What Is Technology Risk? - RiskLens
文章推薦指數: 80 %
Technology (or IT Risk), a subset of Operational Risk: Any risk to information technology or data or applications that negatively impact ... CyberRiskQuantification ChallengesManagingCyberRisk EvolvingRoleofCybersecurity WhyQuantifyCyberRisk? TheFAIR™Standard Solutions ByTopic NIST-CSF+FAIR™ CybersecurityPrioritization&Justification DigitalTransformation Regulatory&Privacy ByRole Board&BusinessExecutives CISOs CIROs CyberRiskAnalysts ByIndustry FinancialServices HealthcarePayers USFederalGovernment Technology&DigitalServices Products&Services FeaturedCapabilities RapidRiskAssessment TopRiskAssessment RiskTreatmentAnalysis Products Packages&Plans Platform Services Training&Certifications FAIR™Training&Certification RiskLensTraining&Certification Resources Blog Events/Webinars CaseStudies eBooks Whitepapers Videos Company WhyRiskLens RiskLensFAIREnterpriseModel™ MeettheTeam Careers Partners News RequestaDemo CyberRiskQuantification ChallengesManagingCyberRisk EvolvingRoleofCybersecurity WhyQuantifyCyberRisk? TheFAIR™Standard Solutions ByTopic NIST-CSF+FAIR™ CybersecurityPrioritization&Justification DigitalTransformation Regulatory&Privacy ByRole Board&BusinessExecutives CISOs CIROs CyberRiskAnalysts ByIndustry FinancialServices HealthcarePayers USFederalGovernment Technology&DigitalServices Products&Services FeaturedCapabilities RapidRiskAssessment TopRiskAssessment RiskTreatmentAnalysis Products Packages&Plans Platform Services Training&Certifications FAIR™Training&Certification RiskLensTraining&Certification Resources Blog Events/Webinars CaseStudies eBooks Whitepapers Videos Company WhyRiskLens RiskLensFAIREnterpriseModel™ MeettheTeam Careers Partners News RequestaDemo Blog | Post WhatIsTechnologyRisk? June16,2021 RiskLensStaff Guides&Tips Share: WhatIsTechnologyRisk? Technologyrisk,ITrisk,cyberrisk–what’sthedifferenceamongthesecommonlyusedterms,andistherereallyadistinctioninatimeofdigitaltransformation? Generally,riskmanagementhaslookedattheworldofriskwiththishierarchy: OperationalRisk:Anyeventthataffectstheorganization’sabilitytooperate Technology(orITRisk),asubsetofOperationalRisk:Anyrisktoinformationtechnologyordataorapplicationsthatnegativelyimpactbusinessoperations.Thiscouldcoverarangeofscenarios,includingsoftwarefailuresorapoweroutage. CyberRisk,asubsetofTechnologyRisk:Losseventscenariosstrictlywithinthecyberrealm,suchasphishing,malware,databreach. Ifitsoundslikethere’slotofroomforcrossoverinthesedefinitions,that’sright.GartnerhassuccessfullyadvocatedforIntegratedRiskManagement(IRM)thattakes“acomprehensiveviewacrossallbusinessunitsandriskandcompliancefunctions,aswellaskeybusinesspartners,suppliersandoutsourcedentities.”InGartner’sview,riskmanagementisacontinuum,asshowninthisgraphic,drivingtowardDigitalRiskManagement(DRM,ontheleft),asbusinessprocessesallbecomedigitalinonewayoranother. DefiningTechnologyRiskinFAIRTerms FactorAnalysisofInformationRisk(FAIR™)isthestandardforquantificationofcyberandtechnologyriskinfinancialtermstoenablejustification,prioritization,andcommunicationofsecurityinvestmentswithinanorganization. InFAIRterms,riskisdefinedasthe ProbableFrequencyandProbableMagnitudeofFutureLoss ThestartingpointforFAIRquantitativeanalysisisariskscenarioorriskstatementthataddressesatechnologyproblemthebusinessneedstosolve.Theformatis: "[ThreatActor]impacts[Confidentiality,Integrity,Availability]of[anAsset]via[SomeMethod]" Forexample: “Analyzetheriskassociatedwithanexternalthreatactorestablishingafootholdonthenetworkthroughatrustedsecurityvendor’sapplication(e.g.SolarWinds)resultinginabreachofsensitivedatainourcrownjewelasset.” TheFAIRstandardshowsthewaytobreakthescenariodownintofactorstoquantifytheprobablefrequencyandimpactofsuchanevent,basedontheorganization’sexperienceorindustrydata. TheFAIRmodelishighlyflexible,andstillvalidwithlesscyber-centricscenarios. TryitNOWatnocost:OurFreeIndustryCybersecurityReportdemonstratesthepotentialfinancialcostofkeynegativecybersecurityeventslikeransomware,insidererrorandmorewithjustafewsimpleinputs. AdditionalResources