Many organizations attempt to address the risks resulting from IT dependence. It is important that they employ well-structured Risk Management methodologies to reap the benefits of their IT Risk Management activities; therefore, the necessity of IT Risk Management should be discussed.
3.5.1 The Necessity of Information Technology Risk Management
The management of the security of organizational computer systems is an important function (Whitson, 2003). New threats are constantly becoming apparent, and activities such as policy development, intrusion detection, monitoring, patching software and updating firewall rules prove to be an ongoing concern (Whitson, 2003). An effective approach to IT Risk Management, however, can greatly facilitate the execution of these activities by providing the correct information about which important risks need to be addressed, and thus ensuring that the correct controls are implemented. According to Kontio, Getto, and Landes (1998), a major problem that currently exists is that not many organizations are implementing efficient and accepted Risk Management methodologies. The personnel involved in analyzing and controlling risks rely on their own intuition instead of attempting to manage risks by some structured and consistent methodology (Kontio et al., 1998).
Kontio et al. (1998) suggest that “leaving Risk Management up to intuition and initiative may sometimes work but is a poor substitute for a systematic, professional and consistent approach for Risk Management”. A sound and efficient approach to Risk Management provides a solid basis for identifying and controlling organizational IT-related risks. This is important because senior management must authorize their IT systems prior to their operation (National Institute of Standards and Technology, 2001). They are responsible for protecting the organization’s IT assets and the mission of the organization (National Institute of Standards and Technology, 2001). The failure to adequately fulfill this responsibility could lead to negative consequences, including the tarnishing of the corporate reputation and the loss of consumer and investor trust. It is imperative that senior management make every effort to ensure that all significant risks are identified and fully addressed, and identify other controls that may be needed to reduce IT-related risks (National Institute of Standards and Technology, 2001). It is important that residual risks are reduced to an acceptable level before the IT systems are authorized for operation; otherwise the Risk Management process should be reiterated until the residual risk is at an acceptable level (National Institute of Standards and Technology, 2001).
The implementation of IT Risk Management in a structured and appropriate manner ensures that the best security controls will be implemented. Some benefits of correct control selection include removing various vulnerabilities of the IT systems, introducing a targeted control to mitigate the capability and motivation behind a threat, and reducing the magnitude of the impact of particular risks (National Institute of Standards and Technology, 2001).
3.6 Conclusion
The importance of IT Risk Analysis and Risk Management is best demonstrated when considering the vast implementation of IT in an organization to facilitate the execution of business functions and to provide a competitive edge. The risks associated with IT will always be present and, according to Bandyopadhyay et al. (1999), will only increase with dependence on IT. It would be impractical to believe that risk can be completely removed. The current business environment is all about how effectively risks are identified and managed. IT Risk Management should be a continuous process. This is important because the asset that is most at risk because of current organizational IT dependence is business information. IT enables competitive advantage through the effective use of business information resources. The use of IT has, however, exposed business information to numerous risks. It is essential that an organization make every effort to secure its business information. IT Risk Management has a role to play in this regard because it fits into the bigger framework of Information Security. Information Security ensures the proper protection of business information assets through the implementation of Information Security Management (ISM). The following chapter explores Information Security and Information Security Management to illustrate how information-related risks should be controlled.
The Management of Business Information Security
4.1 Introduction
Business information plays a critical role in enabling most organizations to be successful and formidable industry competitors. IT greatly facilitates them in achieving this goal but exposes their information to a great variety of risks.
IT Risk Management aims to mitigate these IT-related risks. However, this alone is not sufficient, as the scope of business information risk is far wider than IT. Information Security aims to address the full scope of business information risks through the effective implementation of Information Security Management. This chapter aims to motivate the importance of Information Security Management as the means by which business information risks are comprehensively addressed. The importance of business information is addressed and its scope and characteristics are defined. Business information risk, which involves more than IT-related risks, is discussed and the sources of such risks are noted. Information Security and Information Security Management are discussed to motivate their importance in terms of addressing the full scope of information-related risks.