… Risk Management
The field of Information Technology is evolving at a fast pace, forcing all the other fields, such as education, the economy or industry, to develop at the same rhythm. IT as such impacts virtually all aspects of life, from the enjoyment of leisure time to the completion of professional tasks.
Technological evolution raises numerous challenges and opportunities for the other domains, which have to keep up with the advancements. Within the business sector, technological evolution could translate into increased operational efficiency, but it would also raise the level of competition within an industry.
The fast pace of technological development poses challenges not only for the outside environments, but also for the IT sector itself. Specifically, an essential stage in the success of any process is represented by the control mechanisms, which ensure that an entity implements adequate solutions and is able to attain its pre-established objectives within the imposed conditions. Still, in the case of the IT sector, the quick evolution prevents entities from testing and developing adequate control mechanisms before the technology they are meant to control has already changed.
"An understanding of risk and the application of risk assessment methodology is essential to being able to efficiently and effectively create a secure computing environment. Unfortunately, this is still a challenging area for information professionals due to the rate of change in technology, the relatively recent advent and explosive growth of the Internet, and perhaps the prevalence of the attitude (or reality) that assessing risk and identifying return on investment is simply too hard to do" (Elky, 2006).
In such a setting, practitioners and academics have yet to devise universally accepted control mechanisms to be employed in the management of risk across institutions operating in the Information Technology sector. Given this, practitioners often develop and implement specific control mechanisms, which they devise on the spot, based on the features of the given project or situation.
In the context presented so far, the current project sets out to reveal how risk management tools and techniques can be implemented within a medium-sized enterprise with an enterprise architecture of approximately 500 users. Given this objective, the first necessity within the organizational entity is that of assessing the actual risks. This step is crucial within the medium-sized company in order to support the future efficiency of its processes. For instance, it is necessary to identify the nature of a risk in order to develop the proper techniques, and the severity of the risk in order to prioritize the business and IT controls.
At a generic level, there are two means of assessing risks, namely qualitative methods and quantitative methods. Quantitative methods are numeric and based on the collection and processing of statistical data. Their results can be supported by statistical evidence and can also be extrapolated (DuBrin, 2011). Still, in the context of a medium-sized enterprise and a specific IT project, it is believed that a qualitative approach is more suitable, as it is based on the strict observation of the situation and the formulation of conclusions -- conclusions that cannot be generalized, but which are tailored to the particularities of the risks and features within the medium-sized firm (Collier and Agyei-Ampomah, 2009).
The qualitative assessment of risks is conducted through six successive stages, as follows: (1) the identification of the threats, (2) the identification of the vulnerabilities, (3) the identification of the relationships between the threats and the vulnerabilities, (4) the definition of the likelihood of the risk occurring and materializing, (5) the definition of the impact of the risk manifesting and last, (6) the assessment of the risk. In terms of the management of the risk, this can be completed through one or more of the following techniques: (1) mitigation of the risk; (2) transfer of the risk from one unit to another, one project to another and so on; (3) acceptance of the risk; (4) avoidance of the risk; (5) communication of the risk and the search for risk management strategies, and last, (6) the implementation of the risk management strategies (Elky, 2006).
Once the company has decided to accept and mitigate the risk, it has several options for managing it. Steve Elky at the SANS Institute points out that there are at least five methods for risk management, namely the NIST methodology (National Institute of Standards and Technology), the OCTAVE methodology, the FRAP methodology, the COBRA methodology and the Risk Watch methodology. The challenge at this level is for the economic agent to identify those precise methodologies which best respond to its specific needs.
In the context of the medium-sized company with a 500-user enterprise architecture, the recommended approach is a combination of three independent tools. Taken separately, each of the risk control tools has its own advantages and disadvantages. Nevertheless, through their combination, the company would become better able to serve its specific needs by maximizing the advantages of the three methods and minimizing their shortcomings. The three methods are the NIST methodology, the COBIT 5 method and Risk Watch.
The NIST methodology has the primary advantage of being technical and of supervising technical processes based on standards and rules imposed by the industry. This method is applied through nine specific steps, as follows: (1) the characterization of the system; (2) the identification of the threats; (3) the identification of the vulnerabilities; (4) the analysis of the controls; (5) the determination of the likelihood; (6) the analysis of the impact; (7) the determination of the risk; (8) the formulation of control recommendations and last, (9) the documentation of the results (Elky, 2006).
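The six-stage qualitative assessment described earlier and the likelihood, impact and risk-determination steps of the NIST methodology can both be recorded as a small risk register. The following is an added illustration written for this page, not code from the cited sources; the three-level scales, the 3x3 rating matrix, the band thresholds and the sample entries are all assumptions of the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    """Ordinal qualitative scale used for both likelihood and impact (assumed three levels)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RiskEntry:
    threat: str          # stage 1 / NIST step 2: the threat source
    vulnerability: str   # stage 2 / NIST step 3: the weakness the threat could exploit
    likelihood: Level    # stage 4 / NIST step 5: chance that this pair materializes
    impact: Level        # stage 5 / NIST step 6: consequence for the organization

    def rating(self) -> int:
        # stage 6 / NIST step 7: risk as the cell of a 3x3 likelihood-by-impact matrix (1..9)
        return int(self.likelihood) * int(self.impact)

    def band(self) -> str:
        # Assumed thresholds that turn the numeric cell back into a qualitative band.
        r = self.rating()
        if r >= 6:
            return "HIGH"
        if r >= 3:
            return "MEDIUM"
        return "LOW"


# Stage 3: each entry pairs a threat with the vulnerability it relates to.
# Constructed sample register for a hypothetical 500-user organization.
SAMPLE_REGISTER: List[RiskEntry] = [
    RiskEntry("phishing campaign", "no multi-factor authentication on email", Level.HIGH, Level.HIGH),
    RiskEntry("ransomware", "backups never restore-tested", Level.MEDIUM, Level.HIGH),
    RiskEntry("power outage", "single UPS for the server room", Level.LOW, Level.MEDIUM),
    RiskEntry("insider misuse", "shared administrator account", Level.MEDIUM, Level.MEDIUM),
]


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register so the highest-rated risks come first; ties broken by impact."""
    return sorted(register, key=lambda e: (e.rating(), e.impact), reverse=True)


def summarize(register: List[RiskEntry]) -> List[Tuple[str, str, int, str]]:
    """Produce the ranked (threat, vulnerability, rating, band) rows a control review would start from."""
    return [(e.threat, e.vulnerability, e.rating(), e.band()) for e in prioritize(register)]
```

The ranked output is the input to the control recommendation and documentation steps; which band is mitigated, transferred, accepted or avoided remains a management decision rather than something the matrix decides.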
Then, the COBIT 5 method is selected due to its ability to serve the business needs of the medium-sized enterprise. Specifically, the IT department only represents a means of attaining the greater business objectives of the firm, meaning that the business component of the IT efforts is also essential. COBIT 5 is therefore recommended as it is the only risk management tool designed for IT components, but based on a business framework (ISACA).