College: NMIMS, Mumbai By: Subhada (subhada1@gmail.com, 9769351414) Nishant Kumar (mailkumarnishant@gmail.com, 9987542101)
INDEX
3. IT RISK MANAGEMENT
3.1 INTEGRATION OF RISK MANAGEMENT INTO SDLC
3.2 RISK ASSESSMENT
3.3 RISK CATEGORIES
3.4 MANAGING RISK
4. CONCLUSION
5. REFERENCES
SUMMARY
We are more dependent than ever on IT to run our businesses, yet IT failures are commonplace. At the same time, our IT environments are becoming more complex, and hence managing the IT infrastructure while reducing exposure to all types of IT risk is important.
In this paper an approach for IT infrastructure management is suggested. IT infrastructure management is the process of modifying the infrastructure so that it is more consolidated, flexible and automated. An effective approach to infrastructure management involves three stages:

1. Simplify the IT infrastructure and manage assets for a positive financial impact on the corporate strategy.
2. Increase operational efficiency to enhance flexibility and maximize power consumption.
3. Retain and grow the IT infrastructure to align with company business goals, without costly renovations.

IT risk management is another topic discussed in the paper, and it is suggested that risk management be integrated into the SDLC. Minimizing negative impact on an organization and the need for a sound basis in decision making are important, and hence effective risk management must be totally integrated into the SDLC; how to do this is explained in the detailed document. Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat, and the output of this process helps to identify appropriate controls for reducing or eliminating risk. The steps for a proper assessment are suggested in the document. The four main types of risk which IT organizations today must address are business disruption risk, relational risk, technology risk and IT governance risk. To address all aspects of IT risk, the IT department needs to craft and implement a holistic IT risk management strategy that incorporates assessment, accountability, measurement, and management. A five-step approach to managing IT risk is suggested: building awareness of risk, quantifying risk through risk assessment, managing the risk, implementing the solution, and developing a systematic, ongoing capacity to manage IT risk.
1. INTRODUCTION
We are more dependent than ever on IT to run our businesses, yet IT failures are commonplace. At the same time, our IT environments are becoming more complex, and hence managing the IT infrastructure while reducing exposure to all types of IT risk is important. Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT infrastructure and data that support their organization's missions. Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. Effective risk management must be totally integrated into the SDLC (software development life cycle). The fact is, if we don't do proper infrastructure management and don't get IT risk under control, we put the entire business at risk. Thus optimised use of available infrastructure resources, together with proper risk management, is the call of the day to ensure reduced cost in the present economic condition.
2. IT INFRASTRUCTURE MANAGEMENT
As the business grows, the number and complexity of the data processing systems and the workload on the server room increase, placing greater demands on the IT infrastructure. Increased demand means increased power consumption, and with rising energy costs, mid-sized businesses are faced with the imperative to do more with their IT infrastructure for less. The solution to the problem is to efficiently manage and optimize the available IT infrastructure. By optimizing the IT infrastructure the business can receive many benefits, including:
- Energy cost savings
- Reduced energy consumption
- Improved efficiency
- Maximized power consumption
- Managed capacity
- Shared resources
- Reduced complexity
- Lower unit cost
4. Dispose of and recycle unused IT assets safely.

Some typical cost reductions associated with IT asset simplification include:
1. Server consolidation (4 to 1)
2. Storage consolidation (25%)
3. Support automation (30%)

Simplification of IT assets provides a consolidated view of data, regardless of where it is housed, freeing up valuable resources so that they can focus on exploring innovative ways to gain competitive advantage. One can also reuse the assets more easily, which reduces the cost of change in the IT environment. Simplification provides an architecture and platform that centrally supports and manages applications that are currently maintained at different sites. It also uses automated provisioning, which lowers costs by removing labor-intensive tasks. This can dramatically improve decision-making, increase productivity, improve relationships with customers, partners and suppliers, and create more uniform customer service.

