Dr. Erdal Ozkaya

Risk Management – Great Start Guide (101)

Erdal, 2021-09-01

Risk Management

Table of Contents

  • Risk Management
    • Identification
    • Risk analysis
    • Risk assessment
    • Risk mitigation
    • Risk monitoring

Risk management in IT involves the identification, organization, and management of risks to an organization. It is normally done in a way that balances the cost of the security solutions used to protect the organization against the benefit they bring. In simpler terms, risk management lets the organization spend more on the prevalent or more threatening risks and little on the insignificant ones.

Risks are an integral part of any organization, and there will always be some cyber security risk facing an organization at any given time. It is therefore important that all the risks to its IT infrastructure and data are identified and managed. IT risk management should cover a wide scope, since risks can arise from many causes: human error, natural calamities, cyber attackers, and hardware failure are all potential sources. Risk management is often described as a five-step process.

Identification

This is the first step in the risk management cycle. At this point, an organization focuses on uncovering the risks it faces and gathering detailed information about them. As said before, risks can emanate from many different things, so the responsible persons need to be open-minded when looking for them. Financial uncertainties, changing regulations, management issues, accidents, and disasters can all be sources of risk. Risks also change over time, so risk identification should be repeated regularly. To ensure that most of the risks faced are uncovered, the following are some of the strategies that can be used:

  • Interviews – interviewing different personnel in the organization could help uncover many potential risks. For instance, an interview with the guards could help uncover the risks to physical security controls. An interview with a normal user could help discover risks associated with system accounts and also the hardware they use. Interviews will yield a wide variety of risks that will be obtained from the users of organizational assets that are protected or from the personnel in charge of enforcing some security controls.
  • Checklists – there are some common risks that may have been identified over a long period of time in previous risk identification exercises. Since they are already known, the team identifying risks should just go through them as a checklist. However, this method is limited to organizations that already keep a list of common risks. Additionally, this method cannot uncover new risks.
  • Assumptions – a risk can be recorded on the strength of supporting facts that can reasonably be taken as true even without direct proof. For instance, in a system that enforces no password requirements, users can be assumed to be creating weak passwords. The absence of the requirement is assumed to lead to weak passwords even though the actual user passwords are not known.

Risk analysis

Once the risks have been identified, there needs to be a process for determining their probability of occurrence as well as their impact. As highlighted earlier, risk management helps the organization spend more resources on the significant risks while spending little on those that can hardly happen. Risk analysis is key to ensuring that the nature of a risk and its consequences for the organization are known.

The information obtained at this step is important to the whole process and can determine the success or failure of the risk management exercise. Risk analysis is done through qualitative or quantitative analysis. Either way, a risk is analyzed in terms of its impact on the organization across several metrics, such as the schedule, budget, and resources it would consume.

Risk assessment

This is an in-depth evaluation of each risk. This step combines the probability of the risk occurring with its consequences and, from that, decides whether the risk is acceptable or not. Under this filtering of risks, acceptable risks are simply assigned a low priority, since the organization is prepared to carry them because they cannot do much damage. They tend to have both a low impact and a low probability of happening.

Risk mitigation

In this step, the unacceptable risks are mitigated. The organization develops ways to address these risks so that they do not occur, and so that if they do occur they have minimal impact on the organization. Risk mitigation therefore includes prevention tactics as well as contingency plans. Prevention tactics stop the risk from occurring; when the risk does occur anyway, the contingency plans handle the rest.

Risk monitoring

Risk mitigation is not the end of risk management. Risks change priorities with changes in their severity of impact or possibility of occurrence. Therefore, they should be followed up continuously. Risk monitoring includes the periodic review and updating of the risks. Alongside this, new risks are discovered as well.

There are four approaches that the organization can take to a risk. These are:

  • Risk avoidance – the organization focuses on completely eliminating the risk, for example by not carrying out the activity that gives rise to it.
  • Risk reduction – this approach aims to reduce the likelihood of a risk or the severity of its impact once it occurs.
  • Risk sharing – the organization distributes the consequences of a risk to other parties, such as vendors or insurers.
  • Risk retention – organizations can take this approach if other business goals have a higher priority. Instead of addressing the risk, the organization simply retains it at a known level, provided the resources saved can be put to more profitable use.
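The analysis, assessment and treatment steps described above can be run over a small risk register in code. The following is an added example, not code from the original post; it assumes a 5×5 likelihood/impact scale, an acceptance rule (score of 6 or less and impact of 3 or less) and a score-to-treatment heuristic, none of which the post specifies, and the register entries are constructed sample data rather than real findings.

```python
"""Scoring, ranking and treatment of a small risk register.

Added example, not code from the original post. It assumes a 5x5
likelihood/impact scale, an acceptance rule (score <= 6 and impact <= 3)
and a score-to-treatment heuristic; none of these are specified on the page.
The register entries are constructed sample data.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)          # 1 = very low .. 5 = very high (assumed scale)
ACCEPT_SCORE = 6             # assumed acceptance threshold on likelihood * impact
ACCEPT_IMPACT = 3            # acceptable risks must also have low or medium impact


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # probability of occurrence, 1..5
    impact: int       # consequence to the organization, 1..5
    source: str       # how it was identified: interview, checklist or assumption

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name!r}: likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        """Qualitative risk score: likelihood x impact, 1..25."""
        return self.likelihood * self.impact


def band(risk: Risk) -> str:
    """Coarse severity band used to set priority (assumed cut-offs)."""
    if risk.score >= 15:
        return "high"
    if risk.score >= 7:
        return "medium"
    return "low"


def is_acceptable(risk: Risk) -> bool:
    """Acceptable = low score *and* low impact, as the post describes."""
    return risk.score <= ACCEPT_SCORE and risk.impact <= ACCEPT_IMPACT


def suggest_treatment(risk: Risk) -> str:
    """Map a risk to one of the four approaches: avoid / reduce / share / retain.

    Heuristic assumed for the example: high likelihood and high impact -> avoid;
    high impact but lower likelihood -> share (insurance, vendor contracts);
    anything else that is not acceptable -> reduce.
    """
    if is_acceptable(risk):
        return "retain"
    high_likelihood = risk.likelihood >= 4
    high_impact = risk.impact >= 4
    if high_likelihood and high_impact:
        return "avoid"
    if high_impact:
        return "share"
    return "reduce"


def prioritise(register):
    """Highest score first; ties broken by impact, then name, for stable output."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.name))


def summarise(register):
    """One row per risk, in priority order: (name, score, band, treatment)."""
    return [(r.name, r.score, band(r), suggest_treatment(r)) for r in prioritise(register)]


def rescore(risk: Risk, likelihood=None, impact=None) -> Risk:
    """Monitoring step: re-rate a risk when its likelihood or impact changes."""
    return replace(risk,
                   likelihood=risk.likelihood if likelihood is None else likelihood,
                   impact=risk.impact if impact is None else impact)


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("Unsupported legacy server exposed to the internet", 4, 5, "interview"),
    Risk("Weak user passwords (no complexity requirement)", 5, 3, "assumption"),
    Risk("Backup media failure during restore", 2, 5, "checklist"),
    Risk("Tailgating through the staff entrance", 3, 3, "interview"),
    Risk("Datacentre flood", 1, 5, "checklist"),
    Risk("Branch office printer outage", 2, 2, "checklist"),
]

if __name__ == "__main__":
    for name, score, severity, treatment in summarise(SAMPLE_REGISTER):
        print(f"{score:>2} {severity:<6} {treatment:<6} {name}")
```

Running the block prints the register in priority order with a severity band and a suggested approach for each entry. The `rescore` helper is the monitoring step: after a control is deployed (for example a password policy that cuts the likelihood of weak passwords from 5 to 2), the risk is re-rated and drops into the acceptable band, which is exactly the kind of priority change the monitoring section says must be tracked. The `source` field records which identification strategy surfaced the risk, so the register can show how much of it came from interviews, checklists or assumptions.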

ISO and risk management related blog posts: https://www.erdalozkaya.com/category/iso-20000-2700x/

Related session: Digital Trust and Risk Management by Erdal Ozkaya

Dr. Erdal Ozkaya © Copyright 2023. All Rights Reserved.