT risk management should cover a wide scope since risks can arise from many causes. Human error, natural calamities, cyber attackers, and hardware failure are all potential causes of these risks. Risk management is often described as a 5-step process in the organization.

Identification

This is the first step in the risk management cycle. At this point, an organization will focus on uncovering and getting detailed information about the risks that it faces. As said before, risks can emanate from different things thus the responsible persons need to be open-minded when looking for risks. Financial uncertainties, changing regulations, management issues, accidents, and disasters can all be sources of risks. Risks also keep on changing periodically thus risk management should be repeated often. To ensure that most of the risks faced are uncovered, the following are some of the strategies could be used:

  • Interviews – interviewing different personnel in the organization could help uncover many potential risks. For instance, an interview with the guards could help uncover the risks to physical security controls. An interview with a normal user could help discover risks associated with system accounts and also the hardware they use. Interviews will yield a wide variety of risks that will be obtained from the users of organizational assets that are protected or from the personnel in charge of enforcing some security controls.
  • Checklists – there are some common risks that may have been identified over a long period of time in previous risk identification exercises. Since they are already known, the team identifying risks should just go through them as a checklist. However, this method is limited to organizations that already keep a list of common risks. Additionally, this method cannot uncover new risks.
  • Assumptions – assumptions about security risks can be made when there are supporting facts that can be considered true even without proof. For instance, users could be assumed to be creating weak passwords in a system that has no password requirements. The absence of the password requirement can be assumed to lead to the creation of weak passwords even if the user passwords are not known.

Risk analysis

Once the risks have been identified, there needs to be a process of determining the probability of occurrence as well as the impacts. As highlighted earlier, risk management helps the organization spend more resources on the significant risks while spending little on those risks that can hardly happen. Risk analysis is key in ensuring that the nature of a risk and its consequences to the organization are known.

The information obtained at this step is important to the whole process and might determine the success or failure of the risk management exercise. Risk analysis is done through qualitative or quantitative risk analysis. In either way, a risk is analyzed in terms of its impact to the organization across several metrics such as schedule, budget, and resources it takes.

Risk assessment

This is an in-depth evaluation of a risk. This step looks at the probability of the risk occurring and its consequences. From this, it is able to decide whether the risk is acceptable or not. According to this sort of filtration of risks, acceptable risks are just assigned low priority since the organization is ready to take them as they cannot do much damage. They tend to have low impacts and low probability of happening.

Risk mitigation

In this step, the unacceptable risks are mitigated. The organization develops ways to address these risks to ensure that they do not occur and if they occur they have minimal impact on the organization. Therefore, risk mitigation will include the prevention tactics as well as contingency plans. Prevention tactics will curtail the risk from occurring. When the risk does occur, the contingency plans will handle the rest.

Risk monitoring

Risk mitigation is not the end of risk management. Risks change priorities with changes in their severity of impact or possibility of occurrence. Therefore, they should be followed up continuously. Risk monitoring includes the periodic review and updating of the risks. Alongside this, new risks are discovered as well.

There are four approaches that the organization can take on risks. These are:

  • Risk avoidance – this is where an organization is focused on the complete elimination of the risk
  • Risk reduction – this approach aims to reduce the severity of the impacts that a risk can have once it occurs
  • Risk sharing – this is a clever approach whereby the organization distributes the consequences of a risk to other parties such as vendors.
  • Risk retaining – organizations can take this approach if they have other business goals that have more priority. Therefore, instead of addressing the risk, the organization can simply retain it at a certain level provided that the resources saved in doing so might lead to more profitable investments.

ISO and Risk Management related blog posts :

https://www.erdalozkaya.com/category/iso-20000-2700x/

To watch Risk management related session:

For more you can check the IDC web site as well 

Digital Trust and Risk Management by Erdal Ozkaya
Risk Management

Share this post

Author

Named among Top 50 Technology Leaders 2021 by CIO Online & IDC, working with an ardent passion for raising cyber awareness and leveraging new & innovative approaches. He is committed to the delivery of accurate, accessible resources to inform individuals and organizations of cybersecurity and privacy matters in the internet age. Dr Erdal is a collaborative team leader with the key areas of his expertise spanning end-to-end IT solutions, management, communications, and innovation. In addition, he is a well-known public speaker, an award-winning technical expert, a book author, and writer of certifications (courseware and exams) for prestigious organizations such as Microsoft, EC Council, and other expert-level vendors. Some of his recent awards are: 2021: Best CISO for Banking and Financial Sector CIO Online & IDC : Top 50 Technology Leaders, Security Magazine Top CISO, Tycoon Success Magazine, Most Powerful 10 Middle East Businessman EC Council CEH Hall of Fame 2020: Khaleej Times "CISO Power List" , Cybersecurity Legend by GEC Media Group, "Super Hero CISO", by Enterprise IT Top CISO by Security ME Magazine 2019: CISO Mag " Hall of Fame" and Cybersecurity Influencer of the year , Microsoft Regional Director 2018 : NATO Center of Excellence Award 2017: Microsoft Platinum Club (employee of the year ), Security Professional of the year and more...

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

ISO 27001
20May

Checklist of ISO 27001 Mandatory Documentation

Checklist of ISO 27001 A great documentation by Advisera, which provides you clause by clause Explanation of ISO 27001, which I... read more

ISO 27001
20May

ISO/IEC 27001:2005 Information Technology

Source : IsecT Ltd. ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their... read more

ISO 27001
20Jan

PDCA in ISO27001 – Free guide to learn

PDCA in ISO27001 PDCA in ISO27001 The plan, do, check and act cycle (PDCA) Plan (establishing the ISMS): Establish the policy, the ISMS objectives,... read more

ISO 27001
02Oct

FREE ISO 27001 Toolkit

FREE ISO 27001 Toolkit The FREE ISO27k Toolkit consists of a collection of ISMS-related materials contributed by members of the ISO27k Forum, either individually... read more

ISO 27001
20Aug

ISO 27001 domains – Crush Course

ISO 27001 domains I am teaching for the last 3 years ISO 27001 classes Australia wide, and wanted to put together... read more

Chief Audit Executive Conference Erdal Ozkaya
18Jul

Chief Audit Executive Conference 2019- Free to join

Chief Audit Executive Conference The United Arab Emirates Internal Audit Association (UAE-IAA) is a vibrant organization founded by a dedicated group... read more

Vulnerability Management Strategy
08Jan

Creating a Vulnerability Management Strategy – Free Guide

Creating a Vulnerability Management Strategy Often, an exploitation of a vulnerability might lead to a disaster recovery scenario. Therefore, it is... read more

ISO 27001
16Jun

4 Free ISO Courses you will enjoy learning

4 Free ISO Courses in Advisera ,  ISO 27001:2013 Foundations Course In this online course you’ll learn everything you need to know... read more

28Mar

What is IT Security Policy :0

What is IT Security Policy ? The essence of an IT security policy, is to establish guidelines and standards for accessing... read more

What is OpSec?
03Jun

Importance of Operational Security?

Operational security is often regarded as the convergence point of operational risks and cybersecurity. It is the middle ground between... read more