Friday, March 27, 2015

The Umbrella of IT Risk Management

We are getting ready to go out.  We've showered and dressed, and we're about to leave.  The forecast indicated a chance of rain.  Should we take the umbrella or not?  What is the likelihood it will rain, and what would the impact be if we get caught without an umbrella in a downpour?  That eventuality could dampen our evening.  This decision is not unlike the decisions we make in Information Technology.
If we work in Information Technology, our job is to design, implement, test, support, upgrade or replace technology in some way.  This technology exists to support the business mission.  But we can get so involved with the execution of our job that we forget a critical fact - the infrastructure we work with is part of the foundation of our business.  Without that foundation, our business could not continue to operate as efficiently - it would not operate as profitably - it would not operate as securely.  Technology brings business some amazing capabilities, but if that foundation is not stable and secure, our business cannot continue to grow and strive toward its mission.  The business must have confidence in its technology foundation.  It does not want to get caught out in the rain.  We are confident in going out, knowing that umbrella is with us in the car.  Businesses must have that same confidence in the IT infrastructure.
IT Risk Management helps to provide the business with that confidence, which is so critical for organizations today.  They must know that the money, time and resources they are investing are being properly managed.  A big part of that management is the management of IT risk.  IT risk management is all about ensuring that we have properly identified all the assets and data within our IT infrastructure.  Once identified, we classify that data in terms of sensitivity and importance to the business - how critical is that asset or data to keeping the business going?  Then we assess those assets, in order of criticality, against potential threats to the confidentiality, integrity and availability of the assets.
Once we have identified the risks and the severity of those risks, we can document them in terms of the likelihood that each risk will become a reality and the impact to the business should it be manifested.  This methodology is detailed in NIST Special Publication 800-30, the NIST risk management guide.  Those two measurements allow the organization to rate the risk in terms of severity - from that rating the organization can derive a cost-benefit for efforts to remediate risks, as well as prioritize risk remediation efforts.  We can get as deep as needed into this process of defining risks - but we don't need to calculate the Annual Loss Expectancy of everything.  We start simply by seeing that many IT processes or functions fall under the umbrella of IT Risk Management.
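As an added example (not code from the original post), the following Python risk register walks the steps above: each risk is rated qualitatively by likelihood and impact in the style of SP 800-30, given a quantitative Annual Loss Expectancy (SLE x ARO), and then ranked so that remediation effort goes first to the most severe risks and, within a severity band, to the controls with the best net benefit.  Every asset, threat, dollar value and control cost here is a constructed sample value, not data from the post.

```python
"""Small IT risk register: qualitative rating (likelihood x impact),
quantitative ALE, and a remediation ranking with cost-benefit.
All figures below are constructed sample values for illustration."""
from dataclasses import dataclass

# Five-level qualitative scale, as SP 800-30 uses (Very Low .. Very High).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str          # qualitative, a key of LEVELS
    impact: str              # qualitative, a key of LEVELS
    asset_value: float       # dollars at stake (constructed)
    exposure_factor: float   # fraction of asset value lost per event, 0..1
    aro: float               # annualized rate of occurrence (events/year)
    control_cost: float      # annual cost of the proposed remediation
    residual_aro: float      # expected ARO once the control is in place

    def score(self) -> int:
        """Severity score = likelihood x impact on the 1..5 scales (1..25)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def severity(self) -> str:
        """Bucket the score into the bands a register usually reports."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 6:
            return "moderate"
        return "low"

    def sle(self) -> float:
        """Single Loss Expectancy: value lost in one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self, aro: float = None) -> float:
        """Annual Loss Expectancy = SLE x ARO (current ARO by default)."""
        return self.sle() * (self.aro if aro is None else aro)

    def net_benefit(self) -> float:
        """Annual loss avoided by the control minus the control's annual cost.
        A negative value means the control costs more than the risk it removes."""
        return self.ale() - self.ale(self.residual_aro) - self.control_cost


# Constructed sample register: three assets, one threat each.
REGISTER = [
    Risk("File server", "ransomware via unpatched SMB service",
         "high", "very high", 200_000, 0.5, 0.2, 5_000, 0.02),
    Risk("Public website", "defacement via outdated CMS plugin",
         "moderate", "low", 50_000, 0.1, 1.0, 8_000, 0.1),
    Risk("Developer laptop", "theft from unattended vehicle",
         "low", "moderate", 3_000, 1.0, 0.5, 100, 0.1),
]


def prioritize(register):
    """Most severe first; within equal severity, best net benefit first."""
    return sorted(register, key=lambda r: (-r.score(), -r.net_benefit()))


def worth_doing(risk: Risk) -> bool:
    """Cost-benefit gate: remediate only when the control pays for itself."""
    return risk.net_benefit() > 0


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.asset:18} {r.severity():8} score={r.score():2} "
              f"ALE=${r.ale():>9,.0f} net benefit=${r.net_benefit():>9,.0f} "
              f"{'remediate' if worth_doing(r) else 'accept/defer'}")
```

Note that the website defacement control is rejected even though the risk is rated moderate: its annual cost exceeds the loss it avoids, which is exactly the judgement the cost-benefit step exists to make explicit.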
IT Risk Management is like an umbrella for other IT security activities.  Vulnerability management is under this umbrella.  Vulnerability management allows the organization to identify and manage vulnerabilities - weaknesses or potential openings in the defenses protecting the infrastructure.  Those vulnerabilities are risks - the remediation of those vulnerabilities is a risk management activity.  And often the remediation of a vulnerability involves applying an operating system patch to a system.  Patch management is therefore a subset of vulnerability management.
This hierarchical relationship extends into other IT areas.  Configuration management is an important component of risk management.  In configuration management, we identify the configurations as they currently are on our devices, then put a process in place to review, approve and monitor those configurations going forward.  If a configuration changes and we aren't aware of that change, the integrity of our infrastructure is directly affected - the configuration is different from what it was before.  The business must know what the configurations are, and must be able to trust that this state won't change unless the change is approved.  An unapproved change could open up a weakness on that device.  Configuration management allows us to control and monitor those changes, thereby limiting the additional risk due to unapproved changes.
Since changes to configurations can add risk, it follows that any IT change can add risk to our enterprise.  A modified switch or router configuration can be a security issue.  A website change can bring in vulnerabilities.  The installation of an application on the network can open us up to malware.  If you've been working in IT for any length of time, it is likely you know of situations where a change caused an outage or another security issue.  Change Management is the process of documenting, reviewing and approving all changes to the infrastructure.  Proper change management allows us to vet the requested change to determine whether it will add risk.  It allows us to make sure the change doesn't increase the possibility that the confidentiality of data can be violated.  It allows us to ensure that the change is documented, so that we maintain the integrity of the network.  And it also allows us to ensure that the change won't cause unintended downtime (lack of availability) or an outage in our infrastructure.
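The two paragraphs above describe one control loop: an approved configuration baseline, a change record for every approved modification, and monitoring that flags any drift the change record does not explain.  The following Python is an added example of that loop, not code from the original post.  It assumes a simple `key = value` configuration format, a baseline stored as per-key SHA-256 fingerprints, and change tickets that record the device, key and approved new value; the device name, configuration lines and ticket number are all constructed for the example.

```python
"""Configuration drift check reconciled against approved change records.
Format, device, config lines and ticket numbers are constructed for
illustration; a real deployment would read them from the CMDB and ticketing system."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(value: str) -> str:
    """Store hashes rather than values so the baseline can be shared without
    exposing secrets such as community strings."""
    return hashlib.sha256(value.encode()).hexdigest()


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines, ignoring blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def baseline_of(cfg: dict) -> dict:
    """The approved state: one fingerprint per configuration key."""
    return {k: fingerprint(v) for k, v in cfg.items()}


@dataclass
class ApprovedChange:
    device: str
    key: str
    new_value: str
    ticket: str


@dataclass
class DriftReport:
    approved: list = field(default_factory=list)    # (key, ticket)
    unapproved: list = field(default_factory=list)  # (key, "added"|"removed"|"modified")


def check_drift(device: str, baseline: dict, current: dict, changes) -> DriftReport:
    """Compare the running config with the baseline; every difference is either
    explained by an approved change for this device and key, or it is drift."""
    approved_for = {(c.device, c.key): c for c in changes}
    report = DriftReport()
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            kind = "removed"
        elif key not in baseline:
            kind = "added"
        elif baseline[key] != fingerprint(current[key]):
            kind = "modified"
        else:
            continue  # unchanged
        change = approved_for.get((device, key))
        if (change is not None and kind != "removed"
                and fingerprint(change.new_value) == fingerprint(current[key])):
            report.approved.append((key, change.ticket))
        else:
            report.unapproved.append((key, kind))
    return report


# Constructed sample: the approved baseline for one switch ...
DEVICE = "core-sw-01"
BASELINE = baseline_of(parse_config("""
# approved configuration (constructed sample)
hostname = core-sw-01
ntp server = 10.0.0.5
snmp community = s3cr3t-sample
ssh version = 2
"""))

# ... the configuration as it is running today ...
CURRENT_CONFIG = """
hostname = core-sw-01
ntp server = 10.0.0.6
ssh version = 2
telnet = enabled
"""

# ... and the only change anyone approved (constructed ticket number).
CHANGES = [ApprovedChange(DEVICE, "ntp server", "10.0.0.6", "CHG-1042")]


if __name__ == "__main__":
    r = check_drift(DEVICE, BASELINE, parse_config(CURRENT_CONFIG), CHANGES)
    print("approved:", r.approved)
    print("UNAPPROVED drift:", r.unapproved)
```

Run against the sample, the NTP change is matched to its ticket, while the removed SNMP setting and the newly enabled telnet service are reported as unapproved drift; the latter is the kind of change that opens a weakness on the device and should trigger an incident or a change-control review.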
As we can see, configuration management, change management, patch management, and vulnerability management are all under the umbrella of IT risk management.  Other areas under this umbrella are account management, vendor management, incident management, and many other IT general and IT security processes.  When desktop support installs antivirus on a PC, that's managing the risk of malware.  When the helpdesk requires user validation for a password reset, that is a risk management activity.  When a developer tests code, he's not only validating functionality and error-free operation, he's also managing the risk due to bugs or vulnerabilities.
From this insight, we can start to see that just about everything we do is either a direct risk management activity, or could affect the IT risk within the organization.  As stewards of our business technical infrastructure, we must be able to see this hierarchical relationship and our part in contributing to the overall risk posture of the organization.  We are entrusted with a particular responsibility within the IT function - we must be sure we always keep the effort to minimize risks as a core part of our job, no matter what IT function we do.  This effort, if taken to heart as a critical component of our activity, allows the business to have confidence in the technology platform upon which they can grow the business and continue to strive toward fulfilling the mission of the organization.
Whether you know it or not, you help to hold up that IT risk management umbrella.  Make sure you always have a good grip on your part - your business counts on it to protect itself against the rain.
