IT Risk Management (ITRM) is a form of risk mitigation commonly used in information technology (IT). Per the ISACA Risk IT Framework, ITRM is the process by which enterprises identify and address risks associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization.
ITRM addresses an extensive range of activities and objectives, including:
An ITRM program addresses the potential negative impact of IT operations and services through risk mitigation efforts while supporting the positive impact of using technology to enable and enhance the business.
With the continued shift to digital risk management, increasing compliance obligations, and the proliferation of cloud technology, IT risk management is more critical than ever. The establishment and maintenance of a strong ITRM program allows organizations to maintain a strong security posture and enables them to provide evidence of compliance when asked — making it a crucial part of any company.
ITRM & Digital transformation
Over the last year, reliance on remote work drove a rapid increase in digital transformation, pushing security teams to expand protective measures and expose vulnerabilities with a quick turnaround. As the world has settled into its new normal, the number of successful, large-scale cyber-attacks and ransomware have astronomically increased (62% in the last year, to be exact).
To combat the all-time high of cyberattacks and execute a successful ITRM strategy, organizations must actively seek to understand how technology is used throughout business and consistently instill protective measures.
There are two broad approaches to risk assessment: top-down and bottom-up. A top-down risk assessment evaluates risk from the viewpoint of the C-level executive — strategically. While a bottom-up risk assessment looks at risk from the viewpoint of the frontline employee — tactically. Although there is no “right way” to perform a risk assessment, most people recommend taking a blended approach, because there are pros and cons to each.
Opting for a top-down risk assessment is generally easier to execute because there are fewer individuals involved, which makes it easier to define and standardize risk scoring. A top-down risk assessment allows C-level executives to focus on a few top risks rather than an exhaustive list of risks.
Using a bottom-up risk assessment model empowers all areas of your business to contribute to identifying, defining, and prioritizing risk. This model looks at risk from the viewpoint of the frontline worker, who is much closer to business processes and associated finite risks, rather than the C-level executive, who is more concerned with high-level strategic risks. A bottom-up risk assessment can be more challenging to execute but often results in a more comprehensive picture of risk.
Regardless of which risk assessment approach you take, the experience needs to be easy for first-line users to participate in and simple for second-line users to aggregate results. It also enables IT risk and security teams to turn around results more quickly, which will enhance your overall security posture cross-organizationally and ensure a universal understanding of processes at all levels of the enterprise.
Ensuring that your risk management program is first line friendly starts with enabling first-line members to understand what risk is and how to own, respond, and act on it. Although measuring and managing risk is a highly technical operation led by trained risk professionals, every level of an organization is responsible for risk management and must understand it. Risk and compliance leaders implementing a first-line friendly solution need to address the subjective nature of risk by:
Executing a first-line friendly risk management program requires you to enhance visibility for your risk owners. By doing this, paired with ensuring a strong understanding of risk across your business, you enable all your employees to own risk. In turn, risk and compliance initiatives must be clearly communicated and understood throughout your line of business, and employees must have regular access to update or review the status of risk.
Applying the principles above will help bridge risk management across the first and second lines. The next step is to get out of spreadsheets and legacy GRC tools to create a better user experience for everyone involved. With a first-line friendly ITRM solution, you can simplify the IT risk assessment process and centralize access to risk information and workflows. This enables you to share focused insights with key risk updates for your line of business to stay informed and own risk across processes, assets, and the relationships that they manage.
Learn more about what it means to have a first-line friendly ITRM strategy in our blog.
Another factor in developing your ITRM program is alignment with industry frameworks and standards. There are numerous frameworks and standards relevant used to inform ITRM work (84% of organizations utilize a cybersecurity framework, and 44% use more than one), but when it comes down to your business, how do you know which framework(s) to select? First, you need to determine which framework aligns with your company’s needs and industry requirements. Here are five common frameworks to consider:
Dive into frameworks, regulations, and laws relevant to ITRM with OneTrust’s DataGuidance.
