Recently, a huge number of articles, books and seminars related to IT risk management issue have appeared. Everyone agrees that IT risk management is needed because it brings many benefits to the organization and additionally protects it from potential losses. Most of the available studies focus only on the approach to IT risk management and IT risk analysis, referring to commonly known publications (e.g. ISO 27005: 2018 or NIST SP800-30). I have also encountered situations that the analysis was done literally "once and for all," because the process was too time-consuming and laborious to carry out it again. This is not the purpose of this process.
Therefore, I decided to present a more practical look at the process of conducting IT risk analysis and assessment, taking into account in particular possible scenarios of challenges, as well as the method of developing conclusions and taking corrective actions after the analysis.
When conducting IT risk analysis, the most important rule is to describe the approach in such a way that the process is repeatable and results understandable and comparable. Let's consider how we will manage the results, changes and of course subsequent iterations after the analysis process.
Unfortunately, you cannot skip this stage. It is hard to grasp IT risk analysis unless it is splintered into stages. Before starting the process, we must establish a list of key IT resources and their valuation, list of threats, list of vulnerabilities, and then pair the resources, threats and / or vulnerabilities. Let's try to pre-group the resources, because some will be subject to the same or similar threats, e.g. a group of data carriers understood as USB sticks, disks, memory cards, etc., especially if we are dealing with a large company or low staff availability. The next step is to prepare a preliminary list to carry out the analysis process. We should always remember that the best source of information will be employees who deal with the issue of protecting these resources on a daily basis. When identifying risk, we should also consider other factors associated with it, for example, the risk category or the possible impact of its materialization.
IT risk analysis and assessment
The definition of "risk" often depends on the methodology used. For me, the most important thing is how to really carry out this process. Should this process be assessed quantitatively or qualitatively? We often come across the same problem - the assessment is subjective. Therefore arises the question "Who should do this assessment"? There is also an alternative solution involving the usage of a questionnaire for IT risk analysis and assessment that contains only specific Yes / No questions instead of "How do you assess the risk ...?", for example:
The next step after the risk assessment is usually the decision how to handle with the risk (the best known is acceptance, avoidance, reduction, etc.), and based on it develop a risk management plan / corrective actions. There is also of course IT risk monitoring and review process that should be implemented on a regular basis. Is this really the end? The proposed approach, based on the use of surveys with specific Y / N questions, provides the IT risk analyzer with much more information than just estimating IT risk. Potentially, all questions that received negative answer can be considered as a resource deficiency. Short questionnaires sent to the right people can provide detailed and specific information on the security status of IT resources throughout the organization.
The article uses materials from SAP SE and RSA Security.
The article uses SAP SE and RSA Security materials.