What is IT Risk Management? Updated for 2023
Upguard Blog – Edward Kost
The terms IT risk and information risk are often used interchangeably. They both refer to risk that threatens the protection of sensitive data and intellectual property.
Risk refers to decision-making situations where all potential outcomes, and their likelihood of occurrence, are known. On the other hand, uncertainty refers to decision-making situations where nothing is known – neither their potential outcomes nor their likelihood of occurrence.
The 7 Best IT Risk Management Strategies and Processes
1) Risk Identification
The first step to complete risk transparency is to identify all of your assets and their locations. This can be achieved through digital footprint mapping.
An attack surface monitoring solution could also identify all of your corporate assets and surface potential risks and vulnerabilities.
2) Identify Risk Levels and the Odds of Each Risk Being Exploited
Not all sensitive data is equal in the eyes of a cybercriminal; some categories are more coveted than others.
A study by IBM and Ponemon found that 80% of assessed data breaches involved customer Personal Identifiable Information (PII).
The level of risk for each data type can then be calculated with a risk formula.
Risk Level = Likelihood of a data breach x Financial impact of a data breach.
3) Prioritize Each Identified Information Security Risk
To keep the costs of internal security operations lean, response efforts must be efficiently distributed so that the most critical IT risks are addressed first.
This can only be achieved if critical risks are correctly classified. Though some risk calculations are quite accurate, their evaluation involves a lengthy manual process.
4) Establish a Risk Appetite
There are 5 control options: risk acceptance, risk avoidance, risk mitigation, risk transfer, and risk monitoring.
5) Mitigate Risks
These controls should be supported with Incident Response Plans (IRPs) to help security teams respond to threats in a timely and controlled manner.
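The following is an added worked example, not code from the UpGuard article, showing steps 2 through 4 end to end: the risk formula (likelihood x financial impact) applied to several data types, the resulting scores sorted so the most critical risk is handled first, and a risk appetite used as the threshold that selects one of the control options. The data types, the likelihood and impact figures, the appetite figure, and the multipliers that separate "mitigate" from "transfer" are all constructed assumptions for illustration; real values come from your own breach-cost and likelihood estimates.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class DataAsset:
    """One category of sensitive data, with constructed estimates."""
    name: str
    likelihood: float   # estimated annual probability of a breach, 0..1 (assumption)
    impact_usd: float   # estimated financial impact of a breach in USD (assumption)


def risk_level(asset: DataAsset) -> float:
    """Step 2: Risk Level = likelihood of a breach x financial impact of a breach."""
    return asset.likelihood * asset.impact_usd


def prioritize(assets: List[DataAsset]) -> List[DataAsset]:
    """Step 3: order assets so the highest risk level is addressed first."""
    return sorted(assets, key=risk_level, reverse=True)


def recommend_control(asset: DataAsset, appetite_usd: float) -> str:
    """Step 4: map a risk level to a control option using the risk appetite.

    Thresholds are assumptions chosen for this example:
      - within appetite            -> accept (and keep monitoring)
      - up to 5x appetite          -> mitigate with internal controls
      - beyond 5x appetite         -> transfer (outside party / cyber insurance)
    Monitoring applies to every tier, so it is not a separate return value.
    """
    score = risk_level(asset)
    if score <= appetite_usd:
        return "accept"
    if score <= 5 * appetite_usd:
        return "mitigate"
    return "transfer"


# Constructed sample inventory (not from the article).
SAMPLE_ASSETS = [
    DataAsset("customer PII", likelihood=0.30, impact_usd=4_000_000),
    DataAsset("employee records", likelihood=0.15, impact_usd=1_000_000),
    DataAsset("marketing analytics", likelihood=0.40, impact_usd=50_000),
    DataAsset("source code", likelihood=0.10, impact_usd=2_500_000),
]
SAMPLE_APPETITE_USD = 100_000  # constructed risk appetite


def risk_register(assets: List[DataAsset], appetite_usd: float) -> List[dict]:
    """Produce a prioritized register: name, risk level, and recommended control."""
    return [
        {
            "name": a.name,
            "risk_level_usd": risk_level(a),
            "control": recommend_control(a, appetite_usd),
        }
        for a in prioritize(assets)
    ]


if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS, SAMPLE_APPETITE_USD):
        print(f"{row['name']:<20} {row['risk_level_usd']:>12,.0f}  {row['control']}")
```

With the constructed figures, customer PII scores highest and falls outside the 5x band, so it is flagged for transfer; employee records and source code land in the mitigate band; marketing analytics sits within appetite and is accepted. The point of keeping the formula in one small function is that the prioritization and control decision are then reproducible, which addresses the article's remark that risk evaluation is otherwise a lengthy manual process.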
6) Transfer IT Risks
In many instances, it’s more efficient and less burdensome for internal security teams to transfer critical risks to either an outside party or a cyber insurance entity.
7) Monitor IT Risks and Compliance
Monitoring controls should also assess the effectiveness of mitigation controls. Cyberattackers are always adjusting their tactics to evade security defenses and mitigation strategies. A recent example is the use of ransomware in a supply chain attack by the cybercriminal group REvil.
Here are 14 important metrics that should be implemented in your IT risk management program.
1) Level of preparedness
2) Unidentified devices on internal networks
3) Intrusion attempts
4) Security incidents
5) Mean Time to Detect (MTTD)
6) Mean Time to Resolve (MTTR)
7) Mean Time to Contain (MTTC)
8) First party security ratings
9) Average vendor security rating
10) Patching cadence
11) Access management
12) Company vs peer performance
13) Vendor patching cadence
14) Mean time for vendors incident response
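As an added example (not code from the article), here is how three of the listed metrics, MTTD, MTTC and MTTR, can be computed from an incident log, together with the security incident count. The incident records are constructed for the example. The interval definitions are an assumption, since programs differ on them: MTTD is measured from when the incident occurred to when it was detected, MTTC from detection to containment, and MTTR from detection to resolution. An incident that is still open contributes to MTTD and MTTC but is excluded from MTTR, so the mean is not skewed by unfinished work.

```python
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Constructed incident records for the example (not real data).
# Timestamps are ISO 8601; "resolved" is None for an incident still open.
SAMPLE_INCIDENTS: List[dict] = [
    {"id": "INC-1", "occurred": "2023-03-01T08:00:00", "detected": "2023-03-01T10:00:00",
     "contained": "2023-03-01T13:00:00", "resolved": "2023-03-02T08:00:00"},
    {"id": "INC-2", "occurred": "2023-03-10T00:00:00", "detected": "2023-03-10T06:00:00",
     "contained": "2023-03-10T07:00:00", "resolved": "2023-03-10T18:00:00"},
    {"id": "INC-3", "occurred": "2023-03-20T12:00:00", "detected": "2023-03-20T13:00:00",
     "contained": "2023-03-20T15:00:00", "resolved": "2023-03-21T01:00:00"},
    {"id": "INC-4", "occurred": "2023-03-25T09:00:00", "detected": "2023-03-25T09:30:00",
     "contained": "2023-03-25T10:30:00", "resolved": None},  # still open
]


def _hours_between(start: str, end: Optional[str]) -> Optional[float]:
    """Elapsed hours between two ISO timestamps, or None if the end is not set."""
    if end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600.0


def incident_metrics(incidents: List[dict]) -> Dict[str, Optional[float]]:
    """Compute MTTD, MTTC and MTTR in hours plus incident counts.

    Interval definitions (assumption for this example):
      MTTD: occurred -> detected
      MTTC: detected -> contained
      MTTR: detected -> resolved (open incidents excluded)
    Returns None for a mean that has no data points.
    """
    detect = [_hours_between(i["occurred"], i["detected"]) for i in incidents]
    contain = [_hours_between(i["detected"], i["contained"]) for i in incidents]
    resolve = [h for h in (_hours_between(i["detected"], i["resolved"]) for i in incidents)
               if h is not None]
    return {
        "security_incidents": len(incidents),
        "open_incidents": len(incidents) - len(resolve),
        "mttd_hours": mean(detect) if detect else None,
        "mttc_hours": mean(contain) if contain else None,
        "mttr_hours": mean(resolve) if resolve else None,
    }


if __name__ == "__main__":
    for name, value in incident_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name:<20} {value}")
```

Tracking these means over successive reporting periods is what turns the list above into a monitoring control: a rising MTTD suggests detection coverage is slipping, while a rising MTTC or MTTR points at the response process rather than detection.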
Link: https://www.upguard.com/blog/it-risk-management