By Michael D. Cohn
For any organization, risk management is a vital but time- and resource-hungry activity. Changes in governance and advances in technology have broadened the scope of required risk management services, creating disconnected or siloed risk management initiatives. Customer information, regulatory compliance, vendor management and disaster recovery are just some of the vital categories, all of which require regular assessment to be an effective means of understanding and mitigating risk. The objective of an information technology risk assessment is to properly identify and inventory every technology asset of the organization, including hardware and business software applications; identify threats; and measure the likelihood and impact if those threats materialize. But just as the IT organization cannot operate in a vacuum, the IT risk assessment must not remain in a silo. So what are the stops on this journey?
Traditional risk management procedures involve periodic assessments. An inherent disadvantage of this system is that the pulse of an organization’s risk management is only monitored at intervals. An assessment of just one aspect of an organization can by itself take three or four weeks, to say nothing of the time between assessments. During that interval, the only information available is unlikely to be current, and if third-party consultants performed the assessment, they would need to be called back to consult on issues or to perform an assessment update. Much time and effort is wasted in this model.
For an IT risk assessment to be a foundational element of an organization’s risk management program, methodology and mechanisms must be in place to support continuous update and evaluation as threats emerge, and controls and responses are developed.
Threats, Likelihoods and Impacts
The number of information technology threats facing an organization can at times be a daunting list, and one that is likely to grow. How likely it is that your organization will be subjected to a given threat depends on your use of third-party vendors, the exposure of the technology to the Internet, the number of people accessing the technology and the required availability of the system. And even if the likelihood of a threat is high, its impact on the organization must still be measured. The traditional impact areas are loss of confidentiality, loss of data integrity and loss of availability.
If the risk assessment process can transform these security concepts into a business language a department manager can understand, then the organization can benefit in three areas. First, the assessment can be distributed throughout the organization rather than performed by higher-ups, reducing the elapsed time from beginning to end. Second, department managers are the people most familiar with the transaction processing and use of technologies in their areas; they should know the risks and controls, and will be in the best position to perform a comprehensive and fair assessment. Third, for each residual risk the assessment results will leave the organization with one of four choices: accept the residual risk, develop a response for when the threat occurs, mitigate it through additional controls or transfer the risk.
Leveraging the Results
The Federal Financial Institutions Examination Council (FFIEC), in its 2002 IT Security Handbook, formalized the IT risk assessment compliance requirements. For a few years thereafter, the regulatory hurdle was to ensure an IT risk assessment was completed. The hurdle was then raised, requiring a documented information security program that could be tested by third-party auditors. The regulators were looking for a testing or audit program whose scope was risk-based and supported by the risk assessment results. The updated 2006 FFIEC IT Security Handbook strengthened the risk assessment methodology to explicitly measure and document TLC, or threats, likelihood and controls. We have observed some organizations leverage the IT risk assessment results into four other operational areas.
Customer information privacy programs: The organization must develop information privacy and safeguarding programs as stipulated by the Gramm-Leach-Bliley Act. Customers’ non-public personal information (NPPI) resides both in technology software systems and in the voluminous paper documents held by organizations. To the extent the IT risk assessment is complete and reliable, its results can be leveraged in the development of the privacy program to identify and risk-rate those systems that store or transmit confidential NPPI.
Disaster recovery planning (DRP): Although not obvious, the risk assessment results should strongly correlate to the organization’s business impact analysis (BIA) that supports the DRP. High-risk systems should normally be the same systems that are deemed critical by the BIA and are required to be restored in the first 24 hours of a disaster. The correlation is never perfect, but the gaps should be easily explained. Conversely, low-risk systems will most likely be restored after 72 hours in the event of a disaster.
IT capital expenditures: Intuitively, the high-risk systems will be critical to the organization, not just because of security concerns, but because they also tend to be high-capacity systems that directly support front office activities. The refresh or update cycle for these systems should be faster than for less essential, low-risk systems. So, as the organization prepares the IT capital budget or looks out into the future, these systems should be on the shortest refresh cycle to ensure the organization is making IT investments in those areas likely to result in the highest returns.
Vendor management: The IT risk assessment will identify a list of high-risk technologies. The identification of a high-risk system will typically correlate to the identification of a high-risk vendor. Once again, the correlation may not be perfect, but the gap should be small and easily identified. High-risk technology vendors should receive a thorough review once a year. If the organization can leverage the IT risk assessment for technology vendor management activities, the incremental effort remaining is to identify high-risk, non-technology vendors for frequent and thorough monitoring.
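The following register is an added worked example, not code from the article or from Wolf &amp; Co., showing how the likelihood drivers and impact areas from the “Threats, Likelihoods and Impacts” section can be scored and then leveraged in the two downstream areas just described: checking the risk tiers against the BIA criticality that drives DRP restore windows, and deriving the high-risk vendor list. The likelihood drivers (vendor reliance, Internet exposure, user count, required availability) and the confidentiality/integrity/availability impact areas are the article’s; the point values, tier thresholds, 24/72-hour windows as tier defaults, review cadence, and all sample assets and vendor names are constructed assumptions.

```python
"""Illustrative IT risk register (added example; scoring scheme is an assumption).

Likelihood: 1 base point plus one point for each driver present (vendor-hosted,
Internet-exposed, >= 100 users, 24x7 availability requirement), capped at 5.
Impact: worst of the 1-5 confidentiality / integrity / availability ratings.
Risk score = likelihood * impact; tiers and downstream mappings are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    vendor_hosted: bool       # operated or hosted by a third-party vendor
    internet_exposed: bool    # reachable from the Internet
    users: int                # number of people accessing the system
    availability_hours: int   # required hours per day the system must be up
    confidentiality: int      # 1-5 impact if confidentiality is lost
    integrity: int            # 1-5 impact if data integrity is lost
    availability: int         # 1-5 impact if availability is lost
    bia_critical: bool        # criticality assigned by the separate BIA
    vendor: str = ""          # vendor name, empty if developed in-house


def likelihood(a: Asset) -> int:
    """Assumed scheme: one point per likelihood driver named in the article."""
    score = 1
    score += a.vendor_hosted
    score += a.internet_exposed
    score += a.users >= 100
    score += a.availability_hours >= 24
    return min(int(score), 5)


def impact(a: Asset) -> int:
    """Impact is driven by the worst of the three traditional loss areas."""
    return max(a.confidentiality, a.integrity, a.availability)


def tier(score: int) -> str:
    """Assumed thresholds on the 1-25 likelihood * impact scale."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Assumed DRP restore windows and vendor review cadence per tier.
RECOVERY_WINDOW_HOURS = {"high": 24, "medium": 48, "low": 72}
VENDOR_REVIEW_MONTHS = {"high": 12, "medium": 24, "low": 36}


def assess(assets: List[Asset]) -> List[Dict]:
    """Build the register rows: scores, tier, and the downstream mappings."""
    rows = []
    for a in assets:
        score = likelihood(a) * impact(a)
        t = tier(score)
        rows.append({
            "name": a.name, "likelihood": likelihood(a), "impact": impact(a),
            "score": score, "tier": t,
            "recovery_window_hours": RECOVERY_WINDOW_HOURS[t],
            "vendor": a.vendor,
            "vendor_review_months": VENDOR_REVIEW_MONTHS[t] if a.vendor else None,
        })
    return rows


def bia_gaps(assets: List[Asset]) -> List[Tuple[str, str, bool]]:
    """Assets whose high/not-high risk tier disagrees with BIA criticality.

    The article expects the correlation to be imperfect; each gap listed here
    is one the organization should be able to explain.
    """
    return [(r["name"], r["tier"], a.bia_critical)
            for r, a in zip(assess(assets), assets)
            if (r["tier"] == "high") != a.bia_critical]


def high_risk_vendors(assets: List[Asset]) -> List[str]:
    """Vendors behind high-risk systems: the candidates for annual thorough review."""
    return sorted({r["vendor"] for r in assess(assets)
                   if r["tier"] == "high" and r["vendor"]})


# Constructed sample register; names and ratings are invented for illustration.
SAMPLE_ASSETS = [
    Asset("Core banking system", True, False, 250, 24, 5, 5, 5, True, "Vendor A"),
    Asset("Online banking portal", True, True, 5000, 24, 5, 4, 5, True, "Vendor B"),
    Asset("HR payroll application", True, False, 12, 8, 4, 3, 2, False, "Vendor C"),
    Asset("Branch intranet wiki", False, False, 300, 8, 2, 2, 1, False),
    Asset("Loan document imaging", False, False, 40, 8, 4, 4, 3, True),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS):
        print(row)
    print("BIA gaps to explain:", bia_gaps(SAMPLE_ASSETS))
    print("Vendors due for thorough annual review:", high_risk_vendors(SAMPLE_ASSETS))
```

Run as-is, the register flags the loan imaging system as a gap: the BIA calls it critical, but its low likelihood keeps it out of the high tier, which is exactly the kind of discrepancy the article says should be small and easily explained rather than silently accepted. The weights are deliberately kept in one place so a department manager can argue about them in business terms instead of reading code.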
The IT risk assessment, a required regulatory compliance activity, will continue to change, and uses for its results will continue to expand. Whereas we started a few years ago with the need for an information security program and a risk-based IT audit plan, some organizations have since leveraged the results into additional operating activities. Looking to the next frontier, it is likely that the IT risk assessment will become a foundational element of enterprise risk management programs as those programs mature, develop and are deployed.
Michael D. Cohn, CPA, is senior manager at Wolf & Co. P.C. (www.wolfandco.com). He can be reached at firstname.lastname@example.org.