Beating IT Risks
.pdf
54 |
|
|
|
|
|
|
|
|
|
|
|
IT risk portfolio |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Figure 3.2—Project risk relationships
delivery by individual providers fails to meet your needs. When multiple suppliers are required to work together, a strategy that guides this ‘multi-source’ arrangement is essential – otherwise gaps, overlaps and disconnects occur and assuring the delivery of end-to-end services becomes extremely difficult.
Project risk relationships
Poor management of project risks can drive risks in the implemented service (see Figure 3.2). This translates as IT service continuity and information asset risks, including:
•A late or undelivered project results in a continued reliance on the existing, unimproved IT services.
•Delivery of new and different vulnerabilities, flaws and weaknesses along with the new system. New and changed systems go through a post-implementation period that requires heightened alertness and responsiveness in the user base and IT support team. Defects that must be fixed may require unwelcome outages.
•Information assets may not retain their integrity when being migrated across to the new system, with the introduction of anomalies and inconsistencies.
•Any gaps in training of the user base can become manifest as service degradation after go-live.
Poor management of project risks can drive risks in the implemented product, translating as applications and infrastructure risks, including:
•A ‘quick and dirty’ engineering approach within a project can result in a system that is difficult to operate, support, maintain and enhance.
•Even if the new solution has been effectively engineered, it is still new to the operators and a learning curve must be climbed. Ineffective training and
Introducing the IT risk portfolio |
55 |
|
|
handover from the project team to the operations and support team can create a lasting legacy of risk in the production system.
•Poor product choices are made in projects – without regard for an overarching strategy and without adequate consultation and involvement of those who will be responsible for the system downstream. Future applications and infrastructure teams can be hamstrung and those reliant on them sorely disappointed when a ‘not invented here’ and a ‘no guarantees’ response is encountered when problems arise.
Service provider and vendor risk relationships
Poor management of service provider risks can drive project risks (see Figure 3.3). A major milestone in any project is the successful contracting of the solution delivery partners. This milestone will require a watertight contract for each service provider relationship. This should be a complete and sufficient statement of work and a sufficient level of shared understanding between both parties as to how the service provider’s work will be managed and delivered. Unfortunately in some projects this milestone is not reached until the end; in some projects, never. When ‘delivery to contract’ is unclear, it is no surprise that poorly managed service provider risks may manifest themselves in product and service delivery risks within the context of the project.
The possible risks are as extensive as the set of project tasks and deliverables that may be reliant on service providers, which can extend to responsibility for the entire project. Particularly acute are the interrelationships between project tasks and service provider engagement – for example, the difficulties in defining a full scope of work without having completed analysis, additional details
Figure 3.3—Service provider risk relationships
56 |
IT risk portfolio |
|
|
discovered in technical design that require a change in system and project scope, etc. Management of multiple suppliers, potentially in prime and subcontractor formation adds another level of complexity and difficulty to project risk management.
Poor management of service provider risks can drive ongoing application and infrastructure risks. When IT services are outsourced and the systems are in the hands of service providers these risks intertwine. Outsourcing is effectively a decision to contract for services, transferring responsibility for applications and infrastructure asset management to providers. They are then held responsible for the delivered service, to a defined standard of performance, for an agreed cost. Even in an outsourcing context, application and infrastructure risks will still exist in their own right (i.e. applications can be flaky, infrastructure foundations shaky), however there will be a reliance on the outsourced service provider to manage these risks on your behalf. While some view outsourcing as transfer of risk, we view it as a transfer of risk management responsibilities. The Australian National Audit Office report that a major outsourcing project did not transfer the risk as intended, but retained most of it (ANAO, 2001).
When a more straightforward vendor relationship exists – i.e. IT products are purchased from a vendor and licensed for use – it is simpler to separate the risks into either a product failure or a vendor failure. If a product fails then the vendor is relied upon to fix it – any vendor service failings in the ‘break–fix’ cycle can have serious consequences. If the vendor fails, then no matter how solid the product, because of various risks associated with the lack of support, lack of an upgrade path and so on, it will be necessary to migrate to a new product, generally much more quickly than planned.
Applications and infrastructure risk relationships
Poor management of applications and infrastructure can drive on-going IT service continuity and information asset risks (see Figure 3.4). Applications and infrastructure exist to support the delivery of IT services and to build and safeguard information assets. Weaknesses and vulnerabilities in applications and infrastructure, when exploited by threats, can cause whole or partial IT
Figure 3.4—Applications and infrastructure risk relationships
Introducing the IT risk portfolio |
57 |
|
|
service failures. In many businesses, temporary loss of primary computer systems can cause significant pain through temporary disruption of business processes, while permanent damage to critical application and data servers can truly represent a ‘worst case’ scenario that can cripple business operations. Some organizations are equipped with disaster recovery plans and facilities to allow a re-establishment of applications on a standby infrastructure. In such an instance data back-up and recovery procedures are vital if information assets are to be recovered.
