Chapters 1 - 5: Risk, Risk Management and Information Technology Risk Management
Page 1 of 41
CHAPTER 1.0: INTRODUCTION TO RISK, RISK MANAGEMENT AND INFORMATION
TECHNOLOGY RISK MANAGEMENT
Allah does not charge a soul except [with that within] its capacity...
Surah Al-Baqarah (the Cow) verse 286
(Source: Terjemahan Al-Hidayah Al-Qur’an Al-Karim, 2013)
Of all the wonders that I yet have heard
It seems to me most strange that men should fear
Seeing that death, a necessary end
Will come when it will come
– William Shakespeare, Julius Caesar
(Source: Shakespeare Online, 2014)
1.1 Introduction to Risk
From an Islamic perspective, Surah Al-Baqarah verse 286 does not use the modern word "risk", but the verse can still be related to this unwelcome kind of event. Risk generally refers to something that might happen, usually something bad, and the verse tells us that Allah s.w.t. would never give a test or burden (a risk) to His followers beyond what they are able to bear. From this we can say that any risk that comes to us can be prevented, solved and controlled; how well it is handled depends on us, whether by making precautionary plans or by taking the necessary corrective actions.
Turning to the great dramatist William Shakespeare: he too writes, in his dramatic and meaningful language, about the most feared occurrence in human life, which is death. We are not going to discuss death here, but the last line does give us a meaningful phrase, one that refers to an event we cannot control. If something is going to happen, it simply happens, and the same goes for risk: in most events we as human beings have no power to stop the coming tragedies or catastrophes that will harm our assets or even our precious lives.
At the same time, scholars have their own definitions of risk. Risk is the idea that something might happen, usually something bad; risk is the probability that exposure to a hazard will lead to a negative consequence (Ropeik and Gray, 2002). In other words, risk can be thought of as events that may occur and that burden and harm those affected, because they have been exposed to danger. Risk can also be defined as a measure of the probability and severity of adverse effects (Lowrance, 1976).
So, to get a better understanding of risk, three topics are covered in Chapter 2: the basic concept of risk, risk perceptions and also the global risk award. The basic concept of risk brings the reader the concept as perceived by the scholar Haimes, by a respected body, CLUSIF, and also by the ISO/IEC 27005 standard.
1.2 Introduction to Risk Management
Risk management can be described as a process consisting of well-defined steps which, when taken in sequence, support better decision making by contributing to a greater insight into risks and their impacts (Sai Global, 2003). In other words, risk management is a procedure that guides the organization in making good decisions that suit the potential risks it might face. Chapter 3 therefore gives the reader details on risk management, starting with another brief definition of risk management and its evolution. Other matters pertaining to risk management are then discussed: the risk management process, risk management as an integral part of overall management, total risk management, multi-tiered risk management and the key roles of the officers involved in handling risk. Management, such as the Chief Risk Officer, has to understand all these roles so that it can manage potential or coming risks well and minimize the negative effects on company performance, even though zero negative effect cannot be achieved.
1.3 Introduction to Information Technology Risk Management
Since risk might disrupt the operation of the organization, managing risk also needs to extend to the information technology the organization uses, because in this modern era information technology is a compulsory tool for organizations. Chapter 4 therefore elaborates on what information technology risk management is. The process of information technology risk management, the five phases of an information technology mitigation program and the top ten emerging information technology risks are covered under that chapter.
CHAPTER 2.0: RISK
2.1 What is Risk?
Risk is often defined as a measure of the probability and severity of adverse effects (Haimes, 1998). Risks should be dealt with appropriately because entities, companies and organizations own "assets", both tangible and intangible, that could be involved in risks, with consequences for these entities (CLUSIF, 2008).
Assets are the mandatory elements needed for entities, organizations or even a small business to run their operations. In very general terms, an asset can be defined as anything that could be of value or importance to the entity (CLUSIF, 2008). In 2008 the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published Information Technology – Security Techniques – Information Security Risk Management (ISO/IEC 27005), which clearly differentiates between the primary assets and the supporting assets involved in the daily operations of an organization in Annex B (informative), Identification and Valuation of Assets and Impact Assessment (ISO/IEC 27005, 2008).
i) Primary assets
There are two types of primary assets:
a) Business processes (or sub-processes) and activities, such as processes that contain secret processes.
b) Information, such as strategic information on how to achieve the objectives, as well as information needed to carry out the mission and vision of the organization.
ii) Supporting assets
There are many types of supporting assets, such as:
a) Hardware, which consists of data processing equipment: transportable equipment, fixed equipment, processing peripherals such as printers, and also electronic media such as CD-ROMs, removable hard disks and backup cartridges. Appendix 1 also gives some information on hardware.
b) Software, which includes any program contributing to the operation of the data processing set; it can be divided into system software and application software. System software consists of system management programs, system support programs and system development programs, while application software consists of general-purpose application programs and application-specific programs (Humayun Kabir, 2014). Refer to Appendix 2.
c) Network, which consists of the media and supports for the network, such as the Public Switched Telephone Network, Ethernet and Gigabit Ethernet. A network also consists of passive or active relays and communication interfaces. Routers, hubs, switches and automatic exchanges are the best examples of passive or active relays, and General Packet Radio Service (GPRS) and Ethernet adapters are the best examples of communication interfaces.
Risks in all their breadth, their nature, consequences and impact, should be addressed accurately and precisely by the organization, since they will have a negative effect on the organization's assets, whether primary assets, supporting assets or both. If the assets of an organization are ruined by any kind of risk, its operations will certainly be disrupted and daily operations will temporarily stop. Failure to analyze risks might lead the organization to fail in completing its targeted tasks, so that both the short- and long-term vision of the organization cannot be achieved. Research shows that an organization's inability to resume normal business activities within a reasonable time span after a major disruption is a key predictor of business survival (Brown et al., 2012).
2.2 Basic Concept of Risk
The concept of risk has appeared in numerous investigations of decision making, both as a descriptive and as an explanatory construct. Drawing on various approaches, the study of risk has arrived at three basic assumptions (Pollatsek and Tversky, 1970), stated below:
1. Risk is regarded as a property of options, such as gambles or courses of action, that affects choices among them (Pollatsek and Tversky, 1970). In other words, this first assumption states that risk exists when we make a choice: risk derives from our own actions and decisions. Besides gambles, investing in a business is another example. Our choice or decision to spend money investing in a company exposes us to the risk of losing that money if there is no profit in return. So risk arises from our course of action to invest.
2. Options can be meaningfully ordered with respect to their riskiness (Pollatsek and Tversky, 1970). In other words, the second assumption explains that the choice we make depends on the risk of the action itself. Take, for example, the risk of drug trafficking compared with cigarette smuggling. With basic knowledge of the law, we can say that trafficking drugs carries a higher risk than smuggling cigarettes.
Thus, ordering the options meaningfully by their riskiness, we would surely choose to smuggle cigarettes because of its lower level of riskiness compared with trafficking drugs, assuming we are criminals. In Malaysia these two actions carry different levels of risk because of the different punishments imposed by the law, where trafficking drugs carries the higher risk for the guilty person if caught.
According to Section 39B(1), for trafficking in dangerous drugs, any person who contravenes any of the provisions of subsection (1) shall be guilty of an offence against the Act and shall be punished on conviction with death. "Dangerous drug" means any drug or substance which is for the time being comprised in the First Schedule (Laws of Malaysia: Dangerous Drugs Act 1952). The list of dangerous drugs under the First Schedule of this Act is attached as Appendix 3.
Cigarette smuggling, on the other hand, is investigated under Section 135 of the Customs Act 1967, which provides for a maximum fine of 20 times the value of the goods seized or imprisonment for three years, or both (Official Website of the Royal Malaysian Customs Department, 2013; Laws of Malaysia: Customs Act 1967). So, after analyzing these two acts with respect to their riskiness, we would surely be reluctant to traffic drugs and would choose to smuggle cigarettes instead, assuming we are criminals.
3. The risk of an option is related in some way to the dispersion, or the variance, of its outcomes (Pollatsek and Tversky, 1970). In other words, the risk of an option depends on how widely the outcomes of that option can vary. For example, continuing assumption two above, between trafficking drugs and smuggling cigarettes we chose the option of smuggling cigarettes.
The risk of this option, smuggling cigarettes, depends on the spread of outcomes of the smuggling activity itself. If the outcome is that we successfully smuggle the cigarettes, there is no loss, since the difficult phase of avoiding capture by the authorities has come to an end. The opposite happens if we are caught by an authority such as the Royal Malaysian Customs: at this point we as smugglers face a heavy penalty, since we will be charged under Section 135 of the Customs Act 1967 as discussed above. The gap between these two possible outcomes is what makes the option risky.
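The three assumptions above can be made concrete with a few lines of code. The following is an added example, not part of the original text: an option is a set of (payoff, probability) pairs, its riskiness is taken to be the variance of its outcomes (assumption 3), and the options are ordered by that measure (assumption 2). It uses the investment example from assumption 1 rather than the smuggling example; every payoff and probability below is an assumed figure constructed for the illustration. It also orders the same options by expected value, to show that "least risky" and "best expected return" are different rankings.

```python
"""Ordering options by the dispersion of their outcomes.

Added example (not from the original text). All payoffs and probabilities
are assumptions constructed for the illustration.
"""
from dataclasses import dataclass
from math import isclose, sqrt


@dataclass(frozen=True)
class Option:
    name: str
    outcomes: tuple  # tuple of (payoff, probability) pairs

    def __post_init__(self):
        # A distribution that does not sum to 1 would silently skew every
        # figure below, so reject it up front.
        total = sum(p for _, p in self.outcomes)
        if not isclose(total, 1.0, abs_tol=1e-9):
            raise ValueError(f"{self.name}: probabilities sum to {total}, not 1")
        if any(p < 0 for _, p in self.outcomes):
            raise ValueError(f"{self.name}: negative probability")

    def expected_value(self) -> float:
        return sum(x * p for x, p in self.outcomes)

    def variance(self) -> float:
        """Dispersion of outcomes around the expected value (assumption 3)."""
        mu = self.expected_value()
        return sum(p * (x - mu) ** 2 for x, p in self.outcomes)

    def std_dev(self) -> float:
        return sqrt(self.variance())


def order_by_riskiness(options):
    """Assumption 2: options can be ordered by riskiness; here riskiness is
    the variance of outcomes. Returns least risky first."""
    return sorted(options, key=lambda o: o.variance())


def order_by_expected_value(options):
    """For comparison: the ordering a pure expected-payoff rule gives
    (highest expected payoff first)."""
    return sorted(options, key=lambda o: o.expected_value(), reverse=True)


# Constructed illustration of assumption 1 (investing a sum of money).
# Figures are assumed, not taken from any source.
KEEP_CASH = Option("keep cash", ((0.0, 1.0),))            # one certain outcome
STABLE_FUND = Option("stable fund", ((800.0, 0.7), (-500.0, 0.3)))
STARTUP = Option("start-up stake", ((30000.0, 0.1), (-10000.0, 0.9)))


def summary(options):
    """Rows of (name, expected value, standard deviation), least risky first."""
    return [(o.name, round(o.expected_value(), 2), round(o.std_dev(), 2))
            for o in order_by_riskiness(options)]


if __name__ == "__main__":
    for name, ev, sd in summary([KEEP_CASH, STABLE_FUND, STARTUP]):
        print(f"{name:15s} expected {ev:>10.2f}  std dev {sd:>10.2f}")
```

With the assumed figures, the variance ordering is keep cash, stable fund, start-up stake, while the expected-value ordering is stable fund, keep cash, start-up stake: the start-up has both the widest spread and a negative expected payoff, and the certain option is the least risky but not the most profitable. Which ordering a decision maker follows is exactly the trade-off the chapter's smuggling example is about.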
2.3 Where Do Our Fears About Risk Come From?
“People are disturbed, not by things, but by the view they take of them”
- Epictetus, 200 A.D
This passage explains that the fear we feel actually depends on how we perceive things, or our mindset regarding a particular event: whether we perceive it as good or bad, as a chance to improve or as an obstacle to our past and future efforts. The same goes for risk: it depends on how we see the risk, how we perceive it and our mindset towards it, on whether the coming risk, or the risk we are facing now, can be a chance to improve existing security or not. Sub-section 2.3.1 below explains perception of risk in detail.
2.3.1 Risk Perceptions
Perception of risk refers to people's thinking about risk, which is mostly negative and may occur at different levels. People often think that risks might bring a huge impact to themselves, their families and their surroundings, or only a small impact. Listed below are three perceptions that explain how people think about risk (Ropeik and Gray, 2002).
1. Most people are more afraid of risks that are new than of those they have lived with for a while. In other words, newcomers are more afraid of the risks coming to them than those who have already spent years or decades of their life in a place. For example, new neighbours are more alert to the safety of their house at night than residents who are already familiar with the residential area.
2. Most people are more afraid of human-made risks than of natural risks. For example, radiation from nuclear waste or from cell phones, which derives from human actions, causes more apprehension than radiation from the sun, which scientifically carries a far greater risk.
This can be seen in Japan's guidelines on managing nuclear radiation and in Samsung's safety information for its products, which advises keeping a little distance between a pacemaker and a device such as the Samsung Galaxy Note 8.0 because of the device's possible effect on it (Samsung Electronics, 2013). Human awareness of solar radiation, however, is lower: people keep contributing to ozone depletion by using goods hazardous to the ozone layer that contain chlorofluorocarbons (CFCs), such as refrigerators and pesticide sprays.
3. Most people are more afraid of risks imposed on them than of risks that derive from their own actions. For example, smokers are more afraid of asbestos and other indoor air pollution in their workplace than of the negative effects of their smoking. Even worse, the risks from cigarette smoke harm not only the smoker but also passive smokers, because smoke contains carcinogens that may lead to cancer. Yet people remain less afraid of the risks from their own smoking, as shown by the increasing number of smokers regardless of age.
There is an increasing number of young people, and even children as young as 13, who are addicted to smoking, and also a sharp increase in female smokers in Malaysia, especially among young women, girls and even expectant mothers (The Star Online, 2012).
In conclusion, understanding the basic concept of risk can help management analyze risks, their nature, consequences and the impact they will have on the organization. This is crucial because it helps the organization get ready for any negative circumstances and prepare the necessary actions. Failure to analyze risks may lead to failure in completing the routine activities of the company and thus reduce the company's financial performance and stability.
CHAPTER 3.0: RISK MANAGEMENT
3.1 What is Risk Management?
Risk management is a process consisting of well-defined steps which, when taken in sequence, support better decision making by contributing to a greater insight into risks and their impacts (Sai Global, 2003). In other words, risk management is a process that defines the procedures an organization should take to avoid and handle risks and their negative consequences for the organization's operations.
From another point of view, risk management is commonly distinguished from risk assessment, even though some use the term risk management to connote the entire process of risk assessment and management (Haimes, 1998). Risk management begins with three basic questions:
1. What can go wrong?
This question requires the organization to define and find the risks its assets might face.
2. What will we do to prevent it?
This question requires the organization to find and address the precautionary actions that should be implemented to prevent such risks.
3. What will we do if it happens?
This question requires the organization to find and address the corrective actions that should be implemented if the risk cannot be avoided and has occurred.
3.2 Fifty Years' Evolution of Risk Management
As the title indicates, Table 1 below lists fifty years of risk management evolution, starting from the origin of modern risk management.

Year         Evolution
1955-1964    Origin of modern risk management
             (Sources: Crockford, 1982; Harrington and Niehaus, 2003; Williams and Heins, 1995)
1963-1964    First two academic books published, by Mehr and Hedges in 1963 and Williams and Heins in 1964
             (Source: Dionne, 2013)
1970-1980    Use of derivatives as instruments to manage insurable and uninsurable risk begins, and develops quickly in the 1980s
             (Source: Dionne, 2013)
1980         Companies begin to consider financial management of the risk portfolio
             (Source: Dionne, 2013)
1990         Operational risk, liquidity risk and international regulation of risk begin
             (Source: Dionne, 2013)
2002         Sarbanes-Oxley Act introduced in the United States
             (Source: Dionne, 2013)
Table 1: Risk Management Evolution
(Sources: Crockford, 1982; Harrington and Niehaus, 2003; Williams and Heins, 1995; Dionne, 2013)
3.3 Risk Management Process
Figure 1: Risk Management Process (the four components Frame, Assess, Respond and Monitor, linked by information and communications flows)
(Source: Locke and Gallagher, 2011)
As illustrated in Figure 1 above, information and communication flows take place throughout the risk management process, with the black arrows representing the primary flows within the process. Information and communication are vital in managing everything in daily life, since they help us become clear about what we want to do and are supposed to do, and they play the same role in the risk management process.
Adequate information is crucial, since the right information allows the risk management process to address the actual coming risks accurately and precisely; for example, adequate information on the nature of the risk itself, such as when a catastrophe might occur or whether its negative impact on the organization's assets would be small or huge. The same goes for communication, which plays a vital role in transmitting the information (data) throughout the organization and to the responsible officers. Precision and truthfulness in disseminating the information are crucial, since they demonstrate transparency and allow exact decisions to be made. In other words, the right decision in managing the risk can be made if the responsible officers are able to analyze valid information, and that is achieved through good and effective communication between those parties.
Generally, risk framing plays an important part in this process by informing all the activities, moving from risk assessment to risk response and to risk monitoring step by step. For example, new legislation, directives or policies may require the organization to implement additional risk response measures immediately. This information is communicated directly from the risk framing component to the risk response component, where specific activities are carried out to achieve compliance with the new legislation, directives or policies. However, this flow should still pass through risk assessment, which addresses what the organization is supposed to do, before the activities carried out are monitored.
3.4 Risk Management as an Integral Part of Overall Management
Figure 2: Risk Management as an integral part of overall management
(Source: Haimes, 1998)
Figure 2 elements: technological age; technology management of man/machine/software systems through planning, design and operation; risk management weighing uncertain benefits against uncertain costs; risk management ≈ optimal balance.
To develop effective and meaningful protection for an organization, risk management must be an integral part of the overall management of a system. This is because a failure of the hardware, the software, the organization or the humans involved will lead to a failure of the system. Thus, risk management should take place integrally across the whole organization.
To discuss the role of risk management as an integral part further, for readers with no prior knowledge, "whole" is the best word to replace "integral". In other words, risk management can be said to be part of the whole of overall management in an organization; it is said to be whole because it comprises both risk assessment and risk management, and so involves every angle. The premise that risk assessment and management must be an integral part of the decision-making process necessitates following a systematic, holistic approach to dealing with risk (Haimes, 1998).
Figure 2 above depicts the role played by risk management as an integral part of overall management. As shown, risk management covers all the important aspects of the organization, such as man, machine and software systems, planning, design and operation, as well as the benefits and the costs faced by the organization. In other words, risk management covers the inputs (man, machine and software systems) and the processes (planning and design). It is also concerned with the risks that might exist in daily operations, with reduced or added benefits, and with the increased costs faced by the organization.
3.5 Total Risk Management
Total Risk Management (TRM) can be defined as a systematic, statistically based, holistic process that builds on formal risk assessment and management (Ropeik and Gray, 2002). TRM plays a significant role in answering the two sets of triplet questions for risk assessment and risk management, and it also addresses the four sources of failure within a hierarchical multi-objective framework (Haimes, 1998). The TRM paradigm is depicted in Figure 3 and, as part of TRM, the sources of failure are depicted in Figure 4 under the name of system failure.
Figure 3: Total Risk Management
(Source: Haimes, 1998)
Risk assessment questions:
1. What can go wrong?
2. What is the likelihood that it would go wrong?
3. What are the consequences?
Risk management questions:
1. What can be done?
2. What options are available and what are their associated trade-offs in terms of all costs, benefits and risks?
3. What are the impacts of current management decisions on future options?
Sources of failure: hardware failure, human failure, software failure, organizational failure.
Figure 4: System Failure (human failure, hardware failure, software failure and organizational failure as the four sources)
(Source: Haimes, 1998)
3.6 Multi-tiered for Risk Management
To integrate the risk management process throughout the organization, a three-tiered approach is employed that addresses risk at (i) the organization level, (ii) the mission/business process level and (iii) the information system level (Locke and Gallagher, 2011). The risk management process is meant to be carried out without interruption in each of these tiers, aiming at continuous improvement of the organization's risk-related activities. Figure 5 below illustrates multi-tiered risk management.
Figure 5: Multi-tiered Organization-Wide Risk Management
(Source: Locke and Gallagher, 2011)
Figure 5 elements: Tier 1, Organization (strategic risk); Tier 2, Mission/Business Processes; Tier 3, Information Systems (tactical risk). Across the tiers: inter-tier and intra-tier communications; a feedback loop for continuous improvement; traceability and transparency of risk-based decisions; organization-wide risk awareness.
3.7 Key Roles
Risk management is obviously part of management's responsibility. As portrayed in Table 2 below, this sub-section describes the key roles of the personnel and groups who should support and participate in the risk management process.
Senior Management
- Ensure the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission
- Assess and incorporate the results of risk assessment activity so that they can be used in the decision-making process
- Provide full support and involvement in assessing and mitigating IT-related mission risks
Chief Information Officer (CIO)
- Responsible for the agency's IT planning, budgeting and performance, including its information security components
System and Information Owners
- Responsible for ensuring that proper controls are in place to address the integrity, confidentiality and availability of the IT systems and data they own
- Responsible for changes to their IT systems, approving and signing off on changes such as system enhancements and major changes to software and hardware
Business and Functional Managers
- Play an active role in the risk management process
- Have the authority and full responsibility for making the trade-off decisions essential to mission accomplishment
- Their involvement in the risk management process enables proper security for the IT systems, which, if managed properly, provides mission effectiveness with a minimal expenditure of resources
Information System Security Officer (ISSO)
- Responsible for their organizations' security programs, including risk management
- Play a leading role in introducing an appropriate, structured methodology to help identify, evaluate and minimize risks to the IT systems that support their organizations' missions
- Act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis
IT Security Practitioners (network, system, application and database administrators, computer specialists, security analysts and security consultants)
- Responsible for the proper implementation of security requirements in IT systems
- Identify and assess new potential risks and implement new security controls as needed to safeguard IT systems
Security Awareness Trainers (Security/Subject Matter Professionals)
- Develop appropriate training materials and incorporate risk assessment into training programs to educate end users and so minimize risk to the IT systems
Table 2: Key Roles
(Source: Stoneburner, Goguen and Feringa, 2002)
In conclusion, all the personnel above have to know their own job scope in handling, supporting and participating in the risk management process. It is vital for each of them to follow the stated key roles so that the necessary actions are taken. Assigning responsibilities properly is also important, so that each person can give full focus to their respective area and there is no redundancy in the tasks allocated to them.
CHAPTER 4.0: INFORMATION TECHNOLOGY RISK MANAGEMENT
4.1 What is Information Technology Risk Management?
Rephrasing the definition of risk management from Sai Global (2003) discussed in Chapter 3.1, risk management is a process that defines the procedures an organization should take to avoid and handle risks and their negative consequences for its operations. Thus, information technology risk management can be described as management's effort to anticipate, monitor, handle and minimize the risks that affect the information technology used by the company.
The use of information technology not only creates a digital society (Gutmann, 2001) but is also useful in communicating and disseminating information within and throughout the organization. However, any catastrophe, natural disaster or even human-made disaster will surely disrupt the process of communicating and disseminating information in the organization. It is therefore crucial for the organization to have its own information technology risk management, so that it is able to run its daily operations without disturbance and the whole process runs smoothly.
To help the organization manage the risks arising in its information technology, sub-topic 4.3 discusses the process of information technology risk management further.
4.2 Information Technology Risk Management Process Overview
For a better understanding, a sample information technology risk management process, that of the University of Virginia, is discussed under this sub-topic. The sample from this university was chosen because the university has the most up-to-date information on this compared with others. The four steps of the University of Virginia's information technology risk management process are listed below. To make the explanation clearer, some additional information has been added briefly on some points.
Step 1: Information Technology (IT) Mission Impact Analysis (see appendix 4)
Verify department’s critical assets such as hardware, software, information, people
Hardware: Hardware consists of electronic components and related gadgetry
that input, process, output, and storage data according to instructions
encoded in computer programs or software (Kroenke and McKinney, 2013).
For the example of hardware, please refer to appendix 1.
Software: There are two basic types of software – system and application.
System software is required to use the computer whereas application
software processes the user’s data (McLeod and Schell, 2004). For the
example of software, please refer to appendix 2.
Information: Information is processed data that is meaningful, which is it
usually tells the user something that she or he did not already know (McLeod
and Schell, 2004).
People: As part of the five-component framework, one of the five fundamental
components of an information system; includes those who operate and
service the computers, those who maintain the data, those who support the
networks and those who use the system (Kroenke and McKinney, 2013).
Step 2: Information Technology (IT) Risk Assessment
• Assess departmental security practices according to the standards decided by the organization, the state and the federal government
• Map your department’s assets from Step 1 to the threat scenarios provided (and others that your department identifies)
• Assign a weight to each threat to your assets based on the likelihood of it occurring in your environment and the impact of any vulnerability
• List threats in order of priority according to the harm they could do to the organization
• Map these threats back to the response strategies provided (and others your department develops)
• Construct (or update if you already have one) your department’s security plan for mitigating or accepting the identified risks
• Take into account previously implemented strategies and existing plans – use (and document) effort and analysis that you have already produced
• Document your key decisions and justifications
Step 3: IT Mission Continuity Planning
• Create (or update) a response plan for your department to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
• Test your plan
Step 4: Evaluation and Reassessment
• Repeat Steps 1-3 every three years or when there are significant changes to departmental IT assets or the risk environment
• Review the success of your prior analysis, testing and any responses made, whether they were corrective, preventative or post-incident
• Incorporate responses to any intervening changes such as a new operating system, critical applications or data.
(Source: University of Virginia Information Technology Security Risk Management (ITS-RM) Program Version 4.0, 2014)
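As an added illustration (not part of the UVA programme or of this paper), the following Python sketch carries Step 2 through on a constructed register: likelihood and impact weights are multiplied, threats are listed by priority of harm, and each is mapped to an accept or mitigate strategy with its justification documented. The asset names, the 1-5 scales and the risk appetite are assumed values.

```python
from dataclasses import dataclass, field

# Ordinal weights for likelihood and impact (constructed 1-5 scales; the UVA
# programme leaves the choice of scale to the department).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Threat:
    asset: str                 # critical asset carried over from Step 1
    scenario: str              # threat scenario the asset is mapped to
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT
    existing_controls: list = field(default_factory=list)  # strategies already in place

    def score(self) -> int:
        """Weight = likelihood x impact; higher means more harm to the organisation."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(threats):
    """List threats by priority of harm (highest score first, ties keep input order)."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def select_strategy(threat, risk_appetite):
    """Map a scored threat back to a response strategy and record the justification.

    risk_appetite is the highest score the department is willing to accept."""
    s = threat.score()
    if s <= risk_appetite:
        return "accept", f"score {s} is within risk appetite {risk_appetite}"
    if threat.existing_controls:
        # Reuse and document effort already produced instead of starting over.
        return "mitigate (existing controls)", "reuse " + ", ".join(threat.existing_controls)
    return "mitigate (new control)", f"score {s} exceeds risk appetite {risk_appetite}"


def build_security_plan(threats, risk_appetite):
    """Return the department security plan: one documented decision per threat."""
    plan = []
    for t in prioritize(threats):
        strategy, why = select_strategy(t, risk_appetite)
        plan.append({"asset": t.asset, "scenario": t.scenario, "score": t.score(),
                     "strategy": strategy, "justification": why})
    return plan


# Constructed sample register for a fictional department.
SAMPLE_THREATS = [
    Threat("student records database", "unauthorized disclosure of SSNs", "possible", "severe"),
    Threat("departmental file server", "ransomware corrupts shared data", "likely", "major",
           existing_controls=["nightly offline backups"]),
    Threat("public website", "defacement", "possible", "minor"),
    Threat("lab desktop", "hardware failure", "likely", "negligible"),
]

if __name__ == "__main__":
    for row in build_security_plan(SAMPLE_THREATS, risk_appetite=6):
        print(f"{row['score']:>2}  {row['asset']:<26} {row['strategy']:<28} {row['justification']}")
```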
However, the time frame or time taken to complete this process will vary depending on the size of the organization itself. The bigger the organization, the more time will be needed. Because of that, organizations should establish internal deadlines for the completion of each step of the process in order to ensure steady progress and to avoid any delay beyond the planned time frame. Delay in this process will only leave the organization responding slowly to risk, which will surely lead to disturbance of, and failure in, the organization’s operational processes. Chart 1 gives a brief overview of this process.
Chart 1: Information Technology (IT) Security Risk Management Process Flow
(Source: University of Virginia Information Technology Security Risk Management (ITS-RM)
Program Version 4.0, 2014)
[Chart 1 is a flow diagram in the original; its steps and deliverables are given here in text form.]
Step 1 – Identify Critical Information Technology (IT) Assets. Deliverable: Critical Assets List
Step 2 – Assess Risks. For each critical asset: assign weight to likelihood & impact of threats to each asset; prioritize threats; select response strategies; develop security plan. Deliverable: Security Plan
Step 3 – Mission Continuity Planning. Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed. Deliverables: Disaster Recovery Plan; Interim Manual Procedures
Step 4 – Evaluation and Reassessment. Required at least once every three years
4.3 Five phases of Information Technology Mitigation Programme
A successful IT risk mitigation program consists of five phases: management and governance, assessment, planning and design, implementation and testing, and monitoring.
Management and governance: Both business conditions and IT capabilities and costs change over time. IT risk management and governance is the process by which an appropriate IT risk posture is maintained in the long term. Key elements include:
• Creating policies with clear roles and responsibilities to establish the context of “risk” as related to the company’s enterprise
• Defining key risk indicators (KRIs) for IT risk (indicators that can be measured and monitored to give an early warning of changes in the company’s risk profile)
• Embedding IT risk management considerations into the operational processes of the enterprise
• Evaluating, reporting and communicating on the IT risk profile
• Re-evaluating IT risks and updating mitigation strategies as appropriate
Assessment: The first step of this phase is to clearly identify and evaluate the types of IT risk an organization might face and to gauge its ability to rapidly respond to risk events. Assessment is an ongoing process that involves:
• Defining the key value-producing business services that the organization performs and quantifying their value
• Decomposing the business services into the business components required for their delivery
• Establishing the business impact to the service if a given business component is nonfunctional
• Defining the most significant threats and their relevant risks to the business components by evaluating the probability of each threat’s occurrence and the impact should it occur
• Determining the business services impact based on the effects to the business components
• Establishing and implementing appropriate, cost-effective strategies to mitigate the defined risks based on understanding the organization’s “risk appetite”
• Determining external risk dependencies and how the organization and systems would respond if compromised
Planning and design: During the planning and design phase, the organization develops mitigation strategies for managing IT risks. This phase includes:
• Determining ways to sustain critical operations in the event of a disruption by defining strategic business continuity, disaster recovery and crisis management plans
• Designing a business-requirement-based architecture for the organization’s IT environment
• Optimizing the balance between the organization’s investments in IT risk management and their business value
Implementing and testing: This phase gives the organization an opportunity to validate the effectiveness of its plans, as well as to identify weaknesses. Key elements include:
• Creating test plans, executing a successful test, identifying gaps and recommending fixes
• Integrating IT and business needs
• Validating that the IT risk solution is current and actionable
Monitoring: Continuous monitoring of KRIs helps ensure that the organization can identify changing risk levels and take action before the risks materialize and impact a key business service. The keys to successful IT risk monitoring include:
• Mapping IT service components to the business services they support
• Defining KRI thresholds that represent a potentially abnormal condition
• Implementing mechanisms to alert appropriate agents (both people and technology) to take preventive or corrective action
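An added example, not from the source cited above: a small Python monitor that applies the three keys listed for the monitoring phase, mapping IT components to the business services they support, checking readings against KRI thresholds, and producing alerts tagged with the services at risk. All component names, indicators, thresholds and readings are constructed.

```python
# Mapping of IT service components to the business services they support
# (constructed sample; in practice this comes out of the assessment phase).
COMPONENT_TO_SERVICES = {
    "auth-service": ["online sales", "student portal"],
    "payment-gateway": ["online sales"],
    "backup-job": ["student portal", "research data archive"],
}

# KRI thresholds: indicator -> (bound, threshold). "max" means a reading above
# the threshold is potentially abnormal, "min" means a reading below it is.
KRI_THRESHOLDS = {
    "unpatched_critical_vulns": ("max", 0),
    "failed_logins_per_hour": ("max", 200),
    "backup_success_rate": ("min", 0.99),
    "days_since_last_restore_test": ("max", 90),
}


def is_breach(indicator, value):
    """True when a reading crosses its KRI threshold."""
    bound, threshold = KRI_THRESHOLDS[indicator]
    return value > threshold if bound == "max" else value < threshold


def evaluate(readings):
    """Turn one round of KRI readings into alerts tagged with the business
    services at risk, so the responsible agent knows what the breach means."""
    alerts = []
    for component, indicators in readings.items():
        for indicator, value in indicators.items():
            if is_breach(indicator, value):
                alerts.append({
                    "component": component,
                    "indicator": indicator,
                    "value": value,
                    "threshold": KRI_THRESHOLDS[indicator][1],
                    "affected_services": COMPONENT_TO_SERVICES.get(component, []),
                })
    return alerts


def services_by_exposure(alerts):
    """Rank business services by how many breached KRIs touch them."""
    counts = {}
    for a in alerts:
        for svc in a["affected_services"]:
            counts[svc] = counts.get(svc, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample readings from one monitoring cycle.
SAMPLE_READINGS = {
    "auth-service": {"failed_logins_per_hour": 450, "unpatched_critical_vulns": 1},
    "payment-gateway": {"failed_logins_per_hour": 12, "unpatched_critical_vulns": 0},
    "backup-job": {"backup_success_rate": 0.95, "days_since_last_restore_test": 40},
}

if __name__ == "__main__":
    found = evaluate(SAMPLE_READINGS)
    for a in found:
        print(f"ALERT {a['component']}: {a['indicator']}={a['value']} "
              f"(threshold {a['threshold']}) -> {', '.join(a['affected_services'])}")
    print("exposure:", services_by_exposure(found))
```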
4.4 Top 10 Emerging Information Technology Risks
Due to the globalization process, information technology risks keep emerging from day to day and might harm organizations. However, all these information technology risks actually vary in their level of risk according to the industry, technology or business processes themselves. Listed in tabular form below are ten emerging information technology risks identified by Mizoguchi in 2012, in no particular order, together with the issues that might arise from the risks.
(Columns: No. | Emerging IT Risk | Issue | Risks)
1. Social Networking
   Issue: Use of social media technologies is expanding into new areas such as user communities, business collaboration and commerce.
   Risks:
   • Brand protection
   • Unauthorized access to confidential data
   • Regulatory or legal violations
2. Mobile Devices
   Issue: Rapid growth in the number of smart devices and in their functions.
   Risks:
   • Loss / release of critical business data
   • Security and identity management
   • Application development challenges
3. Malware
   Issue: Malware continues to increase in sophistication, and has more avenues for execution.
   Risks:
   • Loss or theft of critical information
   • Hardware impacts
   • Cash impact
   • Lost productivity
4. End User Computing
   Issue: End User Computing (EUC) applications continue to evolve given the resource constraints of the economic downturn.
   Risks:
   • Misstated financial statements
   • Unsupported decision making
   • Regulatory concerns
   • Loss or corruption of data
5. Corporate Espionage
   Issue: More specific targeted efforts (often for gain), assisted by the increase in mobile computing technologies.
   Risks:
   • Loss or release of corporate data
   • Denial of service
   • Intellectual property loss
6. Project Backlog
   Issue: The economic downturn caused a decrease in IT investment and deferral of critical projects, resulting in large project backlogs.
   Risks:
   • Project delays or failure
   • Completed projects short-changing security and controls
   • Failure to achieve business objectives
   • Poor or inadequate vendor management
7. IT Governance
   Issue: Reduced enterprise IT support / budgets and increased ease of technology deployment have led to multiple “shadow IT” organizations within enterprises. Shadow groups tend not to follow established control procedures.
   Risks:
   • Failure to comply with corporate IT policies and controls
   • Operational impacts
   • Information security risks
   • Regulatory violations
   • Duplication of efforts, increased costs and inefficiencies
8. Electronic Record Management
   Issue: Increased deployment of ERM solutions, with corresponding data conversions and process changes.
   Risks:
   • Loss of data in the conversion process
   • Regulatory violations if inadequate controls exist
   • Storage, retention and forensic issues
9. Data Management
   Issue: Lack of ability to identify the types/location of enterprise data, and lack of a robust data stratification schema to categorize sensitive data.
   Risks:
   • Regulatory penalties
   • Brand damage
   • Increased cost of compliance
10. Cloud Computing
   Issue: Proliferation of external cloud computing solutions, corporate- and user-based. Different deployments available: data, applications, services.
   Risks:
   • Administrative access
   • Data management (location/compliance/recovery/security)
   • Dependence on the availability of the cloud provider and internet connection
   • Long-term viability
Figure 6: Top 10 Emerging Information Technology Risks
(Source: Mizoguchi, 2012)
CHAPTER 5.0: CONCLUSION
In a nutshell, all three main topics have been covered well in the specific chapters allocated to them. Understanding of risk, risk management and information technology risk management is crucial for every one of us in this modern era, even though the elaborations in this project paper focus more on organizations. As an individual, having a good understanding of these three topics is also important, since we also might be involved with unpredictable risks and, in the end, we also might be a member of an organization. Thus, knowledge of these topics is useful in overcoming risks.
Re-evaluating what has been addressed by Surah Al-Baqarah verse 286 and also the dramatic phrases from William Shakespeare, something I can conclude from these two sources is that if something wants to happen, such as any catastrophe, natural disaster or even man-made disaster, we as human beings for sure cannot avoid all these events. As a Muslim, if Allah says “Kun Faya Kun”, everything will happen and nothing can avoid it. As stated in Surah Yassin verse 82, whenever He (Allah) intends a thing, He needs only to say: "Be (Kun)," and it is (Faya Kun).
However, to give us some relief, we as Muslims have to come back to our Holy Quran. As stated before, verse 286 of Surah Al-Baqarah states that Allah does not charge a soul except (with that within) its capacity. So, here we can say that any risk that comes is just a trial from Allah to His slaves, and it depends on us how we perceive that trial, whether from a positive perspective or a negative one. However, it is our duty to try our best since we have a chance to do so.
“Work for the affairs of the world as if you were going to live forever but work for the
Hereafter as though you will die tomorrow.”
The Prophet Muhammad pbuh
APPENDIXES
Appendix 1: Hardware - Example of Computer Hardware
(Source: Warepin, 2010)
Appendix 3: List of dangerous drugs under the First Schedule of the Dangerous Drugs Act 1952
FIRST SCHEDULE
[Sections 2, 11(1) and 17(3)]
PART I
Raw Opium
Coca Leaves
Poppy-Straw
Cannabis
PART II
Prepared Opium
Cannabis
Cannabis resin and substances of which such resin forms the base
PART III
Acetorphine
Acetyl-alpha-methylfentanyl
Acetylmethadol
Alfentanil
Allylprodine
Alphacetylmethadol
Alphameprodine
Alphamethadol
Alpha-methylfentanyl
Alpha-methylthiofentanyl
Alphaprodine
2-amino-1-(2, 5-dimethoxy-4-methyl) phenylpropane
Amphetamine
Anileridine
Benzethidine
Benzylmorphine
Betacetylmethadol
8-beta-11-dihydroxy-delta-9-tetrahydroxycannabinol
8-beta-hydroxy-delta-9-tetrahydrocannabinol
Beta-hydroxyfentanyl
Betahydroxy-3-methylfentanyl
Betameprodine
Betamethadol
Betaprodine
Bezitrami
Butorphanol
4-bromo-2, 5-dimethoxyphenylethylamine (2C-B)
Cathinone
Clonitazene
Cocaine
Codoxime
Concentrate of poppy-straw (the material arising when poppy-straw has entered into a process for the concentration of its alkaloids, when such material is made available in trade)
delta-8-tetrahydrocannabinol
delta-9-tetrahydrocannabinol
Desomorphine
Appendix 4: Step 1 – IT Mission Impact Analysis Questions
Unit Name: ___________________ Sub-Unit Name: ___________________
Mission Impact Analysis Questions
This section identifies information, computing hardware and software, and associated personnel that require protection against unavailability, unauthorized access, modification, disclosure or other security breaches.
Note: Any use of highly sensitive data (including Social Security numbers, protected health information, etc.) is inherently a critical component of the unit’s mission and a source of significant risk.
1. What’s your department’s mission?
2. What are the key functions your department performs to implement your mission?
3. What IT hardware infrastructure and assets are critical to the performance of those key functions? Please list these assets and prioritize them based on their criticality to the functions identified above. Be sure to include individual, departmental, central UVa and external (e.g., vendor) assets as appropriate, and list a system administrator, model number and operating system, where applicable, for each asset.
   Examples:
   • Servers (including those hosted by others)
   • Desktops/laptops/mobile devices that host critical or highly sensitive data
4. What software applications are critical to the performance of those key functions? Please list these and prioritize them based on their criticality to the functions identified above. Be sure to include individual, departmental, central UVa and external (e.g., vendor, federal and state) assets as appropriate.
   Note: Even common applications, like web browsers and Microsoft Office, may be critical and must be kept updated and secure to protect your systems.
5. What IT data assets are critical to the performance of those key functions? Please list these assets and prioritize them based on their criticality to the functions identified above. Be sure to include individual, departmental, central UVa and external (e.g., vendor, federal and state) data swapping assets as appropriate.
   Examples:
   • Academic: instructional resources, databases necessary to maintain a given research program
   • Administrative: sensitive student or financial data necessary for business operations and student services
   • Health-related: sensitive patient data, both clinical and research
   • External data provider
6. Do you store student SSNs in the department, whether in paper or electronic form? If so, provide 1) a complete location inventory of these numbers, and 2) an explanation of the legal requirement and/or business process that necessitates their storage.
Prepared by: Administrative contact
Name: __________________________ Signature: __________________________
Title: __________________________ Date: __________________________
Approved by: Unit head
Name: __________________________ Signature: __________________________
Title: __________________________ Date: __________________________
Prepared by: Technical contact
Name: __________________________ Signature: __________________________
Title: __________________________ Date: __________________________
(Source: University of Virginia, 2014)
REFERENCES
Brown, C. V., Dehayes, D. W., Hoffer, J. A., Martin, E. W. and Perkins, W. C. (2012). Management Information Technology, 7th Ed. Pearson Education Inc., New Jersey.
CLUSIF. (2008). Risk Management: Concept and Methods. Retrieved on November 2nd, 2014 from www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-risk-management.pdf
Crockford, G. N. (1982). The Bibliography and History of Risk Management: Some Preliminary Observations. The Geneva Papers on Risk and Insurance, 7, 169-179.
Dionne, G. (2013). Risk Management: History, Definition and Critique. Retrieved on November 2nd, 2014 from http://neumann.hec.ca/gestiondesrisques/13-02.pdf
Gutmann, M. (2001). Information Technology and Society. Retrieved on November 2nd, 2014 from http://www.zurich.ibm.com/pdf/news/Gutmann.pdf
Haimes, Y. Y. (1998). Risk Modeling, Assessment and Management. John Wiley and Sons Inc., New York.
Harrington, S. and Niehaus, G. R. (2003). Risk Management and Insurance. Irwin/McGraw-Hill, USA.
Humayun Kabir. (2014). What is Computer Software and Types of Computer Software? Retrieved on November 2nd, 2014 from http://www.easytechtips24.com/what-is-computer-software-and-types-of-computer-software/
International Organization for Standardization (ISO) and International Electrotechnical Commission. (2008). Information Technology – Security Techniques – Information Security Risk Management (ISO/IEC 27005:2008). Retrieved on November 2nd, 2014 from http://www.pqm-online.com/assets/files/standards/iso_iec_27005-2008.pdf
Kroenke, D. M. and McKinney, J. E. H. (2013). Processes, Systems, and Information: An Introduction to MIS. Pearson Education Inc., New Jersey.
Law of Malaysia Act 234. (2006). Dangerous Drugs Act 1952. Publisher: the Commissioner of Law Revision, Malaysia. Percetakan Nasional Malaysia Berhad. Retrieved on November 2nd, 2014 from http://www.agc.gov.my/Akta/Vol.%205/Act%20234.pdf
Law of Malaysia Act 235. (2006). Customs Act 1967. Publisher: the Commissioner of Law Revision, Malaysia. Percetakan Nasional Malaysia Berhad. Retrieved on November 2nd, 2014 from http://www.agc.gov.my/Akta/Vol.%205/Act%20235.pdf
Locke, G. and Gallagher, P. D. (2011). Managing Information Security Risk: Organization, Mission, and Information System View. Retrieved on November 2nd, 2014 from [hyperlink not preserved]P800-39-final.pdf
Lowrance, W. W. (1976). Of Acceptable Risk. William Kaufman, Los Altos, CA.
Mizoguchi, T. (2012). Information Technology Risks in Today’s Environment. Retrieved on November 2nd, 2014 from https://chapters.theiia.org/san-diego/Documents/Seminars/SD_IIA___ISACA_Event_041112_Deloitte_IA_Top_Ten_Risks.pdf
McLeod, J. M. and Schell, G. P. (2004). Management Information Systems. Pearson Education Inc., New Jersey.
Official Website Royal Malaysia Customs Department. (2013). Keputusan Ketetapan Kastam November hingga Desember 2013. Retrieved on November 2nd, 2014 from [hyperlink not preserved]
Pollatsek, A. and Tversky, A. (1970). A Theory of Risk. Journal of Mathematical Psychology, 7, 540-553.
Ropeik, D. and Gray, G. (2002). Risk: A Practical Guide for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You. Houghton Mifflin, Boston/New York.
Sai Global. (2003). Risk Management. Retrieved on November 10th, 2014 from http://www.riskmanagement.com.au/
Samsung Electronics. (2013). Quick Start Guide. Samsung Electronics Euro QA Lab, Hampshire, United Kingdom.
Shakespeare Online. Retrieved on November 10th, 2014 from [hyperlink not preserved]
Smoking a Cause for Concern. (July 12, 2012). The Star Online. Retrieved on November 2nd, 2014 from http://www.thestar.com.my/story/?file=%2f2012%2f7%2f12%2ffocus%2f11646513&sec=focus
Stoneburner, G., Goguen, A. and Feringa, A. (2002). Risk Management Guide for Information Technology Systems. Retrieved on November 2nd, 2014 from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Terjemahan Al-Hidayah Al-Qur’an Al-Karim. (2013). Al-Qur’an Al-Karim Rasm Uthmani Dalam Bahasa Melayu. Al-Hidayah House of Qur’an Sdn. Bhd.
University of Virginia. (2014). Information Technology Security Risk Management (ITS-RM) Program Version 4.0. Retrieved on November 2nd, 2014 from [hyperlink not preserved]informationsecurity/riskmanagement/
Warepin. (2010). Four Categories of Computer Hardware. Retrieved on November 23rd, 2014 from http://www.warepin.com/4-categories-of-computer-hardware/
Williams, A. and Heins, M. H. (1995). Risk Management and Insurance. McGraw-Hill, New York.