Risk Management and Information Systems Control
About this ebook
This course will examine each of the 5 phases of risk management, i.e. 1) Introduction to Risk, 2) Risk Identification, 3) IT Risk Assessment, 4) Risk Response and Mitigation, and 5) Risk and Control Monitoring and Reporting, and will help you prepare for ISACA's CRISC (Certified in Risk and Information Systems Control) examination. Through this course, you will have the opportunity to gain a high-level understanding of the risk management process. This includes delving into knowledge of threats and attacks and exploring the terminology associated with risk. This knowledge is essential to being an effective security consultant, developer, auditor, or project manager. Some of the major topics we will cover include the process of risk management, risk management terminology, risk management standards, and corporate governance. By the end of this course, you will have an understanding of risk management as a whole and of the process and goals of a risk management endeavor.
Selwyn Classen
A seasoned and highly qualified IT/IS professional with over 20 years working experience within the Petrochemical industry (i.e. Supply chain management, Knowledge management, Product and Quality management, Business analysis and processing) including the Telecommunications industry.
Reviews for Risk Management and Information Systems Control
2 ratings, 1 review
- Rating: 5 out of 5 stars
Jul 15, 2022
This is simply a great CRISC Exam Study Guide to be used with other resources for exam preparation.
Book preview
Risk Management and Information Systems Control - Selwyn Classen
Introduction to Risk
An Overview of Risk Management
First of all, what is risk? There are many different definitions of risk, but let us take a look at this one: risk is defined as the probability of an event and its consequence.
The important thing to remember is that risk is as much an opportunity as it is a danger. Many organizations see risk as the opportunity to earn a greater reward by taking a greater chance. However, those of us in the IT field usually look at risk in a more negative sense. Risk is an adverse event, what could go wrong. It has some impact on our assets, whether those assets are the IT systems or the business product or service we provide. A risk event exploits a weakness, or vulnerability, in our system, leading to an unwanted impact. ISACA, in the CRISC, identifies the risk management life cycle through four main areas: risk identification, which makes up 27% of the examination; risk assessment, making up 28%; risk response and mitigation, making up 23%; and finally risk and control monitoring and reporting, which makes up 22% of the examination questions. In later courses, we will take a look at each of those four sections.
However, let us look at risk instead from the perspective of NIST Special Publication 800-39. This gives us an understanding of the overall risk management framework, which lets us examine in detail the various steps or phases that make up an effective risk management effort. There is a direct relationship between all of these phases, and in the center sits the one called framing the risk. If you follow ISO 27005 instead, it calls this the context of the risk. The framing of the risk interacts with the other three areas: assess, respond, and monitor. To show the relationship between SP 800-39 and ISO 27005: ISO 27005 calls the framing section the context, and it calls the response section risk treatment. The context or frame is important. If we are going to do a risk management effort, we need to put a boundary, or frame, around the effort. Within that boundary is the scope of the project.
Whatever lies outside that boundary is beyond our scope. It is not necessarily something we will consider during this risk management effort; we will have to look at it at other times. Nevertheless, we need to understand what is within our area of responsibility. There are many things within the context or frame. Among the internal factors is management's approach towards risk. Some management loves risk because it carries opportunity, that little adrenaline rush that says, "If I take this chance and it works, things are great." Other companies have very risk-averse management, who tend to be more conservative or careful and say, "Let somebody else take the chances; we will be careful, sit back, see what happens, and learn from their mistakes. There will be plenty of time for us to enter that market after somebody else has taken the initial chance." Those are internal parameters, driven by risk ownership and the attitude of senior management towards risk. However, we have several external parameters as well:
Are we in a heavily regulated industry?
Are we in an industry that is very competitive, where if we do not keep moving ahead we will soon be left behind?
We need to understand these factors before we begin performing the risk management effort. We have to understand the context, how our business operates so that the risk management effort we do will be aligned with the culture of our organization.
Determining Asset Value
Risk is all about protecting assets. An asset is something you value. Sometimes an asset has a very tangible value, such as money or your laptop. However, many assets have intangible value: the morale of the employees, the reputation, the value of the brand. Those are things that are sometimes more difficult to put a monetary value on. Nevertheless, when we look at the risks to our organization, we must understand that we are not just protecting physical items.
In many cases, we are protecting the intangibles that make up the culture and attitude of our company, our employees, and our customers. The general rule is simple, though very hard to enforce: protect the assets, but do not spend more on protecting them than they are worth. To carry the point to the extreme, we should never spend a million dollars on a thousand-dollar problem. Risk management should be responsible and accountable, ensuring that we understand the value of the asset, both tangible and intangible. From that, we can make appropriate risk response decisions about what to do with that risk, and certainly not spend a lot of money on something that does not matter. But how do you determine asset value?
Asset value is rather difficult to determine in many cases because it is affected by external factors beyond our control, such as regulation and financial liabilities. The value of an asset can often be:
What would a competitor pay for that?
What is it worth to an outside party?
I might not have thought it was that important, but the competitor sure was glad to have it in their hands. I have to realize that the value of that asset is not based on my evaluation alone but very often on those external factors. We can also ask: what is the value of that system? If we have an IT system, its value is its value in supporting the business. If we have a piece of equipment that manufactures a product, its value lies not only in supporting the overall product or service our company provides but, in some cases, in the downstream liability. If this piece of equipment does not manufacture a widget that is needed in another process, the value of this equipment is also linked to the value of that other process. So we need to understand, as accurately as we can, the value of our various assets to business operations:
What would be the fines, the penalties we would pay if we did not protect those assets adequately?
What is its value to our adversaries, to our competitors?
We also bring in the whole idea of protecting our intellectual property (IP), our formulas, or our new research and development. In a pharmaceutical organization, for example, the value of the research into a new drug may be the value of the entire future of the organization, and it must be very carefully protected so that it is not inadvertently released or made available to somebody else. In our case, we are going to focus a little more on the IT side of things. IT assets include the major applications running on our systems that do everything from controlling manufacturing to controlling finance, and so on. They also include general support systems, such as payroll. They include high-impact programs, in some cases our interface to our customers, or something controlling our internal systems and operations. IT today also includes heating, ventilation, air conditioning, and power, all of which are necessary for our businesses to operate. The important thing to remember when evaluating IT assets is that while a server or a piece of equipment may have a particular replacement value, its true value is its value to the business. If that system stopped working, the impact on IT might be thousands to replace the equipment and rebuild the system, but the impact on the business could be millions because the business was unable to provide a necessary service to its customers and clients. We need, therefore, to identify:
Which systems we have are mission-critical?
Which people do we essentially require in order for our systems to work?
What equipment do we need?
Moreover, what are some of the dependencies in the logical relationship between our various systems as well?
One of the things we sometimes have to get better at is threat modelling. We have to understand the threats that are out there. A threat can be defined as any circumstance or event that has the potential to adversely impact our operations. Impacting our operations might mean a diminishing or deterioration in quality or service levels, or it could be a complete, catastrophic disruption of service. A threat is something that could affect our ability to meet our corporate mission or provide certain functions, or something that could seriously damage our image or reputation. We have said that risk is all about protecting assets, so we have to understand the threats to those assets directly. The threat to an asset such as a building could be fire or flood. The threat to an IT system could be a loss of power or an equipment failure. We also need to look at the threats to individuals:
What happens if a competitor hired one of our top engineers?
What would happen if one of our key people in the process was no longer available due to illness?
Those are threats to individuals that could impact our ability to conduct business. We also have to understand that in many cases, something that impacts me as a company could also impact my business partners.
Are there organizations that are relying on maybe some service or product for me?
I have become part of the supply chain, and I need to identify those dependencies, because the value of my business could be closely tied to the value others have placed in that supply chain. Many of you may work in industries where a threat could affect not just your company but the entire nation: its security, its stability, its financial operations. A threat typically impacts us through the information system being exploited for unauthorized access to or disclosure of information, the destruction or unavailability of a system or service, or improper modification of data or of the process and how it works. So we need to understand all of the various threats, from various angles, that could leave our organization unable to provide sufficient levels of service.
Identification of Threats
Threats can come from both inside and outside. The threat source, sometimes called the threat agent, is the element which, either alone (a hacker) or in combination (organized crime or an advanced persistent threat), has the potential to give rise to a risk to our company. We need to understand who the threat sources or threat agents are. They execute a threat according to their intent and the method they use, targeting the intentional exploitation of a vulnerability or weakness we have. In many cases, though, a threat source may cause an impact entirely by accident: something that accidentally exploited a vulnerability, such as an internal employee who deleted the wrong file. In most cases, a threat takes advantage of a control weakness; we call this a vulnerability.
A vulnerability might be a weakness in the information system, or it could be a weakness or gap in the organization's system security procedures. It could be a problem with internal controls not working correctly or not being effective. Alternatively, it could be a weakness in the implementation. Take, for example, WEP (Wired Equivalent Privacy). This was an example of a problem in the implementation: the algorithm WEP used to encrypt wireless traffic, RC4, was sound, but the way it was implemented meant that it became exploitable. So the threat agent, the hacker, could obtain unauthorized disclosure of or access to information because of a weakness or vulnerability in the implementation of the encryption protocol. The idea is that a threat source exploits a vulnerability to produce an impact. The outcome of that attack could be quantitative, which could be money.
What did it cost us in money? But the impact also could be qualitative.
What did it cost us in reputation?
What did it cost us in employee morale?
Did our employees lose heart for the organization?
We need to be able to determine that level of impact. We also have to determine how likely it is that this could even happen. Likelihood is the potential or probability of something happening. We sometimes use terms like "a hundred-year flood": a flood of a magnitude we would expect only once in a hundred years. But what is the problem with calculations like that? Mother Nature does not know them, so we might have a hundred-year flood twice in 10 years, or we might go several hundred years without one. Likelihood is the challenge of trying to figure out the probability that this will affect us, and in risk management we can quite often draw on empirical and historical data.
Nevertheless, it is hard to determine impact and very hard to determine likelihood when we are talking, for example, about new equipment or a new business process for which we have no historical data. In most cases, once we have identified a risk, we want to make sure that the risk has been reduced to an acceptable level. What remains after that reduction is the residual risk: the level of risk that remains even after I have put in controls. Take something as simple as a car accident. We have a car, but what is the most valuable asset? It is not just the car but the passengers in it. So when we look at asset value, we have to look at the value of the car plus the value of the passengers. We understand that there is a threat of sliding off the road if it is icy, so we put in ways to reduce the likelihood: you buy better tires, and you make sure you have really good tires just before winter comes, for example.
Alternatively, you can reduce the impact by wearing your seatbelt and having airbags, so that if you do slide off the road, hopefully there is less harm to the people. However, we know that even with good tires and a seatbelt, if a person slides off the road and hits a tree, there is still going to be some level of impact. There is still a residual risk. The point, though, is that you had to make a risk acceptance decision. You knew the roads were slippery and icy that day, and you had to decide: am I going to drive today or just stay home? If you decided to drive, you decided to accept that risk, and you, as the risk owner, the senior manager with that responsibility, made the decision: "Yes, I will tolerate, I will accept the risk, because I will be careful; I have a good vehicle and I will take precautions to make sure we do not have a problem." So risk acceptance is the understanding of what level of risk senior management, the owner of the risk, is really willing to tolerate or accept.
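The car example above, worked through in code as an added illustration (not from the book): inherent risk as likelihood times impact, controls that reduce likelihood (tires) or impact (seatbelt and airbags), the residual risk that remains, and the two decisions the section describes: whether the spend is justified by the risk it removes, and whether the residual risk is within the owner's appetite. All figures, names and factors are constructed for illustration.

```python
"""Inherent vs residual risk with likelihood- and impact-reducing controls.
Every number here is a constructed, hypothetical figure."""
from dataclasses import dataclass


@dataclass
class Scenario:
    """A threat acting on an asset: annual likelihood times impact."""
    name: str
    asset_value: float        # total value at stake (car plus passengers)
    likelihood: float         # probability of the event per year (0..1)
    impact_fraction: float    # share of asset_value lost if the event occurs (0..1)

    def expected_loss(self) -> float:
        return self.likelihood * self.impact_fraction * self.asset_value


@dataclass
class Control:
    """A control reduces likelihood, impact, or both, at an annual cost."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0   # 0.5 means the likelihood halves
    impact_factor: float = 1.0       # 0.25 means a quarter of the impact remains


def residual(scenario: Scenario, controls: list) -> Scenario:
    """Apply the controls multiplicatively; the result is the residual scenario."""
    lik, imp = scenario.likelihood, scenario.impact_fraction
    for c in controls:
        lik *= c.likelihood_factor
        imp *= c.impact_factor
    return Scenario(scenario.name, scenario.asset_value, lik, imp)


def evaluate(scenario: Scenario, controls: list, appetite: float) -> dict:
    """Return inherent and residual expected loss plus two decisions:
    is the spend justified by the risk it removes, and is what remains
    within the risk owner's appetite (the risk acceptance decision)."""
    after = residual(scenario, controls)
    inherent, left = scenario.expected_loss(), after.expected_loss()
    spend = sum(c.annual_cost for c in controls)
    return {
        "inherent": inherent,
        "residual": left,
        "spend": spend,
        # never spend a million dollars on a thousand-dollar problem
        "justified": spend <= (inherent - left),
        # the owner's acceptance decision
        "acceptable": left <= appetite,
    }


# Constructed figures for the icy-road example.
ICY_ROAD = Scenario("slide off an icy road", asset_value=250_000.0,
                    likelihood=0.02, impact_fraction=0.5)
WINTER_TIRES = Control("winter tires", annual_cost=150.0, likelihood_factor=0.5)
SEATBELT_AIRBAGS = Control("seatbelt and airbags", annual_cost=50.0, impact_factor=0.25)
ARMORED_CAR = Control("armored car", annual_cost=5_000.0, impact_factor=0.1)

if __name__ == "__main__":
    for label, ctrls in (("no controls", []),
                         ("tires + seatbelt", [WINTER_TIRES, SEATBELT_AIRBAGS]),
                         ("armored car", [ARMORED_CAR])):
        print(label, evaluate(ICY_ROAD, ctrls, appetite=500.0))
```

The third case shows a control that brings the residual risk within appetite but costs more than the risk it removes, which the "justified" flag rejects.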
Risk Assessment and Risk Response
How do we determine this? Through risk assessment. Risk assessment is a continual process, and that is an important point: risk is not something we do as a one-time effort. It is a continuous process of watching, identifying what risk is out there, prioritizing which risks are more significant, and estimating the level of risk. This includes determining the extent to which those adverse circumstances or events could impact our business. So risk assessment has something of a formula. You take the likelihood of something happening, and