Monday, July 21, 2008

Seven steps to managing IT Risk

I came across this overview from a Gartner research note recently. It lays out seven recommended steps for managing risk.

  • Implement a framework for risk assessment and mapping.
  • Establish the responsibilities of risk managers with their areas of responsibility.
  • Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.
  • Determine the threat level, and focus on those risks with the highest impact on performance.
  • Establish levels of controls for processes commensurate with the perceived threat.
  • Record and retain risk incident and near-miss information.
  • Conduct periodic risk assessments to determine changes in the operations risk profile and assess control performance.
Great advice. These seven steps are precisely what IT-GRC solutions should help an enterprise accomplish. They provide the construct (think configuration wizard) for establishing and maintaining a quality risk management program. If advancing your risk mitigation/management capabilities is on your company's priority list, or if you've recently been burned, take the time to check out some of our new product demonstration videos. We strive to be transparent about what we offer with our software. That's why our marketing isn't really "marketing"; it's live product in action. Come check it out.


Monday, February 25, 2008

Top 3 conclusions about IT Risk Management we like hearing

I read a nice summary of a recent Symantec 40-page survey on IT Risk Management and felt compelled to share the links and highlights that jump out. Symantec was recently noted as a leader in IT-GRC per this Gartner report.

The summary I read was posted by John Edwards over at ITSecurity.com.

Here are the conclusions that grabbed our eye:
  • Businesses would be far better served if they viewed security as an IT risk management element that can be addressed alongside other critical elements, such as availability, performance and compliance.
  • Technology alone can't mitigate IT risk. While technology plays a critical role in IT risk mitigation, balanced controls and frameworks are also necessary in order to provide complete risk management capabilities.
  • Management should consider implementing a continuous risk assessment process.


Friday, January 4, 2008

2008 - The Year of IT Risk Management?

I've been busy over the holidays enjoying everyone's blogs and articles recapping 2007 and making predictions for 2008. Among other things highlighted in those articles, a common point relates to what Securityworks does around "true" IT Risk Management (what I mean by "true" is that the message is coming from companies who didn't adjust their marketing to be en vogue, e.g., SIEM products or Vulnerability Assessment products).

Before IT Risk Management was "cool", Securityworks has been out there working away on it (for over 4 years now).

One of my favorites that highlights this prediction for 2008 is over at Rational Survivability.

-snip-

Compliance stops being a dirty word & Risk Management moves beyond buzzword
Today we typically see the role of information security described as blocking and tackling; focused on managing threats and vulnerabilities balanced against the need to be "compliant" to some arbitrary set of internal and external policies. In many people's assessment then, compliance equals security. This is an inaccurate and unfortunate misunderstanding.

In 2008, we'll see many of the functions of security -- administrative, policy and operational -- become much more visible and transparent to the business and we'll see a renewed effort placed on compliance within the scope of managing risk because the former is actually a by-product of a well-executed risk management strategy.

We have compliance as an industry today because we manage technology threats and vulnerabilities and don't manage risk. Compliance is actually nothing more than a way of forcing transparency and plugging a gap between the two. For most, it's the best they've got.

What's traditionally preventing the transition from threat/vulnerability management to risk management is the principal focus on technology with a lack of a good risk assessment framework and thus a lack of understanding of business impact.

The availability of mature risk assessment frameworks (OCTAVE, FAIR, etc.) combined with the maturity of IT and governance frameworks (CoBIT, ITIL) and the readiness of the business and IT/Security cultures to accept risk management as a language and action set with which they need to be conversant will yield huge benefits this year.

-snip-

Well said (but then again I'm biased)!


Friday, December 28, 2007

IT Risk Management vs. Information Security survey

I was playing catch-up on blog reading and came across this interesting post by a favorite blogging colleague of mine, Anton Chuvakin, "Review of my 2007 Security Prediction: Too Wimpy."

Prediction #4 about Risk Management led to some very intriguing survey results. Here is a copy of the graphic from those results, which says it all...

A personal point I can add here is that this actually makes some sense to me.

Here at Securityworks we are 100% focused on talking IT Risk Management. When I talk with customers they are usually talking (strategic = risk) vs. (tactical = security). Another thing to realize is that IT risk encompasses more than technical control monitoring/management solutions (that is only 50% of the scope, as discussed in my previous post). IT risk also spans people and processes (e.g., non-technical controls). Since that typically requires getting into process improvement, it is naturally discussed as a strategic initiative due to the time/effort associated with it.

So now, with 2007 ending and 2008 ahead, we should use this opportunity to be more strategic before tactical day-to-day tasks re-consume us. IT-GRC solutions (which is what Gartner, Forrester, etc. are calling these solutions) help you do this! So go ahead, take a look... this is going to be a hot area for 2008 based on what I'm seeing and hearing, for a variety of reasons.


Thursday, December 6, 2007

Is there a "silver bullet" to IT Compliance Management?

by: Ryan Shopp

A few times I've found myself getting confused or having trouble explaining the relationships between policies, standards, controls, audits, etc. when answering questions about IT Compliance & Risk Management. I came across a great two-part thread in my blog reader that helped crystallize things for me. It also enabled me to finally lay out a logical response to a request I hear often: is there a "silver bullet" for my IT compliance program? Here are some of the key points (from that posting) that help me answer that better now.

  • ...numerous standards organizations have issued leading or “best” practices for control design and implementation; however, neither SOX (Sarbanes-Oxley Section 404) nor the PCAOB (Public Company Accounting Oversight Board) recommends a specific set of controls.

  • ...In 2004, (PCAOB) issued a statement that COSO (“Committee of Sponsoring Organizations’ Internal Control—Integrated Framework"), or any other generally accepted control framework could be used. Note: it did not say COSO was the only one.

  • But COSO can pose a problem...COSO doesn’t set out details. As its name implies, it is a framework.

  • Each organization must still go through the difficult process of setting out its own system of internal control to meet its perception of COSO—which, in broad terms, is more of a philosophy than a set of rules.

  • ...To fill the gap between theories and practice in implementing effective general IT controls, managers have turned to other externally developed standards and frameworks, such as the Information Technology Infrastructure Library (ITIL) from OGC, CobiT from ISACA, or the 20000-series of information security standards from the ISO/IEC.

Bottom line: today there is no "silver bullet" for an enterprise. They can't simply flip a switch (or install a software product) and say "we have all the IT controls in place we need to meet x, y or z." It's a process, which must include a starter kit of controls that you then review, massage and even extend based on your unique business and compliance requirements. To solve this "process" you need to automate various portions of the process itself; only then will IT compliance close in on the proverbial "silver bullet."

Special thanks to Xenia Ley Parker's posts on IT Compliance Institute for the informative thread.

Auditor Answer: Can Internal Policies Overrule the "Rules?"
Auditor Answer: What are the "Right" Controls?
