
IT Risk Management and IT Infrastructure Management

College: NMIMS, Mumbai By: Subhada (subhada1@gmail.com, 9769351414) Nishant Kumar (mailkumarnishant@gmail.com, 9987542101)

Page | 1

INDEX

1. INTRODUCTION (p. 3)
2. IT INFRASTRUCTURE MANAGEMENT (p. 4)
2.1 APPROACH FOR IT INFRASTRUCTURE MANAGEMENT (p. 5)
2.1.1 Simplify the IT infrastructure (p. 5)
2.1.2 Increase operational efficiency (p. 7)
2.1.3 Retain and grow (p. 7)
3. IT RISK MANAGEMENT (p. 8)
3.1 INTEGRATION OF RISK MANAGEMENT INTO SDLC (p. 8)
3.2 RISK ASSESSMENT (p. 9)
3.3 RISK CATEGORIES (p. 11)
3.4 MANAGING RISK (p. 17)
4. CONCLUSION (p. 18)

SUMMARY
We are more dependent than ever on IT to run our businesses, yet IT failures are commonplace. At the same time, our IT environments are becoming more complex and hence managing IT Infrastructure together with reducing exposure to all types of IT risk is important.


In this paper an approach for IT infrastructure management is suggested. IT infrastructure management is the process of modifying the infrastructure so that it is more consolidated, flexible and automated. An effective approach to infrastructure management involves three stages:

1. Simplify the IT infrastructure and manage assets for a positive financial impact on the corporate strategy.
2. Increase operational efficiency to enhance flexibility and maximize power consumption.
3. Retain and grow the IT infrastructure to align with company business goals, without costly renovations.

IT risk management is another topic discussed in the paper, and it is suggested to integrate risk management into the SDLC. Minimizing negative impact on an organization and the need for a sound basis in decision making are important; hence effective risk management must be fully integrated into the SDLC, and how to do so is explained in detail in the document. Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat, and the output of this process helps to identify appropriate controls for reducing or eliminating risk. The steps for a proper assessment are suggested in the document. The four main types of risk which IT organizations today must address are business disruption risk, relational risk, technology risk and IT governance risk. To address all the aspects of IT risk, the IT department needs to craft and implement a holistic IT risk management strategy that incorporates assessment, accountability, measurement, and management. A five-step approach to managing IT risk is suggested, which includes building awareness of risk, quantifying risk through risk assessment, designing how the risk will be managed, implementing the solution, and developing a systematic ongoing capacity to manage IT risk.

1. INTRODUCTION
We are more dependent than ever on IT to run our businesses, yet IT failures are commonplace. At the same time, our IT environments are becoming more complex, and hence managing the IT infrastructure together with reducing exposure to all types of IT risk is important. Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT infrastructure and data that support their organization's missions. Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. Effective risk management must be fully integrated into the SDLC (software development life cycle). The fact is, if we don't do proper infrastructure management and don't get IT risk under control, we put the entire business at risk. Thus optimised usage of available infrastructure resources together with proper risk management is the call of the day to ensure reduced cost in the present economic conditions.

2. IT INFRASTRUCTURE MANAGEMENT
As the business grows, the number and complexity of the data processing systems and the workload on the server room increase, placing greater demands on the IT infrastructure. Increased demand means increased power consumption, and with rising energy costs, midsized businesses are faced with the imperative to do more with their IT infrastructure for less. The solution to the problem is to efficiently manage and optimize the available IT infrastructure. By optimizing the IT infrastructure the business can be the recipient of many benefits, including:

1. Energy cost savings
2. Reduced energy consumption
3. Improved efficiency
4. Maximized power consumption
5. Managed capacity
6. Shared resources
7. Reduced complexity
8. Lower unit cost
9. Easy administration
10. Fast response rate

2.1 Approach for IT Infrastructure Management


IT infrastructure management is the process of modifying the IT infrastructure so that it is more consolidated, flexible and automated. An optimized IT infrastructure facilitates the integration of new business applications. It fuels growth by managing costs with enhanced IT asset utilization, reduces operating expenses and makes it easier to keep the entire IT infrastructure in line with the growth objectives of the company. All businesses, regardless of size, can enjoy the benefits gained from IT optimization. An effective approach to infrastructure management involves three stages:

1. Simplify the IT infrastructure and manage assets for a positive financial impact on the corporate strategy.
2. Increase operational efficiency to enhance flexibility and maximize power consumption.
3. Retain and grow the IT infrastructure to align with company business goals, without costly renovations.

