Due to the strong IT penetration of all business processes, risks resulting from the use of information technology require special attention from a large number of companies; not least because of the complex nature of IT network structures, a malfunction can pose very serious and even existential threats to a company. The reliability of IT is not just a function of its availability: a reliable IT infrastructure also takes care of confidentiality and integrity and of the compliance of its IT services and the processed data with rules and regulations.
In addition to managing the company’s own IT systems, there are more and more challenges related to the outsourcing of services and to cloud solutions. Depending on the business field, there are very strict regulatory requirements: in health care, in the credit card business and in other industries such as information and communications, rules and regulations heavily impact the management of IT systems and the organisation of the IT infrastructure.
Information technology has now become a key factor for competitive success. The benefits of IT are accompanied by increasing costs of proper IT operation. It is therefore essential to consider the cost-benefit relation of IT and particularly IT security.
The CRISAM® information risk management provides a comprehensive solution for recognising and evaluating IT-relevant risks in connection with business success; in addition, risk control is enabled through efficient measures, and the cost-benefit relation of IT is evaluated.
CRISAM® helps IT operations to conform to both business requirements and compliance regulations.
The focus of the CRISAM® information risk management (IRM) is the quantification and aggregation of IT risks and the evaluation of their impact on the business process. With regard to the quantification, it is generally assumed that IT related risks are rooted in the IT infrastructure or IT operations and that the possible damage can be found in the supported business process.
In order to quantify the corporate risk coming from the use of IT, individual risks of IT objects are aggregated to an overall risk by taking into account cause and effect relationships; then the impact on the business process is measured.
The core functions of the CRISAM® IRM are:
- Identification of risks – CRISAM® evaluates risks when the risk acceptance threshold – determined by management and based on criteria such as availability, confidentiality, integrity, compliance regulations and standards – is exceeded. By applying business impact analysis, fault tree analysis and GAP analysis, deviations of individual IT objects from the target specification are identified as risks. Estimating the probability of occurrence of individual risks is not required in this methodology. Instead, the quality of the individual IT systems and the infrastructure is evaluated.
- Quantifying by aggregation – IT assets are complex, interconnected and interdependent objects; their cause and effect relationships have to be taken into account in order to make risk statements. CRISAM® uses fault tree analysis (FTA) according to DIN 25424 to aggregate risks from the areas required for the proper functioning of an IT service: IT objects, IT infrastructure and facilities.
- Business impact – Threats of failure of IT services generally arise in the supported business processes of a company. In order to incorporate the level of threat into the risk measurement, CRISAM® uses business impact analysis (BIA). The general principle is: A poor IT service which cannot cause any damage to the business process is not a risk!
- Identification of measures – Parallel to the identification of IT risks, measures for improvement and for closing the gaps between actual and desired performance are identified – the scope of these measures depends on the risk acceptance threshold.
- Effectiveness and efficiency analysis of measures – Measures are classified as effective if they narrow or close the identified gap between actual and desired performance. Efficient measures add value over a specific observation period, in that the total costs caused by the measures are less than the overall economic benefit. CRISAM® helps to get a handle on both aspects: the effectiveness of planned measures is analysed and evaluated by means of simulation and aggregation, while the scenario analysis module allows the economic benefit of planned measures to be compared with the connected costs, so that the efficiency of the measures can be evaluated.
- Compliance – The control questions of the CRISAM® content libraries address all contents of the compliance references. An intelligent mapping, referring to the control objectives of the addressed standards and norms, automatically recognises the compliance and evaluates it through reports and key performance indicators (KPIs). Selected KPIs can be tracked via dashboard in the “management cocKPIt”.
- Business continuity management – With the aid of business impact analysis and fault tree analysis CRISAM® provides the required details for operating a business continuity management which complies with the standards: ISO 22301:2012, BSI 100-4, etc.
- Service level management – CRISAM® evaluates IT services not just according to their availability: confidentiality and integrity are considered as well. The required service level with regard to the three criteria availability, confidentiality and integrity also has to be ensured when the IT services are received from external providers or from the cloud. In order to facilitate a comprehensible and controllable service level management, CRISAM® provides the required detailed information for both the service user and the service provider.
- Cloud computing – Information risk management of cloud services is a challenge more and more chief information officers (CIOs) are going to face. CRISAM® also enables risk management of IT services received from the cloud thanks to service level management support, the quantification of IT services and the provision of a cloud content library.
- Integration of information risk management (IRM) & enterprise risk management (ERM) – Risks arising from the use of information technology in companies are a subset of company-wide risks. For this reason, it is advisable to tie IT risks to the enterprise risk management (ERM) in an appropriate form. CRISAM® enables IT risks and KPI scores to be transferred into ERM. In addition, the monetary values of the risks, displayed in the scenario analysis module, can be exported to an external, quantitatively-oriented ERM or incorporated into an enterprise-wide CRISAM® model: CRISAM® ERM.
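The aggregation principle described above (gap analysis on individual IT objects, fault tree aggregation through AND/OR gates, weighting with the business impact, and checking whether a measure is effective and efficient) can be illustrated with a small worked model. The following Python script is an added example written for this page; it is not CRISAM® code, and it does not reproduce the DIN 25424 procedure or any CRISAM® content library. The quality scale (levels 0..5), the normalised gap formula, the sample service tree, the monetary impact and the measure cost are all constructed assumptions chosen to make the arithmetic easy to follow.

```python
import copy
from dataclasses import dataclass
from typing import List, Union


@dataclass
class ITObject:
    """Leaf of the fault tree: one assessed IT object (server, database, link, facility)."""
    name: str
    actual: int   # assessed quality level on a constructed 0..5 scale (assumption)
    target: int   # level demanded by the risk acceptance threshold

    def gap(self) -> float:
        # Deviation from the target, normalised to 0..1 (0 = meets the target).
        # No probability of occurrence is estimated; only quality vs. target counts.
        return max(0, self.target - self.actual) / max(1, self.target)


@dataclass
class Gate:
    """Inner node of the fault tree.
    OR : any deficient child degrades the service.
    AND: all children must be deficient at once (redundancy)."""
    name: str
    kind: str
    children: List[Union["ITObject", "Gate"]]

    def gap(self) -> float:
        gaps = [child.gap() for child in self.children]
        if self.kind == "OR":
            return max(gaps)   # the weakest element drives the service gap
        if self.kind == "AND":
            return min(gaps)   # redundancy: the strongest element covers the rest
        raise ValueError(f"unknown gate kind {self.kind!r}")


def business_risk(service: Gate, impact_eur: float) -> float:
    """Weight the aggregated service gap with the business impact from the BIA.
    A service with zero business impact yields zero risk, however poor it is."""
    return service.gap() * impact_eur


def find(node: Union[ITObject, Gate], name: str):
    """Depth-first lookup of an IT object by name."""
    if isinstance(node, ITObject):
        return node if node.name == name else None
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def apply_measure(service: Gate, object_name: str, new_level: int) -> Gate:
    """Return a copy of the tree in which one IT object has been raised to new_level."""
    improved = copy.deepcopy(service)
    obj = find(improved, object_name)
    if obj is None:
        raise KeyError(object_name)
    obj.actual = max(obj.actual, new_level)
    return improved


def evaluate_measure(service: Gate, impact_eur: float, object_name: str,
                     new_level: int, cost_eur: float) -> dict:
    """Effective = the service-level gap narrows; efficient = benefit exceeds cost."""
    before = business_risk(service, impact_eur)
    after = business_risk(apply_measure(service, object_name, new_level), impact_eur)
    return {
        "risk_before": before,
        "risk_after": after,
        "effective": after < before,
        "efficient": (before - after) > cost_eur,
    }


def build_sample_service() -> Gate:
    """Constructed sample: an online-ordering service and the objects it depends on."""
    return Gate("Online ordering", "OR", [
        Gate("App cluster", "AND", [              # two redundant application nodes
            ITObject("app-node-1", actual=2, target=4),
            ITObject("app-node-2", actual=4, target=4),
        ]),
        ITObject("order-db", actual=3, target=4),
        ITObject("wan-link", actual=4, target=4),
        ITObject("datacenter-power", actual=1, target=4),
    ])


if __name__ == "__main__":
    svc = build_sample_service()
    print(f"aggregated service gap: {svc.gap():.2f}")
    # Constructed figures: EUR 200,000 business impact, EUR 30,000 for a power upgrade.
    print(evaluate_measure(svc, 200_000, "datacenter-power", 4, 30_000))
```

In the sample tree the deficient application node is masked by its redundant partner (AND gate), so the cluster contributes no gap, while the facility power supply, the weakest single point under the OR gate, drives the aggregated gap to 0.75. Raising the power supply to its target level leaves the database as the new weakest element (gap 0.25), which is exactly the kind of shift in priority that aggregation is meant to make visible before money is spent.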