Most IT organizations struggle with ensuring visibility into and control over IT risks due to the complexity of IT environments in large corporations. It is a challenge to ensure consistency in measuring and managing IT risk, and assessing its impact on disparate areas of the organization. It is becoming increasingly important to automate the IT risk management process to ensure effective monitoring & mitigation of IT risks.
Automating the IT Risk Management process is critical for organizations who want to secure their IT investments from internal and external risks related to information security, infrastructure, project management and business continuity processes. Furthermore, a well defined IT GRC program based on frameworks such as COBIT and ISO 27002 cannot achieve high maturity scores without process automation for risk and compliance management.
IT RISKS FACED BY ORGANIZATIONS
Companies are faced with IT risks from multiple sources which are not restricted to information systems.
Today, corporate battles can be fought using cyber warfare, wherein competitors steal sensitive information by hacking into corporate systems or exploiting their vulnerabilities. Such unethical acts of sabotage and vandalism can cause severe losses to an organization’s revenue, brand value and market share. Moreover, the organization is held liable for any data theft incidents related to payment card or patient healthcare information.
AUTOMATION OF THE IT RISK MANAGEMENT PROCESS
IT operations, fraud and surveillance systems such as threat and vulnerability management, configuration and compliance auditing and identity governance systems can be used as sources for automating the IT Risk Management process. Incidents arising from these systems can be mapped to IT Risk repositories, enabling incident response teams to evaluate their risk to the organization.
For instance, details about a newly registered Internet Explorer vulnerability in the National Vulnerability Database (NVD) can be automatically downloaded onto the IT Risk Management solution. Based on the Common Vulnerabilities and Exposures (CVE) list, the IT Risk Management solution can trigger an incident investigation and bind the incident to the information security asset or group of assets. The solution can then classify the risk ratings and severity of the incident based on the risk criteria (confidentiality, integrity, availability, effectiveness, efficiency, compliance and reliability) of the asset.
Following classification, the automated system can trigger the necessary action plan for owner(s) of the information asset. Should the vulnerability become a threat, the asset owner can trigger the risk assessment process and use the CVE# number to trigger proactive patch management. The asset owner can also discard the incident if it has little or no impact on the business (false alarm). In this way, risk management automation can bring more rigor and discipline to the tasks of IT threat and incident resolution, thus reducing compliance costs and business losses.