Virtualization is a significant component of asset simplification. When you establish multiple virtual servers per physical server, you are likely to enjoy noticeable cost savings. With a broad set of virtualization capabilities, including cross-platform virtualization, automation and systems management solutions, mid-sized businesses like these can simply and dynamically access and manage resources for better asset utilization and reduced operating costs. You can incorporate an intranet and extranet portal to share information, further facilitating productivity improvements and cost savings. When physical server utilization rates increase, virtual servers are provisioned quickly and automatically. Such automation lowers provisioning costs while letting the IT environment respond quickly to changing business needs. With automatic workload management, IT infrastructure utilization rates can be high without the burden of costly, labor-intensive manual system configurations. Utilizing multiple virtual servers per physical server will also dramatically reduce licensing costs in many configurations and facilitate administration.
When technical resources are consumed with problem determination and resolution, it can adversely affect efficiency and productivity. This is because identifying the root cause of problems and rectifying them can be extremely time-consuming and very costly. The same National Institute of Standards and Technology study showed that 80% of development funds are spent identifying and fixing problems. Why does problem determination and resolution claim so much time and money? Because many companies rely on manual processes to identify and solve problems, manual processes that can impair a company's competitiveness. By reducing the time that staff spend on problem determination and resolution and by increasing the productivity of all technical resources, the IT infrastructure and staff can promote rather than inhibit the on-demand business. The benefits of increased operational efficiency include:
1. Better server and storage use
3. The cost savings of automated provisioning
4. IT assets that are aligned with business requirements through orchestration
IT budgets have two components: spending on new initiatives and spending to operate and maintain IT organizations, systems and equipment. As stated earlier, companies typically spend approximately 80% of their budgets on maintenance and operations, leaving very little for new projects, such as integrating business processes with key partners, suppliers and clients. IT managers are seeking help to align IT resources and budget to focus on supporting the strategic objectives of the company.
As you reduce complexity and improve how IT assets are used, the maintenance and licensing cost savings can be reallocated from routine operating expenses to strategic investments, such as innovative technologies, services, techniques and strategic opportunities. By integrating existing systems into a flexible IT infrastructure, you give IT the tools to respond rapidly to changing business priorities. By integrating the data, you can send a unified view of information to the right people at the right time, helping them to make informed business decisions based on the best and most comprehensive data. Another IT asset that you may wish to optimize is the Web site. It is not only a communication and support tool for customers but also a communication tool for investors and suppliers, so it must be fast, reliable and fully functioning 24x7.
3. IT RISK MANAGEMENT
IT risk management is the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events. Because IT risk is not limited to security, this view enables organizations to identify weak or overlooked risk domains. The risk can be divided into four categories: business disruption, relational, technology, and IT governance. Thus, in this context an IT risk is the potential for exposure to loss for the organization from a failure in any aspect of the IT environment, and it falls within the risk domains of business disruption, relational, technology, and governance.
Risk management is an iterative process that can be performed during each major phase of the SDLC, as shown below:
Business disruption risks include malicious attacks and online privacy issues, as well as external events that could hinder a firm's continued operations. They can be of four types:
Business continuity risk: Poor or inadequate planning on IT's part remains a major business continuity risk. On the other hand, one CISO observed that the business is at risk of solely associating business continuity planning (BCP) with IT recovery at the expense of ignoring logistical and resource issues outside of IT's direct control (e.g., accessing Rolodexes kept in a locked desk that is no longer accessible). Insufficient resources, driven by a short business attention span that is only galvanized by disaster, are another business continuity risk and hinder BCP from being taken seriously. Finally, inadequate BCP on the part of a supplier, vendor, or business partner can be the Achilles' heel of even the most thorough BCP effort because of increasingly interdependent relationships with third parties.
IT security risk: IT security risks are growing as the reasons and means for disrupting business increase. However, resource cutbacks have hamstrung some security organizations from dealing with new security threats or reacting quickly to attacks. Because IT security risk is rarely on the mind of the business unless there are significant breaches in the news, it is hard for the business to understand residual security risk and allocate resources accordingly.
Online risk: Limiting customer input or access to company Web sites is the easiest way to deal with some aspects of online risk, especially when the company Web site is more informational than interactive. However, firms that conduct financial transactions or process customer credit card data online not only must develop standards and controls to protect their Web sites from hackers and the like, they also must educate their customers about best practices for protecting their privacy and personal information when surfing their Web site. And the risks in the online world go beyond security-related risks to encompass branding, reputation, and even broader compliance risks such as Americans with Disabilities Act (ADA) compliance.
Information risk: It's hard to overestimate the impact of a loss or breach of information. Not only is an incident embarrassing, there are regulatory and legal consequences as well. To prevent unauthorized access or disclosure, firms need to develop controls that address the accuracy, mobility, modification, and access of information. The challenge is educating each level of the business on the sensitivity of the information it possesses so that it can then recognize what should be protected. As part of educating the business, one state agency hosts a computer security day and a computer awareness competition.
Relational risks emerge from dependency on third parties and the business's perception of IT, as shaped by the frequency of service disruption and the effectiveness of IT's communications.
Vendor management risk: Vendor management risks include vendor selection, requirements, influence, and stability. Poor vendor selection can lead to misused resources, strained staff, and service disruptions or delays. If IT omits vendor requirements from the service-level agreement (SLA) or the vendor does not understand them, the organization is at risk, especially if the vendor has sloppy risk management practices that could expose the firm's information or IP to loss or improper access. Firms also worry that they will not have the clout to keep the vendor's attention from drifting to other product areas. If the vendor goes out of business, how will that affect your organization and the support expected? For example: "VoIP, there are more than 200 vendors that offer services. Within the next 10 years, there will be five. I need to pick the right one today and hope they are still around because I know that my decisions will be available three years down the road." (Director of IT security, governmental agency)