Other relationships exist between the classes of IT risk that are not illustrated on the series of IT risk relationship diagrams, primarily for simplicity. These include:
•When loss or corruption of data residing in operational systems occurs there may be related IT service continuity impacts. Integrity of information processing in many cases is reliant on integrity of information.
•The qualities of the applications and infrastructure selected and utilized on a project can be a significant contributor to project risk. Using new and untried or inappropriate technologies on projects can result in difficulty in estimating project effort and a ‘trial and error’ approach to design.
Impacts of IT risks
Many different corporate objectives can be directly or indirectly impacted by IT risks. At one extreme a major IT risk event may prove a fatal blow to a company; at the other extreme an IT risk event may be a minor irritation.
A range of example business impacts that can result from different IT risks is shown in Table 3.1. These generic categories and diverse categories only hint at the range of potential consequences. Which of your corporate objectives are reliant on IT? These may be the areas most vulnerable to an IT risk in your business.
Wider impacts of your IT failures
You may prefer an alternative definition of IT risk:
An IT risk is something that can go wrong with IT and cause a negative impact on the business.
This definition recognizes that in addition to the business risks of IT there are wider risks to users and societies from your IT behaving badly.
58 |
IT risk portfolio |
|
|
Table 3.1—Business impact examples attributable to IT risk causes |
|
|
|
Impact |
IT risk cause and examples |
|
|
Financial |
A costly IT project fails to deliver and the investment is written off. |
|
Example: Sydney Water spent A$60 million on a customer information |
|
and billing system project that was cancelled in late 2002 (NSW Auditor- |
|
General, 2003). |
|
A major outsourcing deal blows out. Example: UK magistrates court Libra |
|
contract costs have nearly doubled (IntoIT, 2003). |
|
Misuse of systems to perpetrate crime or fraud. Example: Kidder Peabody |
|
suffered significant loss with the illicit trading activities of Joseph Jett who |
|
fabricated profits of approximately US$339 million, perpetrated through |
|
insider abuse of trading and accounting systems (Dhillon and Moores, 2001). |
Reputational |
Major business processes visible to the public grind to a halt because of |
|
an IT service outage. Example: Extensive Bank of America ATM outages |
|
in January 2003 caused by corruption of their database servers by the |
|
SQL Slammer worm (Infosecurity, 2004). |
|
Sensitive customer information is disclosed resulting in fraudulent misuse. |
|
Example: Softbank in Japan reported the leakage of 4.5 million customer |
|
records in February 2004 and attempted extortion (Softbank, 2004). |
Regulatory |
Integrity of information resulting in a penalty for breach of legislation |
or legal |
Example: AT&T incorrect billing resulting in successful legal action by |
|
the State of Florida in 2004. |
|
Failure to comply with legislation. Example: 14 years after legislation |
|
required the coastguard to develop a vessel identification system, no |
|
such system exists (GAO, 2002). |
Customer |
Customer service is significantly impaired. Example: |
|
Cigna HealthCare’s $1 billion IT overhaul and CRM initiative went |
|
live in a big way, with 3.5 million members of the health insurance |
|
company moved from 15 legacy systems to two new platforms in a |
|
matter of minutes. The migration did not go smoothly. In fact, |
|
there were glitches in customer service so significant that millions |
|
of dissatisfied customers walked away, causing the nation’s fourth |
|
largest insurer to lose 6 percent of its health-care membership in |
|
2002.—CIO, 2003 |
|
Closing for business. Example: Early in 2004 the SCO Group was the |
|
target of the MyDoom virus that pointed infected computers at the SCO |
|
Group corporate website in a massive denial of service attack. Their site |
|
couldn’t cope and was soon closed for business. Business could be |
|
restarted only at a new Internet address (AFR, 2004b).* |
|
Failing to deliver what the customer needs. Example: The UK eUniversity |
|
flopped after having attracted only 900 students (Times, 2004). |
Competition |
Being outstripped by a rival with a better service. Example: In a press |
|
release relating to Google’s IPO, Standard & Poor’s reveal that more than |
|
six out of ten Google users would switch search engines if a better |
|
service came along (Standard & Poor’s, 2004). |
|
|
Note : * Research from Hovav and D’Arcy (2003) indicates that in general the sharemarket does not penalize companies that are not ‘Internet-specific’ companies when they experience such an attack.
Introducing the IT risk portfolio |
59 |
|
|
The risks and impact of systems failing is the focus of Peter Neumann’s book Computer-Related Risks (1995) and a valuable on-line resource.16 The collection and analysis of diverse failures provides ample evidence that IT risks do in practice result in actual loss events in a wide variety of applications in different industries.
