In view of the constantly growing demands on the functionality, performance and convenience of networked IT systems (from mainframe computers to mobile devices) on the one hand, and the embedding of more and more control and monitoring systems (buildings, vehicles, cell phone sensors, etc.) on the other, the question arises as to what risks arise with regard to confidentiality, integrity, reliability and availability of ICT (Information and Communication Technology) services, and what means are available for detecting, assessing and limiting these risks.
Dealing with risks
A risk is also usually defined in ICT as the forecast of possible damage in the negative case or possible benefit in the positive case. What is considered to be damage or benefit depends heavily on the values applied. However, it should be noted that taking ICT risks usually does not generate a profit and that prevention costs remain even if no damage is done. Accordingly, we define ICT security as the absence or prevention of unjustifiable risks. Since risks can never be completely avoided, we speak of risk “management” through a mixture of different strategies, in particular risk avoidance, risk transfer (e.g. through insurance), risk limitation (through countermeasures) and acceptance of residual risks. Another popular coping strategy is risk ignorance, i.e. not dealing with risks by “looking the other way”, which does not correspond to the idea of consciously managing risks, but does correspond to human nature. Which combination of strategies is chosen depends on the risk type and risk culture and should be the result of conscious consideration and calculation. However, our risk behavior is often guided by the archaic notion that mistakes are fated to “happen” and that countermeasures are therefore futile from the outset or that the person affected is “excused”. This way of thinking mainly concerns abstract risks (such as those in ICT), which usually do not cause any physical damage and are therefore often considered “harmless” by those who cause them.
ICT risk sources and potential targets
In ICT, there is a wide variety of attackers and targets. Countermeasures must therefore be precisely tailored to the combination of likely attackers and targets.
With regard to attackers, we differentiate between internal and external sources. While we like to use external attackers (from hackers to criminals to intelligence services) as a “bogeyman” and justification for the costs of countermeasures, internal perpetrators (employees, customers, etc.) present us with greater challenges, as they are implicitly considered trustworthy and are hardly recognizable due to the mostly externally oriented security facilities. In addition, successful external attacks are often carried out with (implicit or explicit) help from within. Blackmail, bribery, negligence, risk ignorance or the targeted provocation of misconduct through social engineering are playing an increasingly important role alongside technical attack methods.
The attackers’ motivation ranges from curiosity, a need for recognition or boredom to material gain and revenge against companies or individuals or the realization of political or ideological goals. In the case of untargeted attacks (spam, spyware, phishing, Trojans, etc.), a large number of targets are attacked in the hope of a sufficient number of “random hits”. The information obtained is then put to multiple commercial uses with a widely distributed value chain. Targeted attacks are aimed at a small number of selected targets, whether through sabotage, denial of service in preparation for blackmail, data theft in preparation for bribery, or for commercial/military reconnaissance. The “front runner” in this area is the theft of digital identities and targeted access to the target’s mobile devices (theft of the device – which may be used for both private and business purposes – or undetected copying of the data).
Typical losses range from the destruction of data/configurations, spying and theft of data or software, falsification and injection of false information, denial or delay of legitimate access to threats to the proper conduct of business (including the settlement of financial losses, liability and any violations of laws and regulations). Finally, values such as the company’s reputation must also be included in overall risk management.
Possible measures for IT risk management
When risk-reducing measures are discussed, two problems arise. Firstly, arguments are often based on the available (mostly technical) measures and the risk is adapted to the measures – this is where the tail wags the dog. Secondly, it is difficult to assess the acceptable level of risk well enough. Although people in ICT like to talk about “best practices” or “good practices”, many users would be perfectly happy with a “good enough practice” if they could define and measure this state with sufficient precision.
At the heart of this discussion are the assets to be protected and their value, so that the cost of countermeasures can be set in a reasonable relationship to this value. In addition, the basic assumption is that usually only a combination of technical, organizational and procedural elements leads to the goal. Finally, measurability (via well-defined parameters), the cyclical review of target achievement and a continuous improvement process are important components of risk management. Measures to promote risk-conscious behavior on the part of those involved round off an appropriate concept.
