Risk Management Tools
The IT environment is probably the most complex and rapidly developing field in modern-day society, and it presents individuals and groups with numerous opportunities and challenges. What is often overlooked, however, is that the IT sector itself faces numerous risks, such as the possibility that an IT effort exploits a vulnerability within the system, or the risk that an IT effort causes more harm to, and strain on, the IT system.
In such a context, the management of IT risks is a crucial process that has to be carried out by all parties. The specialized literature on IT risks is rather scarce, given the relative novelty of the topic and the difficulty of producing a solution that mitigates them. Within a business context, the common recommendation is to develop and implement strategies tailored to the specific issues of the system. Within the IT context, however, the emphasis falls on automating the risk management techniques, in order to generate both operational and cost efficiencies in the processes of the IT departments.
At the specific level of risk management automation, there are several tools that IT departments across the globe can employ. One example is the automation of risk management using the NIST standards (National Institute of Standards and Technology), which is implemented through nine successive stages, as follows:
(1) The characterization of the system through questionnaires, document review and automated scanning tools, using the Security Content Automation Program (SCAP).
(2) The identification of natural, human and environmental threats. Microsoft products are most commonly used at this stage; they identify the following threat classes: environmental, human error, malicious insiders and malicious outsiders.
(3) The identification of the sources of vulnerability through a scanning process and the use of SCAP and the Automated Risk Management program.
(4) The assessment of the control levels and the safeguarding of the system.
(5) The determination of the likelihood as high, medium or low, based on the motivation of the threat, its capability and the controls in place for the vulnerability.
(6) The assessment of the impact as high, medium or low, based on the impact on the assets, the organizational mission, reputation and interests, and on death or injury to people in the system.
(7) The determination of the risk through the computation of algorithms that combine the preceding ratings, classifying the result as low, medium or high.
(8) The formulation of control recommendations through reports which "give a mapping of the featured safeguards which are missing, against the identified risks in order of impact" (ACR 2 Solutions).
(9) The documentation of the results in tables and charts of baseline reports and risk assessment charts.
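Stages (4) through (8) are the part of the NIST process that an automated tool actually computes. The following is an added example, not ACR 2's or any vendor's code, that carries those stages through for a constructed system: three-level likelihood and impact scales, a risk-level matrix (the NIST SP 800-30 weights are assumed here as the unnamed "algorithm" of stage 7, and the likelihood rounding rule is the example's own), and the mapping of missing safeguards against risks in order of impact. All threats, controls and safeguard names are constructed.

```python
from dataclasses import dataclass

LEVELS = ["low", "medium", "high"]
# Weights of the NIST SP 800-30 risk-level matrix; using it as stage (7)'s algorithm is an assumption here.
LIKELIHOOD_W = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT_W = {"low": 10, "medium": 50, "high": 100}

@dataclass
class Threat:
    """One threat/vulnerability pair from stages (2)-(3), rated on the page's three-level scales."""
    name: str
    source: str             # environmental, human error, malicious insider, malicious outsider
    motivation: str         # low / medium / high
    capability: str         # low / medium / high
    impact: str             # low / medium / high (stage 6)
    safeguards_needed: frozenset = frozenset()

def likelihood(t: Threat, controls: frozenset) -> str:
    """Stage (5): motivation and capability averaged, rounded up (example's rule); one level lower if all needed safeguards are in place."""
    level = (LEVELS.index(t.motivation) + LEVELS.index(t.capability) + 1) // 2
    if t.safeguards_needed <= controls:
        level = max(level - 1, 0)
    return LEVELS[level]

def risk_level(lik: str, imp: str) -> str:
    """Stage (7): likelihood weight x impact weight, bucketed 1-10 low, 11-50 medium, over 50 high."""
    score = LIKELIHOOD_W[lik] * IMPACT_W[imp]
    return "high" if score > 50 else "medium" if score > 10 else "low"

def assess(threats: list, controls: frozenset) -> list:
    """Stages (4)-(8): rate each threat and list its missing safeguards, ordered by risk then impact."""
    rows = []
    for t in threats:
        lik = likelihood(t, controls)
        rows.append({"threat": t.name, "likelihood": lik, "impact": t.impact, "risk": risk_level(lik, t.impact),
                     "missing_safeguards": sorted(t.safeguards_needed - controls)})
    return sorted(rows, key=lambda r: (LEVELS.index(r["risk"]), LEVELS.index(r["impact"])), reverse=True)

# Constructed sample: controls found in stage (4), and one threat per source class from stage (2).
SAMPLE_CONTROLS = frozenset({"mfa", "patching"})
SAMPLE_THREATS = [
    Threat("Unpatched web server exploited", "malicious outsider", "high", "high", "high", frozenset({"patching", "waf"})),
    Threat("Backup misconfigured", "human error", "low", "medium", "medium", frozenset({"change_review"})),
    Threat("Stolen credentials used", "malicious insider", "medium", "high", "high", frozenset({"mfa"})),
    Threat("Flood in data hall", "environmental", "low", "low", "high", frozenset({"offsite_backup"})),
]

if __name__ == "__main__":  # stage (9): print the baseline report
    for row in assess(SAMPLE_THREATS, SAMPLE_CONTROLS):
        print(f"{row['risk']:6} {row['impact']:6} {row['threat']:32} missing={row['missing_safeguards']}")
```

Note that the insider threat ends up medium despite high capability because its only needed safeguard (MFA) is already in place, which is exactly the effect stage (4)'s control assessment is meant to have on stage (5).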
All in all, "information security risk management has become so complex that only automation will make it possible to enjoy a reasonable degree of information security. The products from ACR, including scanning, risk assessment and integrated risk management, can help deal with the ever increasing threats to information security. The NIST protocols define "appropriate safeguards" for information security. The ACR automation of the NIST protocols makes the appropriate safeguards usable and affordable" (ACR 2 Solutions).
Another potential solution for automating the assessment of IT risks is SMART-Ra, a proprietary solution that addresses several limitations of other automated tools, such as the absence of metrics or operational complexity. The SMART-Ra solution is characterized by the following:
The formal assessment of risks through the ISO 27005 standard and the OCTAVE techniques
The systematic assessment of risk through the PDCA model (plan, do, check, act)
Automated risk assessment through the Fast Ra feature, which "provides fully automated risk assessment with a built-in database of standard assets, threats, vulnerabilities and controls" (Website of SMART-RA)
The creation of detailed reports, with multi-criterion filtering and export to other formats
The monitoring of risks, through the monitoring of risk mitigation controls and the identification of new risks after mitigation (Website of SMART-RA).
Lastly, the third potential solution for automating IT risk assessment is the Symantec Risk Automation Suite (SRAS), which is also a privately developed solution, characterized by greater flexibility and ease of use.
"SRAS automates and orchestrates enterprise IT security and risk management. SRAS simplifies and integrates network discovery, baseline configuration management and vulnerability management enabling reporting for enterprise risks and regulatory compliance. It offers flexible agent-based or agent-less data gathering options across multiple hardware and software platforms. SCAP validated, enterprise proven" (Website of Symantec).
The Symantec Risk Automation Suite is characterized by four distinctive features, as listed below:
The use of a SOA architecture, which allows the centralization of the managerial effort and integrated reporting across security tools through the decision support portal
The rapid discovery of assets and inventories across the entire network
The identification of vulnerabilities through detection and reporting for operating systems, the network, the infrastructure, applications and databases
Configuration auditing and policy management through the preservation of "an accurate inventory system configurations, including installed software, user accounts and system changes based upon SCAP compliant assessments" (Website of Symantec).
The table below presents a comparative analysis of the three risk automation tools in the field of Information Technology.
Advantages