Simplification consolidates and virtualizes the IT environment, including servers, storage and network assets, into logical asset pools to improve IT resource utilization and lower infrastructure complexity. This provides you with a more complete view of data, which can minimize costs. Increasing operational efficiency is essentially automating capacity and workload management for increased flexibility. Ultimately, you achieve policy-based computing, which results in better IT and business alignment. Retain and grow is a strategy of realigning the IT budget by using savings in maintenance and operational costs to invest in growth initiatives. Below the three steps are described in detail.

2.1.1 Simplify the IT infrastructure

Simplification includes consolidating and virtualizing the IT infrastructure to:

1. Reduce IT operating costs and complexity.
2. Maximize the performance of resources.
3. Manage the IT environment more easily and effectively.
4. Dispose of and recycle unused IT assets safely.

Some typical cost reductions associated with IT asset simplification include:

1. Server consolidation (4 to 1)
2. Storage consolidation (25%)
3. Support automation (30%)

Simplification of IT assets provides a consolidated view of data, regardless of where it is housed, freeing up valuable resources so that they can focus on exploring innovative ways to gain competitive advantage. One can also reuse assets more easily, which reduces the cost of change in the IT environment. Simplification provides an architecture and platform that centrally supports and manages applications that are currently maintained at different sites. It also uses automated provisioning, which lowers costs by removing labor-intensive tasks. This can dramatically improve decision-making, increase productivity, improve relationships with customers, partners and suppliers, and create more uniform customer service. Virtualization is a significant component of asset simplification. When you establish multiple virtual servers per physical server, you are likely to enjoy noticeable cost savings. With a broad set of virtualization capabilities, including cross-platform virtualization, automation and systems management solutions, mid-sized businesses can simply and dynamically access and manage resources for better asset utilization and reduced operating costs. You can incorporate an intranet and extranet portal to share information to further facilitate productivity improvements and cost savings. When physical server utilization rates increase, virtual servers are provisioned quickly and automatically. Such automation lowers provisioning costs while letting the IT environment respond quickly to changing business needs. With automatic workload management, IT infrastructure utilization rates can be high without the burden of costly, labor-intensive manual system configurations. Utilizing multiple virtual servers per physical server will also dramatically reduce licensing costs in many configurations and facilitate administration.

2.1.2 Increase operational efficiency

When technical resources are consumed with problem determination and resolution, it can adversely affect efficiency and productivity. This is because identifying the root cause of problems and rectifying them can be extremely time-consuming and very costly. A National Institute of Standards and Technology study showed that 80% of development funds are spent identifying and fixing problems. Why does problem determination and resolution claim so much time and money? Because many companies rely on manual processes to identify and solve problems, manual processes that can impair a company's competitiveness. By reducing the time that staff spend on problem determination and resolution and by increasing the productivity of all technical resources, the IT infrastructure and staff can promote rather than inhibit the on-demand business. The benefits of increased operational efficiency include:

1. Better server and storage use
2. Less server redundancy
3. The cost savings of automated provisioning
4. IT assets that are aligned with business requirements through orchestration

2.1.3 Retain and grow

IT budgets have two components: spending on new initiatives and spending to operate and maintain IT organizations, systems and equipment. As stated earlier, companies typically spend approximately 80% of their budgets on maintenance and operations, leaving very little for new projects, such as integrating business processes with key partners, suppliers and clients. IT managers are seeking help to align IT resources and budget to focus on supporting the strategic objectives of the company.


As you reduce complexity and improve how IT assets are used, the maintenance and licensing cost savings can be reallocated from routine operating expenses to strategic investments, such as innovative technologies, services, techniques and strategic opportunities. By integrating existing systems into a flexible IT infrastructure, you give IT the tools to respond rapidly to changing business priorities. By integrating the data, you can send a unified view of information to the right people at the right time, helping them make informed business decisions based on the best and most comprehensive data. Another IT asset that you may wish to optimize is the Web site. It is not only a communication and support tool for customers but also a communication tool for investors and suppliers, so it must be fast, reliable and fully functioning 24x7.

3. IT RISK MANAGEMENT
IT risk management is the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. Because IT risk is limited to security, it enables organizations to identify weak or overlooked risk domains. The risk can be divided into four categories: business disruption, relational, technology, and IT governance. Thus, in this context an IT risk is the potential for exposure to loss for the organization from a failure in any aspect of the IT environment, and it falls within the risk domains of business disruption, relational, technology, and governance.

