Most recent major IT system down time incidents showed that risk exists in every change made to the IT environment (including cultural, process, organizational, new or updated technology, technology obsolescence, infrastructure, project-related, software patches, et cetera.). However, risk is not necessarily a bad phenomenon. An IT organization and connected business model devoid of risk-taking would not allow the enterprise to grow, innovate, transform, expand, or prosper. The problem with IT risk surfaces only when risks are not proactively addressed and when a conscious determination is not made to evaluate the potential for risk versus expected benefits.
Given such risks, we recommend organizations adopt and use information security standards judiciously within the context of specific business requirements. For instance, official certification against industry standards should be considered only when clear-cut business justification exists (e.g., if lack of certification will prevent the organization from doing business with particular client segments). Even policy requirements for internal certification for enabling connectivity on the corporate network should continuously be assessed for practicality and business relevance.
Information security, compliance, and risk management initiatives can benefit from standards in various ways. First, adoption of certain industry standards can contribute toward demonstration of good intent in regulatory compliance.
Second, standards can provide crucial strategic input in security program activities. Standards can act as reference models for information security controls that must be defined and implemented to comply with policy and regulatory requirements. They can provide input for the content of formalized information security architectures and act as a security services framework.
As organizations design models and tools for the deployment of layered security models (a.k.a. trust models), such industry standards can provide the reference for mapping respective security services across different trust levels. Such mapping can be done either directly or indirectly via the organization’s information security architecture. At a more tactical level, standards can provide valuable information for product selection and integration as well as for security technology architecture planning.
Standards do not provide silver bullets for the complex challenges of information security and risk management. However, we recommend that organizations considering standardized risk assessments explore some of the more common formal approaches such as:
STANDARDS NOT EQUAL
However, it is our experience that the first three methods (FRAP, CRAMM, and OCTAVE) have significant flaws, and each may suffer from a common ailment. To provide high scalability and repeatability of the risk assessment process, each methodology requires extensive standardized documentation throughout the risk assessment. In addition, as stated previously, each risk assessment is a complex activity requiring a knowledgeable team with a comprehensive set of skills and experience.
Effective implementation of FRAP, CRAMM, or OCTAVE requires a dedicated, interdisciplinary analysis team made up of ITO and line-of-business participants to administer the risk assessment. Our experience indicates much of the effort (and resulting costs) of implementation for each of these risk assessment methods requires a substantial investment of human resources and time commitment for implementation, user training, and document management.
Although META Group believes these methods are beneficial and may be applicable to a few organizations, a mature risk assessment process must already be well accepted within the organization before attempting to implement these rigid methods, notwithstanding the fact that each is associated with the high overhead of training, documentation and implementation (i.e., people, time, and money). Currently, Meta Group recommends three approaches to risk assessment we believe meet the needs of our client organizations:
• Small organizations with little or no regulatory control can employ a simple and informal threats-and-controls model, similar to a significantly scaled-down OCTAVE model.
• Mid-tier, slightly larger or more mature organizations may want to use FRAP.
• Organizations with more stringent requirements, based on organization size, IT complexity/diversity, or stringent regulatory oversight, should consider employing the Delphi Risk Assessment Method (DRAM) approach.
Ultimately, IT managers must customize and adopt a risk assessment process that fits the culture of the organization.
We suggest organizations adopt an assessment process that best models IT asset interdependencies, identifies business impacts, assesses risks, determines levels of risk acceptance (risk posture), and identifies required and cost-justified controls on the basis of overall risk assessment. In this case, DRAM may be a better fit than FRAP, CRAMM, or OCTAVE and may be more effective (and information security-specific) than COBIT alone.
DRAM exists in two versions to provide for two sets of risk assessment processes: 1) the continuous assessment of current risk against production systems; and 2) the evaluation of new technology deployments or application designs. The DRAM method is best used when the opinion of experts is required to support decision making. Generally, three conditions lead to the need for expert opinion:
• No historical data exists from which to extrapolate.
• External factors or change overwhelm the relevance of historical data.
• Subjective factors, such as ethical or moral concerns, overwhelm historical data.
Each of these three conditions may exist in any of the previously mentioned risk assessment methodologies. The reason for using the DRAM risk assessment approach is that the information gathering is anonymous — information is not weighted by certain executives or business units, which is often the case during in-person planning sessions. To the best of our knowledge, DRAM is the first publication of a formal approach to risk assessment using the Delphi Method as a base.
RISK ASSESSMENT PROBLEMS
In the broadest context, the real problem with IT risk management and information security lies in the IT organization’s inability to categorize, capture, and communicate risk as part of an overall value management process. Many CIOs find it extremely difficult to define the requisite balanced investment needed for risk management (RM) controls, policies, people, and processes.
Furthermore, in more than 70 per cent of Global 2000 IT organizations (ITOs), there is no established performance or communication process in place for RM. This is largely because ITOs have done a poor job of understanding their businesses’ tolerance for risk, and they often are unable to categorize risks, assess the threats, identify vulnerabilities, and communicate residual IT risks back to the business.
All too often, the ITO staff (including management) neither fully appreciates nor understands the types and categories of risk, the assessment processes, and the IT risk ecosystem, and it does not know how to avoid, mitigate, or manage risk.
Continued legislative requirements (e.g., Sarbanes-Oxley, and Canadian interpretation thereof (Bill 198), Basel II, the USA PATRIOT Act, privacy acts) are driving the maturation of formal risk assessment and will continue to do so through 2005. By the end of 2004 and into 2005, we expect more than 50 per cent of the Global 2000 organizations to (re)evaluate various risk assessment methodologies and implement an ongoing, continuous risk assessment process to identify and mitigate IT-related risks.
— Helmer is vice-president, strategic solutions at META Group Canada.
