Planning for an Internal IT Risk Assessment
An effective risk management program protects the company and its ability to carry out its mission. Sarbanes-Oxley, Section 404, requires public companies to annually assess and report on the effectiveness of internal controls over financial reporting. Information technology (IT) risk management is one component of risk management and should be part of any IT security program.
Every organization, no matter whether private or public, has a mission. Information Technology plays a critical role in helping the organization meet the objectives of that mission.
For example, if your organization’s mission is to become one of the nation’s (or county’s or state’s) largest financial holding companies, and you offer services such as commercial and retail banking, mortgage financing and servicing, consumer finance and asset management, then what are you going to protect and how are you going to protect it? The primary goal of information systems and technology is to enable the business to succeed. Within those information systems, significant risks may be hiding; an internal IT risk assessment can unearth them before the auditors do.
Requests for information arising from internal or external IT auditors are normally fielded by the IT and Security departments. In one particular audit I experienced while working for a financial firm, there was an IT audit finding due to the existence of numerous Domain Admins (everyone in IT had made himself or herself a Domain Admin and Domain Admins have total access to everything on a Windows network). Not good.
The IT people could not understand why their privileges needed to be restricted. The parent company was mortified at the audit finding, and a significant reorganization took place based on that finding. If the IT department had understood the concepts of risk management, things might not have gone so badly.
There are some basic risk management concepts that need to be ingrained in the technology manager’s mind before developing applications and before deploying applications and technology. For starters, IT managers can look to the National Institute of Standards and Technology for guidance. NIST Special Publication 800-30, published in July 2002 and entitled Risk Management Guide for Information Technology Systems, is a good place to start. It is free and does a decent job of explaining the basic concepts and providing a risk management methodology.
For example, the document’s opening definition of risk reads: “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization” (pg. 8).
I have come to appreciate the documents produced by NIST and use them frequently in my work as an Information Security Officer. The risk assessment methodology uses a nine-step process (pg. 9):
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
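To make steps 2 through 7 concrete, here is an added example (my own code, not NIST’s and not part of the guide) that scores the Domain Admins finding from the audit described above. The numeric likelihood and impact scale is modelled on the risk-level matrix in SP 800-30 but should be treated as an assumption to be replaced with your own scale, and the group membership data is constructed.

```python
# Added example: scoring one finding with the SP 800-30 likelihood x impact method.
from dataclasses import dataclass

# Scale modelled on the SP 800-30 risk-level matrix; the numbers are an
# assumption for this example, substitute your organization's own scale.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Step 7, risk determination: combine likelihood and impact into a rating."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return score, "High"
    if score > 10:
        return score, "Medium"
    return score, "Low"


def unapproved_admins(members: list[str], approved: list[str]) -> list[str]:
    """Step 3, vulnerability identification: Domain Admins members nobody approved.
    Feed this the output of a group-membership export."""
    return sorted(set(members) - set(approved))


@dataclass
class Finding:
    threat: str          # step 2, threat identification
    vulnerability: str   # step 3, vulnerability identification
    controls: str        # step 4, control analysis
    likelihood: str      # step 5, likelihood determination
    impact: str          # step 6, impact analysis

    def assess(self) -> dict:
        score, level = risk_level(self.likelihood, self.impact)
        return {"risk": level, "score": score, "controls": self.controls}


# Constructed sample data: a Domain Admins export and the approved member list.
DOMAIN_ADMINS = ["administrator", "alice", "bob", "carol", "dave"]
APPROVED = ["administrator", "alice"]


def assess_domain_admins(members=DOMAIN_ADMINS, approved=APPROVED) -> dict:
    extra = unapproved_admins(members, approved)
    finding = Finding(
        threat="privilege misuse or credential theft of an all-powerful account",
        vulnerability=f"{len(extra)} unapproved Domain Admins: {', '.join(extra)}",
        controls="none; membership is not reviewed",
        likelihood="High" if extra else "Low",  # unapproved members raise likelihood
        impact="High",  # Domain Admins have total access to the Windows network
    )
    return finding.assess()
```

Calling `assess_domain_admins()` on the constructed data rates the finding High; once the unapproved members are removed, the same finding drops to Low, which is the effect the control recommendation in step 8 is meant to document.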
The document also provides sample interview questions, such as (pg. A-1):
• Who are valid users?
• What is the mission of the user organization?
• What is the purpose of the system in relation to the missions?
• How important is the system to the user organization’s mission?
• What is the system-availability requirement?
…
Even more helpful is the sample risk assessment report outline (pg. B-1) included in the NIST document.
Most companies today hire outside consultants to perform the IT risk assessment. However, you can be better prepared to handle such an assessment if you do your homework first. With management support and IT’s commitment to work through this, you can perform an internal IT risk assessment with some success yourself. Collaborating with an outside risk assessment firm, in addition to performing your own risk assessment, will prepare you to meet the demands of supporting the organization’s mission.