3.1 Integration of risk management into SDLC


Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. Effective risk management must be fully integrated into the SDLC. An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. In some cases, an IT system may occupy several of these phases at the same time. However, the risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC, as shown below:

3.2 Risk Assessment


Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. The risk assessment methodology encompasses nine primary steps:


3.3 Risk Categories


Generally speaking, organizations today must address four main types of IT risk:
3.3.1 Business Disruption Risks:

Business disruption risks include malicious attacks and online privacy issues, as well as external events that could hinder a firm's continued operations. They can be of four types:

Business continuity risk: Poor or inadequate planning on IT's part remains a major business continuity risk. On the other hand, one CISO observed that the business is at risk of solely associating business continuity planning (BCP) with IT recovery at the expense of ignoring logistical and resource issues outside of IT's direct control (e.g., accessing Rolodexes kept in a locked desk that is no longer accessible). Insufficient resources, driven by a short business attention span that is only galvanized by disaster, are another business continuity risk and hinder BCP from being taken seriously. Finally, inadequate BCP on the part of a supplier, vendor, or business partner can be the Achilles' heel of even the most thorough BCP effort because of increasingly interdependent relationships with third parties.


IT security risk: IT security risks are growing as the reasons and means for disrupting business increase. However, resource cutbacks have hamstrung some security organizations from dealing with new security threats or reacting quickly to attacks. Because IT security risk is rarely on the mind of the business unless there are significant breaches in the news, it is hard for the business to understand residual security risk and allocate resources accordingly.

Online risk: Limiting customer input or access to company Web sites is the easiest way to deal with some aspects of online risk, especially when the company Web site is more informational than interactive. However, firms that conduct financial transactions or process customer credit card data online must not only develop standards and controls to protect their Web sites from hackers and the like, they must also educate their customers about best practices for protecting their privacy and personal information when surfing their Web site. And the risks in the online world go beyond security-related risks to encompass branding, reputation, and even broader compliance risks such as Americans with Disabilities Act (ADA) compliance.

Information risk: It's hard to overestimate the impact of a loss or breach of information. Not only is an incident embarrassing, there are regulatory and legal consequences as well. To prevent unauthorized access or disclosure, firms need to develop controls that address the accuracy, mobility, modification, and access of information. The challenge is educating each level of the business on the sensitivity of the information it possesses so that it can then recognize what should be protected. As part of educating the business, one state agency hosts a computer security day and a computer awareness competition.

3.3.2 Relational Risks:

Relational risks emerge from dependency on third parties and the business perception of IT as shaped by the frequency of service disruption and the effectiveness of IT's communications.

Vendor management risk: Vendor management risks include vendor selection, requirements, influence, and stability. Poor vendor selection can lead to misused resources, strained staff, and service disruptions or delays. If IT omits vendor requirements from the service-level agreement (SLA) or the vendor does not understand them, the organization is at risk, especially if the vendor has sloppy risk management practices that could expose the firm's information or IP to loss or improper access. Firms also worry that they will not have the clout to keep the vendor's attention from drifting to other product areas. If the vendor goes out of business, how will that affect your organization and the support expected? "For example, with VoIP, there are more than 200 vendors that offer services. Within the next 10 years, there will be five. I need to pick the right one today and hope they are still around because I know that my decisions will be available three years down the road." (Director of IT security, governmental agency)

Third-party relationship risk: Distributed business tears down defined organization boundaries. Organizations have been reengineered and outsourced, and have established a myriad of business relationships with partners and suppliers that significantly add to the risk complexity within IT. Similar to the risks generated by vendor relationships, companies face the risk of not defining requirements, the risk of the other party not understanding what is expected of them, and the risk of not monitoring after the SLA has been signed to ensure the agreement is being followed. Businesses are also at risk if they have not built security controls for third-party human resources into their contracts and SLAs to protect them from liability.

IT reputation/customer satisfaction risk: Major service interruptions and incidents erode IT's reputation with the business and complicate IT's efforts to position itself as a value generator. Likewise, business perception of IT suffers when it does not deliver cost-efficient, timely solutions that meet new business needs and fulfill existing SLA commitments. When IT tries to assess business perception, it often relies exclusively on customer satisfaction surveys that never really address the main concerns of the business. In one energy organization, even people in IT are skeptical because customer satisfaction results are in the 1990s but dialogue with the business paints a different picture.

3.3.3 Technology Risks:

Technology risks include IT's ability to keep pace with new technology, manage and develop projects that address business needs, implement business changes in a responsible manner, and maintain a standardized but flexible IT infrastructure.

IT agility risk: IT agility is sometimes constrained by the business's openness to innovation. On the other hand, more organizations have the opposite problem, where the business is willing and able to innovate but the IT culture resists innovation. If IT drags its feet implementing change, it has to play catch-up to the business and becomes a source of frustration instead of a partner in innovation.

IT architecture risk: Architecture risk involves properly defining the architecture and developing standards that provide structure but do not constrain flexibility. The risk here is that firms will not upgrade old technologies quickly enough to meet the technical needs associated with business change. A corresponding risk is that the business will not want to follow the established architecture, preferring short-term tactical needs over long-term architecture strategy.

