Defining ITRM
IT Risk Management (ITRM) is a form of risk mitigation commonly used in information technology (IT). Per the ISACA Risk IT Framework, ITRM is the process by which enterprises identify and address risks associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization.
ITRM addresses an extensive range of activities and objectives, including:
- Risk Identification
- Risk Assessments
- Risk Treatment
- Risk Monitoring
- Compliance with laws, standards, regulations, and frameworks
- IT Risk & Compliance Audits & Assessments
An ITRM program addresses the potential negative impact of IT operations and services through risk mitigation efforts while supporting the positive impact of using technology to enable and enhance the business.
Why is ITRM important?
With the continued shift to digital risk management, increasing compliance obligations, and the proliferation of cloud technology, IT risk management is more critical than ever. The establishment and maintenance of a strong ITRM program allows organizations to maintain a strong security posture and enables them to provide evidence of compliance when asked — making it a crucial part of any company.
ITRM & Digital transformation
Over the last year, reliance on remote work drove a rapid increase in digital transformation, pushing security teams to expand protective measures and surface vulnerabilities on short timelines. As the world has settled into its new normal, the number of successful, large-scale cyber-attacks and ransomware incidents has increased dramatically (62% in the last year, to be exact).
To combat the all-time high of cyberattacks and execute a successful ITRM strategy, organizations must actively seek to understand how technology is used throughout business and consistently instill protective measures.
How can IT security leaders understand risk throughout the organization?
There are two broad approaches to risk assessment: top-down and bottom-up. A top-down risk assessment evaluates risk from the viewpoint of the C-level executive, that is, strategically, while a bottom-up risk assessment looks at risk from the viewpoint of the frontline employee, that is, tactically. Although there is no “right way” to perform a risk assessment, most practitioners recommend a blended approach, because each has its own pros and cons.
Opting for a top-down risk assessment is generally easier to execute because there are fewer individuals involved, which makes it easier to define and standardize risk scoring. A top-down risk assessment allows C-level executives to focus on a few top risks rather than an exhaustive list of risks.
Using a bottom-up risk assessment model empowers all areas of your business to contribute to identifying, defining, and prioritizing risk. This model looks at risk from the viewpoint of the frontline worker, who is much closer to business processes and the specific risks attached to them, rather than the C-level executive, who is more concerned with high-level strategic risks. A bottom-up risk assessment can be more challenging to execute but often results in a more comprehensive picture of risk.
Regardless of which risk assessment approach you take, the process needs to be easy for first-line users to participate in and simple for second-line users to aggregate results from. A streamlined process also lets IT risk and security teams turn results around more quickly, which enhances your overall security posture across the organization and builds a shared understanding of processes at all levels of the enterprise.
How to make your ITRM program first-line friendly
Ensuring that your risk management program is first-line friendly starts with enabling first-line members to understand what risk is and how to own it, respond to it, and act on it. Although measuring and managing risk is a highly technical operation led by trained risk professionals, every level of an organization is responsible for risk management and must understand it. Risk and compliance leaders implementing a first-line friendly solution need to address the subjective nature of risk by:
- Clearly and concisely communicating risk with impact to the line of business.
- Assessing risk in real time using plain language that your line of business understands.
- Accurately reporting and describing the business context of risk to leadership.
- Empowering all areas of your organization to partake in risk ownership and actioning.
Executing a first-line friendly risk management program requires you to enhance visibility for your risk owners. Doing this, paired with ensuring a strong understanding of risk across your business, enables all your employees to own risk. To that end, risk and compliance initiatives must be clearly communicated and understood throughout your line of business, and employees must have regular access to update or review the status of risk.
Applying the principles above will help bridge risk management across the first and second lines. The next step is to get out of spreadsheets and legacy GRC tools to create a better user experience for everyone involved. With a first-line friendly ITRM solution, you can simplify the IT risk assessment process and centralize access to risk information and workflows. This enables you to share focused insights with key risk updates for your line of business to stay informed and own risk across processes, assets, and the relationships that they manage.
Learn more about what it means to have a first-line friendly ITRM strategy in our blog.
Aligning to common cybersecurity frameworks & standards
Another factor in developing your ITRM program is alignment with industry frameworks and standards. There are numerous frameworks and standards used to inform ITRM work (84% of organizations utilize a cybersecurity framework, and 44% use more than one), but when it comes down to your business, how do you know which framework(s) to select? First, you need to determine which framework aligns with your company’s needs and industry requirements. Here are several common frameworks to consider:
Dive into frameworks, regulations, and laws relevant to ITRM with OneTrust’s DataGuidance.
ISO 27001, 27005, 27002
The ISO catalog of frameworks is among the leading risk management frameworks. One of the most widely known and globally adopted standards within the information security community is ISO 27001. The framework provides specific guidance and security controls for processing financial information, intellectual property, employee details, or information entrusted to you by third parties. Complementing ISO 27001, ISO 27005 is the international standard that describes how to conduct an information security risk assessment. ISO 27002 is a companion to 27001 for institutions establishing an Information Security Management System (ISMS) based on ISO/IEC 27001. It provides in-depth detail about control objectives to help organizations best implement the framework within their unique operations.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) was published in January 2020 by the United States Department of Defense. The model establishes a new method to evaluate vendor cybersecurity programs by measuring both the technical controls in place and the ongoing processes used to review and improve those practices. The CMMC takes a collaborative approach by sampling practices across leading IT risk management frameworks, cloud security and more to deliver a comprehensive model based on the latest cyber-community insights.
NIST 800-53
The National Institute of Standards and Technology (NIST) publishes a handful of process guides and IT risk management frameworks, most notably NIST 800-53 and the NIST CSF. NIST 800-53 documents a robust catalog of security and privacy controls and objectives designated for U.S. federal information systems to support best-in-class cybersecurity standards.
NIST Cybersecurity Framework
Another notable framework is the NIST Cybersecurity Framework (CSF), which consists of standards, guidelines, and practices. NIST CSF builds on existing frameworks (including NIST 800-53, ISO 27000) but offers a focused scope of controls alongside a thorough explanation written in ordinary language suited for non-technical executives or line of business individuals.
AICPA SOC 2
Developed and published by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five core principles: security, availability, processing integrity, confidentiality, and privacy.
Rather than prescribing a detailed IT risk management framework of pre-defined controls, SOC 2 lets organizations define their own set of Service and Organization Controls (SOC), embed those controls into their corporate policies, and audit their design and operating effectiveness to evaluate how well the control model meets the five principles in the context of business operations.
Unified Compliance Framework (UCF)
Created by Unified Compliance, the Unified Compliance Framework (UCF) derives from an industry-wide need to simplify the scope, definition, and maintenance of compliance over time. The framework recognizes the evergreen nature of regulatory and compliance mandates by noting commonalities between new and existing regulations. Ultimately, this reduces lift across the business as new mandates come into place.
Secure Controls Framework (SCF)
Encompassing 100 frameworks and thousands of requirements, the Secure Controls Framework (SCF) empowers security professionals to more holistically understand the disciplines of privacy and security. The SCF provides one comprehensive reference point for professionals through a four-pronged approach addressing statutory obligations, regulatory obligations, contractual obligations and leading practices.
Quantifying risk
Simply put, risk quantification is the process of evaluating the identified risks and developing the data that is needed for making decisions. The data elements that you use or have available will determine:
- Repeatability: Repeatability is essential to risk quantification. Establishing a common risk scoring formula enables your organization to be consistent with risk scoring. This standardization empowers the organization to compare risks across the company.
- Reliability: Reliability is crucial for trusting your data and trusting that the data is showing the entire picture. Subjectivity or overlooking any relevant data points are common reasons that some risks scores are not seen as reliable.
- Reportability: Reportability is your ability to pull meaningful risk insights when reporting on your risk posture. Risk quantification without context makes it exceedingly difficult to understand and prioritize risk appropriately.
Risk quantification can help your organization go beyond traditional risk matrix scoring, applying values to contributing factors of risk, and calculating them across what can be massive data loads. This enables the organization to gain insight on risk posture and provides visibility into any gaps present. Ultimately, risk quantification will empower your organization to better manage risk while pushing the strategic initiatives of the organization forward.
Common ITRM challenges
Businesses face a host of challenges when managing IT risk. Here are a few of the most common challenges to be aware of as you dive into ITRM:
- Evolving technology: Over time individual business units acquire their own tools and technologies to solve specific needs (enhancing productivity, structuring business processes, etc.). This is the same for their internal business practices outside of IT. In turn, this has led to a decentralization of operational and IT risk identification and mitigation and, in many instances, a rise in shadow IT. Identifying and reducing enterprise risks can quickly become near impossible without a central reference point for processes and data validation.
- Numerous laws, standards, frameworks, and regulations: An additional challenge is that many organizations have a wide variety of obligations in the form of laws, standards, and frameworks with differing and overlapping requirements and objectives. IT risk & compliance teams can often translate the requirements of some frameworks and laws into simple qualitative determinations of high versus low risk impact, while others require the organization to determine a quantitative score based on a combination of the probability that an event would occur and the corresponding impact to the organization. However, as risk becomes more and more specialized, these interpretations may not be universal across risk domains such as vendor or privacy compliance.
- Evolving risk landscape: Rapidly changing risk landscapes, such as security and operations, have left several organizations exposed to evolving threats. These companies have since built governance and risk mitigation practices beyond what frameworks and regulations require of them. Frameworks are updated infrequently, and regulations require years of approval as they slowly move through Congress and parliaments. Beyond the difficulty of keeping pace with the speed of digital transformation, leading frameworks and far-reaching regulations are designed to apply at scale across companies of various sizes, maturity levels, and industries. This means that organizational leadership and IT risk compliance teams need to identify, measure and manage the risks to their organization beyond what is prescribed by government or industry bodies.
The importance of integrations
As your business expands and departments specialize, so do the applications they use. A foundational element to any GRC strategy is to have a centralized view of data and controls across business systems and devices. Still, many enterprise-level operations execute across disjointed systems and manual, siloed processes. Integrations help connect your existing enterprise technology with your ITRM solution. Common integration use cases for ITRM include:
- Data Visualization & Reporting
- Collaboration Tools
- Productivity Suites
- Incident Management
- Project Management & Issue Tracking
- Threat & Vulnerability Scanners
- CMDBs
- SIEM/SOAR
- Data Discovery
Integrations help expedite risk insights, improve data quality, and reduce duplication of data in multiple systems. The goal is to seamlessly connect systems without sacrificing functional experiences and operational efficiencies within your ITRM and line of business applications.
Connecting systems today doesn’t have to be a complex hard-coded exercise. Many solution providers offer an integration gallery of pre-built system plug-ins to support this connection. A visual integration builder can simplify connecting and sharing data across enterprise systems, save resources, and minimize system maintenance.
ITRM best practices
Given that the areas covered by ITRM are vast and the challenges are significant, it’s important to understand best practices in the space. Following the practices below will aid your organization in implementing an ITRM strategy that enables your entire organization to be secure.
- Measure and report risks: Organizations need the ability to measure and report on their risks both qualitatively and quantitatively. Which method is required depends on the frameworks, regulatory bodies, or audits they are subject to.
- Score methodologies based on risk type: Organizations need the ability to adapt their scoring methodologies to changes in the types of risks they face as their industry continues to evolve. For example, the COVID-19 pandemic changed the way that organizations operate in general and what they classify as critical risk and assets.
- Use universal language: Most importantly, the organization needs to be speaking the same common language. A risk score for one business unit needs to be comparable on the same scale with other business units so that risk professionals, and even line of business managers, can prioritize risk at scale. For example, the numerical value of “4” needs to mean the same level of impact and probability to the privacy compliance team as it does to the IT security team. Additionally, a quantitative risk score of 10 that a finance team is tracking needs to be immediately equated to a qualitative “high” or “low” risk for the accounting team.
- Automation: OneTrust GRC IT & Security Risk Management can deliver the features, functionality, and automation to help your team save time and mature your program. Opportunities for automation in ITRM include:
- Aggregation and calculation of risk scores
- Risk lifecycle workflow management
- Benchmarking risk tolerance of assets
- Distribution of risk assessments
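The “Quantifying risk” section above calls for a repeatable scoring formula, and the “Use universal language” practice calls for every unit’s score to land on the same scale with the same qualitative meaning. The following added example (not OneTrust code, and not any particular product’s scoring model) shows one way to implement both: a shared 1-5 likelihood and impact scale whose product is the risk score, a single qualitative banding over that score, a linear rescale for a unit that tracks a single score on its own 1-10 scale, and a per-unit aggregation that flags entries with missing inputs as reliability gaps. The scale limits, band thresholds, and register entries are constructed assumptions.

```python
"""Repeatable risk scoring on one shared scale.

Added example, not OneTrust code. The register entries, scale limits and band
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Shared 1-5 likelihood and impact scales; their product gives a 1-25 score.
SCALE_MIN, SCALE_MAX = 1, 5
SCORE_MIN, SCORE_MAX = SCALE_MIN * SCALE_MIN, SCALE_MAX * SCALE_MAX

# Assumed qualitative bands over the 1-25 score (upper bound inclusive).
BANDS = [(4, "low"), (9, "medium"), (16, "high"), (25, "critical")]


@dataclass
class Risk:
    risk_id: str
    business_unit: str
    likelihood: Optional[int] = None      # on the shared 1-5 scale
    impact: Optional[int] = None          # on the shared 1-5 scale
    native_score: Optional[float] = None  # a unit's own single score, if any
    native_max: Optional[float] = None    # top of that unit's scale (min is 1)


def risk_score(likelihood: int, impact: int) -> int:
    """Repeatable formula: likelihood x impact, both validated on the shared scale."""
    for name, v in (("likelihood", likelihood), ("impact", impact)):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"{name}={v} is outside the shared {SCALE_MIN}-{SCALE_MAX} scale")
    return likelihood * impact


def rescale(value: float, native_max: float) -> int:
    """Map a score on a unit's own 1..native_max scale onto the shared 1..25 range."""
    if native_max <= 1 or not 1 <= value <= native_max:
        raise ValueError(f"{value} is outside 1..{native_max}")
    # Linear rescale, rounded to the nearest integer on the shared range.
    shared = SCORE_MIN + (value - 1) * (SCORE_MAX - SCORE_MIN) / (native_max - 1)
    return int(round(shared))


def qualitative(score: int) -> str:
    """Translate a numeric shared-scale score into the common qualitative label."""
    if not SCORE_MIN <= score <= SCORE_MAX:
        raise ValueError(f"score {score} is outside {SCORE_MIN}..{SCORE_MAX}")
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: BANDS must cover SCORE_MAX")


def score_risk(risk: Risk) -> Optional[int]:
    """Score one register entry; None marks a reliability gap (missing inputs)."""
    if risk.likelihood is not None and risk.impact is not None:
        return risk_score(risk.likelihood, risk.impact)
    if risk.native_score is not None and risk.native_max is not None:
        return rescale(risk.native_score, risk.native_max)
    return None


def summarize(register: list) -> dict:
    """Aggregate per business unit: scored entries, the highest band, and gaps."""
    summary = {}
    for risk in register:
        unit = summary.setdefault(
            risk.business_unit, {"scored": [], "top_band": None, "unscored": []}
        )
        s = score_risk(risk)
        if s is None:
            unit["unscored"].append(risk.risk_id)
            continue
        unit["scored"].append((risk.risk_id, s, qualitative(s)))
        best = max(score for _, score, _ in unit["scored"])
        unit["top_band"] = qualitative(best)
    return summary


# Constructed register: two units on the shared scale, one unit tracking a
# single score on its own 1-10 scale, and one entry with a missing input.
REGISTER = [
    Risk("R-1", "IT Security", likelihood=4, impact=5),
    Risk("R-2", "Privacy", likelihood=2, impact=2),
    Risk("R-3", "Finance", native_score=6, native_max=10),
    Risk("R-4", "Accounting", likelihood=3),
]

if __name__ == "__main__":
    for unit, info in summarize(REGISTER).items():
        print(unit, info)
```

Because every unit is scored by the same formula and banded by the same thresholds, a “4” carries the same meaning to the privacy team as to the IT security team, and the finance unit’s native score is translated into the shared band rather than compared raw. Entries that cannot be scored are reported explicitly instead of silently defaulting, which keeps the reliability gap visible to the second line.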