This exploration of the causes and effects points to a wide range of IT risks, catalogued on the following basis:
•Sources of problems arising in system development, including: system conceptualization, requirements definition, system design, hardware and software implementation, support systems, analysis of system concepts and design, analysis of the implementation, evolution and decommission; and
•Sources of problems in system operation and use, including: natural environmental factors, animals, infrastructure factors, hardware malfunctions, software misbehaviour, communication media failures, human limitations in system use
– installation, misuse of the overall environment or of the computer systems – unintentional and intentional misuse.
Importantly, Neumann sets out the system-related causes in the context of human causal factors. In most cases, computers share only part of the blame. Multiple contributing causes are also the rule rather than the exception, illustrating that a compartmentalized approach to managing IT risks is limiting.
Neumann’s focus is on understanding the impact on people and society at large from computer-related failures and drawing lessons to be learned, particularly for systems designers and developers (Neumann, 1998, 2000, 2002). Others have studied IT risks as seen by the public including Internet addiction, isolation, depression and cyber-stalking (Sjoberg and Fromm, 2001).
The ‘misbehaviour’ of computers studied by Neumann spans a wide range of computer systems including robotics, control systems, communication networks, and computers used in planes, ships, spacecraft, nuclear power plants, etc. We focus on a narrower range of computer system, dealing mainly with commercial IT systems within two categories: applications and infrastructure.
16 This topic is the focus of an online forum moderated by Peter Neumann: the Risks Forum newsgroup, or Risks to the Public in the Use of Computers and Related Systems, known as comp.risks in the USENET community, sponsored by the Association for Computing Machinery (ACM) Committee on Computers and Public Policy (CCPP), which Peter Neumann has chaired since 1985. An archival search and retrieval system is accessible at http://www.risks.org or http://catless.ncl.ac.uk/Risks/. A summary, Illustrative Risks to the Public in the Use of Computer Systems and Related Technology is accessible at http://www.csl.sri.com/users/neumann/illustrative.html.
60 |
IT risk portfolio |
|
|
Implementing an IT risk management capability
Given the universe of threats, the diversity of vulnerabilities and the shapeshifting nature of the IT risk landscape, how can you cope? How can you win?17 Is your organization crisis-prone or crisis-prepared (Mitroff and Alpaslan, 2003)?
Is your organization quietly establishing man-made disasters? (Apologies to those who prefer gender-neutral language, however the field of failures in complex systems has been somehow attributed to the male of the species [Pidgeon and O’Leary, 2000].)
We’ve established the need for an IT governance framework and provided an overview of the integrated IT risk portfolio management approach and the loss impacts it will help you guard against and mitigate. Now you need to get moving.
An effective IT risk management capability is one that meets your business needs,18 considering the following key design elements:
•Strategy and policy;
•Roles and responsibilities;
•Processes and approach;
•People and performance.
These elements are explored below with indicative questions and schedules that ensure that coverage is complete.
Strategy and policy
A set of IT risk management strategies and policies is required to define the overall objectives of IT risk management, establish the importance and priority of IT risk management, ensure adequate coverage of potential areas of IT risk and provide ground rules and principles for those managing risks.
Some of these policies will include the adoption of national or international standards in certain areas (such as US NIST, 2003). You may need to go further, to question whether the standards are good enough, or whether it is necessary to develop internal standards, recognizing that adoption of standards as points of reference does not automatically mean that 100% compliance is necessarily the goal.
Your IT risk management policies should be formally documented and endorsed by the IT governance team (refer to Chapter 2) and communicated actively throughout the organization, providing useful answers to questions such as:
17To keep an eye on who is winning, check the high-level scoreboards: incident statistics on attacks on US Federal Government sites are tracked at www.fedcirc.gov (one more attempt by the bad guys) and cybercrime convictions at www.usdoj.gov/criminal/ cybercrime/cccases (registering the ‘slam dunks’ for the good guys).
18The requirements of public sector vs private sector organizations in managing IT risk are likely to be significantly divergent ( Jordan and Musson, 2001).
Implementing an IT risk management capability |
61 |
|
|
•How is IT risk management integrated with wider business risk management activities?
•To what extent is decision-making with respect to IT risks delegated and what are the authorities at different levels of management?
•What are your classes of IT risk and how is each class of risk managed? Obviously we’d suggest the IT risk portfolio seven as your starting point!
•What is the company’s overall risk appetite and how should all employees interpret this when dealing with IT risks?
•What are the critical potential impacts on the business from IT risks that are the primary focus for risk management effort?
•How are funds and resources to be allocated to IT risk management activities?19
•What constitutes a material risk that, if identified, should be reported and if so, to whom should it be reported?
•Which risks are managed proactively – that is, in advance of the defined unwanted and unwelcome event – and which risks are managed reactively, after the occurrence of one or more unwanted and unwelcome events?