Change execution risk: The major risk is that change management processes for infrastructure or applications are either absent or not followed. One information security specialist pointed out that there is a direct correlation between the enforcement of change management processes and the availability of systems and the integrity of the environment. Without vigilance, business customers may try to beat the system to avoid following established processes. In addition, some organizations engage in so many drastic changes that they suffer unnecessary, expensive service outages, while others are so comfortable with the familiarity of the existing infrastructure that they miss possible improvements.


Project development risk: The business may take a hands-off approach to project management because they do not understand the importance of being involved throughout the process, or are content because project planning ran smoothly. If business priorities shift and they do not communicate this to IT, project developers may design an expensive, irrelevant project that no longer meets business needs.

3.3.4 IT Governance Risks:

IT governance risk is nearly universally recognized as an important risk for businesses regardless of industry. Without a strong governance structure in place, firms will be unable to mitigate the IT risks associated with the other domains.

IT strategic risk: IT strategic risk results from a lack of alignment with the business, inconsistent compliance with governance standards, or a loss of control. In some cases, the business pays lip service to the ideal of IT governance while not providing adequate resources, or completely disregards IT governance standards when there is an attractive business opportunity. Differences in governance between the firm and associated third parties also put the firm at risk of losing control of its information, services, and critical resources.

IT resources risk: Major risk areas include finding the right people, the right skills, and the right funding. Due to the specialized skills required, IT security professionals and quality control specialists are in high demand and low supply and are therefore paid accordingly. Firms risk losing their best people to competitive salary offers. For firms that outsource, there are risks associated with finding the right vendor to match the skills needed by the organization, as well as determining which skills should be outsourced. In addition, IT must identify internal employees with leadership skills and technical know-how to guide the vendors appropriately. From a funding perspective, IT organizations face a triple challenge: getting adequate funds from the business, allocating resources quickly enough to keep pace with evolving business requirements, and managing the resources they have been given effectively.


Compliance/legal risk: The real challenge for IT is not only to be aware of regulations and regulatory changes like SOX and HIPAA, but to modify processes in a timely manner to keep pace with them. Therefore, IT must manage the risks of compliance as a process, not as individual projects. The dynamic nature of business and IT requires that organizations stay on top of requirements to keep abreast of the pace of business and technology change. Firms that operate in multiple jurisdictions also face the complexity and resource drain of conflicting regulations and duplicative audits. Even domestically there is regulatory overlap that unwittingly contributes to inefficiency and strains IT resources. Some business opportunities may be passed over due to the expensive or onerous compliance requirements they trigger.

All four types of IT risk are increasingly interrelated and important to just about everyone in the organization. For example, IT directors and managers are on the front lines when IT failures occur. They see how patches must be rolled out in a compliant manner to protect systems from security threats, or how data protection practices designed to improve availability might impact network performance and create security vulnerabilities if data isn't encrypted. It's all connected. Also, as IT failures become synonymous with business failures, IT risk is becoming a topic within the boardroom and the executive suite. In fact, companies such as FedEx, Procter & Gamble, and Home Depot have even established special board committees whose sole purpose is the management of IT risk.


3.4 Managing Risk


To address all the aspects of IT risk, the IT department needs to craft and implement a holistic IT risk management strategy that incorporates assessment, accountability, measurement, and management. A five-step approach to managing IT risk is suggested. The cornerstone of the approach is this belief: when an organization successfully manages IT risk, it is better able to use IT to compete and innovate with confidence.

1. The first step is to develop an awareness and understanding of the specific IT risks to your business: security, availability, performance, and compliance.
2. The second step is to quantify risks through an impact assessment and develop a business case for IT investment. Impact can take many forms, including customer losses, business losses, damage to brand equity, legal costs, and regulatory fines.
3. Next, companies should understand the range of tools they can apply to managing IT risk and design a solution. Technology is clearly an important component of the solution, but just as important are tools that address the human elements of an IT system, including training and operational processes.
4. The fourth step is to align IT risks and costs with the business to find the right level of investment, and then implement the solution. Obviously we can't afford to apply the highest levels of protection to every IT risk we identify.
5. The last step is to develop a systematic ongoing capacity to manage IT risk. It's not a project but an ongoing activity that must be built into the culture of the organization.


Fig: Managing Risk

4. CONCLUSION
In this era of stiff competition, to survive a business has to reduce its cost of running the business compared to its competitors. An important task at hand is thus to manage its available infrastructure well together with minimizing its risk. This paper highlights ways to optimize the use of available infrastructure, together with means to identify risk and to mitigate it.

