Quantifying the probability and business impact of potential threats
Providing an economic balance between threat impact and countermeasure cost
Normally, the IT Threat Assessment precedes the IT Vulnerability Assessment. However, Vulnerability Analysis results can identify relevant threats and Threat or Opportunity Analysis results can identify relevant vulnerabilities. The Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management business risk model categories can be mapped into IT risk analysis. For example, usually risk identification, description, and estimation are respectively included as asset valuation, action plan, and risk evaluation sub-processes.
The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, quantitative and/or qualitative factors effecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management’s IT processes risk assessment determines IT potential opportunity cost and control implementation criticality. Quantitative risk calculations include:
Exposure Factor = Percentage of asset lost caused by identified risk
Single Loss Expectancy (SLE) = Asset Value X Exposure Factor
Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year
Annualized Loss Expectancy (ALE) = SLE X ARO
Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)
Similar to business risk management, IT risk management is a continuous process that should be interlaced into the fabric of an entity. IT risks directly impact an entity’s ability to provide goods and/or services at an acceptable price. Inherently, computer hardware and software as well as personnel present potential risks to an entity achieving business objectives.
Through appropriate management, risks can be accepted, reduced, or transferred; however, IT related risk can never be completely eliminated. Minimally, IT governance risk management should address strategic alignment, value delivery, resource management, and performance measurement. Depending on the circumstances, entity and IT governance domain characteristics may overlap or have distinctiveness, yet IT controls continuity and stability can be sustained even when governance domain characteristics are mutually inclusive.
An entity’s business risk management framework should be a strategic axial enabled to accept diverse strategy spokes. Proactively, business risk management should represent the process whereby an entity methodically addresses risks attached to activities with the objective of achieving sustained benefit within each activity and across the activities portfolio.
Through project collaboration the Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management promote the following risk management process:
Risk management is not an issue any ‘going concern’ should consider a platitude used to demonstrate effective leadership. Those responsible for governance within an enterprise must be, without reservation, administrators dedicated to appropriately handling the risks that their organization encounters. In particular, the risks associated with information and related technology must be comprehensively identified and appropriately managed based on careful consideration of the impact and likelihood of the projected occurrence of detrimental events. It is in this arena that organizational risk management commonly fails to accurately portray the environmental landscape enabling resource optimization of initial investments and operational maintenance for IT.
Based on my careful analysis of the factors associated with information reliability, there is a medium-to-high inherent risk of a researcher conveying unreliable information through citing Wikipedia material due to inadequate identity management issues. Contextually, according to About.com, “In most cases, you should stay away from Internet information that doesn’t list an author… If the author is named, you will want to find his/her web page to:
• Verify educational credits
• Discover if the writer is either published in a scholarly journal
• Verify that the writer is employed by a research institution or university”
To provide an appropriate answer to this foundational question regarding Wikipedia an assessor must take into consideration the primary traits of reliability. Therefore, as previously stated in Wikipedia: An assessment from a user’s perspective – part 1 as well as documented in IT Auditing: Assuring Information Assets Protection, minimally, information contained within technology can be considered reliable when completeness, accuracy and validity attributes are independently verifiable as well as user neutral. In other words, information reliability requires representational faithfulness to ensure assertions and supporting purported events are in agreement.
Wikipedia is often been presented as a great research resource; however it is also a public forum, where any authorized user can make a declaration or an assertion. “If you find an article that provides relevant information for your research topic, you should take care to investigate the source to make sure it is valid and reliable. [Academically, this] is an essential step in maintaining sound research ethics.” Thus, an important question concerning any published work classified as encyclopedic material is: How valid and reliable is documented information?
As conveyed by TechTarget.com, “Identity management (ID management) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity.” In this area, based on my experience, Wikipedia software does not provide adequate mechanisms for user accountability as presented in a position paper by OneName Corporation’s Requirements for a Global Identity Management Service. Specifically, it appears there is no password synchronization defining the one-to-many correspondence that may exist between a user and authorized accounts.
Following the framework outlined in IT Auditing: An Adaptive System, a critical aspect of an IT assessment is the identification of related risks. Though Wikipedia Project Administrators commonly disavow their Internet endeavors are based on a Social Networking System (SNS), their activities appear to fit within an academically accepted definition of Social Media. Thus, there are application inherent risks. “These risk areas are similar to those brought about by other IT, such as inefficiency, wasted investment, insufficient effectiveness and lost opportunity. But, it also has some unique risk areas, including public image damage created by negative comments and postings in social media venues.” Consequently, my first identified weakness was recorded on August 21, 2012 concerning the integrity sub-domain of identity management.
This blog provides content regarding IT Governance, Risk, and Compliance topics. Occasionally, readers will receive suggestions enabling organizational enhancements to IT managerial principles and practices consistent with generally accepted international standards.