IT is the backbone of digital business. It must be protected against possible risks to ensure smooth operations. Risks are manifold, some arising from external threats (such as viruses, aggressive hackers or data theft) and others from internal sources (such as inappropriate handling of passwords by employees, or poor license and contract management). Such IT security incidents can result in a partial or complete loss of data, the disclosure of sensitive or confidential data, or the manipulation of data. All of this can have a serious impact on the business's ability to perform its tasks.
Due to the increasing pace of business change, risks change as often as IT systems do. IT risk management should not be a one-off project, but a continuous process that targets constantly changing IT risk and business environments, monitors the risks, and adjusts the risk management strategy accordingly.
With effective IT risk management processes in place, IT organizations are able to manage IT's integrity with regard to applications, projects, data, systems, and employees to ensure business continuity. An additional benefit of IT risk management is that it improves operational performance by helping you understand IT operational risk so that mitigation measures can be implemented. Thus, the number of incidents can be lowered, fostering greater business satisfaction. Another reason for wanting to establish a continuous IT risk management process is compliance—the consistent enforcement of and compliance with standards and regulations, such as SOX, Dodd-Frank and data protection laws.
IT risk management comprises the inventorization and prioritization of applications to identify possible risks, the assessment of the risks identified and, of course, their mitigation to reduce the overall threat to the enterprise.
This series will cover Software AG's recommended approach to IT risk management – the steps, roles involved, activities, deliverables, and best-practice recommendations. Finally, we will look at how it is supported by Software AG's Alfabet for enterprise architecture, IT planning and portfolio management.
In this first episode we will look at creating an inventory of the organization's applications in the context of risk management.
The objective of this phase is to prepare a detailed listing of all applications in preparation for setting the scope of the risk assessment. This phase also includes a description of the interdependencies between the business, the applications and the infrastructure, in order to establish a comprehensive inventory that can be re-used for future assessments.
When creating the inventory, it is important to keep the actual need for risk assessment in mind to avoid an unnecessarily large scope. Decide on the reach of the assessment (for example, company-wide, region-wide, organizational or domain-wide) and whether to apply quantitative or qualitative criteria for choosing which applications belong in the inventory for risk assessment. A quantitative assessment calculates different risk factors to understand how these contribute to an overall risk value. A qualitative assessment is more descriptive but, in most cases, sufficient to identify risk areas that need attention.
- IT Compliance Manager, CISO
- Inventorize applications, services, technologies, business capabilities and their relationships to each other
- Define metrics and aggregation rules
- Documented IT scope for risk assessment
- Define ownership and responsibility for the application information
- Define roles for quality control and escalation of issues
- Document roles in the IT inventory for transparency and to anchor governance
- Use workflows and wizards to support automation of inventory management and ensure high quality data
- Integrate to primary sources as available
Figure 1: Use either a quantitative or qualitative approach to decide which applications will be in the scope for the risk assessment.
Figure 2: The ability to see the interdependencies of the architecture elements is critical for business continuity. In this view you see all the devices, applications and business processes that depend on each other. The colors and shades indicate risk of loss (blue) and incidence rate (red), with low indicated by a pale color and high indicated by a deep color. The icons indicate business criticality, with an up arrow indicating high importance and a down arrow indicating low importance.
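To make the quantitative approach from the scoping discussion and the dependency view in Figure 2 concrete, here is an added example (not Alfabet's own logic or data): a constructed inventory of processes, applications and devices with risk of loss, incidence rate, criticality and dependencies, plus an assumed aggregation rule (expected loss = impact × likelihood, propagated up the dependency chain) that decides which elements fall into the assessment scope.

```python
from dataclasses import dataclass, field

@dataclass
class Element:
    kind: str                 # "process", "application" or "device"
    risk_of_loss: float       # impact if the element fails, 0.0 .. 1.0 (blue shade in Figure 2)
    incidence_rate: float     # likelihood of failure, 0.0 .. 1.0 (red shade in Figure 2)
    critical: bool = False    # business criticality (up/down arrow in Figure 2)
    depends_on: list = field(default_factory=list)

# Constructed sample inventory for illustration only; not real customer or Software AG data.
INVENTORY = {
    "Order-to-Cash": Element("process", 0.9, 0.1, True, ["ERP", "CRM"]),
    "ERP": Element("application", 0.8, 0.2, True, ["db-srv-01"]),
    "CRM": Element("application", 0.4, 0.3, False, ["app-srv-02"]),
    "HR Portal": Element("process", 0.3, 0.2, False, ["HRIS"]),
    "HRIS": Element("application", 0.3, 0.5, False, ["app-srv-02"]),
    "db-srv-01": Element("device", 0.7, 0.6),
    "app-srv-02": Element("device", 0.5, 0.2),
}

def transitive_dependencies(inventory, name, seen=None):
    """Every element `name` relies on, directly or indirectly (the Figure 2 chain)."""
    seen = set() if seen is None else seen
    for dep in inventory[name].depends_on:
        if dep not in seen:
            seen.add(dep)
            transitive_dependencies(inventory, dep, seen)
    return seen

def own_risk(element):
    """Assumed quantitative metric: expected loss = impact x likelihood."""
    return element.risk_of_loss * element.incidence_rate

def aggregated_risk(inventory, name):
    """Assumed aggregation rule: an element is no safer than the riskiest
    element it depends on, so a process inherits its weakest device's risk."""
    chain = transitive_dependencies(inventory, name) | {name}
    return max(own_risk(inventory[n]) for n in chain)

def assessment_scope(inventory, threshold):
    """Scope = everything whose aggregated risk reaches the threshold (quantitative)
    plus everything flagged business-critical (a qualitative override)."""
    return sorted(n for n, e in inventory.items()
                  if e.critical or aggregated_risk(inventory, n) >= threshold)
```

Run `assessment_scope(INVENTORY, 0.2)` to see that the shared database server pulls the whole Order-to-Cash chain into scope even though the process itself has a low incidence rate.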
Stay tuned for our next episode on prioritizing applications for risk protection and mitigation.