IT GRC - Let's Talk About Risk!

Earlier this week we discussed IT Governance, Risk, and Compliance (IT GRC) with a specific focus on IT Governance. To read more of that post, click here. Today we are going to focus on the second component of IT GRC, IT Risk.

In keeping with consistency, Gartner defines IT Risk as "the potential for an unplanned, negative business outcome involving the failure or misuse of IT" (Gartner, 2012). This is a broad definition that could encompass many different aspects that an organization should be concerned about that includes two suggestions about why risk might occur: 

• Failure
• Misuse

These are both excellent reasons for IT Risk within an organization. If your infrastructure fails, your risk increases. If your users do not use your systems, both hardware and software, as intended, your risk will increase. Related to these causes are the potential outcomes which are the first part of the Gartner definition. These outcomes are as follows:

• Unplanned Business Outcome
• Negative Business Outcome

When it comes to IT Risk, we want to look at three main areas of focus. **Note, this is going to be a high level overview of these three areas as each one could be its own blog post!** The three areas that we want to evaluate and interrogate are:

1. People- Truth is, people are the weakest link in Information Security and IT Risk. The human aspect of IT is being exploited every day to allow evil doers access to your organization. Think of phishing emails and ransomware. These are perfect examples of no matter how great your technology is, a human being can make a poor decision and cause great harm. Another item related to people is assessing whether they need to have access to the information in question. Not all your staff need access to electronic protected health information just like not all your staff need access to your HR system or payroll system. 
2. Processes - This is an area where organizations struggle. Other terms for this might be controls or policies and procedures. People don't like policies or procedures (think about the dreaded password policy), but, they are essential for organizations to put in place to mitigate their risk. What processes do you have in place to reduce the risk of unplanned business outcomes or negative business outcomes due to failure or misuse?
3. Technology - As strange as this might sound, this could be the easiest of the three to manage. Technology works out of the box (with proper configuration of course). The areas where technology fails us is when we don't have proper processes in place (think patch management when it comes to vulnerability management) or people mess it up (does writing passwords on a post-it note sound familiar?) Keep up with your patches, make sure you close your ports and you are ahead of the game (this is over-simplified but you get the point).

IT GRC is a huge topic to discuss and can be a huge undertaking for an organization. This is why on August 3rd, Compass IT Compliance is hosting a webinar that discusses IT GRC programs, what they are, and how to get started with one in your organization. Details are below and click on the link to register. Till next week when we talk about everyone's favorite part of IT GRC.......Compliance!

When: Wednesday August 3rd @ 1:00 PM EST

Duration: 30 Minutes with Q&A Session

Where: Online, register below

Reference:

Gartner. (2012, February 10). IT risk - Gartner IT glossary. Retrieved July 26, 2016, from Gartner IT Glossary, http://www.gartner.com/it-glossary/it-risk