Five Basic Phases of the IT Risk Management Life Cycle
As with most methodologies, risk management, when applied properly, takes on the characteristics of a life cycle. It can be broken out into several phases beginning with identification of information assets and culminating with management of residual risk. The specific phases are as follows:
Phase 1: Identify information assets
Phase 2: Quantify and qualify threats
Phase 3: Assess vulnerabilities
Phase 4: Remediate control gaps
Phase 5: Manage ongoing risk
Phase 1 - Identifying Information Assets
The first phase in the risk-management life cycle is to identify the organization's information assets. Several tasks must be completed for this phase to succeed:
- Define information criticality values
- Identify business functions
- Map information processes
- Identify information assets
- Assign criticality values to information assets
Phase 2 - Quantifying and Qualifying Threats
Information threats impact organizations through lost business, lost resources and recovery costs, and legal and regulatory actions. When threats are realized, these costs often go unaccounted for because they were never properly identified. For example, suppose our organization is attacked by a malicious worm that causes a temporary loss of processing capacity and several hundred hours of recovery time. The direct cost can be calculated by quantifying the hours required for recovery and estimating the losses associated with the processing delays. However, was the company's reputation adversely affected because it was unable to serve customers? Were there any lost sales? Were some employees unable to work? What is the organization's legal exposure due to the security breach? As you can see, identifying all the areas within an organization that may be affected requires a fair amount of thought. Therefore, we will help break down the process of analyzing these threats.
Phase 3 - Assessing Vulnerabilities
We have now identified our information assets and the threats to each asset. In this phase, we assess vulnerabilities. When examining threats, the common denominator is the information asset, because each threat is tied to an information asset. When assessing vulnerabilities, on the other hand, the common denominator is the information process. We first identify process-component vulnerabilities and then combine them to determine our process vulnerabilities. Process vulnerabilities are then combined to determine business-function vulnerabilities. Instead of working from the top down (from business function to process component), we work from the bottom up when assessing vulnerabilities. We will use the following steps in analyzing vulnerabilities:
- Identify existing controls in relation to threats.
- Determine process component control gaps.
- Combine control gaps into processes and then business functions.
- Categorize control gaps by severity.
- Assign risk ratings.
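To make the bottom-up aggregation concrete, here is an added example (not from the book) that walks the five steps above over a constructed business function. The scoring formula (criticality times threat severity), the 1-5 scales and the high/medium/low thresholds are all assumptions chosen for illustration, not the book's method.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    """One process component. criticality comes from Phase 1 (assumed 1..5);
    threats maps threat name -> severity (assumed 1..5, from Phase 2);
    controls holds the threat names an existing control already addresses."""
    name: str
    criticality: int
    threats: dict
    controls: set = field(default_factory=set)

def component_gaps(comp):
    """Steps 1-2: a threat with no existing control is a control gap.
    Gap score = criticality * severity (assumed formula)."""
    return {t: comp.criticality * sev
            for t, sev in comp.threats.items() if t not in comp.controls}

def combine(gap_sets):
    """Step 3: merge lower-level gaps upward, keeping the worst score per threat."""
    merged = {}
    for gaps in gap_sets:
        for threat, score in gaps.items():
            merged[threat] = max(score, merged.get(threat, 0))
    return merged

def rating(gaps):
    """Steps 4-5: rate by the worst remaining gap. Thresholds are assumed."""
    worst = max(gaps.values(), default=0)
    return "high" if worst >= 15 else "medium" if worst >= 6 else "low"

def assess(business_functions):
    """Bottom-up: component -> process -> business function."""
    report = {}
    for bf, processes in business_functions.items():
        proc_gaps = {p: combine(component_gaps(c) for c in comps)
                     for p, comps in processes.items()}
        bf_gaps = combine(proc_gaps.values())
        report[bf] = {"processes": {p: rating(g) for p, g in proc_gaps.items()},
                      "gaps": bf_gaps, "rating": rating(bf_gaps)}
    return report

# Constructed sample: one business function, two processes, three components.
SAMPLE = {"Order fulfillment": {
    "Order entry": [
        Component("web server", 4, {"malware": 4, "dos": 3}, {"malware"}),
        Component("orders db", 5, {"sql injection": 5, "backup failure": 3}, {"backup failure"})],
    "Shipping": [
        Component("label printer", 2, {"malware": 2})]}}

if __name__ == "__main__":
    print(assess(SAMPLE))
```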
Phase 4 - Control Gap Remediation
By now our risks should be categorized as high, medium, or low. Initially, we focus on mitigating the most severe risks, because that is where we will most likely see the highest return on investment; in essence, we mitigate more risk with less money. We will use the following steps in control gap remediation:
- Choose controls
- Implement controls
- Validate new controls
- Recalculate risk ratings
Phase 5 - Managing Ongoing Risk
Risk is inherently dynamic, especially the threat component of risk. As a result, we need to measure risk continually and invest in new controls to respond to emerging threats. There are basically two steps in this phase:
- Create a risk baseline
- Reassess risk
Source: IT Auditing: Using Controls to Protect Information Assets, Chris Davis, 2007