This is part 2 of our 5-part series on application-based risk management. In part 1, we learned how to prepare a detailed listing of all applications as preparation for setting the scope of the risk assessment. Here, we will discuss the next step which is prioritizing applications in order to focus risk assessment and mitigation efforts on the critical issues.
Prioritize applications
Multiple stakeholders commonly carry out IT risk assessment, involving many objects—applications, processes, technologies, services—and a variety of risks to be assessed. Thus, a clear focus should be set on only the relevant objects. This should be done in two phases. First, identify the most risk-relevant applications—those which are most important to protect—and make them a priority. These will be applications that support business-critical capabilities or are subject to compliance regulations. Second, perform a detailed risk and mitigation survey. The survey is to fine-tune the reasoning for an application being risk-relevant. Using workflows, calculation routines and reporting tools can automate this process and follow-up analyses, thus making it less costly in terms of labor. The answers, for example, “major breach of law” for regulatory risk, can then be mapped to metrics reflecting the type of violation, such as confidentiality, integrity, or availability. These metrics are then added up to provide a risk-relevance score for the application.
Roles:
- IT Compliance Manager, CISO
Activities:
-
Define questions and mappings to metrics
-
Survey application owners
-
Decide on prioritization
Deliverables:
- List of applications for risk assessment
Best-practice recommendations:
-
Be pragmatic—pursue a qualitative approach directed at relevant stakeholders
-
Use only a compact set of questions with simple answers
-
Map the answers to numeric values for easier analysis
Here is a sample survey of questions to ask for each application:
1. Data and Content | What is the classification of the data and content according to the predefined classification scheme? |
|
2. Regulatory | To what extent are laws, regulations, norms or similar applicable? What are the consequences of non-observance? |
|
3. Contractual Relevance | Are there applicable contractual obligations with customers, suppliers or partners that may result in penalty payments? |
|
4. Downtime | How long can the service be down without major impact? |
|
5. Financial Implications | What is the maximum total damage for the unit under the assumption of a worst-case scenario (including penalty payments, opportunity costs and indemnities?) |
|
Figure 1: Here we see a metrics scheme that gives a specific value to each answer depending on which type of protection requirement it would need.
Stay tuned for our next episode on assessing the risks to applications to be able to suggest and evaluate possible mitigations.