Building on this, an appropriate Information Security Management System (ISMS) can then be defined and operated – this can be based on various standards and specifications:
- ISO/IEC 2700x (especially if formal certification of the company is being sought),
- CoBIT-5 (suitable for a well auditable ISMS and IT risk management, based on predefined checkpoints),
- BSI basic protection catalogs (well suited for defining the minimum required level of protection).
Elements of ICT “Good Enough Practice”
The following is an overview of elements of “Good Enough Practice” – which elements deserve particular attention is the subject of a more detailed analysis in each individual case.
| Technology | Processes and rules |
| --- | --- |
Five prerequisites for successful implementation
Prerequisite 1: established communication
A common understanding of the ICT resources used is crucial for success. This requires that a common language is spoken and that the value systems are actively aligned. The cornerstones of a corresponding strategy are:
- Linguistic communication, i.e. fewer documents and more direct conversation
- Only as many technical terms as necessary
- Explanations of the content and disciplines of ICT appropriate to the recipient
- The aim is to build and maintain mutual trust over time
Prerequisite 2: sufficiently precise specifications
Good target agreements and targets are currently often more of a craft than standardized processes. Nevertheless, the methodical support of targets is important for feasibility, measurability and continuous improvement up to the desired target state. The company’s management bodies are involved with regard to strategic targets, as are the operational units with regard to tactical targets. Currently “typical” topics in the area of guidelines relate to elements such as ensuring information flows, competence regulations, sourcing strategies and strategic cooperation, ICT architectures, strategically important products and projects, control/reduction of ICT complexity as well as risk identification and raising awareness of ICT risks among the people involved.
It is a good idea to divide these targets into “must” and “can” targets in the sense of defining non-negotiable “baselines”. The result can then be communicated in the form of an internal control system (ICS) and then influences the target agreements of business units, departments and individuals.
Prerequisite 3: proven economic efficiency
Since prevention costs are always controversial and their benefits are questioned in times of tight budgets, it is particularly important to prove the cost-effectiveness of the targeted measures.
| Cornerstones | Possible measures |
| --- | --- |
Prerequisite 4: consistent risk management
Organization-wide management of operational risks such as those of ICT includes the cyclical identification and assessment of risks, the definition and implementation of measures, and the formal acceptance of residual risk. Important elements of such risk management are:
- Regularly carrying out risk assessments and estimating the consequences of such risks by means of a business impact analysis (BIA).
- Maintaining and regularly updating a “risk register” with all assessed and incurred risks, measures, consequences, etc. As many companies only suffer a few real loss events, “near misses”, i.e. losses that have only just been averted, should also be recorded, similar to aviation.
- The creation of a timely overview in the form of a risk map or a risk cockpit, which is used to communicate with decision-makers, but also with supervisory authorities, employees, customers, partners, etc. in a step-by-step and timely manner.
Prerequisite 5: consistent reporting
Decision-makers can only make the right decisions if they are actively informed. Possible elements of this information flow in the company environment are:
- Quarterly integration of the ICT risk assessment via the MIS to the Board of Directors for key facts, risks and important projects
- At least once a year, a formal presentation to the Board of Directors on the status of ICT and the planned measures
- Formal acknowledgement of audit reports on ICT security and ICT risk management and approval of the proposed measures – if necessary, involvement of external experts
- Regular formal presentation to the Executive Board on the status of ICT and the planned measures; direct involvement / variants for important projects.
Concluding remarks
Active risk management in a volatile ICT environment is a constant dance on the volcano: it is certain that an eruption will occur, but not when, to what extent, or which preventive measures are appropriate to the risk. In this environment, those organizations that act in accordance with the above prerequisites, and whose employees are agile and flexible enough to react promptly and appropriately to sudden changes, are well positioned.