IsecT consultants employ a structured and proactive approach to IT risk management. We normally follow this sequence:
We usually start with an impact assessment, deliberately taking the business perspective to identify major management concerns. This step helps us avoid getting sidetracked into dealing with immaterial issues. In practical terms, we would typically facilitate a risks workshop involving senior people from IT and the business, the output being a business impact report.
The next step is a full risk analysis to identify potential threats and vulnerabilities relating to the impacts previously identified. The output is a risk matrix showing key (worst case) threats, vulnerabilities and impacts on one axis and risk categories on the other (e.g. to focus on information security risks, we explicitly use the ISO/IEC 27002 definition of security, namely confidentiality, integrity and availability, to examine the risks comprehensively).
The controls design step involves looking at the risk matrix from a practical point of view, reviewing the organization's existing security/controls already addressing the identified risks and specifically seeking evidence of control weaknesses. This step may involve specifying and cost-justifying additional controls. The output includes brief descriptions of existing or necessary additional controls in the risk matrix, and if necessary more detailed business proposals or specifications for any additional control requirements.
Risk mitigation involves addressing the control weaknesses by developing, testing and implementing the additional controls. At IsecT, we generally favour preventive controls and we always seek cost-effective control measures, especially simple, cheap procedural controls rather than complex, expensive technological ‘solutions’ (which themselves tend to introduce additional risks and dependencies!).
Contingency planning: with the best will in the world, despite all the controls implemented already, some impacts are so severe, some threats so strong and some vulnerabilities so difficult to eliminate that the organization faces unacceptable residual risks. In IsecT’s methodology, contingency planning is an integral part of risk management, not a separate activity. Wherever practicable, we prefer to help clients implement cost-effective controls to prevent risks, but detective and corrective controls (including contingency plans) are sometimes appropriate.
The most advanced organizations continually review and improve their control environments in order to respond quickly to new threats, vulnerabilities and impacts, and to confirm that controls remain effective in practice. Call IsecT for help to establish best-practice proactive risk management processes in your organization, including routine and ad hoc risk reviews, IT audit and information security management.
We can also help with the management of project risks. The following 21 project risk factors, identified by international research over the last 30 years, were prioritised by 1,500 IT project managers (the list appeared in a report published by Computer Weekly, which is no longer online):
Most important
1. Lack of top management commitment
2. Misunderstanding of scope/objectives/requirements
3. Lack of client/end-user commitment/involvement
4. Changing scope/objectives
5. Poor planning/estimation
6. Inadequate project management
7. Failure to manage end-user expectations
8. Conflict among stakeholders
9. Change in senior management ownership
10. Lack of adequate change control
11. Shortage of knowledge/skills in the project team
12. Improper definition of rôles and responsibilities
13. Artificial deadlines
14. Specifications not frozen
15. New or radically redesigned business process/task
16. Employment of new technology
17. Poor control against targets
18. Number of organisational units involved
19. Lack of effective methodologies
20. Staff turnover
21. Multiple vendors
Least important
We have hands-on experience of dealing with all these risks and more besides. If you recognise your own problems on the list, call us for help!