InthisRiskLenscasestudy,afurnituremanufacturerwantedtodetermineifitshouldkeeppayingtheannualsubscriptionfeeforsupportfromthetechnologyvendorforitsorderfulfillmentsystemorbringthemaintenanceofthesystemin-house. Ifanemployeemisconfiguredthesystem,whatwouldthataccidentcosttheorganizationintermsoflostsales,responsecosts,orotherimpacts?Howwouldthatcomparewiththeongoingsubscriptioncost? Scenario:“Analyzetheriskassociatedwithanon-maliciousprivilegedinsiderimpactingtheavailabilityoftheorderfulfillmentsystemviaamisconfigurationresultinginasuspensionoffulfillment.” QuantifiedriskanalysisontheRiskLensplatformbasedonFAIRshowedthatstayingwiththesubscriptionservicewouldshortenresponsetimetoanoutage,reducingtheimpacttoalevelthatjustifiedthe$1millionannualinvestment. Learnquantitativecyberriskanalysis,enhanceyourcareerinriskmanagementwithFAIRtrainingfromtheRiskLensAcademy. WhatIsanITRiskAssessment? Riskanalysisandriskassessmentaretwomoretermsthatoftenusedinterchangeablybutwithanimportantdistinction.Whileariskanalysismightlookatasinglescenario,ariskassessmentgivesabroaderlookatriskacrossscenariostosupportbusinessdecision-making,particularlytojustify,prioritizeandcommunicatesecurityinvestments.TypesoftechnologyorITriskassessmentsinclude: RapidRiskAssessment:Runaquickseriesofriskanalysestoaggregateandcompareoutcomes,forinstancetoprioritizetoprisksforresponsebasedonlossexposureindollarterms. LearnaboutRapidRiskAssessmentontheRiskLensplatform. AggregateRiskAssessment:Understandandquantifytheorganization’stotalprobablelossexposureforinformationtechnology.Gaingranularinsightsbylookingacrossscenariostospotwhichthreatcommunitiesorassettypesposethegreatestrisktotheorganization,orwhichbusinessunitscarrythemostlostexposure,relevantinsightforaCISO(chiefinformationsecurityofficer)decidingonhowandwheretotargetdefenses. Tofullysupportbusinessdecisions,riskassessmentsshouldbepresentedwithrisktreatmentoptionsfortherisksidentified. Arisktreatmentanalysis Establishesabaselineoflossexposurefromthecurrentsituation Runs“what-if”scenariostocomparetheriskreduction(infinancialterms)fromthecurrentstatethatalternateproposedcontrolsprocesschangescouldachieve. Mayincludeacost/benefitorreturn-on-investment(ROI)analysiscomparingthecostofnewsecurityinvestmentstotheireffectonriskreduction. Webinar:LearnaboutRiskLensRiskTreatmentAnalysisforCost-EffectiveDecision-Making WhatIsITorInformationTechnologyRiskManagement? Riskmanagementisacomprehensiveprocessthatrequiresorganizationsto:(i)framerisk(i.e.,establishthecontextforrisk-baseddecisions);(ii)assessrisk;(iii)respondtoriskoncedetermined;and(iv)monitorriskonanongoingbasisusingeffectiveorganizationalcommunicationsandafeedbackloopforcontinuousimprovementintherisk-relatedactivitiesoforganizations. --NationalInstituteofStandardsandTechnology(NIST)SpecialPublication800-39:ManagingInformationSecurityRisk AsNISTadvises,thefirststepinriskmanagementisto“frame”risk,inotherwordsestablishacommonterminologyandmeasurementsystem–ideallyonebasedonastandardsuchasFAIRthatnormalizesriskvocabulary--andonquantitativeanalysisthatmeasuresriskinthefinancialtermsusedtocommunicateacrosstheenterprise,alsotheoutputofFAIRanalysis.Withrisktreatmentanalysis,organizationcanalso“respond”and,withongoingriskassessments,“monitor”throughariskdashboard. CompliancewithITRiskManagementFrameworks Manyorganizationsmakeinformationriskmanagementalessthan“comprehensive”processbyfocusingoncompliancewithframeworks–treatingpublicationslikeNIST800-39thatrecommendvarioussecuritypracticesorcontrolsaschecklists,ontheassumptionthatthemorecontrolsimplemented,thelowertherisk.Withoutquantitativeriskmeasurement,however,that’sanunprovableassumption. Theframeworksaregoodfoundationalguidesforasecurityprogram.Buttheirstrictlytechnicalapproachtocybersecuritycan’tbefullyalignedwithbusinessneeds,suchasdeterminingsecurityinvestmentsorcommunicatingtheneedforbudgettothebusinessbasedonROI. TypesofRiskManagementFrameworks