b-it risk management report 2-01-2008 12818026.en-us
7/28/2019 B-it Risk Management Report 2-01-2008 12818026.en-us
IT Risk Management Report 2:
Myths and Realities
Trends through December 2007 | Volume 2, Published January, 2008
"IT Risk Management is more than using technology to solve security problems. With proper planning and broad support, it can give an organization the confidence to innovate, using IT to outdistance competitors."

Greg Hughes, Chief Strategy Officer, Symantec Corporation
Table of Contents

Introduction (page 4)
Risk Management concepts guide an increasing number of IT decisions, but myths about IT Risk persist. Recent information helps correct misunderstandings about IT Risk, and direct attention to emerging areas of concern.

Myth one: IT Risk is Security Risk (page 8)
Relationships among Security, Compliance, Availability and Performance Risks help explain industry and public perceptions. But even as IT professionals take a less security-centric view of IT Risk, data loss threats are growing in importance.

Myth two: IT Risk management is a project (page 18)
Project management serves IT well, but falls short when IT Risk environments and business goals change constantly. Matching assessment and mitigation efforts to incident rates is a key to responsible, cost-effective IT Risk Management.

Myth three: Technology alone mitigates IT Risk (page 26)
IT Risk mitigation is more complex than deploying technology. Balanced controls depend on trained personnel following clear, effective processes, with supporting technologies to keep them informed and effective.

Myth four: IT Risk Management is a science (page 34)
With roots in Operational Risk Management, process-improvement disciplines, and business governance, IT Risk Management spans the boundary of business management and science. Emerging frameworks and best practices help guide effective implementations.

Conclusion (page 40)
With IT at the core of many critical business processes, IT Risk Management is a business imperative. Effective management not only protects information and infrastructure, but unlocks resources for the pursuit of strategic business initiatives.

Appendix (page 42)
Executive Summary

IT Risk, encompassing Security, Availability, Performance, and Compliance elements, has become a critical issue for executives and boards of directors. In this second volume of the IT Risk Management Report, Symantec extends its analysis of IT professionals' insights into the nature of IT Risk and the most effective ways to manage it, with added focus on Availability and Performance Risk.

The Report addresses persistent myths about IT Risk, concluding that:

- IT professionals are adopting a more balanced, less Security-centric view of IT Risk; more of them now see Availability Risk as critical or serious than any other element
- Compliance Risk is more than Security Risk formalized by law: data breaches, outages and disasters may cause irrecoverable loss of customer loyalty, revenue, and company value
- Reactive or annual project-oriented IT Risk Management is better than nothing. But IT professionals' expectations of monthly incidents in constantly-changing global and regional business and technology environments call for a continuous, process-oriented approach
- Best-in-class organizations deploy controls balanced across strategic, support, delivery, and security categories, positioning themselves to correct the missing or faulty processes that cause most incidents
- Over the past year, survey participants saw no improvement in Asset Inventory Classification and Management controls, and a decline in Data Lifecycle Management
- IT Risk Management builds on Operational Risk Management and manufacturing quality disciplines, spurred on by Sarbanes-Oxley and other regulations affecting corporate governance, and supported by its own emerging frameworks, standards, and best practices

Symantec recommends a continuous IT Risk Management process starting with a risk assessment, paying close attention to cultural and training issues, and addressing long-term structural improvements as well as early wins. Most implementations will focus on Security Risk and associated controls in the early stages, but should follow up with Availability Risk and delivery controls, and include Compliance and Performance Risk with strategic controls for an integrated, effective program over the long term.
Highlights

This report is intended for executives with responsibilities at the intersection of IT and business risk, including CISOs and vice-presidents of Risk Management, Data Center Operations, and Compliance/Audit. Report insights are based on the collective experience of IT professionals worldwide, and Symantec's deep expertise in every element of IT Risk Management.

Be sure to check these highlights:

- Although IT professionals agree with consumers about the severity of Data Leakage incidents, they may underestimate their frequency: Security Risk and data leakage under Myth 1
- IT professionals expect IT incidents to occur about once per month: Incident rates and reactions under Myth 2
- Process issues cause 53 percent of IT incidents, most often because no process is in place to manage the incident: The importance of process controls under Myth 3
- IT Risk Management is more than a defensive exercise; it identifies tradeoffs among risks, costs, and controls for confident, risk-aware pursuit of opportunities: Process improvement disciplines under Myth 4
Introduction

Why IT Risk is important now.
IT Risk: definition, elements, and controls.
What we've learned so far, and why some myths still endure.

As IT grew from a back-office specialty to the core of financial, telecommunications and other modern businesses, exposures to IT Risk have grown to match. Not long ago, IT Risk occupied a small corner of Operational Risk: the opportunity loss from missed IT development deadlines. Today, the success of organizations and even nations may hinge on mastering a broad landscape of IT risks.

The World Economic Forum provides one scale. They rank breakdown of critical information infrastructure among the most likely core global risks, with a 10 to 20 percent likelihood over the next 10 years and potential worldwide impact of $250 billion.1 Sustained investment in IT (almost $1.2 trillion, or 29 percent of 2006 private-sector capital investment in the U.S. alone2) fuels growing exposure to IT Risk.

As the world grows more dependent on IT systems and processes, management of IT Risk becomes a practical necessity. Those who neglect this emerging discipline may squander opportunities from fear of trivial or imagined threats, or fail to take elementary precautions against significant threats.

IT Risk elements

IT Risk encompasses the full spectrum of risks that may affect or result from IT operations: external natural disasters or changes in government regulations, internal processes that affect product or service quality, IT organizational and data-center performance, loss of intellectual property, supervisory or legal controls, and much more.

Symantec differentiates among the four classes of IT Risk elements illustrated in Figure 1 according to their sources and potential impacts on organizations, specifically:

- Security Risk: that information will be accessed, manipulated or used by unauthorized parties
- Availability Risk: that information or applications will be made inaccessible by process, people or system failures, or natural disasters
- Performance Risk: that underperforming systems, applications, staff, or organizations will diminish business productivity or value
- Compliance Risk: that information handling or processing will fail to meet regulatory, IT or business policy requirements

Figure 1: IT Risk encompasses four types of elements, each with its own drivers and potential impacts. Detailed descriptions of the risk elements, with sources and potential impacts, may be found in the earlier report.3
Today's IT Risk environment

Every organization has a unique IT Risk profile. But dramatic global changes in IT Risk affect most organizations. There has been no shortage of breakout IT Risk stories in the popular press:

- Repercussions from the theft of more than 45 million customer credit- and debit-card numbers crippled earnings at a retailer4
- A spree of denial-of-service attacks directed at Web sites in a European country brought down government, banking, and even small school Web sites5
- Inadequate manual information management processes plagued a health care provider's transplant center, disrupting and delaying essential patient care6
- A government entity in the United Kingdom lost CDs containing 25 million personal records, including financial details of more than 7 million families7

Behind the headlines, Symantec's Internet Security Threat Report (ISTR) documents the transition from a hacker culture of nuisance virus outbreaks and network vandalism to an underground criminal economy in which bank accounts, compromised servers, passwords and credit cards are bought and sold in bulk.8 Professionalization and commercialization of malicious activities, along with more agile attacks and more frequent outages, have raised awareness and regulatory attention across the entire spectrum of IT Risk.

Figure 1 (diagram; labels recovered from the image). The four IT Risk elements with their drivers and goals:
- Security: Internal and External Malicious Threats; Keep Bad Things Out; Keep Important Things In
- Compliance: IT Policy and External Regulations; Ensure Adequate Controls; Automate Evidence Collection
- Performance: Application Performance and IT Performance; Optimize Resources; Ensure Correct Configuration
- Availability: Natural Disasters and System Failures; Keep Systems Up; Ensure Rapid Recovery
Against this array of external and internal IT risks, organizations deploy controls: IT processes and technologies designed to close vulnerabilities, maintain continuity of operations at specified performance levels, and achieve and document compliance with external and internal policy requirements.

A look back

The initial IT Risk Management Report, Volume 1 was published in February 2007 and is available at www.symantec.com/about/leadership. From more than 500 in-depth surveys, it determined that IT professionals:

- See their organizations as more effective deploying technology than process controls
- Consider IT asset inventory, classification and management, and secure application development processes to be significant problem areas
- Trust people and process improvements over technologies as their best opportunities to move from good to great
- Identify areas of misalignment between levels of their IT organizations about sources of IT Risk

The most encouraging result was that best-in-class organizations, even though they faced higher risk levels, experienced fewer incidents than less-effective organizations. Their effectiveness against more agile attacks may be attributable to their balanced investments across areas of controls to mitigate the full spectrum of IT risks.

This report

From February to October 2007, Symantec surveyed 405 IT Professionals about various aspects of IT Risk Management. Methodology and sampling were generally comparable with those of the first survey; please see the Appendix for details. This report on its findings complements Volume 1 in several ways, specifically by:

- Increasing emphasis on Availability and Performance Risk, to balance the Security and Compliance emphasis of Volume 1
- Balancing recurring and new survey materials to gauge changes in the IT Risk environment since collection of earlier information
New survey questions addressed emerging issues with important implications for IT Risk Management, specifically:

- Data leakage: risks to organizations' information assets from both external malicious activity and internal errors
- Endpoint management: the need to extend policy-based controls over fixed and mobile endpoints in a sprawling, porous, worldwide network
- Data center virtualization: IT Risk Management implications of adopting virtualization technologies to improve utilization and productivity of storage and servers
- Zero-day exploits: the need for new defenses as the time needed to create and disseminate malicious code that exploits a published vulnerability converges on zero

The second survey extends and further defines key issues and trends raised in the first. This report will compare results against those of the first survey to identify trends and differences, and explore new insights from the latest research.

Progress and persistent myths

The survey data itself, and conversations with IT professionals around the world, revealed a contradiction. Awareness of the importance of IT Risk Management to organizations and the IT profession continues to rise. Yet in an emerging discipline, this awareness has not yet dispelled a few persistent misunderstandings about the nature and extent of IT Risk, the best ways to manage it, and the shortcuts and traps that lie along the path.

This Report applies new survey data and Symantec Consulting experience to the analysis of four myths about IT Risk Management, specifically that:

- IT Risk and IT Risk Management are exclusively or primarily concerned with IT Security
- IT Risk Management is an annual, semiannual, or other periodic exercise
- Technology controls are sufficient to address most IT Risk Management concerns
- IT Risk Management is a science, with principles that are universal across time, geography, and business environments
IT Risk covers more than IT Security, and even Security Risk presents new challenges.

Security is important, but not the whole story.
Compliance: law and policy.
How Availability and Performance are different, and why they can't be ignored.

Myth One: IT Risk is Security Risk
No myth about IT Risk Management is more persistent than the idea that it is concerned primarily with identifying and mitigating security risks. It may be that the word risk seems to apply more easily to security than performance, availability, or compliance. Or IT professionals' consumer and early career experiences may have conditioned them to anticipate IT Security risks over others. Regardless of the cause, overestimating Security Risk can cause misallocation of time and resources, and significant exposure to other IT risks.

Even when Security risks remain top-of-mind, they need to be considered in balance with the full range of IT Risk elements. This section reviews some critical relationships among IT Risk elements, and points out the value of a balanced approach.

Figure 2: Importance ratings of IT Risk elements. (n = 130)*

Although focus on Security Risk persists, survey results document emergence of a broader view. Figure 2 shows that slightly more survey participants gave Critical or Serious ratings to Availability Risk than to any other element: 78 percent, against 70 percent for second-place Security, 68 percent for Performance, and a low of 63 percent for Compliance Risk. This result may reflect a focus on availability among survey participants who are directly accountable for it, and an underestimate of the impact of Performance risks that we will argue are often business-critical. The data also support two important conclusions. First, a majority of participants rate every area of IT Risk as either Critical or Serious. Second, only 15 points separate the top- and bottom-rated categories. IT Professionals are adopting a more balanced view of IT risks.

* In this Report, stacked-bar graphs show risk levels in ascending order from top to bottom. This is a change from Volume 1, to help readers combine top risk levels by reading from the scale instead of calculating. Color assignments to risk levels are unchanged. Variations in the number of data points represented in the graphs reflect differences in the survey items presented to and completed by participants.
Security Risk and data leakage

Whatever their ranking, security risks are undeniably important. External attacks, malicious code released onto public networks (with ever-shrinking latency), and attempts at unauthorized access to information and systems remain significant burdens for IT departments worldwide. And Symantec has documented increasing professionalization and commercialization of computer crime9, an alarming development, especially for industries with high-volume or high-value electronic transactions.

Security risks compromise customer trust and reputation: customer rights and expectations demand that organizations protect their personal information and money. Customers are especially hard on companies they see as careless with their information: a 2007 consumer survey on data security showed 62 percent of consumers more upset when information loss is due to negligence rather than theft.10 InfoWatch highlights the scale of the breaches; the average incident exposes the personal information of 785,000 customers.11 The 2007 loss by the UK government of more than 7 million families' financial records underscores the risk.12

Because customers withdraw from transaction providers and venues they don't trust, data leakage constitutes a serious threat not only to consumers, but to electronic commerce and banking.13 In the U.S., financial losses from credit-card fraud are assigned to issuers, insulating cardholders from direct financial risk. But new forms of fraud (phishing, identity theft, and underground marketing of private information) threaten reputations, creditworthiness, privacy, autonomy, and other nonfinancial assets. A history of serious breaches could stem or reverse online retail growth, regardless of financial guarantees. The same conditions apply in electronic banking, securities, and currency trading, where IT security risks present direct threats to the liquidity of financial markets.

Survey results show that IT professionals agree with their customers about the gravity of data leakage: 63 percent believe data leakage would have a serious impact on their businesses (see Figure 3 on page 12).
Figure 3: Impact severity estimates for data leakage from corporate information systems. (n=277)

Figure 3 legend (recovered from the image): Not applicable; Not considered; Minimal impact; Some impact; Serious impact.

But our survey participants judged that the probability of a major data leakage incident at their organizations is comparatively small: only 46 percent of them expect an incident as often as once a year (see Figure 4); a slight majority expect an incident only once every five years.

Is this a realistic assessment, or are survey participants underestimating this risk and overestimating the effectiveness of their mitigation efforts?

Incident rates for data leakage are notoriously complicated, due to:

- Lack of consistency in reporting standards across organizations and jurisdictions
- Strong points of view held by organizations that report incident data, e.g. consumer-privacy advocacy groups and banking industry organizations
- An understandable reluctance of victimized organizations to disclose incidents except to their customers and as required by law
- A twofold threshold problem: smaller incidents may not be widely reported, so incident rates seem lower, but average impacts seem higher
- A misguided focus on criminal activity, although most breaches are due to employee error14

Because of these factors, data leakage incident information may be reported in a fragmented, inconsistent fashion, leading to lower predictions of incident frequency.

Survey participants' confidence in data protection may be misplaced, given the broad availability of stolen data for sale on the Internet. Identities, complete with U.S. bank accounts, credit cards, government-issued identification numbers and birthdates, are available for purchase online from U.S. $14 to $18.
And with large impacts possible from even single data-security breaches, Symantec recommends:

- Careful analysis of security event logs using technology and services available from Managed Security Service Providers (MSSPs)
- Monitoring of trends across the security threat landscape, using the Symantec Internet Security Threat Report and other sources
- At minimum, a quick review of network endpoints, considering vulnerabilities to both internal error and external malfeasance
- Evaluation of some of the new, information-focused security tools developed specifically to help organizations address data leakage

Figure 4: Estimated frequency of data leakage from corporate information systems. (n=277)

Compliance

Compliance Risk stems from failures to meet regulatory or business requirements for information handling or processing. In highly regulated industries, compliance failures may compromise the organization's reputation, profitability, or even existence.

Since many regulations govern privacy and information security, Compliance is sometimes seen as a derivative of Security. But Compliance Risk is more than Security Risk formalized by law. Regulations including new U.S. Federal rules for legal discovery broaden the scope of Compliance Risk beyond security concerns. And even regulations unrelated to IT may require dramatic changes to IT infrastructure and processes, adding complexity and competing for scarce IT resources with mitigation of other risks. The U.S. Sarbanes-Oxley Act of 200215 and the EU Markets in Financial Instruments Directive16 are just two recent examples of regulatory initiatives not aimed at Security Risk, but with far-reaching consequences for IT.
The compliance obligations of organizations subject to local, regional, and national regulations include the costs of maintaining and reporting compliance to the satisfaction of external regulators, the challenge of setting and meeting internal policies and standards to ensure that external requirements are met, and obligations governing the security, availability and performance of their IT services for internal clients.

Compliance impacts

The IT Policy Compliance Group examined financial impacts of IT compliance in 2007. After finding an association between compliance and lower rates of data loss and theft, the study determined that after loss and theft incidents, public companies experienced eight-percent declines in stock price, active customer base, and short-term revenue.

In addition, the study found that firms spent an average of $100 per lost record in litigation, settlements, restoration, and improvements.17 Noncompliance with standards and internal policies introduces risk even when regulatory controls are moderate. Combining the direct and indirect impacts with intangible losses of reputation, loyalty and employee morale justifies the ranking of Compliance as a critical IT Risk.

IT Risk: Value and Vulnerability

IT Risk element | Compromised core values | Risk origins
Security | Trust, customer reputation | External attacks, malicious code, physical destruction, inappropriate access, disgruntled employees
Compliance | Legal, financial, and operational integrity | Changing or misunderstood regulations, missing or poorly-defined IT policies, insufficient auditing capability
Performance | Efficiency and productivity | Poor system architecture, network congestion, inefficient code, inadequate capacity, ineffective process design
Availability | Financial and supply-chain integrity, commercial responsibility | Network failures, inadequate change management, data center failures, regional disasters
Availability and performance: different kinds of risk?

Availability Risk concerns inaccessibility of information or applications during system outages and recovery. Performance risk concerns reduced business productivity or value when teams, systems or applications underperform. Often overshadowed by Security and Compliance concerns, and sometimes unrecognized outside IT, these risks differ in several important ways.

Frequency and impact

Security and compliance risks attract attention because of their high visibility and impact: virus outbreaks, data losses, or lawsuits may require disclosure, are staples of the business press, and are devastating to the individuals and companies involved. In the U.S. alone, twice-weekly updates barely keep up with the rate of new data breaches, some involving hundreds of thousands of records18 and million-dollar fines. In contrast, common availability and performance events tend to be incremental, and may escape notice: a few seconds' delay in serving Web sites, a few percentage points lower transaction capacity, near-misses in meeting recovery-time or recovery-point objectives. Yet the cumulative burden of IT underperformance weakens any organization, and a single breakout event may be enough to bring it down.

Transfer of harm

A second difference is that while Security and Compliance risks involve transfer of harm (from thief to victim or government to organization), Availability and Performance risks often play out inside the walls, as reduced revenue, added expense, or lost profits. Stakeholders can, should, and do complain, but incremental availability and performance shortfalls rarely attract outside attention, nor are the affected organizations likely to seek it.

But when they occur, availability and performance disasters can be nightmare scenarios: transaction processing at a crawl on the busiest shopping day of the year or during a market crash, failures cascading through backup systems during a site or regional disaster, or essential services missing when they're needed most. Worse, Availability and Performance disasters are often irrecoverable over the short term.

A reciprocal relationship?

Finally, some IT professionals see Availability and Performance as reciprocal to Security and Compliance. This seems true at the extremes: information locked in a safe on the ocean floor might be secure and safe from the legal and regulatory consequences of disclosure, though at great cost to its availability, and the performance of systems that use or serve it.
But the reciprocal relationship Security and Compliance have with Availability and Performance extends to the middle ground. Every improvement in distribution of information raises the risk it will fall into the wrong hands, or violate principles governing its use. Likewise, attempts to secure information often make it less available, and may compromise the performance of systems that process it. This reciprocal relationship is at the core of many tough decisions in IT Risk Management.

Availability impacts

When business processes depend, sometimes completely, on IT systems and processes, IT failures cause business failures. Researchers at Dartmouth and the University of Virginia investigated one example: a hypothetical failure of the Supervisory Control and Data Acquisition (SCADA) network at an oil refinery. SCADA failure would immediately shut down production because of safety concerns. The researchers estimated an economic impact of $405 million from a hypothetical ten-day outage at a supplier that contributed 10 percent of the U.S. gasoline supply. The affected supplier would bear only $255 million of the impact; others in the supply chain would assume the remaining $180 million loss.19

This example highlights two important facts: First, IT system availability is not equivalent to business availability. Second, in a connected world of global supply chains and collaboration networks, availability failures in one business cascade directly into others.
Performance impacts

Performance risks compromise business efficiency. A thought experiment illustrates the point: a 1 percent loss in labor productivity is just five minutes of an eight-hour day. But for a U.S. or Western European organization of 10,000 employees, that same loss costs approximately $4.25 million in wages every year.* How many organizations can say that they lose no more than 25 minutes of productive time (about 5 percent) from slow system response times, inefficient application designs, poor integration, or misaligned IT and business priorities? Figure 5 estimates the annual costs of productivity losses on that scale and less, for organizations of different sizes.

Figure 2 showed that 68 percent of survey participants rated Performance Risk as a critical or serious threat. Add to the direct impact of Performance Risk on productivity the follow-on effects on customer satisfaction and supply-chain efficiency, and it becomes clear why Performance Risk is an important target for IT Risk Managers.

* Assumes 60 percent of employees in the United States and 40 percent in Western Europe, all earning their national average hourly wages: $18.58 for the U.S. and $23.31 for the UK. U.S. average wages per U.S. Social Security Administration, October 2007; UK per National Statistics Office, November 2007.
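To make the thought experiment reproducible, here is an added worked example (my code, not the report's) that turns the footnote's wage assumptions into a small cost model and generalizes it to the organization sizes and minutes-lost-per-day scale that Figure 5 plots. The wage mix and hourly rates are the report's; the 250-working-day year is my assumption, since the report does not state one, chosen because it reproduces the report's "approximately $4.25 million" figure (the model gives about $4.27 million for five minutes a day across 10,000 employees).

```python
# Added example, not code from the Symantec report: cost model for the
# "Performance impacts" thought experiment. Wage mix and rates come from the
# report's footnote; WORKING_DAYS_PER_YEAR is an assumption (not stated in the
# report) that reproduces its "approximately $4.25 million" figure.
from dataclasses import dataclass

HOURS_PER_DAY = 8              # the report's eight-hour working day
WORKING_DAYS_PER_YEAR = 250    # assumption: not given in the report


@dataclass(frozen=True)
class WageGroup:
    """A share of the workforce paid a given national average hourly wage (USD)."""
    share: float
    hourly_wage: float


# Report footnote: 60% in the U.S. at $18.58/h, 40% in Western Europe at the UK
# rate of $23.31/h.
REPORT_MIX = (WageGroup(0.60, 18.58), WageGroup(0.40, 23.31))


def blended_hourly_wage(mix=REPORT_MIX):
    """Weighted average hourly wage across the workforce; shares must sum to 1."""
    total_share = sum(g.share for g in mix)
    if abs(total_share - 1.0) > 1e-9:
        raise ValueError(f"workforce shares sum to {total_share}, expected 1.0")
    return sum(g.share * g.hourly_wage for g in mix)


def productivity_loss_fraction(minutes_lost_per_day, hours_per_day=HOURS_PER_DAY):
    """Fraction of the working day lost (the report: 5 min of 8 h is about 1%)."""
    if not 0 <= minutes_lost_per_day <= hours_per_day * 60:
        raise ValueError("minutes lost must lie within the working day")
    return minutes_lost_per_day / (hours_per_day * 60)


def annual_wage_cost(minutes_lost_per_day, employees, mix=REPORT_MIX,
                     working_days=WORKING_DAYS_PER_YEAR):
    """Wages paid for unproductive time over one year, in USD."""
    productivity_loss_fraction(minutes_lost_per_day)  # validates the input range
    if employees < 0:
        raise ValueError("employees must be non-negative")
    hours_lost_per_day = minutes_lost_per_day / 60
    return hours_lost_per_day * blended_hourly_wage(mix) * employees * working_days


def cost_per_minute_millions(employees, mix=REPORT_MIX,
                             working_days=WORKING_DAYS_PER_YEAR):
    """Figure 5's unit: millions of USD per year for each minute lost per day."""
    return annual_wage_cost(1, employees, mix, working_days) / 1e6


def figure5_table(sizes=(1_000, 10_000, 100_000), minutes=(5, 10, 25)):
    """Annual cost in millions of USD for each (organization size, minutes lost) pair."""
    return {size: {m: annual_wage_cost(m, size) / 1e6 for m in minutes}
            for size in sizes}


if __name__ == "__main__":
    for size, row in figure5_table().items():
        cells = ", ".join(f"{m} min/day -> ${cost:.2f}M" for m, cost in row.items())
        print(f"{size:>7} employees: {cells}")
```

The model deliberately separates the wage mix from the arithmetic so that the same function answers the report's second question (25 minutes a day at 10,000 employees comes to roughly five times the five-minute figure) and can be re-run with an organization's own headcount and pay rates.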
Figure 5: Hypothetical annual costs of unproductive time, expressed as millions of dollars per minute lost each day, for organizations of different sizes.

Beyond Security-centric IT Risk Management

Balanced investments in controls are the key to successful management and mitigation of IT Risk, and require balanced assessment across IT Risk elements. Even when security concerns dominate their risk environment, organizations must take care that a security-centric view does not blind them to very real availability and performance risks that may be neglected, or even raised by their mitigation efforts.

IT Risk Management is a continuous process, to address constantly-changing IT Risk and business environments.

IT change outpaces point-in-time planning.
IT Risk Management is adaptive and continuous.
Start with policy, and deploy the right controls.

Myth Two: IT Risk Management is a Project
Already involved in hundreds of projects, busy enterprise IT departments may see the assessment of IT Risk as a one-off project, followed by adjustments to remediate specific deficiencies. But this is unsatisfactory in a world where risks are constantly changing. Organizations must monitor IT risks continuously, and make frequent changes to their management strategies. And while it's certainly true that the initial stages of IT Risk assessment will resemble other projects, and that the process can profit from the same discipline and focus that make any IT project a success, the project perception, like the firefighting mentality that preceded it, can defeat even the best intentions and efforts.

Annual projects or "random acts of risk management,"20 are better than nothing at all. But organizations put themselves at risk when the cadence of their IT Risk Management programs fails to match the rate of change in their risk environments. Effective, continuous IT Risk Management processes may be introduced to organizations without compromising the discipline and sense of mission surrounding the launch of a major initiative. This section reviews some of the ways that business and technology changes affect the risk environment, and outlines some ways leading organizations have introduced IT Risk Management into their core business processes.

Incident rates and reactions

IT Security, Compliance, Availability, and Performance incidents assault the modern organization at alarming rates. Just ask the people on the front lines: administrators charged with monitoring and responding to these incidents every day. For IT Risk Management programs to manage what they measure, organizations need to measure the rates of these incidents.

We asked survey participants to estimate the frequency of four types of IT incidents: regulatory non-compliance, major information loss, major IT failures, and minor IT failures; results are shown in Figures 6 through 9. We found that:

- 66 percent of participants expect regulatory non-compliance events at least once every five years
- 59 percent expect major loss-of-information events at least once every five years
- 63 percent expect major IT failures at least once a year
- 69 percent expect minor IT failures at least ten times a year

These estimates predict IT incidents about once a month for the average organization. At such incident rates, annual or bi-annual IT Risk Management is clearly insufficient.
Figure 6: Participants' expected incidence of regulatory non-compliance by their organizations. (n=405)

Figure 7: Participants' expected incidence of severe impacts from loss of information confidentiality, availability, or integrity. (n=405)

Figure 8: Participants' expected incidence of severe impacts to their IT organizations that interrupt critical business operations. (n=405)

Figure 9: Participants' expected incidence of minor impacts to their IT organizations that impair the work of individuals or groups. (n=405)

The changing risk environment

Not only are IT and business environments rife with every kind of IT Risk, but the risks are constantly changing. In the Introduction, we saw evidence of a transition in the type of Security Risk faced by organizations; in fact, every category of IT Risk is evolving all the time, driven by technology change, company go-to-market strategy, and the macro business climate.

Other elements of IT Risk are changing just as fast. The Compliance Risk environment is in constant flux as regional and national governments enact new legislation, organizations introduce frameworks and standards for IT Governance and other processes, and companies adjust policies to meet the needs of their unique business strategies and environments. Availability Risk changes, for example when entering new markets with unreliable power and communications infrastructures, and in disaster-prone areas, it can literally vary with the
weather. Performance Risk shows long-term trends based on the availability and affordability of high-performance systems, applications, and personnel. But it also shows seasonal variations based on demand cycles that vary from one organization to another, and the resources available to meet them.

IT Risk Management: a continuous process

With such variability in IT Risk environments over time, any project-oriented or point-in-time IT Risk Management process will quickly find itself overtaken by events. Changing IT Risk environments call for adaptive IT Risk Management that anticipates and responds to environmental change as it remains aligned to strategic organizational objectives. Adapting environmental and event monitoring to the frequency of IT incidents represents a critical best.

Major changes in business strategy are rare, but operational and go-to-market adjustments happen every day. For example, software-as-a-service applications offer flexibility and rapid time to market, but present significant challenges across the spectrum of IT risks. IT Risk Management programs must track such developments, understand their business context, and develop a Risk Management posture to accommodate and support them.

Risks from technology are evolving, too. The Symantec Internet Security Threat Report tracks changes in the Internet threat landscape over time in its Future Watch feature covering emerging threat activity likely. Figure 10 illustrates some recent topics. As discussed above, annual benchmarks are only a single contributor to an organization's continuous assessment of IT Risk; alert managers will supplement them with both formal and informal indicators of risks introduced by changing technology, people, and processes.

Figure 10: Summary of the Symantec Internet Security Threat Report Future Watch topics.

Figure 10 (table; entries recovered from the image, grouped by ISTR volume in the original: Volume VII, Sept 2005; Volume X, Sept 2006; Volume XII, Sept 2007). ISTR Future Watch topics listed: Polymorphous Win32 malicious code; Web 2.0 security threats and AJAX attacks; Microsoft Vista; Increased vulnerabilities due to fault injection fuzzers; Modular malicious code; Bot networks; Phishing targets and methods; Advanced spyware developments; Wireless security threats; VoIP threats; Mac OS security; Malicious code and virtual worlds; Automated evasion processes; Advanced web threats; Diversification of bot usage.
Continuous IT Risk Management for continuous improvement

Organizations use technology to capture or enter new markets and build efficiencies, inevitably exposing themselves to new risks as they do. Continuous IT Risk Management programs evolving at the speed of business change help them measure and then mitigate or accept those risks in ways that match their strategies for securing sustainable competitive advantage.

Depending on organization size and strategy, continuous IT Risk Management programs may be fully staffed in their own departments or a task for the CIO. Regardless of its scope, every program needs a push to get started. Symantec has identified these practical first steps that have helped IT organizations launch successful Risk Management programs:

1. Put one person in charge: chosen according to your organizational structure and dynamics, but with the authority to make things happen
2. Use an event as a catalyst: an IT incident that provides momentum for IT Risk Management makes the best of a bad situation
3. Perform an initial risk assessment: avoid the temptation to "just do something", and use at least a quick, qualitative assessment to focus efforts for a quick return on a modest investment
4. Start dialogues at the executive and board level: IT Risk Management succeeds when the whole organization is behind it; start at the top

Controls

Once underway, successful IT Risk Management programs need to monitor controls to sense the internal environment, and appropriate sources of information to monitor the external environment.

More frequent monitoring of internal controls helps cut incidents and associated losses. The IT Policy Compliance Group determined in 2007 that organizations that monitor IT controls more frequently experience fewer incidents:

Organizations with the fewest unreported data losses and compliance deficiencies are monitoring and measuring controls once every one to three weeks, and on average at least once every two weeks; firms with the most IT compliance deficiencies and the highest latent data losses are monitoring and measuring controls once every 6.8 to 8.5 months.21
Information

Conversations with business managers provide valuable insights into strategic directions and go-to-market initiatives; IT vendors can help predict system upgrades and other operational information.

IT analysts can help identify IT trends and emerging issues to help managers sense the external environment. One valuable source is the Symantec Internet Security Threat Report, which offers six-month updates on Internet threat activity that include analysis of attacks, vulnerabilities, malicious code, and trends in phishing and spam.

Myth and reality

The myth that IT Risk Management can be addressed in a single project, or even a series of point-in-time exercises across budget periods or years, ignores the dynamic nature of the internal and external IT Risk environments. Worse, this view ignores the opportunity value of capable IT Risk Management: identifying acceptable risks, measured against their costs and business value, or implementing mitigation processes that allow organizations to take calculated risks with confidence.

People, executing processes supported by technology, are your most valuable resource to manage IT Risk.

Process effectiveness is a known weakness.
Frameworks, controls, and the road to improvement.
Key process controls and the critical role of training.

Myth Three: Technology alone mitigates IT Risk
Organizations manage IT risk by deploying controls. These span a wide variety of activities, and typically involve people executing processes with technological support, for example by using compliance management software to create policies mapped against regulations and best practices, and then monitor and document compliance. The February, 2007 IT Risk Management Report, Volume 1 examined relationships in the use of eight technology controls and eight process controls. In a technology discipline populated by many specialists with engineering backgrounds, it was no surprise to find attempts to solve persistent problems framed in engineering terms. IT professionals rated their organizations more effective deploying technology controls to address IT Risk than they did process controls.
The analysis also determined that best-in-class organizations followed a more balanced approach in deploying technology and process controls. For the 2008 study, we expanded the analysis to cover a larger set of controls, each with elements of people, process, and technology.
Best in class: risks and incidents
For this study, we asked participants to rate the effectiveness of implementation of 18 controls critical in managing IT Risk, arranged into four categories: strategic, support, delivery, and security controls (see sidebar on page 33 for descriptions). We divided our 405 participants into quartiles based on their overall effectiveness across all 18 controls.
As in last year's study, we calculated separate indexes for compliance and business process risks, for each quartile (across six compliance and seven business-process IT Risk areas), together with the rate at which participants expected IT incidents. The results are shown in Figure 11.
Figure 11: Expected incident rates and ratings for two categories of IT Risk in organizations in each IT Risk Management performance quartile. Professionals from better-rated organizations see themselves facing more IT Risk, but expect fewer incidents. (n=405)
As they did in Volume 1, the results show that participants who rated their organizations effective in managing IT Risk saw themselves facing greater compliance and business process risks but expected fewer IT incidents. The relationship suggests that organizations more effective at deploying controls are rewarded with lower rates of incidents.
Best in class: balanced controls
What separates best-in-class performers from other participants? A closer look reveals that organizations in the Best quartile deploy strategic, support, delivery, and security controls with uniformly high effectiveness (see Figure 12). This contrasts with organizations in the Worst quartile, which deploy security controls at moderate levels of effectiveness, but show less success with strategic and delivery controls.
Again, readers of last year's report will find few surprises: organizations with strong performance ratings deploy controls effectively across the full range. No single control or category alone leads to high performance; a combination of effective controls helps best-in-class organizations achieve their expectations of lower rates of IT incidents.
Figure 12: Effectiveness ratings for four categories of controls (strategic, support, delivery and security) by performance quartile. (n=405)
The importance of process controls
IT professionals are familiar and comfortable with technology controls. But process controls are often the key to avoiding serious incidents, as demonstrated in a study conducted by Symantec and researchers from the MIT Center for Information Research in 2007. The study examined root causes of 85 severity-one security and availability incidents. Figure 13 on page 30 shows the results.
Process-based issues caused 53 percent of incidents. In 63 percent of these cases, no pre-defined process existed to manage the incident; in only 22 percent did an existing process fail to manage it. Environmental configuration issues accounted for 51 percent of incident root causes; and staff skills for 41 percent.
Figure 13: Root causes of IT incidents. (Totals exceed 100 percent: 63 percent of the incidents had multiple root causes.) (n=85)
The promise of process frameworks
How can other organizations build strong processes to achieve best-in-class performance? Fortunately, they have help. IT leaders have focused considerable attention in recent years on IT Service Management (ITSM) process frameworks and standards, including the Information Technology Infrastructure Library (ITIL) framework managed by the UK Office of Government Commerce, the ISO/IEC 17799 security and 20000 audit standards, and the Control Objectives for Information and related Technology (CobiT) best-practice guidance materials on IT governance.22 Following in the tradition of the quality disciplines that transformed manufacturing in the 1980s and 1990s, these frameworks and standards address constantly-changing IT infrastructures and data-center configurations from the standpoint of services delivered to IT end-users.
More than 20 percent of billion-dollar companies have already completed one or more ITIL implementations,23 and many more are underway. The business benefits these organizations hope to achieve include:
IT service improvements such as consistent performance against Service Level Agreements, with IT risks minimized, managed, or accepted
IT process improvements including operational best practices, with documentation of compliance to appropriate policies and standards
Standardization of IT infrastructure and processes, to reduce the cost, complexity, and time-to-value of IT investments
As we will see in the next section, investments in training and staff development are among the most productive paths to improved performance.
Process trends
While interviewing for last year's study, we observed that several organizations were making large investments in secure application development processes. Participants explained that they were building more secure IT operating environments by eliminating security problems at the source. Comparing this year's results with those, we have a 10 percent improvement in the number of participants rating secure application development over 75 percent effective. This indicates that organizations are making thoughtful, effective investments to manage IT Risk.
We predict that Problem Management will be the next area to improve, as Secure Application Design did. ITIL helps align IT initiatives with business goals, using Problem Management to minimize the adverse impact of Incidents and Problems on the business that are caused by errors within the IT Infrastructure, and to get to the root cause of Incidents and then initiate actions to improve or correct the situation.24
Our research with MIT showed that IT incidents share root causes. We expect that as IT Risk Management programs mature, they will begin to deploy more robust Problem Management processes to eliminate root causes of IT incidents, using or modifying technology as needed, but relying primarily on process to manage specific, identified root causes.
In Volume 1 we noted concern over the low rating of the Asset Inventory Classification and Management control. Participants in the current survey reported a negligible increase in effectiveness for this control, still the most poorly rated in the study. In addition, the current survey shows a decline of 17 percent in the number of participants who rate Data Lifecycle Management over 75 percent effective.
The combination of these two trends is a concern. Both of these controls classify systems and information, applying unique policies to each class. This process aligns the treatment of each class with business objectives. Weakness in these controls suggests that assets will be treated equally, so that some systems, processes, and objects will be overprotected and others underprotected from IT Risk, resulting in cost and service inefficiencies.
Technology in support of process
Although technology cannot substitute for process discipline and expertise, technology solutions can help standardize, automate, and report key measurements related to process effectiveness, increasing the span of awareness and control of trained personnel. Process-support technologies include software and appliances to assist IT organizations with:
Configuration and Change Management, to improve the discovery, mapping, correlation, and tracing of changes to applications and servers
Performance Management, to identify underperforming assets and infrastructure tiers, and help isolate root causes of underperformance
Provisioning Management, for consistent patch deployment across operating systems and geographies, avoiding incompatibilities and timing issues
Technology plays a critical role in the mitigation of IT Risk. But people and process, supported by technology, determine how effective your program will be. An organization's maturity in deploying IT Risk Management will dictate which investments are most appropriate for your organization at this time. And while every organization is unique, core Risk Management problems are common to all organizations.
Key Controls for Managing IT Risk
The key controls listed below were derived from extensive study of published control standards for IT management, including the Information Technology Infrastructure Library (ITIL), CobiT, and ISO 17799, as well as from Symantec's experience in working with top-performing organizations throughout the world.
Strategic Controls
IT policy, strategy, and architecture
Organizational structure, roles, and responsibilities
Governance, compliance and continuous improvement
Data lifecycle management
Support Controls
Asset inventory classification and management
Physical and environmental management
Configuration, change and release management
Incident, response and problem management
Delivery Controls
Service level management
Operational design, workflow and automation
Secure application design, development and testing
System build and deployment
Capacity management
Availability management
Service continuity management
Security Controls
Authentication, authorization and access management
Network, protocol and host security
Training and awareness
IT Risk Management, like other business processes, requires disciplined planning and execution.
Myth Four: IT Risk Management is a science
An emerging business discipline, not a science.
Origins of IT Risk Management.
IT Risk Management in context: Risk Management, Business Strategy.
This last myth is more widespread within the practice of IT Risk Management than in the business community at large. As IT Risk Management becomes more widely practiced, disciplined, and documented, and especially as standards and frameworks encourage consistent practice, practitioners may come to see it as a set of fixed principles and relationships, universally applicable across industries and geographies.
Roots and progress
But IT Risk Management is an emerging business process, not a science. Rather than experiment and analysis, IT Risk Management relies on the experience accumulated by individuals and organizations as they make their way across a changing business landscape.
We can identify three primary contributors to the current practice of IT Risk Management:
Operational Risk Management
In the Risk Management family, Financial Risk Management is the science, and Operational Risk a set of ad hoc processes to address event risks from fire and fraud to supply-chain failures. Its diversity is captured in its definition: the risk of loss from inadequate or failed internal processes, people, and systems, or from external events,25 in effect covering any risk that cannot be completely hedged or insured against.
By 2002 the interconnectedness of internal and external networks and business processes had already given IT Risk Management special status. Logically and taxonomically still a form of Operational Risk Management, IT Risk Management emerged as a separate practice because:
Many business operations and transactions now took place entirely within IT systems
The pace of technology change required more rapid adaptation in technology and process controls than do other forms of operational risk
The discipline of IT Risk Management required specialized knowledge and skills among both IT professionals and business managers
Process improvement disciplines
Process improvement methodologies transformed factories worldwide in the late 1980s and throughout the 1990s, and launched one of the greatest productivity advances in history. Manufacturing disciplines drove build quality to unprecedented heights, while computer-intensive Manufacturing Resource Planning and Enterprise Resource Planning technologies broke through old assumptions about productivity and inventory management.
A few pioneering companies demonstrated that these efficiencies could work even across company boundaries, in supply partner and distributor networks that combined with the communications efficiencies of the Internet to launch the e-commerce revolution.
IT Risk Management is their natural successor. Too often viewed merely as a defensive exercise, IT Risk Management helps companies identify both risks and opportunities in their business environment, and trade-offs between risk and cost, or risk and opportunities. With trade-offs identified and measurement systems and controls in place, organizations can take appropriate risks confidently, to pursue opportunities they might otherwise forgo.
Business and IT Governance
Regulations governing business conduct, most prominently Sarbanes-Oxley in the United States, raised the accountability of corporate officers and disclosure standards for business information, with significant implications for IT. Sarbanes-Oxley was an external stimulus for many companies, the first that forcibly aligned business and IT strategies, and made IT governance a top-of-mind issue for many chief executives.
To meet the requirements of Sarbanes-Oxley, EU Privacy and Market Directives, and industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) Data Security Standard, IT needed a way to organize, evaluate, and balance these requirements systematically to guide effective action, and IT Risk Management was well adapted for the task.
Current state of IT Risk Management
Most business people are familiar with Risk Management, but fewer understand the emerging practice of IT Risk Management, and fewer still appreciate its role in today's connected organizations.
IT Risk Management combines the rigor and breadth of Operational Risk Management, the productivity focus of Manufacturing disciplines, and the stakeholder point of view common to governance frameworks. It adds process and technology controls unique to the IT world, and is an emerging business discipline, like Financial Risk Management or Supply-Chain Management, capable of making unique contributions to organizational effectiveness.
Frameworks and best practices
Documented best practices for IT Risk Management are scarcer than those for IT Operations Management frameworks like ITIL, for example. Standards such as ISO 17799, The Code of Practice for Information Security Management Systems, and the broader Australia/New Zealand Standard on Risk Management, AS/NZS 4360:2005, can help, but these are references rather than practical guidelines. Frameworks and standards provide excellent starts, but every organization will need to refine priorities and processes appropriate for its own risk environment and organizational goals.
Through its research and client work, Symantec has identified four IT Risk Management best practices that are generally applicable across organizations:
1. Assess risk and scope: before taking action, assess the likelihood and probable impact of each risk. Even a simple, qualitative assessment will help you avoid coverage gaps and waste as your program gets underway. Keep in mind that not all IT Risks must be eliminated: quick, cheap corrections may be enough to bring risks to acceptable levels.
2. Build a risk-aware culture: because businesses take risks for profit, naive risk aversion can be a barrier to success. IT Risk Management should build a culture that understands organizational objectives, IT risks, mitigation costs, and their interrelationships.
3. Develop people: MIT research cited in Chapter 4 showed that 41 percent of IT incidents have root causes based in staff skills. In a separate study, IDC and Symantec found that training and team skill levels have a profound impact on IT performance.26 Training investments pay off, for example, by refocusing team efforts on high-value activities, which can improve team productivity by 10 percent or more, more than enough to cover the costs of training.
4. Give it time: chalk up some early wins to build momentum, but focus long-term efforts on strategic issues identified in your risk assessment, and allow those controls to mature over time. Symantec's experience demonstrates that it may take three to five years for IT Risk Management controls to become completely effective.
Taking the second step
The most important step in any IT Risk Management program is simply getting started, and in Chapter 3 we suggested using catalyst events to get your program underway. But what are the next steps? Based on Symantec's experience with emerging and established IT Risk Management programs, and analysis of correlations between risks and controls for survey participants, we see the following logical implementation sequence for controls:
1. Security risks and controls: survey results suggest addressing security risks first, since better security controls most strongly predicted improvements in incident expectations. And because information security is IT-centric, IT can act with less dependence on others to achieve easy wins and gain early momentum.
2. Availability risks and delivery controls: delivery controls, closely associated with Availability Risk, had the second-strongest correlation with reduced incident expectations. Our research also indicates that organizations facing higher levels of business process risk deploy delivery controls most often. And because business managers easily grasp the benefits of reduced availability risk, delivery controls are an excellent step in meeting business objectives outside the glass house.
3. Compliance/performance risks and strategic controls: Compliance and Performance Risks most closely underpin business units' daily use of IT services. Managing these risks requires collaboration to align the actions of IT with the requirements of its business clients. Laying a foundation with Security and Availability Risk assessments prepares your organization for these more sophisticated conversations.
Your organization may face a unique set of risks that calls for a different approach: for example, an insurance company in an at-risk region may focus on Availability Risk first, or a company under regulatory review on Compliance Risk. As illustrated in Figure 14, alignment is critical throughout execution. And regardless of the order of deployment, use the four best practices as guides.
Figure 14: Illustration showing how key elements of IT execution interact with the most important issues in IT/business alignment. Execution skills apply across multiple issues, justifying investments in skills development.
Conclusion
Technology drives the consolidation of industries, globalization of markets, and invention and reinvention of organizations worldwide. Technology supports collaboration and innovation at rates never seen before. But technology failures can bring entire segments of the economy to a halt, corrupt records or leave them inaccessible, and compromise employee productivity.
Managing risks introduced by IT is a business imperative. In this report, we have observed that:
IT failures in your organization ripple through customers, suppliers and partners
IT risks come from multiple sources, change constantly, and require continuous programs of discovery, monitoring, and management
IT risks are managed by the combination of people, process, and technology, balancing risks against business objectives
IT Risk Management is a business process that adapts to organizational requirements, guided by best practices
As you launch or expand your IT Risk Management program, keep in mind that managing IT Risk rarely means eliminating it. Instead, IT Risk Management disciplines and practices help keep IT services flexible, adaptive, and aligned to organizational goals in a constantly changing business climate. In addition, IT Risk Management can provide the insights that allow you to take calculated risks with confidence and use IT to drive competitive advantage.
The future
Symantec will continue its research into IT Risk Management to discover additional practical recommendations and best practices to help organizations develop and implement their own programs. Future research will assess the state of deployment and maturity of IT Risk Management programs, including the prevalence of IT Risk Management initiatives and the use of program-based best practices. Symantec will continue to explore how the management of IT Risk contributes to business productivity, competitive advantage, and the spirit of innovation.
Appendix: Methodology
Data collection
Between February 2007 and October 2007, Symantec collected 405 surveys from IT professionals attending IT events worldwide (approximately 85 percent), or online at www.symantec.com (approximately 15 percent). Each participant received a report comparing his or her responses to those of a benchmark group. To ensure candid responses and protect participants' privacy, Symantec contracted a third party, Ecosystems, LLC of Vienna, VA, to collect, process, and report the survey results.
Because participants occasionally skipped one or more survey questions, the number of responses may vary from one question to another.
Differences in questions
For comparison and trend analysis, the current report echoes several questions from the Symantec IT Risk Management Report, Volume 1, which reported responses from 528 participants last year. The current report also includes results from questions designed to extend data-set coverage or explore emerging issues.
Demographics
We fielded the survey to a broad group of IT professionals, across industries, sizes of organizations, participant job roles and global regions. These demographics provided the variables for much of our analysis.
Figure A1: Participants by industry. (n=405)
Figure A2: Participants by job role: professionals include business, consultant and other non-IT job functions. (n=405)
Figure A3: Participants by organization size. (n=365)
Figure A4: Participants by geographic region. This report includes participants from the Asia Pacific region, which was not represented in the previous report. (n=405)
Use of indexes
This report compiled seven indexes to measure the significance or impact of risks, effectiveness measures, or incident rates across participants, compare results across demographic or other categories, and for correlation and comparative analysis. Each index averages data across the relevant set of questions.
The indexes are:
Compliance Index
Business Process Index
Incident Rate Index
Strategic Effectiveness Index
Support Effectiveness Index
Delivery Effectiveness Index
Security Effectiveness Index
End notes
1 World Economic Forum. Global Risks 2007: A Global Risk Network Report. (Geneva. January, 2007), p 8.
2 Bureau of Economic Analysis. National Economic Accounts: Private Fixed Investment in Equipment and Software by Type. (Washington DC. November, 2007), Table 5.5.5U.
3 Symantec Corporation. IT Risk Management Report, Volume 1. (Cupertino, CA. February, 2007), Table 1, p 8.
4 Sharon Gaudin. T.J. Maxx Security Breach Costs Soar to 10 Times Earlier Estimate, Information Week. (Manhasset, NY: CMP Media LLC. August 15, 2007).
5 Jeremy Kirk. Estonia Recovers from Massive Denial-of-Service Attack, NetworkWorld. (Boston: IDG. May 17, 2007).
6 Deborah Gage and Kim S. Nash. We Really Did Screw Up, Baseline. (New York: Ziff Davis. May 14, 2007).
7 Tom Young. HMRC fiasco places data protection under the spotlight, Computing. (London: Incisive Media Ltd. November 29, 2007).
8 Symantec Corporation. Internet Security Threat Report Volume XII. (Cupertino, CA. September, 2007).
9 Symantec Corporation. Symantec Reports Rise in Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers' Financial Gain, press release. (Cupertino, CA. March 19, 2007).
10 Dr. Larry Ponemon and Vontu, Inc. 2007 Consumer Survey on Data Security. (Traverse City, MI: Ponemon Institute. June 25, 2007).
11 Infowatch. Global Data Leakage Survey 2006. http://www.infowatch.com/threats?chapter=162971949&id=207784626 (Moscow: February 15, 2007).
12 Tom Young, op. cit.
13 Ponemon and Vontu, op. cit.
14 Symantec Corporation. Stop Data Leakage Now, article. (Cupertino, CA. April 17, 2007). http://www.symantec.com/business/library/article.jsp?aid=stop_data_leakage
15 Lawrence D. Dietz, Esq. International Implications of Sarbanes-Oxley: What every IT Professional Should Know. (Cupertino, CA: Symantec Corporation, October 13, 2006).
16 A Balanced Approach to MiFID Compliance. (Cupertino, CA: Symantec Corporation, March, 2007).
17 IT Policy Compliance Group. Why Compliance Pays: Reputation and Revenues at Risk. http://www.itpolicycompliance.com/research_reports/pdf_management/read.asp?ID=10 (July, 2007), p 1.
18 A Chronology of Data Breaches. (San Diego, CA: Privacy Rights Clearinghouse). www.privacyrights.org/ar/ChronDataBreaches.htm
19 Scott Dynes, Eva Andrijcic, and M. Eric Johnson. Costs to U.S. Economy of Information Infrastructure Failures, forthcoming in Proceedings of the Fifth Workshop on the Economics of Information Security. (Hanover, NH: Dartmouth College Institute for Security Technology Studies, 2007). http://www.ists.dartmouth.edu/library/207.pdf
20 Ji grim. IT Risk Management: Rising to the Top of CIO Agendas, CIO Magazine, insert. (Framingham, MA: IDG. December 1, 2007).
21 IT Policy Compliance Group. op. cit., p 23.
22 Sunny Gupta. ITIL Adoption. E-business Blog. http://www.line56.com (Los Angeles: Line56.com, October 13, 2006).
23 O'Neill, P. ITIL Adoption Accelerating in IT Service Management, teleconference. (Cambridge, MA: Forrester Research, Inc. 2006).
24 Office of Government Commerce. Best Practices for Service Support. ITIL: the Key to Managing IT Services. (Norwich: The Stationery Office, 2002), p 95.
25 Douglas G. Hoffman. Managing Operational Risk: 20 Firmwide Best Practice Strategies. (New York: John Wiley and Sons, Inc., 2002), p xxii.
26 Cushing Anderson. Information Security and Availability: The Impact of Training on IT Organizational Performance. (Framingham, MA: IDC, sponsored by Symantec Corporation. June, 2007).
NO WARRANTY. The information provided in this document is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
About Symantec
Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com
For specific country offices and contact numbers, please visit our Web site. For product information in the U.S. call toll-free
Symantec Corporation World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
Copyright 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
1/08 12818026
Confidence in a connected world.