ISO 27001, 27005, 27002
The ISO catalog of frameworks is among the leading risk management frameworks. One of the most widely known and globally adopted standards within the information security community is ISO 27001. The framework provides specific guidance and security controls for processing financial information, intellectual property, employee details, or information entrusted to you by third parties. In accordance with ISO 27001, ISO 27005 is the international standard that describes how to conduct an information security risk assessment. ISO 27002 is a variation of 27001 for institutions to establish an Information Security Management System (ISMS) based on ISO/IEC 27001. It provides in-depth detail about control objectives to help organizations best implement the framework within their unique operations.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) was published in January 2020 by the United States Department of Defense. The model establishes a new method to evaluate vendor cybersecurity programs by measuring both technical controls in place and ongoing processes to review and improve practices in place. The CMMC takes a collaborative approach by sampling practices across leading IT risk management frameworks, cloud security and more to deliver a comprehensive model based on the latest cyber-community insights.
The National Institute of Standards and Technology (NIST) publishes a handful of process guides and IT risk management frameworks, most notably, NIST 800-53 & NIST CFS. NIST 800-53 documents a robust catalog of security and privacy controls and objectives designated for U.S. federal information systems to support best-in-class cybersecurity standards.
NIST Cybersecurity Framework
Another notable framework is the NIST Cybersecurity Framework (CSF), which consists of standards, guidelines, and practices. NIST CSF builds on existing frameworks (including NIST 800-53, ISO 27000) but offers a focused scope of controls alongside a thorough explanation written in ordinary language suited for non-technical executives or line of business individuals.
AICIPA, SOC 2
Developed and published by the American Institute of CPAs (AICPA), SOC2 defines criteria for managing customer data based on five core principles: security, availability, processing integrity, confidentiality, and privacy.
Rather than providing a detailed IT risk management framework of pre-defined controls, organizations can define their set of Service and Organization Controls (SOC), embed controls into their corporate policies, audit effectiveness, and design to evaluate how well the control model meets the five principles according to business operations.
Unified Compliance Framework (UCF)
Created by Unified Compliance, the Unified Compliance Framework (UCF) derives from an industry-wide need to simplify the scope, definition, and maintenance of compliance over time. The framework recognizes the evergreen nature of regulatory and compliance mandates by noting commonalities between new and existing regulations. Ultimately, this reduces lift across the business as new mandates come into place.
Secure Controls Framework (SCF)
Encompassing 100 frameworks and thousands of requirements, the Secure Controls Framework (SCF) empowers security professionals to more holistically understand the disciplines of privacy and security. The SCF provides one comprehensive reference point for professionals through a four-pronged approach addressing statutory obligations, regulatory obligations, contractual obligations and leading practices.
Simply put, risk quantification is the process of evaluating the identified risks and developing the data that is needed for making decisions. The data elements that you use or have available will determine:
Risk quantification can help your organization go beyond traditional risk matrix scoring, applying values to contributing factors of risk, and calculating them across what can be massive data loads. This enables the organization to gain insight on risk posture and provides visibility into any gaps present. Ultimately, risk quantification will empower your organization to better manage risk while pushing the strategic initiatives of the organization forward.
Businesses face a host of challenges when managing IT risk. Here are a few of the most common challenges to be aware of as you dive into ITRM:
As your business expands and departments specialize, so do the applications they use. A foundational element to any GRC strategy is to have a centralized view of data and controls across business systems and devices. Still, many enterprise-level operations execute across disjointed systems and manual, siloed processes. Integrations help connect your existing enterprise technology with your ITRM solution. Common integration use cases for ITRM include:
Integrations help expedite risk insights, improve data quality, and reduce duplication of data in multiple systems. The goal is to seamlessly connect systems without sacrificing functional experiences and operational efficiencies within your ITRM and line of business applications.
Connecting systems today doesn’t have to be a complex hard-coded exercise. Many solution providers offer an integration gallery of pre-built system plug-ins to support this connection: A visual integration builder can simplify connecting and sharing data across enterprise systems, save resources, and minimize system maintenance.
Given that the areas covered by ITRM are vast and the challenges are robust, it’s important to understand best practices in the space. Following the practices below will aid your organization in implementing an ITRM strategy that enables your entire organization to be secure.