ControlFrameworks >>TheSANSCISControlsisabasiclistofcybersecuritycontrolsthatshouldmitigate80%ofattacks.NIST800-53isanextensivelistofcontrolsthat,practicallyspeaking,noorganizationwouldeverimplementinentirety. Note:FAIRisincludedinthe SANSCISControlsposter aspartoftheFiveKeysforBuildingaCybersecurityProgram. ProgramFrameworks >>ISO27001bringsinbusinessrequirementstoacontrolslistbutdoesn’tprescribeaspecificapproachtoanalyzingrisk.ThepopularNISTCSFmapsspecificcontrolstoeachcybersecurityfunctionforagoodtechnicaloverviewofariskmanagementprogram. Note:TheNISTCSFincludesFAIRasan“informativereference”amongitsrecommendedcontrolsandprocesses. Neitherthecontrolsframeworksnortheprogramframeworkscananswerthebasicquestionsforbusinessdecision-making,suchas“ifweinvestinonesecuritycontroloranother,howmuchlessriskwillwehave?”FAIRcomplementstheframeworksbyprovidingthemissingquantitativeriskanalysis. TechnologyRisk,BusinessContinuityPlanningandResilience Largeorganizationsoftencreateabusinessimpactanalysisstatement(BIA)tounderstandthelinksbetweenprocessesthatdrivethebusiness,andtheprobableoutcomesofoutagesduetoman-madeornaturaleventsthatmightsignificantlyinterruptoperations.Forinformationtechnology,thatmeansbusinesscontinuityplansshouldprioritizeITresourcestominimizetheeffectofanoutageonthebusiness.Typicaloff-the-shelfBIAs,however,sharethefaultofothernon-quantitativeriskassessments–theycan’tcommunicateriskinbusinessterms.Learnhowoneorganizationraisedtheirgameonbusinessimpactanalysis: CaseStudy:HealthcareSupplierUsesRiskLenstoIdentifyBestBusinessContinuityStrategy Ransomware:WhereCyberRisk,TechnologyRisk,OperationalRiskandEnterpriseRiskConverge TherecentransomwareattacksonColonialPipeline,thefueldistributor,andJBSUSA,themeatpacker,twoownersofcriticalinfrastructure,quicklyjumpedtheincreasinglyirrelevantlinesamongriskdisciplines. IntheColonialPipelinecase,thecompanychosetoshutdownfuelshipmentafterransomwarehittheirbusinesssystems.DetailsfortheJBSUSAcasearen’tyetclear—whethertheransomwarepenetratedtotheiroperationalsystems,orthecompanyalsohaltedproductionlinesoutofcaution. Eitherway,acyberriskquicklyescalatedthroughtechnologyrisktooperationalriskandultimatelyarisktotheenterprise,potentiallyinmaterialimpactonthebottomlineandcertainlyreputationandperhapslegalandregulatoryimpact. TheNationalInstituteofStandardsandTechnologyrecentlyreleasedIntegratingCybersecurityandEnterpriseRiskManagement (NISTIR8286)toadviseorganizationsondealingwiththisnewriskreality. ThepublicationcalledoutFAIR,asarecommendedtoolto“betterprioritizerisksorpreparemoreaccurateriskexposureforecasts”inariskregister.NISTIR8286alsoendorsedmanyofthestandardpracticesofFAIRanalysis,includingriskprioritization,riskscenariomodeling,MonteCarlosimulations,and,ofcourse,quantificationofcyberriskinfinancialterms. Learnquantitativecyberriskanalysis,enhanceyourcareerinriskmanagementwithFAIRtrainingfromtheRiskLensAcademy. Share: Stayup-to-datewiththelatestinsightsandblogpostsfromRiskLens. RecentBlogPosts ViewAllBlogPosts What'sRiskManagementMaturity? Guides&Tips ReadMore BuildorBuyanApplicationtoRunFAIRCyberRiskQuantification? Guides&Tips|IndustryInsights ReadMore HowtoHelpYourCFOTakeOutCostWhileOptimizingYourCybersecurityStrategy Guides&Tips|IndustryInsights ReadMore
延伸文章資訊
- 1Technology Risk Management Guidelines - Monetary ...
TECHNOLOGY RISK MANAGEMENT GUIDELINES. JANUARY 2021. Monetary Authority of Singapore. 3. 6.4. App...
- 2Technology Risk Management - The Definitive Guide | LeanIX
- 3What is Technology Risk? - Reciprocity
- 4Technology risk services | EY - Global
The Technology Risk teams can help you achieve sustainable growth by supporting your efforts to p...
- 5'The ghost in the machine': Managing technology risk | McKinsey
Technological risks are becoming more prominent--and more dangerous. Six principles can guide ban...