Strategic Management of IT Risk

SIM ACADEMIC, Saturday December 11, 2004

George Westerman
Center for Information Systems Research (CISR), MIT Sloan School of Management
Phone: (617) 253-2939, Fax: (617) 253-4424
georgew@mit.edu, http://mitsloan.mit.edu/cisr/

This research was made possible by the support of CISR sponsors and, in particular, CISR patrons Gartner and DiamondCluster.

© MIT Sloan Center for Information Systems Research 2004 - Westerman

Four key enterprise IT risks

Objective / Definition

• Continuity: Keeping existing processes running and recovering from interruptions.
• Access Management: Ensuring that people have appropriate access to the information and facilities they need, but that unauthorized people do not gain access.
• Integrity: Ensuring that information is accurate, timely and complete, and meets the requirements of internal and external stakeholders.
• Strategic Change: Ensuring that new strategic initiatives, such as acquiring a firm, conducting a major business process change, or launching a new product / service, can be successfully implemented when needed.

Key drivers of IT risk*

1. Old/complex infrastructure
2. Non-standardized infrastructure or applications
3. Poor infrastructure management (patches, backup, etc.)
4. Knowledge of legacy or new skills missing
5. Over-reliance on contractors or key employees
6. Poorly understood systems and processes
7. Applications do not meet business or regulatory requirements
8. Major change underway or recently completed
9. Lack of RM process and awareness (will discuss later)

* These drivers had statistically significant correlations with two or more of continuity, access management, integrity and/or strategic change risk, based on 119 survey responses. Drivers listed here are summary-level combinations of multiple items from the survey.

Hierarchy of IT risk factors

Risk factors shown on the IT risk pyramid, listed from the top of the pyramid down:

• Poor IT/Business relations
• Customers demand integrated service
• Missing skills for new initiatives
• Apps do not meet business requirements
• Big implementation underway (or recently complete)
• Manual data integration required
• Applications need standardization
• Network not reliable to all locations
• Lack of internal controls
• Non-compartmentalized data
• Infrastructure not standardized
• Old technology
• Ineffective patch management
• Poor backup/recovery
• Over-reliance on key employees or contractors
• Poorly understood processes and applications

Pyramid levels, top to bottom: STRATEGIC CHANGE, INTEGRITY, ACCESS MANAGEMENT, CONTINUITY.

Each factor in a category (level) of the IT risk pyramid is statistically significantly correlated with the amount of risk in that category, and with one or more levels above it, based on 119 survey responses.

Three elements of effective IT risk management

• Risk Governance: Complete and effective risk-related policies combined with a mature, consistent process to identify, assess, prioritize, and monitor risks over time.
• IT Installed Base Simplification: IT infrastructure and applications that have inherently lower risk because they are well-architected and well-managed.
• Risk Expertise and Awareness: A skilled group of people who know how to identify and assess threats and implement effective risk mitigation. The rest of the staff is risk-aware.

Good process enables clearer decision making

Security Risk Map from EquipCo (2002)

Axes: Business Impact (vertical, Low to High) against Probability of Threat (horizontal, Low to High).
Legend: Risk / Safeguards.

Items plotted on the map:

• DOS
• Disaster Recovery / Continuity
• Infrastructure vulnerabilities
• Anti-virus
• User education
• Cyber crime
• Information privacy
• Access Management
• Supply chain security
• Application security
• Web Services
• PKI - Key Management
• Wireless LANs
• Email encryption
• PDA / Handhelds
• Secure IM application

Conclusion: Strategic Management of IT Risk

IT risks are complex (and can be very costly)
• IT threats and vulnerabilities drive four key enterprise risks
• Risk factors are inter-related
• Risk factors form a hierarchy

Process is a critical component of risk management capability

IT risk management can be a strategic tool
• Avoiding surprises
• Reducing fire-fighting (increasing focus on value-providing activities)
• Improving IT's ability to do strategic change
• Better relationships between business and IT