Chapter 1

Introduction

Overview

A detailed study has been started to understand Risk Management both conceptually and as a process in its own right, comprising several stages, tasks and responsibilities. A series of interviews has been conducted with an Information System Support Analyst working within the IT industry in order to identify the key aspects of organisational risk management in a typical IT firm. Reading several online research journals and conducting these interviews has shown that risk management is best understood either by studying case studies or by meeting key risk management practitioners, preferably working within the IT industry, to learn which types of risk they forecast and which measures they take to reduce the probability of their occurrence.

The focus of this research is on differentiating the application of risk management within small and large IT organisations, using CRAMM as the methodology. Relevant risk management practitioners are yet to be identified and approached for interviews and further analysis of the topic. Some evidence of the study to date is as follows:

Overview of Risk Management Process

An efficient and effective risk management strategy plays a vital role in building an organisation's information technology security. A major objective of a successful risk management process is not just safeguarding the organisation's IT infrastructure but also protecting the organisation's ability to achieve its objectives. Hence risk management should not be treated solely as an IT task but as the implementation of a strategic policy that is subsequently supported by strong computerised systems.

A number of experts and risk management organisations have recognised that, although risk management and analysis are critically important for organisations, they can be unsustainable without effective IT tools and methodologies.

Risk can be defined as the impact or effect of a weakness within a system, a department or an organisation. Risk is usually studied by calculating or estimating its probability and the impact of its occurrence. Organisational risks can be devastating to an organisation's ability to achieve its goals. Hence organisations are continually working to strengthen their risk management strategies and measures so as to reduce both the probability and the impact of occurrence. An effective risk management policy usually comprises the following stages:

  • Identification of Risks
  • Risk Assessment
  • Risk Analysis
  • Potential Risk Treatments
  • Risk Management Plan
  • Execution of Plan
  • Review and Evaluation of the Plan

Keeping the key objectives of this research in mind, the study is directed towards understanding the development framework of a typical risk management software application that is effective for assessing, analysing and mitigating the risks expected to occur within IT organisations and systems.

Importance of Risk Management in IT Organisation

Effective risk management is vital for every development- and production-based organisation. In a typical IT organisation, the development of vital computer applications is an ongoing process in which new ideas are computerised every day. This never-ending development involves a wide variety of IT resources. Even the smallest harm to such vital resources can result in large costs or time delays for the company. Hence, for an IT organisation, irrespective of its size, it is essential to have an effectively designed, tested and reviewed risk management process so as to avoid the worst consequences.

Within an IT environment there are risks involved in everything an organisation does, because of the heavy, non-stop use of high-profile computer applications and hardware. To be sure that all processes and systems are operated within safety and risk standards, it is essential to have a continuous risk identification and analysis process. Risk management contributes the following vital benefits:

  • Increased certainty
  • Better service delivery
  • Effective change management
  • Efficient use of resources
  • Better decision making
  • Confidence to invest in new innovations
  • Safer working environment

To understand risk management in detail, it is essential to identify the various risk management methodologies and frameworks currently applied in the market. Several risk management frameworks have been identified and studied in order to differentiate their application and their effect on the occurrence and impact of risks.

Risk Management Methodologies - CRAMM

A number of experts and risk management organisations have recognised that, although risk management and analysis are critically important for organisations, they can be unsustainable without effective tools, methodologies and frameworks. As expressed in the proposal, this research studies a market-leading risk management methodology called CRAMM (CCTA Risk Analysis and Management Method).

CRAMM was created in 1987 by the CCTA (Central Computer and Telecommunications Agency) of the United Kingdom government and is one of the market-leading risk management frameworks today. CRAMM is a sophisticated methodology, currently at version 5.0, which comprises a three-stage risk management framework:

  • Asset identification and valuation.
  • Threat and vulnerability assessment.
  • Countermeasure selection and recommendation.

CRAMM is a framework that follows a specific format. This format includes the following key components:

  • Interviews, meetings and surveys to gather data
  • Division of IT assets into categories such as data, software and physical assets
  • Assessment of the impact of a risk occurring
  • Identification of the likelihood of a threat occurring

Research Justification

An effective risk management strategy, when implemented in software applications, provides assurance to the senior executives of an organisation that the following objectives will be achieved:

  • The smooth development and delivery of products.
  • Time, cost and quality assurance of products to meet the required standards.
  • Timely analysis, assessment, control and management of the risks involved.
  • Effective and efficient standards of operation.

However, the risk management process can differ according to the size of the organisation. This research will also identify the differences between risk management implementations in large and small organisations.

Project Aims and Objective

A major aim of this research is to focus on the fundamentals of risk management strategy and the implementation of risk management systems, using CRAMM as the risk management methodology, within small and large business organisations.

Another key objective is to understand how large and small organisations currently safeguard their key internal and external information assets stored on various IT platforms, and how they reduce the probability of risks that could hinder them from achieving their objectives. This research will give a better idea of how organisations approach and accomplish their mission statements while safeguarding the internal systems that are their hubs and stores for information sharing.

A further objective of this research is to study the stages involved in designing and implementing an effective computerised risk management system in a generic business organisation. Initial study into risk management concludes that the purpose of the process is to minimise the probability of the high- and low-impact risks involved in implementing the IT systems that assist the smooth running of an organisation. Based on this study, the research will further provide a design and implementation of a risk management system, keeping in mind the key components, features and objectives of such systems.

The design will include the following four key components of a typical risk management system:

  • Risk Analysis
  • Risk Assessment
  • Risk Control
  • Risk Management

Project Problem Areas

Research has been fairly successful so far, although time is a concern, as it took considerable time for the project proposal to be accepted. Because of this the study started late, so it is slightly early to determine the problem areas; however, the following aspects have been identified as particularly challenging:

  • The most challenging aspect of this research to date is the key objective of understanding risk management from a practical point of view, i.e. how risk management is performed within real IT organisations. To accomplish this it is vital to conduct several interview sessions with individuals working in IT organisations, preferably within the risk management function.
  • Another challenging task is to identify the application of CRAMM within the IT environment. So far the research has only identified CRAMM within the ITIL environment, which, although relevant, is very specialised. This hinders understanding of the relevance of CRAMM as a leading methodology within the wider IT industry.
  • Consequently, it will be difficult to identify the technical design and architecture of such a risk management application, which is one of the major objectives of this research.

The above factors are challenging yet interesting, since every dissertation project brings difficulties and challenges. They are difficult but not impossible to overcome.

Literature Review Aims and Objective

The literature review supports the major aim of this research: the fundamentals of risk management strategy and the implementation of risk management systems, using CRAMM as the risk management methodology, within small and large business organisations.

Problem Area

In this competitive digital era, where organisations depend on various database-driven information systems to store the internal and external information that is key to their success, companies need strong risk management strategies and measures to protect their knowledge base and other important information assets. These assets, hosted on different IT platforms, together help the organisation achieve its goals and objectives. Hence an effective risk management strategy establishes strong policies, controls and measures to safeguard them.

Brewer (March 2003) agrees that an efficient and effective risk management strategy plays a vital role in building an organisation's information technology security. A major objective of a successful risk management process is not just safeguarding the organisation's IT infrastructure but also protecting the organisation's ability to achieve its objectives. Hence risk management should not be treated solely as an IT task but as the implementation of a strategic policy that is subsequently supported by strong computerised systems.

(Brewer, Dr. David. (March 2003))

A number of experts and risk management organisations have recognised that, although risk management and analysis are critically important for organisations, they can be unsustainable without effective IT tools and methodologies.

Risk Management Concept

In another article, Brewer expresses the view that in this competitive digital world, where organisations depend on various database-driven information systems to store the internal and external information that is key to their success, companies also need strong risk management strategies and measures to protect their knowledge base and other important information assets. These assets, hosted on different IT platforms, together help the organisation achieve its goals and objectives. Hence an effective risk management strategy establishes strong policies, controls and measures to safeguard them.

(Brewer, Dr. David. (March 2003))

Discussing the risks involved in e-commerce, Changduk, Han and Bomil (2000) argue that risk can be defined as the impact or effect of a weakness within a system, a department or an organisation. Risk is usually studied by calculating or estimating its probability and the impact of its occurrence. Organisational risks can be devastating to an organisation's ability to achieve its goals. Hence organisations are continually working to strengthen their risk management strategies and measures so as to reduce both the probability and the impact of occurrence. An effective risk management policy usually comprises the following stages:

  • Identification of Risks
  • Risk Assessment
  • Risk Analysis
  • Potential Risk Treatments
  • Risk Management Plan
  • Execution of Plan
  • Review and Evaluation of the Plan

Keeping the key objectives of this research in mind, the study is directed towards understanding the development framework of a typical risk management software application that is effective for assessing, analysing and mitigating the risks expected to occur within IT organisations and systems.

(Changduk, J., Han, I., Bomil (2000))

Risk Management in Information Technology Industry

According to several interview sessions with Mr Dilawer Khan of Cerillion Technologies Ltd, London, effective risk management is vital for every development- and production-based organisation. In a typical information technology organisation, the development of vital computer applications is an ongoing process in which new ideas are computerised every day. This never-ending development involves a wide variety of IT resources. Even the smallest harm to such vital resources can result in large costs or time delays for the company. Hence, for an IT organisation, irrespective of its size, it is essential to have an effectively designed, tested and reviewed risk management process so as to avoid the worst consequences.

Within an IT environment, Mr Khan claims, there are risks involved in everything the organisation does, because of the heavy, non-stop use of high-profile computer applications and hardware. To be sure that all processes and systems are operated within safety and risk standards, it is essential to have a continuous risk identification and analysis process. According to Mr Khan, risk management contributes the following vital benefits:

  • Increased certainty
  • Better service delivery
  • Effective change management
  • Efficient use of resources
  • Better decision making
  • Confidence to invest in new innovations
  • Safer working environment

(Information gathered during an interview with Mr Khan: Cerillion Technologies Ltd, London - 21/11/2009)

To understand risk management in detail, it is essential to identify the various risk management methodologies and frameworks currently applied in the market. Several risk management frameworks have been identified and studied in order to differentiate their application and their effect on the occurrence and impact of risks.

Risk Management in SMEs and Large Businesses

With the drastic growth in advertising and marketing over the internet, organisations, whether large multinationals or SMEs, have invested considerable revenue in making themselves known globally on the growing world wide web. Organisations have not just invested in advertising over the internet; the way businesses share confidential information has also changed drastically because of continual advances in the communication channels the internet provides. Nowadays businesses communicate globally over interconnected networks by converting information into digital and web-based storage and sharing media and allowing others to share it over the network.

As companies become paper-free and perform web-based transactions, viruses, malware, spam, phishing and other online criminal activities have become more and more evident. These intangible criminal activities have on several occasions caused businesses to lose large investments and have affected the trust users place in businesses operating over the internet. These threats have also increased the need to invest in securing business assets by protecting the company's technical resources and implementing strong IT controls and protocols to keep information protected.

An interesting article called "An Open Framework for Risk Management" by Craft, Wyss, Vandewart and Funkhouser (2000) argues that, with progress in communication and information-sharing platforms, online collaboration has become a major part of every organisation's daily tasks. What was gathered from interviewing Mr Khan agrees with this article: he expresses the view that such collaboration is important for companies yet carries an information security threat. Organisations need to ensure that any medium used for internal or external collaboration is fully protected. Organisations invest in information security according to their financial limitations. Hence the biggest difference in the strength of information security between SMEs and large organisations is that SMEs can invest only a limited amount in securing their information and collaboration channels.

Small and medium enterprises are also found to be less aware of the consequences of information security threats, while being more interested in investing in new communication channels and the transfer of digital information. The lack of finance to invest in securing these channels has resulted in major neglect of information security. These smaller firms also act as outsourcing partners to large organisations, handling all or part of a project or task on a contractual basis, so that the two firms are interlinked while the SME remains the weaker platform in terms of security. Large firms fail to appreciate that a weak link attracts cyber criminals.

(Craft, R., Wyss, G., Vandewart, R., Funkhouser, D - (2000))

Overview of CRAMM - Risk Management Methodology

One of the key objectives of this research is to perform a detailed investigation of the UK government's risk analysis and management method, CRAMM. Research has been carried out from various online resources on this method, and CRAMM practitioners have been consulted to obtain a closer and more practical view of it.

This research will later discuss a suitable scenario in which CRAMM can be implemented, and the technical design of a CRAMM risk analysis system.

CRAMM Method

Organisations today rely on the resources they have and the assets they have built over the span of their business. These assets usually include the data the business holds, the equipment needed to make use of that data, and the services the business offers. These assets are the bare necessities of any organisation, and protecting them is vital for a lasting income.

To protect the necessary assets of an organisation, various risk analysis, assessment and management methodologies have been practised and implemented. Risk analysis and assessment involve gathering information about a potential risk that may occur and assessing the impact of such an incident. Risk management involves taking measures to reduce the probability of such risks and identifying the procedures to follow if a risk materialises.

The UK government, through the CCTA, created a risk assessment and management software tool called CRAMM. CRAMM is not just a software tool but a complete management method, developed by UK government national security authorities to implement a secure working environment in businesses.

CRAMM assesses risk from three parameters: the value of assets, the potential threats, and vulnerability, which measures the likelihood that a threat succeeds given weaknesses in procedures and standards. These parameters are studied carefully during the initial risk analysis stage of CRAMM. The information is usually gathered with the help of the owners of the assets, such as data managers and technical support staff, and the review that results from this assessment includes countermeasures either to avoid the occurrence of risks or to define the steps to follow if a risk occurs, so as to minimise its effects.

The following are the stages involved in the CRAMM process, also expressed in the form of a diagram. These stages can also be considered as automated steps when working with the CRAMM software:

  • Initiation
  • Identification and Valuation of Assets
  • Information Impact Valuation
  • IT Software Applications Valuation
  • Threat and Vulnerability Assessment
  • Full Risk Analysis
  • Rapid Risk Analysis
  • Risk Calculation

Chapter 3 Risk Management with CRAMM

A number of experts (Craft, Wyss, Vandewart and Funkhouser; the 1999 "Guide for Selecting Risk Analysis Tools") and risk management organisations have recognised that, although risk management and analysis are critically important for organisations, they can be unsustainable without effective tools, methodologies and frameworks. As expressed in the proposal, this research studies a market-leading risk management methodology called CRAMM (CCTA Risk Analysis and Management Method).

CRAMM was created in 1987 by the CCTA (Central Computer and Telecommunications Agency) of the United Kingdom government. Its main purpose was to secure the information systems of UK government departments, and it is now one of the market-leading risk management frameworks, working as a qualitative risk analysis and management tool to reduce the probability of risk occurrences in businesses of almost any nature.

(Gilbert, I.E. (1999))

CRAMM is a sophisticated methodology, currently at version 5.0, which comprises a three-stage risk management framework:

  • Asset identification and valuation.
  • Threat and vulnerability assessment.
  • Countermeasure selection and recommendation.

CRAMM is a framework that follows a specific format, which includes the following key components:

  • Interviews, meetings and surveys to gather data
  • Division of IT assets into categories such as data, software and physical assets
  • Assessment of the impact of a risk occurring
  • Identification of the likelihood of a threat occurring

An earlier release, CRAMM version 3.0, was a highly interactive tool aimed specifically at the information technology sector and well suited to identifying the security requirements of an information management system. That version complied with the rules and standards of British Standard BS 7799:1995.

IT Risk Assessment with CRAMM System

Initiation

CRAMM risk analysis consists of a set of human interaction activities such as interviews, questionnaires and meetings. The review begins by setting its objectives, scope and boundary, and by identifying the project scope, the stakeholders and the end deliverables. The review proper starts with initial interview sessions with the stakeholders, conducted by CRAMM experts. There can be as many interviewees as the intensity of the project requires; the sessions are then documented in the initial documentation of the CRAMM risk analysis.

Identification and Valuation of Assets

As expressed by Mr Khan in an interview, and also by Krause and Tipton (2002), realistic estimates are important before starting the CRAMM analysis of an IT organisation or department. Krause and Tipton state that it is essential to estimate the actual value of organisational resources. Based on the valuation of assets, CRAMM experts then identify the level of security that needs to be audited and implemented. In a typical IT organisation there are various types of asset, of which the three main classes are as follows:

  • Data
  • Software Applications
  • Physical Assets (Hardware and Network)

After the assets have been clearly identified, it is necessary to identify the interdependencies between them so that the importance of each individual asset can be re-evaluated. Interrelated assets include the intranet, email, extranet and other information collaboration sources. At this stage the CRAMM risk analysts need to be extra cautious: if the asset models are made too detailed at the beginning of the project, the whole analysis becomes complicated; however, any lack of detail may cause unrealistic results.

(Krause, M., Tipton, H.F (2002)).

The analysis process starts with gathering the information sources, storage media and channels of communication. To obtain this information in its most appropriate and complete form, it is essential to identify the actual personnel responsible for data and information management in the company. In a generic IT organisation these are the data model managers, intranet supervisors and product managers, who are the key sources of information as well as the real owners of the key business data. The CRAMM practitioners then begin their review by initiating several interview sessions with these personnel. Since these are purely IT individuals who may have no knowledge of CRAMM reviews, the analyst must provide introductory sessions before commencing the analysis, so as to avoid capturing unnecessary information or missing what is needed.

(Labuschagne, L., Eloff, J.H.P (20020))
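The asset identification and dependency step described above, as an added example in Python that is not part of the original dissertation or of the CRAMM tool: a small constructed inventory of data, software and physical assets, a value propagation in which every asset inherits at least the value of the most valuable asset that relies on it, and a check for data assets that still lack an owner valuation. The asset names, the 1-10 scores and the rule that values propagate along dependencies are assumptions made for illustration.

```python
from dataclasses import dataclass

# Added example (not from the page or from CRAMM itself): a CRAMM-style asset
# model in which software and physical assets inherit the value of the data and
# services that depend on them. The inventory below is constructed for
# illustration; the 1-10 scores are assumed owner valuations.


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                 # "data", "software" or "physical"
    own_value: int = 0        # 1-10 impact score given by the owner; 0 = not yet valued
    depends_on: tuple = ()    # names of assets this one cannot operate without


def build_inventory():
    """Constructed inventory for a small IT firm (illustrative values only)."""
    assets = [
        Asset("customer_records", "data", 8, ("billing_app",)),
        Asset("source_code", "data", 6, ("git_server",)),
        Asset("billing_app", "software", 0, ("db_server", "app_server")),
        Asset("git_server", "software", 0, ("dev_host",)),
        Asset("db_server", "physical", 0, ("server_room",)),
        Asset("app_server", "physical", 0, ("server_room",)),
        Asset("dev_host", "physical", 2, ("server_room",)),
        Asset("server_room", "physical"),
    ]
    return {a.name: a for a in assets}


def dependents_of(inventory):
    """Invert the dependency edges: for each asset, which assets rely on it."""
    rev = {name: [] for name in inventory}
    for asset in inventory.values():
        for dep in asset.depends_on:
            if dep not in inventory:
                raise KeyError(f"{asset.name} depends on unknown asset {dep!r}")
            rev[dep].append(asset.name)
    return rev


def effective_values(inventory):
    """An asset is worth at least as much as the most valuable asset that
    relies on it, directly or transitively. A dependency cycle is an error:
    the asset model must be a tree or DAG for inherited values to be meaningful."""
    rev = dependents_of(inventory)
    memo = {}

    def value(name, path=()):
        if name in memo:
            return memo[name]
        if name in path:
            raise ValueError(f"dependency cycle through {name!r}")
        best = inventory[name].own_value
        for user in rev[name]:
            best = max(best, value(user, path + (name,)))
        memo[name] = best
        return best

    return {name: value(name) for name in inventory}


def review_gaps(inventory):
    """Data assets no owner has valued yet. Nothing downstream can inherit a
    value from them, so the review cannot proceed past this stage until it is done."""
    return sorted(a.name for a in inventory.values()
                  if a.kind == "data" and a.own_value == 0)


if __name__ == "__main__":
    inv = build_inventory()
    for name, v in sorted(effective_values(inv).items(), key=lambda kv: -kv[1]):
        print(f"{name:18} {inv[name].kind:9} own={inv[name].own_value} effective={v}")
    print("unvalued data assets:", review_gaps(inv))
```

In this constructed inventory the server room ends up carrying the value of the customer records (8) even though nobody valued the room directly, and the developer host rises from its own score of 2 to 6 because the source code repository runs on it. Keeping the model at this granularity, one node per service, host or data store rather than per file or table, is the balance the paragraph above warns about: detailed enough for the inheritance to be visible, coarse enough to be reviewable in an interview.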

Information Impact Valuation

Once the individuals have been determined and briefed on CRAMM reviews, the estimation of asset values starts. The key point here is to identify and analyse the consequences of loss of information, such as breach of a contract or unavailability of information for a specific period of time. The data owners help identify the circumstances in which data can become unavailable or compromised (web failure, data theft, breach of confidentiality, etc.).

CRAMM experts usually have predefined sets of guidelines to follow for different types of disaster. These guidelines and standards are usually generic and can be personalised with a little analysis and effort. After the initial analysis of information sources, it becomes easier for analysts to adapt the guidelines and prepare an analysis document specific to the individual scenario. These guidelines avoid large numbers: analysts express monetary values in thousands, so that 4,000 is recorded as 4 and 100,000 as 100. This technique reduces the probability of small numeric errors in asset valuations.

(Krause, M., Tipton, H.F. (2002)).

IT Software Applications Valuation

Another long interview session was arranged with Mr Khan of Cerillion Technologies, in which it was identified that, whereas in the analysis of information the CRAMM analysts interviewed the key stakeholders involved in information management, software applications as assets, although not physical, are easier to analyse and study than information. This is because the impact of the unavailability of such applications can easily be measured and tested, either by communicating with technical support personnel or through practical exercises such as switching the applications off. This measurement then helps identify the cost the company would incur should such an incident occur.

Although software applications are considered and measured among the other physical assets, the nature of their databases and the actual data inside those databases should be measured among the rest of the information sources. Here the concept of the three-tier architecture of applications arises. If an application has a three-tier architecture, harm to some of the layers could still allow the organisation to recover quickly at low cost. However, the business could bear a huge impact in case of any harm to the database, depending on the nature of the data.

Threat and Vulnerability Assessment

The final analysis session, which holds the greatest importance, is the measurement of the probability of threat occurrences. To measure this probability, CRAMM uses a predefined set of relational tables that allow various combinations of threat groups with asset groups. CRAMM begins by dividing assets into groups, which are then set against the set of threat groups. CRAMM's automated decision support capability then allows the risk analysts to determine the interrelations between assets and their probable risks. The threat groups to include are usually predefined by the customer organisation before the analysis starts, because businesses of different natures are susceptible to different threats depending on their assets and business processes.

With regard to the vulnerability aspect of risk analysis, CRAMM lacks detailed technical analysis of system applications and of analysis and design information. It is inclined towards the top executives and the risks they report; hence an analysis that requires deep research into applications would not be suitable via CRAMM.

(Information gathered during an interview with Mr Khan: Cerillion Technologies Ltd, London - 21/11/2009)

Once the critical analysis is over, the key information has been gathered and the key information resources have been identified, CRAMM allows two modes of risk analysis:

  • Full Risk Analysis

Full risk assessment and analysis is generally recommended. Analysts gather detailed information from the support or network personnel through face-to-face interviews and questionnaires. The information gathered from this review is then entered into CRAMM so that it can determine the risk groups using its decision-making functionality. CRAMM then rates the likelihood of each threat on five levels: "Very High", "High", "Medium", "Low" and "Very Low".

Vulnerability on the other hand is defined on a three point scale: "Low", "Medium" and "High". These levels define the probability of risk and vulnerability.

  • Rapid Risk Analysis

Rapid risk analysis is a quick analysis of possible risks, threats and vulnerabilities. These are defined using a three-point valuation, i.e. Very Low, Medium and High. Without much information analysis, the three levels are pre-defined in the system: Very Low means a probability of once in 10 years, Medium means a 30% - 50% probability of a considerable risk occurring, and High means a higher probability of risk occurrence. This information is gathered qualitatively, for example through brief questionnaires.

  • Risk Calculation

After the analysis and measurement of the probability of each threat against an asset, CRAMM can calculate the level of risk against each Asset Group. The level of risk is depicted on a 1 to 7 scale matrix (whereby 1 = Very Low and 7 = Very High). The matrix compares each asset, based on its value, to its relevant probable vulnerability and threat.

The system then generates executive-level reports and graphs to support understanding and discussion.

(Krause, M., Tipton, H.F (2002)).
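As an added illustration (not CRAMM's own relational tables, which the text notes are pre-defined inside the tool), the following Python sketches the scoring steps described above: five-level threat likelihood, three-level vulnerability, an asset valuation band, and a 1 to 7 risk level per asset group, with the rapid-analysis three-level threat scale handled as a subset of the full scale. The 1 to 10 asset value scale, the combination rule, the acceptable-level threshold and the sample asset groups are constructed assumptions for the example.

```python
"""CRAMM-style risk scoring sketch (added example; the combination rule and the
1..10 asset valuation scale are constructed assumptions, not CRAMM's own tables)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Scales named in the text: five threat levels (full analysis), three rapid
# levels, three vulnerability levels, and a 1..7 risk level (1 = Very Low, 7 = Very High).
THREAT_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
RAPID_THREAT_LEVELS = ["Very Low", "Medium", "High"]
VULNERABILITY_LEVELS = ["Low", "Medium", "High"]
RISK_MIN, RISK_MAX = 1, 7


@dataclass(frozen=True)
class Exposure:
    """One asset group set against one threat/vulnerability pairing."""
    asset_group: str
    asset_value: int      # constructed 1..10 valuation, 10 = most valuable
    threat: str           # a THREAT_LEVELS label (rapid mode: a RAPID_THREAT_LEVELS label)
    vulnerability: str    # a VULNERABILITY_LEVELS label


def _asset_band(asset_value: int) -> int:
    """Collapse the constructed 1..10 valuation into low/medium/high (0/1/2)."""
    if not 1 <= asset_value <= 10:
        raise ValueError(f"asset value must be 1..10, got {asset_value}")
    return 0 if asset_value <= 3 else (1 if asset_value <= 7 else 2)


def risk_level(asset_value: int, threat: str, vulnerability: str) -> int:
    """Full-analysis risk level on the 1..7 scale.

    Constructed rule: the threat and vulnerability indices add up to an exposure
    score (0..6), which the asset band shifts down or up by one; the result is
    clamped to 1..7 so the extremes map to Very Low / Very High.
    """
    if threat not in THREAT_LEVELS:
        raise ValueError(f"unknown threat level: {threat!r}")
    if vulnerability not in VULNERABILITY_LEVELS:
        raise ValueError(f"unknown vulnerability level: {vulnerability!r}")
    exposure = THREAT_LEVELS.index(threat) + VULNERABILITY_LEVELS.index(vulnerability)
    raw = RISK_MIN + exposure + (_asset_band(asset_value) - 1)
    return max(RISK_MIN, min(RISK_MAX, raw))


def rapid_risk_level(asset_value: int, rapid_threat: str, vulnerability: str) -> int:
    """Rapid-analysis variant: only the three rapid threat labels are accepted.
    They are a subset of the full scale, so the same combination rule applies."""
    if rapid_threat not in RAPID_THREAT_LEVELS:
        raise ValueError(f"rapid analysis accepts {RAPID_THREAT_LEVELS}, got {rapid_threat!r}")
    return risk_level(asset_value, rapid_threat, vulnerability)


def risk_matrix(asset_value: int) -> Dict[Tuple[str, str], int]:
    """The 5x3 threat/vulnerability matrix for one asset valuation."""
    return {(t, v): risk_level(asset_value, t, v)
            for t in THREAT_LEVELS for v in VULNERABILITY_LEVELS}


def assess(exposures: List[Exposure], acceptable: int = 4) -> List[dict]:
    """Executive-style summary: one row per exposure, highest risk first, with a
    flag showing whether the risk is already within the acceptable level (the
    'contain and reduce' goal rather than elimination at any cost)."""
    rows = [{"asset_group": e.asset_group,
             "risk": risk_level(e.asset_value, e.threat, e.vulnerability)}
            for e in exposures]
    for row in rows:
        row["acceptable"] = row["risk"] <= acceptable
    rows.sort(key=lambda r: (-r["risk"], r["asset_group"]))
    return rows


# Constructed sample asset groups for illustration only.
SAMPLE_EXPOSURES = [
    Exposure("Customer billing data", 9, "High", "High"),
    Exposure("Payroll system", 8, "Medium", "Low"),
    Exposure("Public web content", 2, "Medium", "Medium"),
    Exposure("Internal wiki", 5, "Very Low", "Low"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_EXPOSURES):
        status = "within tolerance" if row["acceptable"] else "needs treatment"
        print(f"{row['asset_group']:<22} risk {row['risk']}/7  {status}")
```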

CRAMM's Application

Through direct hands-on experience with a CRAMM-based tool, it was identified that CRAMM, as a methodology, is flexible enough to be incorporated at any stage of the information system life cycle, from planning through to live operation. CRAMM can be applied at any point in the information system life cycle to identify the security and/or contingency needs of an information system or network. This may include:

  • During strategy planning, the organisation may make use of high-level risk analysis to identify broad security or contingency requirements and to determine the relative costs and implications of implementation.
  • At the feasibility study stage, when looking at probable solutions, high-level risk analysis may be required to identify the broad security or contingency requirements and the costs involved in the various options.
  • During the analysis stage of the detailed business and technical environments, where the chosen option needs to be examined further and refined, high-level risk analysis may be required.
  • Before putting the software into a live environment, it is essential to perform a realistic analysis of procedural, personnel and security prerequisites to ensure standards are in place.
  • For the duration of live running, high-level risk analysis may be required where concerns about security or contingency issues arise, e.g. in reaction to a new or increased threat or to a security breach.
  • In order to ensure all required security and audit standards are in place, a further set of detailed analytical activities is vital to the successful implementation of CRAMM.

CRAMM Case Study

A Czech corporation took the decision to implement and operate an Information Security Management System using CRAMM. The risk analysis carried out with CRAMM was an essential part of the project and concluded with system certification in compliance with ISO/IEC 27001 (BS 7799).

With the superiority of CRAMM confirmed by numerous successful certifications and a broad spectrum of satisfied clients, it is now the most commonly used methodology in Europe for risk analysis and management.

Deeming it unnecessary to invest in the methodology and supporting tools themselves, the security department specialists turned to a leading consultancy firm for support. All the company specialists, alongside the members of the consultancy firm, worked collectively under the chosen "Partnership Approach".

This way of working used all resources effectively and guaranteed the transfer of knowledge to internal experts.

RISK ANALYSIS IS A SIGNIFICANT PART OF PREPARATION FOR ISMS CERTIFICATION

Project Initiation

The project team comprised 4 people: two internal specialists and two consultants, one of whom led the project. PRINCE2 was chosen as the methodology for project management and all related activities essential for a proper initiation. The Project Initiation Document is the first project output and summarizes every activity, from the project goal to detailed descriptions of activities, alongside a breakdown of all the resources used throughout the project.

All the information on the systems and the current documentation was gathered at the beginning.

Detailed Risk Analysis

Risk analysis was divided into two parts:

  • Identifying and Modelling Assets
  • Risk Evaluation

Identifying and Modelling Assets

For any organisation, assets associated with information processing are extremely valuable, the most important being data assets, whose identification tends to be particularly hard. The company processed vast amounts of data regarding its production, clientele, suppliers and personnel, alongside strategic management information.

Overall, a total of 10 groups and 54 subgroups were identified. Respondents chosen beforehand were interviewed using the data evaluation process. These respondents, who were all users of the data groups or subgroups, were able to describe probable breaches that could damage the company's standing or result in financial loss and other damage. All worst-case scenarios in which data is unavailable, disclosed or amended were looked into.

Project Initiation Document

  • Project goals
  • Approach used to conduct the project and methodologies applied
  • Project team and roles
  • Project stages, resources, outputs and responsibilities
  • Timeline
  • Quality assurance plan, project risks

Introduction

As previously expressed, the main purpose of this research is to gather realistic and practical information about Risk Management from Risk Assessors and project managers, and to learn about their daily life at work and the activities they carry out which allow them to manage risk within small and large organisations. Hence, this research is based on both primary and secondary data collection, with greater reliance on the primary information gathered through interviews and a questionnaire.

Major preference has been given to data gathered through several interview sessions with an Information Systems Analyst who has worked within the Information Technology industry for over 6 years and has been heavily involved in risk management and analysis. This is to identify the real nature of the tasks that risk managers perform within their working span. In addition to the interviews, a questionnaire has been designed and distributed amongst Information Technology professionals, Risk Assessors and Strategic Management staff so that they can express their views by answering a set of both open and closed ended questions.

A large part of the information has also been gathered from various articles and academic journals available on the internet. While gathering this secondary data, every effort has been made to maintain the basic focus of this research and to analyse the similarities between the secondary data and the information gathered through interview sessions with a professional applying basic risk management concepts within large and small organisations.

A major objective of this research is to study and understand the fundamentals of risk management strategy and the implementation of risk management systems, using CRAMM as a risk management methodology, within small and large business organisations.

Another key objective of investigating risk management is to understand how large and small organisations are currently safeguarding their key internal and external information assets stored on various IT platforms, and reducing the probability of risks that could hinder them from achieving their objectives. This objective has been achieved through various interview sessions with Mr. Khan of Cerillion Technologies Ltd. This research will help gain a better idea of how organisations approach and accomplish their mission statements while safeguarding their internal systems, which are the hubs and stores for better information sharing.

Another key objective of this research work is to study the stages involved in designing and implementing an effective computerised risk management system in a generic business organisation. The initial study into risk management concludes that the purpose of the process is to minimise the probability of high and low impact risks involved in implementing different IT systems which assist in the smooth running of an organisation. Based on this study, the research work will further provide a design and implementation of a risk management system, keeping in mind the key components, features and objectives of such smart systems.

The design will include the following four key components of a typical risk management system:

  • Risk Analysis
  • Risk Assessment
  • Risk Control
  • Risk Management

Research Framework

The research framework consists of a series of interviews and a questionnaire to gather qualitative and quantitative data. There have been almost 6 interview sessions, each lasting 1 to 2 hours. These sessions included both questions and training on CRAMM-based risk management tools, and have helped in understanding the key basics of the Risk Management process and its stages, as well as the computerised tools used by strategy makers, risk assessors and project managers in small and large organisations to perform their functions efficiently. For better understanding, the questionnaire has been written in English and is divided into three parts to capture data for the three key objectives of this research. This framework also includes information gathered by studying various journals and articles online written by highly experienced and qualified individuals within the risk management market.

Sampling

The target interviewees are mainly Risk Managers and Strategy makers working within information systems development environments.

Data Collection Tool

The main data collection tool is a questionnaire designed so that Risk Assessors or Project Managers can reflect on the processes and techniques they use to perform their jobs and deliver projects within time and budget. The questionnaire consists of both open and closed ended questions designed for ease of use by the target audience. The questionnaire will be used to analyse the target interviewees and their views on the focus area, which will help in the development of the final end product: a working model of what has been learnt about project managers through this research.

Data Analysis

This research provides a close study of risk management as a process and identifies the nature of the tasks and stages involved which lead to an efficient strategy. Key data analysis has been focused towards meeting the three main objectives of this research: to understand how small and large organisations are currently safeguarding their business against risks, what CRAMM is and how a CRAMM strategy combined with Information Technology becomes useful for businesses, and the third objective of identifying the technical design of a CRAMM-based risk management system.

Academic research/Secondary Research

A vast number of academic journals, articles and research papers have been studied to establish a bridge between the point of view gathered while interviewing Mr Khan of Cerillion Technologies Ltd and what has been expressed by various researchers online.

It has been noticed that these articles follow a specific conceptual approach towards the whole process of project management. Researchers tend to idealise the process of managing an IT project as a sequential process made up of a strict set of similar stages for projects of almost every nature. It was, however, identified that project management is completely different for Information System Development projects.

SAS for Risk Management

SAS is the leading provider of a new generation of business intelligence software and services that creates true enterprise intelligence. Creating intelligence from huge amounts of data, SAS is the only vendor that completely integrates data, analytics and business intelligence tools. Used at over 38,000 sites, including 99 of the Fortune 100 businesses, SAS solutions allow organizations to benefit through the development of profitable relations with their clientele and suppliers, helping them stay on top.

The SAS Solution

SAS provides a firm-wide solution which consists of processes for managing risk, discovering unique opportunities and communicating those opportunities to management, shareholders and outside analysts. SAS Risk Dimensions makes it possible for institutions to manage data throughout the organization, enabling the analysis of complex situations and the production of regulatory reports. It provides a single, comprehensive environment for data management that lets you:

  • Gain access to market data from anywhere in the world (irrespective of geographic location, legacy system or origin).
  • Qualify, clean and organize that data within a powerful environment that includes business rules, intelligent processes and validation.
  • Identify and evaluate multiple dimensions of risk, as well as your company's overall risk.

To determine risk measures, SAS provides risk analysis that enables data to be analyzed and explored (firm-wide, by location, by region, by division, by portfolio, by business unit, by line of business, etc.), resulting in almost limitless perspectives and innovative insights with regard to the allocation of capital in relation to risk and returns.

SAS enables decision makers to act quickly in response to changing market conditions, rapidly identify new strategic directions and uncover sources of prospective problems before they occur via risk reporting. Risk reporting transforms the immense amounts of data generated by your company into more manageable information that can be easily understood.

Critical Analysis

Risk management is imperative for IT. Many development projects fail to meet what is expected of them, and almost all online systems face an increasing array of threats. IT professionals need to give additional attention to these risks. CIPS (Canadian Information Processing Society) has taken the initiative and officially recognized the importance of conducting risk assessment at the beginning of every assignment and continuing risk management throughout.

The majority of us have a basic appreciation of what is involved in risk management. Every activity that is started faces several threats, each of which can lead to unintended results. Everything involves risk to a certain degree. Risk that is left unmanaged can lead to outcomes that are definitely unwanted. To lessen the negative impact of unplanned events, and in turn boost their positive impact, managing risk should be a significant part of the work.

Although that is a reasonable high-level description, it is not always easy to imagine how it should be translated into practice. A large number of risk management best practice guides are available, as well as quite a lot of specialized IT risk management best practice guides. Canada has its own Risk Management Guideline for Decision-Makers (CAN/CSA-Q850-7), a reasonable practice guide developed by a committee many of whose members came from the world of finance.

Specialized IT risk management best practice guides and standards also exist. The Institute of Electrical and Electronic Engineers has a Software Life Cycle Risk Management Standard (1549-2001), and the Software Engineering Institute of Carnegie-Mellon University has published best practice risk management guides for IT development, acquisition and operations. The difficulty at hand is to decide which guide to follow and how it fits with everything else that needs to be done.

The ten risk activities are:

1. Establish risk management alignment
2. Identify with relevant strategic business outcomes
3. Be aware of relevant business process objectives
4. Identify internal IT objectives and determine risk context
5. Identify events associated with objectives (business and IT oriented)
6. Sustain and monitor a risk action plan

My informal translation of ERM identifies five risk management maturity levels:

1. Initial - Risk management gets completed, but it takes a "hero" to make it come about.
2. Repeatable - Risk management is done, but predominantly for the "important" stuff.
3. Defined - There are enforced and employed risk management standards.
4. Measured - There are risk management measures covering everything important.
5. Optimized - Risk management is automatically being refined and enhanced.

My sense is that many British organizations have moved to the Initial level, but not all that far beyond level one. "Risk" is no longer regarded as a four-letter word. Furthermore, risk management is now acknowledged as a good thing, although the level of commitment is not high. Heroes are required. IT professionals have to rise to the challenge. Help your organization progress up the IT risk management maturity scale. Not only is it the professional action to take, but it will also be good for your career and for your organization's future.

Chapter 7 Conclusion

Organizations, reacting to pressure from competition, are now adjusting their use of capital. To remain on top and competitive, companies have to start looking at enterprise risk and measuring performance on a risk-adjusted basis. Management must persistently analyse and reanalyse the risk of unpredicted losses versus capital. Businesses that know the difference between superior returns and moderate volatility generally achieve superior valuations from financial markets. Adopting this belief and incorporating it into your business strategy is the key to executing a risk-based strategic initiative.

Technology

Three major technology pieces are required to implement an ERM platform successfully. The first is the capacity to obtain data easily from unrelated systems, transform it and load it into a common format. The second is a flexible risk engine capable of producing the necessary metrics. The third is the capacity of the ERM platform to communicate metrics effectively throughout the business. Communication technologies include portals, scorecards, dashboards, web-based reporting and traditional report creation tools. It is essential that all three components come together to create an integrated framework on which clients can build an ERM solution. In addition, the framework must scale with the demands of the organization.

Why Institutions Need Effective Enterprise Risk Management

  • Company Drivers

One of the prime objectives of a comprehensive risk management solution is to reduce the overall volatility of earnings while maintaining an adequate rate of return. To be successful internally, this concept means that management must understand that behaviour must be rewarded based on risk-adjusted return. Performance measured solely on returns or on risk undermines the overall objective of decreasing earnings volatility and increasing shareholder value. Management must work to identify a risk-adjusted rate of return by which to measure the business. These measures tend to reward behaviour that maximizes return while providing an incentive to examine and adjust the risk taken by the corporation.

Externally, on the other hand, corporations must constantly battle for attention from analysts and investors. Firms that are able to demonstrate lower earnings volatility than their competitors tend to be rewarded with higher valuations. Similarly, firms that are able to demonstrate superior control to creditors may enjoy a lower cost of debt than their competitors.

  • Regulatory Forces

On several occasions, many companies are forced to re-examine their risk control process due to changes in regulatory requirements. FAS133, FR932.5, the new Basel Capital Accord and a host of other regulations oblige companies to make use of risk management tools for regulatory reporting and compliance purposes. Companies that fail to meet regulatory compliance acceptably risk adverse market reactions or stiff fines. To comply with these new regulations, many firms have begun to create risk methodologies for the first time. An effective ERM platform would help clients meet or exceed these new requirements.

Communicate Risk Measures throughout the Organization

A successful risk management initiative requires end-to-end communication of the company's goals and objectives. This task is carried out between the RMS provider and the higher level directors who are the actual strategy makers. It is very common for firms to re-visit, at the end of the year, a mission statement or goals published at the beginning of the year. The initial definition of the global strategy and mission statement that is used to guide the direction of the firm is decided by executive management. The control committee or Chief Risk Officer then goes on to shape this predetermined direction further by determining measurable objectives for the fiscal planning period(s).

Strategic Analysis

Once company goals and objectives have been communicated, users need to be able to modify corporate strategy when they need to avoid a negative situation. Before any form of unified strategy can be made, it is vital that the key indicators contributing to the overall strategic objectives are identified. Numerous analysis techniques are available which can aid in determining the cause of abnormal conditions or provide insight into possible opportunities to improve revenue.

Most of these Strategic Analysis techniques are common when we talk about enterprise risk management; however, their utilisation is rarely seen. These strategies are used to carry out what-if analysis for both small and large businesses. Some of these include:

  • Conditional Risk Indicator analysis.
  • Simulations of scenarios.
  • Sensitivity analysis of risk indicators.
  • Risk Indicators Ranking.
  • Multiple period simulations.
  • Shock Analysis.

The above techniques are mostly designed to allow businesses first to create the what-if scenarios and then to experiment with them.

If used correctly, CRAMM, in a small or large organisation, can provide a number of benefits, the most important of which the CRAMM user manual identifies as the ability to provide a method by which expenditure on security and contingency can be justified. This statement reflects the movement of the UK Government away from a risk avoidance strategy towards a risk management strategy. In other words, you should be aiming at containing the risk and reducing it to an acceptable level, rather than attempting to eliminate it at any cost. Another benefit is that CRAMM will assist you in assessing requirements and options for contingency planning.

Chapter 8 References / bibliography

  • Brewer, Dr. David. "Risk, Security and Trust in the Open World of ECommerce." May 1999. URL: http://www.itsecurity.com/papers/p35.htm
  • Brewer, Dr. David. "Risk Assessment Models and Evolving Approaches." IAAC workshop, London. July 2000. URL: http://www.gammassl.co.uk/topics/IAAC.htm
  • [CAI01] "CAIDA Analysis of Code-Red." 15 August 2001. URL: http://www.caida.org/analysis/security/code-red/
  • "Overview of Attack Trends." 19 February 2002. URL: http://www.isalliance.org/resources/papers/attack_trends.pdf
  • Changduk, J., Han, I., Bomil, S. "Risk Analysis for Electronic Commerce Using Case-Based Reasoning." 1999. URL: http://afis.kaist.ac.kr/download/inter_jnl012.pdf
  • Chisnall, W. R. "Applying Risk Analysis Methods to University Systems." EUNIS 97, European Cooperation in Higher Education Information Systems, Grenoble, France. 9-11 September 1997. URL: http://www.lmcp.jussieu.fr/eunis/html3/congres/EUNIS97/papers/022701.html
  • "Computer Economics Security Review 2002." URL: http://www.computereconomics.com/cei/news/secure02.html
  • Craft, R., Wyss, G., Vandewart, R., Funkhouser, D. "An Open Framework for Risk Management." 21st National Information Systems Security Conference Proceedings. October 1998. URL: http://csrc.nist.gov/nissc/1998/proceedings/paperE6.pdf
  • "Financial losses due to Internet intrusions, trade secret theft and other cyber crimes soar." March 2001. URL: http://www.gocsi.com/prelea/000321.html
  • "CERT/CC Statistics 1988-2001." URL: http://www.cert.org/stats/cert_stats.html
  • "About CRAMM." URL: http://www.crammusergroup.org.uk/cramm.htm
  • CRAMM User Guide, Issue 2.0. Walton-on-Thames: Insight Consulting, January 2001.
  • "New Private-Sector Internet Security Alliance Launched." 23 April 2001. URL: http://usinfo.state.gov/topical/global/ecom/01042303.htm
  • "A Practitioner's View of CRAMM." September 1997. URL: http://www.gammassl.co.uk/topics/hot5.html
  • Gilbert, I.E. "Guide for Selecting Risk Analysis Tools." NIST Special Publication 500-174. October 1989. URL: http://csrc.nist.gov/publications/nistpubs/500-174/sp174.txt
  • Krause, M., Tipton, H.F. "Section 3-1: Risk Analysis." Handbook of Information Security Management. December 1999. URL: http://secinf.net/info/misc/handbook/242-244.html
  • Labuschagne, L., Eloff, J.H.P. "Risk Analysis Generations - The Evolution of Risk Analysis." August 1999. URL: http://csweb.rau.ac.za/deth/research/articles/ra_generations.pdf
  • "Description of Automated Risk Management Packages that NIST/NCSC Risk Management Research Laboratory have examined." March 1991. URL: http://www.eff.org/Privacy/Newin/New_nist/risktool.txt
  • Ozier, W. "A Framework for an Automated Risk Assessment Tool." 15 August 1999. URL: http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=228
  • Hinton, C. "CRAMM." December 2001. URL: http://www.scmagazine.com/scmagazine/sc-online/2001/review/059/product.html
  • Venter, H.S., Labuschagne, L., Eloff, J.H.P. "Real-time Risk Analysis on the Internet." March 1999. URL: b.rau.ac.za/ifip/workgroup/docs1999/11_sec1999.doc