Because everyone in the organization becomes a participant in the IT governance and risk management processes, it is critical that policies are promoted widely. Many organizations have IT ‘fair use policies’ that specify the rights and responsibilities of IT users in the organization. Generally these are extensive series of prohibitions that ensure that employees use the provided technology substantially as intended. They are seldom encouraging or facilitating, and have policing status.
Looking beyond the need to clearly articulate the edicts, there are many positive contributions to good IT governance that can be made by technology users, given sufficient guidance and opportunity. Perhaps IT risk management adoption can be adopted in a more voluntary and active fashion in the same way that many take the responsibility to be alert and aware for terrorism or security risks in their day-to-day lives with little instruction.
Roles and responsibilities
IT risk management activities must be built into people’s jobs rather than left to the virtuous or diligent to carry out under their own initiative.20
19 The objective of IT risk management cannot be to eliminate risk completely. Rainer et al. (1991) describe the purpose of risk management as to find the optimum combination of loss prevention and cost. Pfleeger (2000) uses the concept of risk leverage as the risk reduction delivered for a particular expenditure.
20 Sauer et al. (1997) argue ‘undesirable risk-related behaviours can be a logical outcome of a particular form of organization’.
62 |
IT risk portfolio |
|
|
Roles need first to be defined and subsequently the right people need to be selected and allocated to perform these roles. The framework of responsibilities is perhaps best first drawn up in matrix form, considering the different types of IT risks and the risk management lifecycle. We provide examples of those who may take specific responsibilities in Table 3.2.
The examples within this matrix illustrate that each IT risk class has different roles and responsibilities. An individual may ‘wear many hats’ in dealing with IT risks, based on the roles they hold.
Some important considerations include:
•Separation of duties – ensuring that for each class of risk an independent role undertakes monitoring and review activities;
•Balancing the need for specialist input – contributing an understanding of a process, system or specific risk, and managerial decision-making – weighing up all the factors and determining a course of action;
• Fitting IT risk management roles into existing structures where there is a natural fit. For example, risk management treatment actions would be naturally aligned with the project manager for project risks;
•Creating new IT risk management roles when required, for example, a cross-functional business continuity coordination role; and
•Allocating joint responsibilities when necessary and ensuring all slots are taken.
Processes and approach
A repeatable and predictable IT risk management capability is founded on a set of processes that are understood and followed consistently. The risk management process need not be complex. The risk management lifecycle comprises the following steps, deployed in different ways for different types of risks:
1.Identification / discovery – getting IT risks on the radar of management;
2.Assessment / analysis – understanding the IT risk in the context of the whole portfolio of IT risks and assessing the likelihood of occurrence and potential impact on the business;
3.Treatment – determining the best option from many possible courses of action for treating the risk, planning out and completing the required actions; and
4.Monitoring and review – following up to ensure what was planned was actually done and to understand any further changes in the IT risk portfolio.
An escalation process is required in cases where the normal risk management approach proves insufficient. The completion of the risk lifecycle also requires a formal closure process step (i.e. taking previously identified risks off the management radar when they are no longer significant or relevant).
|
strategicand |
emergent |
ITarchitects |
andplanners |
|
|
|
ITstrategy |
andplanning |
manager |
|
|
|
Business |
functional |
heads |
ITstrategy |
andplanning |
manager |
Director |
corporate |
strategy |
|
withpossibleindividualroles |
applications infrastructure |
|
System System |
administrator, administrator, |
users,application systemsupport |
supportteam andoperations |
team,vendors |
Applications Infrastructure |
manager manager |
Vendormanager Vendor |
(ifapackage) manager |
|
|
Businesssystem Infrastructure |
owners manager |
Applications |
manager |
|
|
Chiefinformation Chief |
officer information |
officer |
|
RiskmanagementresponsibilitiesbyITriskclass, |
ITservice information service |
continuity assets providers |
Staffinvolved Information Project |
inbusiness custodiansand managers |
processes systemusers ITservice |
delivery |
managers |
Business Security Outsourcing |
continuity manager andvendor |
coordinator manager |
ITservice Contract |
delivery manager |
manager |
Business Business Outsourcing |
functional functional andvendor |
heads heads manager |
ITservice Chief |
delivery information |
manager officer |
Director Chief DirectorofIT |
ofITservice information servicedelivery |
delivery officer |
Audit Audit |
Table3.2— |
projects |
|
Projectteam |
|
|
|
|
Project |
manager |
|
|
|
|
Project |
manager |
|
|
|
|
Directorof |
ITprojects |
Audit |
|
|
responsibilities |
|
Identification/ |
discovery |
|
|
|
Assessment/ |
analysis |
|
|
|
|
Treatment |
(Actions |
assignedby) |
|
|
|
Monitoring |
andreview |
|
|