Third-party relationship risk: Distributed business tears down defined organization boundaries. Organizations have been reengineered and outsourced, and have established a myriad of business relationships with partners and suppliers that significantly add to the risk complexity within IT. Similar to the risks generated by vendor relationships, companies face the risk of not defining requirements, the risk of the other party not understanding what is expected of them, and the risk of not monitoring after the SLA has been signed to ensure the agreement is being followed. Businesses are also at risk if they have not built security controls for third-party human resources into their contracts and SLAs to protect them from liability.
IT reputation/customer satisfaction risk: Major service interruptions and incidents erode IT's reputation with the business and complicate IT's efforts to position itself as a value generator. Likewise, business perception of IT suffers when it does not deliver cost-efficient, timely solutions that meet new business needs and fulfill existing SLA commitments. When IT tries to assess business perception, it often relies exclusively on customer satisfaction surveys that never really address the main concerns of the business. In one energy organization, even people in IT are skeptical because customer satisfaction results are in the 1990s but dialogue with the business paints a different picture.
Technology risks include IT's ability to keep pace with new technology, manage and develop projects that address business needs, implement business changes in a responsible manner, and maintain a standardized but flexible IT infrastructure.
IT agility risk: IT agility is sometimes constrained by the business's openness to innovation. On the other hand, more organizations have the opposite problem, where the business is willing and able to innovate but the IT culture resists innovation. If IT drags its feet implementing change, it has to play catch-up to the business and becomes a source of frustration instead of a partner in innovation.
IT architecture risk: Architecture risk involves properly defining the architecture and developing standards that provide structure but do not constrain flexibility. The risk here is that firms will not upgrade old technologies quickly enough to meet the technical needs associated with business change. A corresponding risk is that the business will not want to follow the established architecture, preferring short-term tactical needs over long-term architecture strategy.
Change execution risk: The major risk is that change management processes for infrastructure or applications are either absent or not followed. One information security specialist pointed out that there is a direct correlation between the enforcement of change management processes and the availability of systems and integrity of the environment. Without vigilance, business customers may try to beat the system to avoid following established processes. In addition, some organizations engage in so many drastic changes that they have unnecessary, expensive service outages, while others are so comfortable with the familiarity of existing infrastructure that they miss possible improvements.
Project development risk: The business may take a hands-off approach to project management because they do not understand the importance of being involved throughout the process, or are content because project planning ran smoothly. If business priorities shift and they do not communicate this to IT, project developers may design an expensive, irrelevant project that no longer meets business needs.
IT governance risk is nearly universally recognized as an important risk for businesses regardless of industry. Without a strong governance structure in place, firms will be unable to mitigate the IT risks associated with the other domains.
IT strategic risk: IT strategic risk results from a lack of alignment with the business, inconsistent compliance with governance standards, or a loss of control. In some cases, the business pays lip service to the ideal of IT governance while not providing adequate resources, or completely disregards IT governance standards when there is an attractive business opportunity. Differences in governance between the firm and associated third parties also put the firm at risk of losing control of its information, services, and critical resources.
IT resources risk: Major risk areas include finding the right people, the right skills, and the right funding. Due to the specialized skills required, IT security professionals and quality control specialists are in high demand and low supply and therefore paid accordingly. Firms risk losing their best people to competitive salary offers. For firms that outsource, there are risks associated with finding the right vendor to match the skills needed by the organization as well as determining which skills should be outsourced. In addition, IT must identify internal employees with leadership skills and technical know-how to guide the vendors appropriately. From a funding perspective, IT organizations face a triple challenge: getting adequate funds from the business, allocating resources quickly enough to keep pace with evolving business requirements, and managing the resources they have been given effectively.
Compliance/legal risk: The real challenge for IT is not only to be aware of regulations and regulatory changes like SOX and HIPAA, but to modify processes in a timely manner to keep pace with them. Therefore, IT must manage the risks of compliance as a process, not as individual projects. The dynamic nature of business and IT requires that organizations stay on top of requirements to keep abreast of the pace of business and technology change. Firms that operate in multiple jurisdictions also face the complexity and resource drain of conflicting regulations and duplicative audits. Even domestically there is regulatory overlap that unwittingly contributes to inefficiency and strains IT resources. Some business opportunities may be passed over due to the expensive or onerous compliance requirements they trigger.
All four types of IT risk are increasingly interrelated and important to just about everyone in the organization. For example, IT directors and managers are on the front lines when IT failures occur. They see how patches must be rolled out in a compliant manner to protect systems from security threats, or how data protection practices designed to improve availability might impact network performance and create security vulnerabilities if data isn't encrypted. It's all connected. Also, as IT failures become synonymous with business failures, IT risk is becoming a topic within the boardroom and the executive suite. In fact, companies such as FedEx, Procter & Gamble, and Home Depot have even established special board committees whose sole purpose is the management of IT risk.
4. CONCLUSION
In this era of stiff competition, to survive a business has to reduce its cost of running the business compared to its competitors. An important task in hand is thus to manage its available infrastructure well while minimizing its risk. This paper highlights ways to optimize the use of available infrastructure, together with means to identify risk and to mitigate it.