|
IT risk management is the application of risk management methods to Information technology in order to manage IT risk, i.e.: :''The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization'' IT risk management can be considered a component of a wider enterprise risk management system.〔(ISACA THE RISK IT FRAMEWORK (registration required) )〕 The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.〔(Enisa Risk management, Risk assessment inventory, page 46 )〕 Different methodologies have been proposed to manage IT risks, each of them divided in processes and steps.〔 〕 According to Risk IT,〔 it encompasses not just only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit\value enabling risk associated to missing opportunities to use technology to enable or enhance business or the IT project management for aspects like overspending or late delivery with adverse business impact. Because risk is strictly tied to uncertainty, Decision theory should be applied to manage risk as a science, i.e. rationally making choices under uncertainty. Generally speaking, risk is the product of likelihood times impact (Risk = Likelihood * Impact).〔"Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)" (OHSAS 18001:2007).〕 The measure of an IT risk can be determined as a product of threat, vulnerability and asset values:〔 〕 Risk = Threat * Vulnerability * Asset A more current Risk management framework for IT Risk would be the TIK framework: Risk = ((Vulnerability * Threat) / Counter Measure) * Asset Value at Risk 〔(IT Risk Management )〕 IT Risk == Definitions == The Certified Information Systems Auditor Review Manual 2006 produced by ISACA is an international professional association focused on IT Governance, provides the following definition of risk management: ''"Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."''〔 〕 There are two things in this definition that may need some clarification. First, the ''process'' of risk management is an ongoing iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerability emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected. ''Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives''.〔 The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.〔 Risk management in the IT world is quite a complex, multi faced activity, with a lot of relations with other complex activities. The picture show the relationships between different related terms. The American National Information Assurance Training and Education Center defines risk in the IT field as:〔(NIATEC Glossary of terms )〕 # ''The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA approval. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis, certification, and approval.'' # ''An element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events. An effective risk management program encompasses the following four phases:'' ##a ''Risk assessment, as derived from an evaluation of threats and vulnerabilities.'' ## ''Management decision.'' ## ''Control implementation.'' ## ''Effectiveness review.'' # ''The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis, cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.'' # ''The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. lt includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.'' 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「IT risk management」の詳細全文を読む スポンサード リンク
|