Effective Risk Management with Alfabet – Part 2

This is part 2 of our 5-part series on application-based risk management. In part 1, we learned how to prepare a detailed inventory of all applications as the basis for setting the scope of the risk assessment. Here, we discuss the next step: prioritizing applications so that risk assessment and mitigation efforts are focused on the critical issues.

Prioritize applications

IT risk assessment is commonly carried out by multiple stakeholders and involves many objects (applications, processes, technologies, services) and a variety of risks to be assessed. A clear focus should therefore be set on the relevant objects only. This is best done in two phases. First, identify the most risk-relevant applications, those which are most important to protect, and make them a priority. These are typically the applications that support business-critical capabilities or are subject to compliance regulations. Second, perform a detailed risk and mitigation survey for those applications; the survey fine-tunes the reasoning for why an application is risk-relevant. Workflows, calculation routines and reporting tools can automate this process and the follow-up analyses, making it far less labor-intensive. Each answer, for example "major breach of law" for regulatory risk, is mapped to metrics reflecting the type of protection requirement it affects (confidentiality, integrity or availability). These metrics are then added up to give a risk-relevance score for the application, which is the basis for the prioritization decision.

Roles:

  • IT Compliance Manager, CISO

Activities:

  • Define questions and mappings to metrics

  • Survey application owners

  • Decide on prioritization

Deliverables:

  • List of applications for risk assessment

Best-practice recommendations:

  • Be pragmatic—pursue a qualitative approach directed at relevant stakeholders

  • Use only a compact set of questions with simple answers

  • Map the answers to numeric values for easier analysis

Here is a sample survey of questions to ask for each application:

1. Data and Content: What is the classification of the data and content according to the predefined classification scheme?
  • public
  • internal
  • confidential
  • private confidential
  • strictly confidential
  • individual-related-public
2. Regulatory: To what extent are laws, regulations, norms or similar applicable? What are the consequences of non-observance?
  • no relevance
  • misdemeanor
  • minor offense
  • penalty
  • major breach of law
3. Contractual Relevance: Are there applicable contractual obligations with customers, suppliers or partners that may result in penalty payments?
  • none
  • up to 10% of contract volume
  • up to 30% of contract volume
  • up to 50% of contract volume
  • in excess of 50% of contract volume
4. Downtime: How long can the service be down without major impact?
  • no availability requirements
  • less than 1 week
  • less than 1 day
  • less than 4 hours
  • less than 1 hour
5. Financial Implications: What is the maximum total damage for the unit under a worst-case scenario (including penalty payments, opportunity costs and indemnities)?
  • not relevant
  • less than €500,000
  • less than €2.5 million
  • less than €10 million
  • more than €10 million
  • unknown

Figure 1: A metrics scheme that assigns a specific value to each answer depending on the type of protection requirement (confidentiality, integrity or availability) it affects.
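The scoring described above, as an added example in Python that is not part of the original post and not Alfabet code: the questions and answer options are the ones listed in the survey, while the points each answer contributes to confidentiality, integrity and availability are assumed values standing in for Figure 1, and the three applications and their answers are constructed. It also makes explicit two details a real survey needs: an answer outside the defined options is rejected rather than silently scored, and an application that answered "unknown" to the financial question is flagged for follow-up and kept on the list instead of being scored as zero.

```python
# Risk-relevance scoring for the application survey above.
# Added illustration, not Alfabet code. Question and answer texts are the
# post's; the (C, I, A) points per answer are ASSUMED (Figure 1 is not in the text).
from __future__ import annotations
from dataclasses import dataclass, field

# question -> answer -> (confidentiality, integrity, availability) points
METRICS: dict[str, dict[str, tuple[int, int, int]]] = {
    "data_classification": {
        "public": (0, 0, 0),
        "internal": (1, 1, 0),
        "confidential": (2, 1, 0),
        "private confidential": (3, 2, 0),
        "strictly confidential": (4, 2, 0),
        "individual-related-public": (2, 2, 0),
    },
    "regulatory": {
        "no relevance": (0, 0, 0),
        "misdemeanor": (1, 1, 0),
        "minor offense": (2, 2, 1),
        "penalty": (3, 3, 1),
        "major breach of law": (4, 4, 2),
    },
    "contractual": {
        "none": (0, 0, 0),
        "up to 10% of contract volume": (0, 1, 1),
        "up to 30% of contract volume": (1, 2, 2),
        "up to 50% of contract volume": (1, 3, 3),
        "in excess of 50% of contract volume": (2, 4, 4),
    },
    "downtime": {
        "no availability requirements": (0, 0, 0),
        "less than 1 week": (0, 0, 1),
        "less than 1 day": (0, 0, 2),
        "less than 4 hours": (0, 0, 3),
        "less than 1 hour": (0, 0, 4),
    },
    "financial": {
        "not relevant": (0, 0, 0),
        "less than €500,000": (1, 1, 1),
        "less than €2.5 million": (2, 2, 2),
        "less than €10 million": (3, 3, 3),
        "more than €10 million": (4, 4, 4),
        # "unknown" is deliberately absent: it is flagged, not scored as 0.
    },
}

@dataclass
class Score:
    application: str
    confidentiality: int = 0
    integrity: int = 0
    availability: int = 0
    open_items: list[str] = field(default_factory=list)  # unknown or unanswered

    @property
    def total(self) -> int:
        return self.confidentiality + self.integrity + self.availability

def score_application(name: str, answers: dict[str, str]) -> Score:
    """Map one application's survey answers to C/I/A points and add them up."""
    score = Score(name)
    for question, options in METRICS.items():
        answer = answers.get(question)
        if answer is None or answer == "unknown":
            score.open_items.append(question)  # needs a follow-up, not a 0
            continue
        if answer not in options:  # reject typos/free text instead of guessing
            raise ValueError(f"{name}: {question!r} has no option {answer!r}")
        c, i, a = options[answer]
        score.confidentiality += c
        score.integrity += i
        score.availability += a
    return score

def prioritize(survey: dict[str, dict[str, str]], threshold: int) -> list[Score]:
    """Rank by total score, highest first, keeping applications at or above the
    threshold. Applications with open items are kept regardless of their
    provisional score: they must not drop off the list on incomplete data."""
    scored = sorted((score_application(n, a) for n, a in survey.items()),
                    key=lambda s: s.total, reverse=True)
    return [s for s in scored if s.total >= threshold or s.open_items]

# Constructed sample answers for three fictional applications.
SAMPLE_SURVEY = {
    "Payroll": {"data_classification": "strictly confidential",
                "regulatory": "major breach of law", "contractual": "none",
                "downtime": "less than 1 day", "financial": "less than €2.5 million"},
    "Intranet news": {"data_classification": "internal", "regulatory": "no relevance",
                      "contractual": "none", "downtime": "less than 1 week",
                      "financial": "not relevant"},
    "Partner portal": {"data_classification": "confidential", "regulatory": "penalty",
                       "contractual": "up to 30% of contract volume",
                       "downtime": "less than 4 hours", "financial": "unknown"},
}

if __name__ == "__main__":
    for s in prioritize(SAMPLE_SURVEY, threshold=12):
        print(s.application, s.confidentiality, s.integrity, s.availability, s.total, s.open_items)
```

Keeping the three protection-goal subtotals next to the total is the point of mapping answers to C/I/A metrics rather than to a single number: it shows which requirement drives an application's ranking, which is exactly what the detailed risk and mitigation survey in the second phase needs to know. The threshold is a policy choice for the IT Compliance Manager and CISO; the sample applications score 24, 18 and 3 with the assumed weights.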

Stay tuned for part 3, which covers assessing the risks to applications so that possible mitigations can be suggested and evaluated.